Microsoft Roadmap Security, Interoperability and Programs John Weigelt National Technology Officer Microsoft Canada


Page 1: Microsoft Roadmap

Microsoft Roadmap – Security, Interoperability and Programs

John Weigelt, National Technology Officer, Microsoft Canada

Page 2: Microsoft Roadmap

[Chart: hardware capability over time; labels as extracted, in order of appearance]

Years: 2002, 2003, 2005, 2007/8, 2009

Storage: 40 / 100 GB; 80 / 200 GB; 568 GB / 1 TB; 213 / 500 GB; 37 TB

Network: 100 Mb/s wired, 11 Mb/s wireless; 100 Mb/s wired, 11 / 54 Mb/s wireless; 1 Gb/s wired, 54 Mb/s wireless; 10 Gb/s wired, 100 Mb/s wireless

Processor: Multi-core; Dual-core; 3 GHz; Multi-Core; Graphene?

Page 3: Microsoft Roadmap

A Near Future…

Intel Research http://techresearch.intel.com/articles/Exploratory/1500.htm

Dynamic Physical Rendering

Page 4: Microsoft Roadmap

The Microsoft Vision: Software + Services

We want to create experiences that combine the magic of software with the power of Internet services across a world of devices.

DESKTOP ENTERPRISE ONLINE DEVICES

Page 5: Microsoft Roadmap

Embracing the Cloud

Page 6: Microsoft Roadmap

20 Year Defence Science and Technology R&D Priorities

Common Operating Picture

Advanced Analytics, Visualization

Human Interfaces

High Assurance Computing

Advanced Simulations

Identity Management

Page 7: Microsoft Roadmap

Building for tomorrow, today.

Virtual Earth & JEPRS

Search, Photosynth, Intelliview vision sol’ns

Microsoft Surface, Vista and WM speech

Trustworthy Computing

Windows Compute Cluster, Microsoft ESP

Claims Based Authentication

Page 8: Microsoft Roadmap

A Time of Change for Government

Governments are under increasing pressure to be more responsive, efficient, and agile

Budget constraints

Rising constituent expectations

Growing demand for services

New security threats

Greater need for internal collaboration

Page 9: Microsoft Roadmap

What we hear from government.

Our priority is the Economy

And:

The Environment

Public Safety

Improved Health Outcomes

Education

Stronger Communities

Page 10: Microsoft Roadmap

Even during economic downturn

Tax revenues are down

Public sector organizations are expected to do more with less

Delivery of public safety services to citizens remains critical and in many cases, needs to be improved upon

Page 11: Microsoft Roadmap

Some Policy Considerations

Economic Impact / Value for Money

Global perspective and global impact of activities

Business models

Self provisioned, hosted, tiered services, advertisement

Services Transformation

Multi-Channel / Appropriate Channel approaches

Trust & Confidence in Services

Response to crisis

Human Resources Impact / Skills Development

The role of Government in these evolving environments

The comingling of the Employee and the non-work contexts

Page 12: Microsoft Roadmap

Transform and Innovate

CIOs need to find a strategic balance these days between exerting enormous efforts to conserve vital cash via sweeping cost-cutting efforts and also keeping alive ideas and processes geared toward creating innovative approaches that are the key to future growth.

Techweb editorial - CIO As Chief Cost Cutter: It's Not Enough, by Bob Evans

Page 13: Microsoft Roadmap

Exploring Alternative Service Delivery Models

Consumer Online Services

Business Online Services

Hosted Service Provision

Shared Services

Self Provided

Page 14: Microsoft Roadmap
Page 15: Microsoft Roadmap

Enterprise class software delivered via subscription services hosted by Microsoft and sold with partners

Business Productivity Online Suite

Microsoft Online Services

www.microsoft.ca/online

Page 16: Microsoft Roadmap

The Legislative Background

Title 18 of the US Code: (well… USA PATRIOT Act)

§ 2703. Required disclosure of customer communications or records

Canada Federal Personal Information Protection Electronic Documents Act (PIPEDA)

Codification of the OECD privacy principles and CSA model code for privacy

BC Freedom of Information Privacy Protection Act (FOIPPA)

30.1 Storage and access must be in Canada

A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada,

30.2 Obligation to report foreign demand for disclosure

Nova Scotia Privacy law fundamentally similar to BC

Federal Government also “interested” in data sovereignty

Healthcare is a provincial accountability

Ontario – PHIPA – Breach Notification

Privacy Commissioners role

Page 17: Microsoft Roadmap

Designing for Privacy

Implement for all privacy principles

Privacy implementations require defence in depth

A risk managed approach should be taken

Solutions must provide privacy policy agility

Privacy and security must be viewed as related but not dependent

Use existing technology in privacy enhancing ways

Page 18: Microsoft Roadmap

Security & Privacy Development Process

[Diagram: security and privacy activities across the product lifecycle]

Phases: Requirements, Design, Build, Verification, Release

Activities shown across the phases:

  • Security & Privacy Training

  • Security & Privacy Kick Off

  • Cost Analysis

  • Security & Privacy Design Best Practices

  • Risk Analysis

  • Security & Privacy Development Best Practices & Tools

  • Security & Privacy Test Best Practices & Tools

  • Public Release Privacy Reviews

  • Final Security & Privacy reviews

Deliverables throughout the Product lifecycle.

Integrated Compliance Tracking Tools

Online and Live Privacy Training available

Page 19: Microsoft Roadmap

Some thoughts for the future

Integration of Privacy Enhancing Capabilities

Anonymous secret sharing

Obfuscation and perturbation techniques

Extending the trust model for the Cloud

Expanding federation models

Developing and recognizing technical controls

Page 20: Microsoft Roadmap

Embrace Different Delivery Models

Can you leverage your customers' ingenuity?

How can your end users contribute?

Will your branch offices assist?

Adopting solutions from other jurisdictions

Sharing solutions with others

Page 21: Microsoft Roadmap

Applies to these products

Microsoft Interoperability Principles

Open Engagement

Ensuring Open Connections

Data Portability

Enhanced Support for Standards

“Driving interoperability through the implementation of this set of principles is a best practice for the IT industry that will provide greater opportunity and choice.”

David O’Berry, Director of IT Systems, South Carolina Dept. Of Probation, Parole and Pardon Services

including the .NET Framework

Page 22: Microsoft Roadmap

Microsoft's Identity Management Platform Components

A comprehensive set of IDA platform technologies and solution scenarios

Value is built into the platform and leveraged by solutions that Microsoft builds and partners extend

[Diagram: layered IDA platform; labels as extracted]

Layer labels: User and Developer Experiences; Extensibility; IDA Management Capabilities; Microsoft Solution Focus Areas; Platform Components

Items shown:

  • Microsoft Office, Windows, Web Portals, CardSpace

  • 20+ Connectors, WS-*, ILM Partners

  • BizTalk, .NET, Visual Studio, ILM SDK

  • Directory Services, Strong Authentication, Federated Identity, Information Protection, Identity Lifecycle Mgmt

  • AD Domain Services, AD Lightweight Dir Services, AD Federation Services, AD Rights Management Services, AD Certificate Services

Page 23: Microsoft Roadmap

Securing Change

Master the fundamentals

Reconsider traditional models

Strive for action & measurable outcomes

Communicate and Collaborate

Connect with service delivery leaders

Page 24: Microsoft Roadmap

Establishing End to End Trust

Core Security Components

Trust Founded on “Identity Claims” not Identity

Trusted Stack

Alignment of Social, Political & Economic Forces

Needed for a trusted stack

HW, SW, people & data validation

Robust trust model

Informed decisions based on integrity & reputation

Scalable across all user scenarios

Identity Claims

Authentication

Authorization Policies

Access Control Mechanisms

Audit

Authenticate users on certified attributes

In-person proofing

Protects identity, reveals only data required to be

Authenticated

Authorized for Access

Actions auditable, privacy protected

Stolen identity claim insufficient to cause data breach or ID loss

PII control is right of the individual

Web anonymity optional but state clear to all parties

Successful end-to-end trust needs IT solutions aligned with

Society

Economy

Politics/Legislation

People

Software

Hardware

Data

Page 25: Microsoft Roadmap

Where do we Act?

Cyber Security

Acute Chronic

Industry Government

Page 26: Microsoft Roadmap

Critical Infrastructure Protection: An Economic Enabler

Page 27: Microsoft Roadmap

Microsoft Security Collaboration for Governments

Offerings are designed to address different concerns

Primary Security Concern: Security of IT deployments; Product security; Computing safety

Government Security Program (GSP)

  • Source code access

  • Certification evidence

  • Training

  • Feedback

  • New - now includes GSHP

  • Primary audience: Policy makers; Purchasing decision makers

Security mobilization

  • Prescriptive guidance via on-line content, CD-ROM, on-line training, service offerings

  • Primary audience: IT managers & professionals; Developers

Security Cooperation Program (SCP)

  • Incident response and public safety collaboration

  • Cooperative projects

  • Information exchange

  • Primary audience: Policy and national security agencies; Public safety and incident response agencies

Page 28: Microsoft Roadmap

Security Cooperation Program

Overview

• A worldwide program providing a structured way for governments and governmental organizations responsible for computer incident response, protection of critical infrastructure, and computing safety to collaborate with Microsoft in the area of IT security

• Includes incident response, information exchange, and public outreach components

Benefits

• Public/private partnership in incident response and information exchange can help decrease risk to national security, economic strength, and social welfare from attacks on the country’s IT infrastructure.

• Microsoft provides a 24/7 hotline for SCP participants, and works with participants to define a process for disseminating information in the event of a critical incident or emergency.

Page 29: Microsoft Roadmap

Government Security Program

National governments and international organizations have unique security concerns

Securing critical national infrastructure systems

Protecting the privacy of the country’s citizens

Preventing spying on privileged communications

Shielding national or global businesses from hackers

GSP addresses these unique concerns by

Allowing national governments to better understand and therefore feel confident in the security of Microsoft products

Providing the opportunity for national governments to collaborate with Microsoft on threat modeling and conducting reviews of Microsoft products.

The GSP provides national governments with

Access to source code for Microsoft products, including Windows® and Office®.

Access to Microsoft development personnel

Access to technical information related to the security of Microsoft products and platforms

Source

Access

Page 30: Microsoft Roadmap

Law Enforcement Portal

Goals:

Take Partnerships with LE to the next level

Provide LE opportunity to better leverage MSFT knowledge base

Provide training and informational materials

Points of contact for LE

Technical and investigative support for cases involving computer related crimes

Page 31: Microsoft Roadmap

Legislation

Regulation

Policy

Standards

Guidelines

Best Practices

Page 32: Microsoft Roadmap

Legislation

Regulation

Policy

Standards

Guidelines

Best Practices

Time

Advances

Page 34: Microsoft Roadmap

What can you do?

Engage the business leader

Reconsider your approach in support of Web 3.0

Include Web 3.0 considerations in Education and Awareness

Implement Security and Privacy safeguards available in your infrastructure

Engage in the End-to-End trust discussion

Page 35: Microsoft Roadmap

Next Steps

1. Call for industry dialogue

Technology Innovations

Economic Forces

Political Standards

Social Change

2. Learn about Microsoft solutions for security, identity & access, and management; see how these address your needs in a truly integrated way

www.microsoft.com/endtoendtrust

Page 36: Microsoft Roadmap

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.