微软TI信息安全策略

微软微软IT信息安全策略信息安全策略Microsoft IT议程微软微软ITIT运维环境和运维环境和ITIT管理的战略管理的战略微软微软ITIT信息安全管理策略及原则信息安全管理策略及原则微软微软ITIT信息安全管理的主要手段信息安全管理的主要手段微软微软ITIT如何如何保证保证持久持久的系统的系统安全安全世界级的运维微软产品最好的客户大规模的技术实施M微软IT 基础环境简单介绍Delight CustomersEnable unprecedented intimacy with customer experiencesConnect the CompanyEnable high-speed,zero-latency,“straight through”processesInspire the IndustryInspire the industry&our people with our innovative use of Microsoft products&servicesMSIT will help Microsoft achieve its full potential by transforming it into a real-time enterprise that connects the company,delights our customers,and inspires the industry with our use of Microsoft technology.Real-Time EnterpriseReal-Time Enterprise微软IT 的远景及目标微软IT战略We DELIVER IT solutions and services that drive innovation and BUSINESS VALUE.增进与业务部门的伙伴关系简化平台目标：统一需求管理满足全球业务需要目标：统一需求管理满足全球业务需要助力企业利润增长持续创新目标：支撑和帮助企业利润增长目标：不断改进和创新IT Showcase人力资源投资优化 IT目标：全球人力资源整合管理策略目标：提升IT服务客户满意度战术原则全球资源管理模式组织结构的可持续性发展员工专长提高资源使用效率提升领导力和兼容并蓄战术原则全球需求管理业务需求3年路线图业务部门满意度分析商业价值实现战术原则产品战略影响产品战略改进产品质量提高产品创新周期战术原则统一流程治理供应商管理需求管理风险管理自动化和可重复利用 优化FTE/Vendor分布战术原则统一架构标准3 年架构路线图减少复杂程度数据梳理全球统一平台战术原则客户优先高层接触1对1或者1对多的客户帮扶定制内部最佳实践分享素材不同人对于信息安全的看法CSO/CIOCSO/CIO将GRC要求转换为信息安全管理目标ITIT将信息安全管理目标进行技术实践与日常运维Content OwnerContent Owner识别与保护本部门的数据Content UserContent User任何时间都可以方便而没有限制的访问我需要的信息从管理，风险控制及合规的要求到具体管理实践Microsoft CISO 的担心规章的遵从数据的移动性对数据的无授权访问恶意软件业务的持续发展信息安全管理所面临的主要挑战 通讯设备通讯设备作者作者创作创作编纂编纂修改修改管理信息的生命周期微软内部的数据及信息保护方式 AD Plus KPI encrypt:To protect digital content(no matter where)security technology,designed for those who need to protect sensitive Web content,documents and email user and design.The user can strict rules which users can open,read,modify,and redistribute specific content.PKI encrypt:EFS system is encrypt by certification and transparent to protect the user data.partition encrypt:Windows BitLocker drive encryption through the encryption Windows operating system on a volume of all data storage can better protect the computer data.微软IT信息安全管理的使命及愿景使命使命The Corporate Security group core functions support the Microsoft IT mission by managing risk to an acceptable level.风风险管理构架险管理构架 FInvesting in a risk management processwith a solid framework and defined roles and responsibilitiesprepares the organization to articulate priorities,plan to mitigate threats,and address the next threat or vulnerability to the business.To better manage security risks,the Corporate Security group follows a traditional risk management approach consisting of an iterative four-phase process(MOF-ITIL):五五个信息安全愿景个信息安全愿景My identity is not compromisedResources are secure and availableData and communications are privateRoles and accountability are clearly definedThere is a timely response to risks and threats微软IT信息安全管理的基本原则key area to evaluate risk and determine the optimal solution to support the business 领导管理层Manage risk according to business objectivesDefine organizational roles and responsibilities用户数据层Manage to practice of least privilegeStrictly enforce privacy and privacy rules应用开发层Build security into development life cycleCreate layered defense and reduce attack surface运行维护层Integrate security into operations frameworkAlign monitor,audit,and response functions to operational functions微软IT端对端的信息安全策略Universal Extensible Firmware Interface(UEFI)Trusted Platform Model(TPM)Windows Standard User AccountsUser Account Control,and AppLockerModern ApplicationsDefender Maintain software with a patch management solution Deliver software that is secure by design Operate a malware resistant platform and applications Defend against malware threats Windows 7 BitLockerMDOP-BitLocker Administration and MonitoringOffice Information Rights Management(IRM)Office Encrypted File SystemActive Directory Rights Management Services z Secure data that is at rest with encryption Protect data that is in motion with encryption Protect data that is in use with access controlsActive DirectoryDirect AccessNetwork Access ProtectionDynamic Access Control Manage the full identity lifecycle Validate user identity with strong authentication Secured and always connected remote access Protect resources as environment changesSecured BootMeasured BootProtected ViewIE Smart Screen微软信息安全架构体系 应用开发Security Development Lifecycle IT 主机监控Host Based SegmentationCombating MalwareAutomated Vulnerability ScansSecuring Mobile Devices Windows Firewall网络构架Secure Partner and Extranet ConnectionsSecuring Remote AccessE-Mail Hygiene and Trustworthy MessagingHardening the Wireless NetworkNetwork Intrusion Detection SystemsSecurity Event Collection 身份验证Two Factor Authentication for Remote and Elevated Account AccessStrong PasswordsPublic Key Infrastructure ServicesAutomated Identity and Access Management 人员及流程Security Strategy PlanningInformation Security GovernanceInformation Security PoliciesTraining and AwarenessIncident Management Risk Management FrameworkForensic Investigations 物理安全 RFID and BiometricsPhysical Access Monitoring 数据保护Managing Source CodeRights Management Services Encrypted File SystemS/MIME安全的远程访问和网络的隔离Back to All Tactics智能卡远程系统安全检验连接的管理和通过RAS 进行隔离 风险风险恶意软件Back to All Tactics双重验证远程访问和严格的身份验证网络隔离概述借助IPSec实现被管理的机器和不被管理机器的隔离降低网络风险改进资产管理保护知识产权推进政策执行探测恶意软件无线网的安全Back to All Tactics无线网和的访问策略加强的安全协议VLAN和域的分隔集中管理的 Access Points客户Internet访问(Guest Internet Access)自动的非法AP探测WPA&WPA2802.1X,EAP&RADIUSAruba Access PointsNAP在无线网的基础架构和RADIUS服务器间的IPSec通讯Aruba 的用户和防火墙的安全特性以保证最小权限访问(Least Privileged Access)方案技术 策略Back to All Tactics强密码保护策略驱动因素使用微软技术保护公司网络挑战教育用户重置口令的帮助请求风险疏远客户跨系统的口令同步 控制 通过Active Directory中的组策略执行政策 Security-101 培训教育用户未来 MIIS 自助口令重置 无需口令最小化特权用户以及分权管理原则Least Privileged Access(LPA)Establish GovernanceMinimize Exposure at PerimeterManageSource AccessMinimize Internal Exposure of HBIExtend Secure Global Campus保护和管理移动设备Back to All Tactics移动设备的考量挑战环境包括被管理的设备(笔记本)和不被管理的设备(智能手机,PDA)风险不被管理的设备用户名/口令,缓存的帐户信息和口令以明文方式传送丢失/失窃的设备上的数据/帐户信息被危害在一个不断发展的工作空间保证安全性源代码及外包办公室的信息安全管理Back to All Tactics离岸外包中心信息离岸外包中心信息安全安全管理管理 所有计算机都必须加入域 所有联网设备和服务器都由 MSIT 管理（Lab除外)无线信号管制 未经批准，不得擅自复制数据、介质和系统 所有计算机都通过公司 SMS 中心管理 强制进行安全培训 只能通过 MS 监控的代理服务器访问互联网恶意软件和补丁管理Back to All Tactics软件更新管理时间表20%30%有漏洞客户端的百分比48小时14 天 SMS 强制更新开始24 天2%高客户影响低客户影响目前攻击所需时间=6天平均24天达到98%的机器被更新24小时5%21 天 端口关闭开始3%Microsoft Update;电子邮件&ITWeb 通知(可选步骤)SMS 更新管理(自愿 强制)SER 扫描和脚本方式得更新端口关闭恶意软件防治策略Back to All Tactics如何做到全面的信息安全管理为什么需要培训和沟通?风险人的行为是不可预知的业务驱动力减少资产和生产力的流失挑战激励主动性的参与Back to All Tactics媒介媒介技术技术未来未来参与参与Security-101Security-101持之以恒的用户教育This document is provided for informational purposes only.MICROSOFT MAKES NO WARRANTIES,EXPRESS OR IMPLIED,IN THIS DOCUMENT.2006 Microsoft Corporation.All rights reserved.This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES,EXPRESS OR IMPLIED,IN THIS SUMMARY.Microsoft,Active Directory,MS-DOS,Windows,and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.按项目需求访问物理访问逻辑控制项目团队负责Back to All Tactics访问隔离区域源代码管理微软IT运维实践中的成功经验有“法”可依，有“法”必依从点到面，面面俱到善用资源，左右逢“源”技术全局出发，全面考量标准化，系统化贯彻实施，从上到下流程技术过硬善于思考立足本职，放眼世界人员远大的IT目标适合的IT员工 使命必达的责任感克服挑战802.1安全无线网活动目录政策需要证书加密文件系统远程访问智能卡加入域的非域用户的加入客户端证书验证微软信息安全管理的协同业务模式