微软TI信息安全策略.ppt

,微软it信息安全策略,议程,世界级的运维,微软产品最好的客户,大规模的技术实施,4 data centers 8k production servers 7k virtual machines 100+ countries 300k system center 2012 managed computers 900k devices 160k end users 100% + users use lync for telephony,175k+ windows 8 clients 70k office 2013 122k+ sharepoint sites on 2013 windows domains and infrastructure services all run windows server 2008 r2 sap single instance on sql server 2008 r2,2m remote connections per month 20m spam mails filtered per day m worlds largest corporate website 1.2b hits per day 755k concurrent 300 gb per second,微软it 基础环境简单介绍,delight customers,enable unprecedented intimacy with customer experiences,connect the company,enable high-speed, zero-latency, “straight through” processes,inspire the industry,inspire the industry & our people with our innovative use of microsoft products & services,msit will help microsoft achieve its full potential by transforming it into a real-time enterprise that connects the company, delights our customers, and inspires the industry with our use of microsoft technology.,real-time enterprise,微软it 的远景及目标,微软it战略,we deliver it solutions and services that drive innovation and business value.,增进与业务部门的伙伴关系,简化平台,目标：统一需求管理满足全球业务需要,目标：统一需求管理满足全球业务需要,助力企业利润增长,持续创新,目标：支撑和帮助企业利润增长,目标：不断改进和创新it showcase,人力资源投资,优化 it,目标：全球人力资源整合管理策略,目标：提升it服务客户满意度,组织结构的可持续性 发展员工专长 提高资源使用效率 提升领导力和兼容并蓄,业务需求3年路线图 业务部门满意度分析 商业价值实现,影响产品战略 改进产品质量 提高产品创新周期,供应商管理 需求管理 风险管理 自动化和可重复利用 优化fte/vendor分布,3 年架构路线图 减少复杂程度 数据梳理 全球统一平台,高层接触 1对1或者1对多的客户帮扶 定制内部最佳实践分享素材,不同人对于信息安全的看法,从管理，风险控制及合规的要求到具体管理实践,microsoft ciso 的担心,信息安全管理所面临的主要挑战,执行中的交换,数据库,移动存储,共享网路,通讯设备,移动设备终端,在线应用,外包第三方,数据,管理信息的生命周期,微软内部的数据及信息保护方式,microsoft data protection solution,ad plus kpi encrypt: to protect digital content (no matter where) security technology, designed for those who need to protect sensitive web content, documents and email user and design. the user can strict rules which users can open, read, modify, and redistribute specific content.,pki encrypt : efs system is encrypt by certification and transparent to protect the user data .,partition encrypt : windows bitlocker drive encryption through the encryption windows operating system on a volume of all data storage can better protect the computer data.,efs,bitlocker,ad rms,微软it信息安全管理的使命及愿景,assess risk,define policy,monitor,audit,使命 the corporate security group core functions support the microsoft it mission by managing risk to an acceptable level. 风险管理构架 f investing in a risk management processwith a solid framework and defined roles and responsibilitiesprepares the organization to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. to better manage security risks, the corporate security group follows a traditional risk management approach consisting of an iterative four-phase process (mof-itil):,五个信息安全愿景 my identity is not compromised resources are secure and available data and communications are private roles and accountability are clearly defined there is a timely response to risks and threats,微软it信息安全管理的基本原则 key area to evaluate risk and determine the optimal solution to support the business,领导管理层 manage risk according to business objectives define organizational roles and responsibilities 用户数据层 manage to practice of least privilege strictly enforce privacy and privacy rules 应用开发层 build security into development life cycle create layered defense and reduce attack surface 运行维护层 integrate security into operations framework align monitor, audit, and response functions to operational functions,微软it端对端的信息安全策略,windows standard user accounts user account control, and applocker modern applications defender,maintain software with a patch management solution deliver software that is secure by design operate a malware resistant platform and applications defend against malware threats,windows 7 bitlocker mdop -bitlocker administration and monitoring office information rights management (irm) office encrypted file system active directory rights management services z,secure data that is at rest with encryption protect data that is in motion with encryption protect data that is in use with access controls,active directory direct access network access protection dynamic access control,manage the full identity lifecycle validate user identity with strong authentication secured and always connected remote access protect resources as environment changes,场景,流程与工具,功能,secured boot measured boot protected view ie smart screen,微软信息安全架构体系,安全的远程访问和网络的隔离,back to all tactics,智能卡,远程系统安全检验,连接的管理和通过 ras 进行隔离,风险 恶意用户,风险 恶意软件,back to all tactics,双重验证,远程访问和严格的身份验证,网络隔离概述,无线网的安全,back to all tactics,无线网和的访问策略,加强的安全协议 vlan和域的分隔 集中管理的 access points 客户internet访问 (guest internet access) 自动的非法ap探测,wpa & wpa2 802.1x, eap & radius aruba access points,nap 在无线网的基础架构和radius服务器间的ipsec通讯 aruba 的用户和防火墙的安全特性以保证最小权限访问 (least privileged access),方案,技术,策略,back to all tactics,强密码保护策略,控制 通过active directory中的组策略执行政策 security-101 培训教育用户 未来 miis 自助口令重置 无需口令,最小化特权用户以及分权管理原则 least privileged access (lpa),保护和管理移动设备,back to all tactics,移动设备的考量,挑战 环境包括被管理的设备(笔记本)和不被管理的设备 (智能手机, pda),风险 不被管理的设备用户名/口令, 缓存的帐户信息和口令以明文方式传送 丢失/失窃的设备上的数据/帐户信息被危害,源代码及外包办公室的信息安全管理,back to all tactics,离岸外包中心信息安全管理,infosec,所有计算机都必须加入域,所有联网设备和服务器都由 msit 管理（lab除外),无线信号管制,不允许替代或外部连接（dsl 模拟信号、isdn 线路等）,未经批准，不得擅自复制数据、介质和系统,所有计算机都通过公司 sms 中心管理,强制进行安全培训,限制访问权：严格遵循需知原则 (need-to-know basis),只能通过 ms 监控的代理服务器访问互联网,adsl,恶意软件和补丁管理,back to all tactics,软件更新管理时间表,20%,30%,有漏洞客户端的百分比,48小时,14 天 sms 强制更新开始,24 天,2%,高客户影响,低客户影响,目前攻击所需时间= 6天,平均24天达到98%的机器被更新,24小时,5%,21 天 端口关闭开始,3%,microsoft update; 电子邮件 & itweb 通知 (可选步骤),sms 更新管理 (自愿 强制),ser 扫描和脚本方式得更新,端口关闭,恶意软件防治策略,防病毒软件,网关上的内容过滤,email网关阻止可执行文件,internet网关阻止恶意站点,入侵检测软件,back to all tactics,如何做到全面的信息安全管理,为什么需要培训和沟通?,风险 人的行为是不可预知的,业务驱动力 减少资产和 生产力的流失,挑战 激励主动性的参与,back to all tactics,媒介,技术,持之以恒的用户教育,this document is provided for informational purposes only. microsoft makes no warranties, express or implied, in this document. 2006 microsoft corporation. all rights reserved. this presentation is for informational purposes only. microsoft makes no warranties, express or imp