The Journey to Beneficial Security Measures: Long, But Well Worth It
Microsoft’s Information Security Is Becoming a Competitive Advantage
Author: Mark Estberg, Director Information Security, Microsoft
The prevailing wisdom in most organizations is that effective security measures hurt. Based on old technology and past experience, this is an understandable perspective – yet it’s not an inescapable truth. If security processes can be implemented in a well-thought-out, strategic fashion, the hope is that the business of running a business can continue without employees or executives seeing a significant change in how they access or share information.
Six years ago, in the face of mounting attacks from worms and e-mail viruses, Microsoft started a journey to greater security. This was no small task given the size of Microsoft’s network then and now. As part of its “defense in depth” security strategy, Microsoft relied on multiple layers of protection to help fend off attacks. The company retrofitted its internal processes with measures that were perceived by some as detrimental to business as usual. However, the end goal was a point where information security is an inherent part of business strategy for future growth.
At the beginning of this “journey” to better security, Microsoft recognized that regardless of how well thought out its plan was, the effort would be fruitless without the support of the company’s top executives and a high level of awareness on the part of employees and partners. The company also knew that success depended on having a clear road map against which to measure progress toward the end goal: a security-enabled business.
As the roadmap for its journey, Microsoft has adopted the Infrastructure Optimization (IO) model, which divides information security practices into four stages: the basic stage (reactive and uncoordinated security measures that tax business practices in unpredictable ways), the standardized stage (more structured and purposeful, yet still costly), the rationalized stage (efficient security applied through automation and process improvement that supports the business), and the dynamic stage (security is a strategic advantage for the business). The important thing isn’t which model was picked, but that the company picked one and used it to measure progress and set goals.
Generally speaking, information security is viewed as a tax on business during the first two stages of the IO model, going from unpredictable expenses to those that are better planned and based on clear drivers. Microsoft took about three years to transition from the basic to standardized stage, and another three to move from the standardized to rationalized stage – where the company is currently operating.
Microsoft has applied a principle of implementing security controls in response to incidents or identified risks. In addition to strong executive sponsorship and a global security awareness campaign, three key measures applied in moving from the basic to the standardized stage were the use of two-factor authentication for remote access – in this case a password and a smartcard; the adoption of 802.1x wireless standards for increased security; and the implementation of strong passwords – meaning a password that is frequently changed, has a minimum length and requires the use of letters, numbers and symbols.
To make the jump to the rationalized stage, the company adopted a risk management framework to help guide security investment decisions. A defense-in-depth approach also continued, which expanded security measures by further enforcing two-factor authentication for accounts with elevated network access, and by segmenting the network to limit exposure from unmanaged computers. There was also an emphasis on automating security controls in areas such as identity and access management, certificate provisioning and renewals, and vulnerability assessments. Automation increased the reliability and consistency of the measures while also reducing costs.
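The strong-password measure above combines two separate checks: a complexity rule enforced at the moment a user sets a password, and a rotation rule enforced over account metadata. The following Python is an added illustration, not Microsoft's code, and the concrete figures (12-character minimum, 90-day maximum age) and the sample accounts are assumptions constructed for the example; the article gives no numbers. It also shows why the two checks should be kept apart: the complexity check needs the plaintext only at change time and stores nothing, while the rotation audit needs only a last-changed date per account.

```python
import re
from datetime import date

# Policy parameters are assumptions for this example; the article says only
# that passwords must have a minimum length, be changed frequently, and use
# letters, numbers and symbols. No figures are given.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90

# Each rule is (violation code, pattern that must match somewhere in the password).
CHARACTER_RULES = [
    ("no_letter", re.compile(r"[A-Za-z]")),
    ("no_digit", re.compile(r"[0-9]")),
    ("no_symbol", re.compile(r"[^A-Za-z0-9]")),
]


def check_password_complexity(password):
    """Evaluate a candidate password when the user sets it.

    Returns a list of violation codes; an empty list means the password
    meets every complexity rule. The plaintext is needed only here and is
    neither stored nor logged.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    for code, pattern in CHARACTER_RULES:
        if not pattern.search(password):
            violations.append(code)
    return violations


def password_age_days(last_changed, today):
    """Whole days since the password was last changed."""
    return (today - last_changed).days


def find_expired_accounts(accounts, today):
    """Rotation audit over account metadata (no plaintext involved).

    accounts: iterable of (username, last_changed date).
    Returns usernames whose password age exceeds MAX_AGE_DAYS, oldest first.
    """
    expired = [
        (name, password_age_days(changed, today))
        for name, changed in accounts
        if password_age_days(changed, today) > MAX_AGE_DAYS
    ]
    expired.sort(key=lambda item: item[1], reverse=True)
    return [name for name, _ in expired]


# Constructed sample directory data for the audit (not from the article).
SAMPLE_ACCOUNTS = [
    ("alice", date(2024, 5, 20)),   # 12 days old on 2024-06-01
    ("bob", date(2023, 11, 2)),     # 212 days old
    ("carol", date(2024, 1, 15)),   # 138 days old
]

if __name__ == "__main__":
    audit_date = date(2024, 6, 1)
    for candidate in ["Winter2024", "correct-horse-battery", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", check_password_complexity(candidate) or "ok")
    print("rotation overdue:", find_expired_accounts(SAMPLE_ACCOUNTS, audit_date))
```

Returning violation codes rather than a bare boolean lets the password-change UI tell the user exactly which rule failed, and lets the rotation audit feed a ticketing or reporting process without ever handling a password.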
Finally, Microsoft drove security accountability closer to the business by transferring much of the responsibility for operating secure services from the information security group to IT service managers. Not only did this move accountability closer to the business group, which ultimately held the purse strings for its own security investment, but it also ensured that information security would be an inherent part of IT services planning for the future.
Changing security risks and business priorities make the parameters of the rationalized stage a moving target, but the company is confident it will maintain this posture as it transitions to the dynamic stage.
More closely aligning with the business is critical to Microsoft reaching the dynamic stage, and Information Security Governance (ISG) is the method being used to make this alignment. This initiative will enable security and business leaders to agree on what steps to take so Microsoft can protect its assets, conduct business in the face of constant and changing security attacks, manage risks related to business opportunities, and comply with federal statutes and regulations.
Just as defense-in-depth is critical at the early levels of the model, it continues at the dynamic stage. Areas of focus for Microsoft include deploying BitLocker Drive Encryption to protect data on lost or stolen laptop computers, Network Access Protection to enforce security requirements on all hosts connecting to the Microsoft network, and two-factor authentication for all network access to ensure that only authorized individuals access Microsoft resources. Security awareness will also continue to be a priority because of the role each person plays in making responsible security decisions.
Ultimately, the success of ISG will be based on whether the company is taking reasonable measures to grow the business, preserve intellectual property and enhance shareholder value. Security risks will continue to change, but Microsoft will be in a better position to anticipate those changes and preserve the security of its technology, employees, partners and customers. At its most simple level, success will be measured by the business saying “security helps”.