Microsoft Roadmap – Security, Interoperability and Programs
John Weigelt, National Technology Officer, Microsoft Canada
[Figure: timeline chart, 2002 to 2009, of storage capacity (GB to TB), wired and wireless network speed (Mb/S to Gb/S) and processor type (3 GHz, dual-core, multi-core, "Graphene?")]
A Near Future…
Intel Research http://techresearch.intel.com/articles/Exploratory/1500.htm
Dynamic Physical Rendering
The Microsoft Vision: Software + Services
We want to create experiences that combine
the magic of software with the power of
Internet services across a world of devices.
DESKTOP ENTERPRISE ONLINE DEVICES
Embracing the Cloud
20 Year Defence Science and Technology R&D Priorities
Common Operating Picture
Advanced Analytics, Visualization
Human Interfaces
High Assurance Computing
Advanced Simulations
Identity Management
Building for tomorrow, today.
Virtual Earth & JEPRS
Search, Photosynth, Intelliview vision sol’ns
Microsoft Surface, Vista and WM speech
Trustworthy Computing
Windows Compute Cluster, Microsoft ESP
Claims Based Authentication
A Time of Change for Government
Governments are under increasing pressure to be more responsive, efficient, and agile
Budget constraints
Rising constituent expectations
Growing demand for services
New security threats
Greater need for internal collaboration
What we hear from government.
Our priority is the Economy
And:
The Environment
Public Safety
Improved Health Outcomes
Education
Stronger Communities
Even during economic downturn
Tax revenues are down
Public sector organizations are expected to do more with less
Delivery of public safety services to citizens remains critical and in many cases, needs to be improved upon
Some Policy Considerations
Economic Impact / Value for Money
Global perspective and global impact of activities
Business models
Self provisioned, hosted, tiered services, advertisement
Services Transformation
Multi-Channel / Appropriate Channel approaches
Trust & Confidence in Services
Response to crisis
Human Resources Impact / Skills Development
The role of Government in these evolving environments
The comingling of the Employee and the non-work contexts
Transform and Innovate
CIOs need to find a strategic balance these days between exerting enormous efforts to conserve vital cash via sweeping cost-cutting efforts and also keeping alive ideas and processes geared toward creating innovative approaches that are the key to future growth.
Techweb editorial - CIO As Chief Cost Cutter: It's Not Enough, by Bob Evans
Exploring Alternative Service Delivery Models
Consumer Online Services
Business Online Services
Hosted Service Provision
Shared Services
Self Provided
Enterprise class software delivered via subscription services hosted by Microsoft and sold with partners
Business Productivity Online Suite
Microsoft Online Services
www.microsoft.ca/online
The Legislative Background
Title 18 of the US Code: (well…USA PATRIOT Act)
§ 2703. Required disclosure of customer communications or records
Canada Federal Personal Information Protection Electronic Documents Act (PIPEDA)
Codification of the OECD privacy principles and CSA model code for privacy
BC Freedom of Information Privacy Protection Act (FOIPPA)
30.1 Storage and access must be in Canada
A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada,
30.2 Obligation to report foreign demand for disclosure
Nova Scotia Privacy law fundamentally similar to BC
Federal Government also “interested” in data sovereignty
Healthcare is a provincial accountability
Ontario – PHIPA – Breach Notification
Privacy Commissioners role
Designing for Privacy
Implement for all privacy principles
Privacy implementations require defence in depth
A risk managed approach should be taken
Solutions must provide privacy policy agility
Privacy and security must be viewed as related but not dependent
Use existing technology in privacy enhancing ways
Security & Privacy Development Process
Phases: Requirements, Design, Build, Verification, Release
Security & Privacy Training
Security & Privacy Kick Off
Cost Analysis
Security & Privacy Design Best Practices
Risk Analysis
Security & Privacy Development Best Practices & Tools
Security & Privacy Test Best Practices & Tools
Public Release Privacy Reviews
Final Security & Privacy reviews
Deliverables throughout the Product lifecycle.
Integrated Compliance Tracking Tools
Online and Live Privacy Training available
Some thoughts for the future
Integration of Privacy Enhancing Capabilities
Anonymous secret sharing
Obfuscation and perturbation techniques
Extending the trust model for the Cloud
Expanding federation models
Developing and recognizing technical controls
Embrace Different Delivery Models
Can you leverage your customers' ingenuity?
How can your end users contribute?
Will your branch offices assist?
Adopting solutions from other jurisdictions
Sharing solutions with others
Applies to these products
Microsoft Interoperability Principles
Open Engagement
Ensuring Open Connections
Data Portability
Enhanced Support for Standards
“Driving interoperability through the implementation of this set of principles is a best practice for the IT industry that will provide greater opportunity and choice.”
David O’Berry, Director of IT Systems, South Carolina Dept. of Probation, Parole and Pardon Services
including the .NET Framework
Microsoft's Identity Management Platform Components
A comprehensive set of IDA platform technologies and solution scenarios
Value is built into the platform and leveraged by solutions that Microsoft builds and partners extend
Microsoft Office
Windows
Web Portals
CardSpace
Extensibility
20+ Connectors
WS-*
ILM Partners
IDA Management Capabilities
User and Developer Experiences
Directory Services
Strong Authentication
Federated Identity
Information Protection
Microsoft Solution Focus Areas
Identity Lifecycle Mgmt
AD Domain Services
AD Federation Services
AD Rights Management Services
AD Certificate Services
BizTalk, .NET, Visual Studio, ILM SDK
Platform Components
AD Lightweight Dir Services
Securing Change
Master the fundamentals
Reconsider traditional models
Strive for action & measurable outcomes
Communicate and Collaborate
Connect with service delivery leaders
Establishing End to End Trust
Core Security Components
Trust Founded on “Identity Claims” not Identity
Trusted Stack
Alignment of Social, Political & Economic Forces
Needed for a trusted stack
HW, SW, people & data validation
Robust trust model
Informed decisions based on integrity & reputation
Scalable across all user scenarios
Identity Claims
Authentication
Authorization Policies
Access Control Mechanisms
Audit
Authenticate users on certified attributes
In-person proofing
Protects identity, reveals only data required to be
Authenticated
Authorized for Access
Actions auditable, privacy protected
Stolen identity claim insufficient to cause data breach or ID loss
PII control is right of the individual
Web anonymity optional but state clear to all parties
Successful end-to-end trust needs IT solutions aligned with
Society
Economy
Politics/Legislation
People
Software
Hardware
Data
Where do we Act?
Cyber Security
Acute Chronic
Industry Government
Critical Infrastructure Protection: An Economic Enabler
Microsoft Security Collaboration for Governments
Offerings are designed to address different concerns
Primary Security Concern: Security of IT deployments, Product security, Computing safety
Government Security Program (GSP)
• Source code access
• Certification evidence
• Training
• Feedback
• New - now includes GSHP
Primary audience:
• Policy makers
• Purchasing decision makers
Security mobilization
• Prescriptive guidance via on-line content, CD-ROM, on-line training, service offerings
Primary audience:
• IT managers & professionals
• Developers
Security Cooperation Program (SCP)
• Incident response and public safety collaboration
• Cooperative projects
• Information exchange
Primary audience:
• Policy and national security agencies
• Public safety and incident response agencies
Security Cooperation Program
Overview
• A worldwide program providing a structured way for governments and governmental organizations responsible for computer incident response, protection of critical infrastructure, and computing safety to collaborate with Microsoft in the area of IT security
• Includes incident response, information exchange, and public outreach components
Benefits
• Public/private partnership in incident response and information exchange can help decrease risk to national security, economic strength, and social welfare from attacks on the country’s IT infrastructure.
• Microsoft provides a 24/7 hotline for SCP participants, and works with participants to define a process for disseminating information in the event of a critical incident or emergency.
Government Security Program
National governments and international organizations have unique security concerns
Securing critical national infrastructure systems
Protecting the privacy of the country’s citizens
Preventing spying on privileged communications
Shielding national or global businesses from hackers
GSP addresses these unique concerns by
Allowing national governments to better understand and therefore feel confident in the security of Microsoft products
Providing the opportunity for national governments to collaborate with Microsoft on threat modeling and conducting reviews of Microsoft products.
The GSP provides national governments with
Access to source code for Microsoft products, including Windows® and Office®.
Access to Microsoft development personnel
Access to technical information related to the security of Microsoft products and platforms
Source
Access
Law Enforcement Portal
Goals:
Take Partnerships with LE to the next level
Provide LE opportunity to better leverage MSFT knowledge base
Provide training and informational materials
Points of contact for LE
Technical and investigative support for cases involving computer related crimes
[Figure: Legislation, Regulation, Policy, Standards, Guidelines, Best Practices, shown against "Time" and "Advances"]
What can you do?
Engage the business leader
Reconsider your approach in support of Web 3.0
Include Web 3.0 considerations in Education and Awareness
Implement Security and Privacy safeguards available in your infrastructure
Engage in the End-to-End trust discussion
Next Steps
1. Call for industry dialogue
Technology Innovations
Economic Forces
Political Standards
Social Change
2. Learn about Microsoft solutions for security, identity & access, and management; see how these address your needs in a truly integrated way
www.microsoft.com/endtoendtrust
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.