Slashdot Mirror


Microsoft Security Whitepaper

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000-node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 apiece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

2 of 269 comments

  1. Why it isn't interesting to read : by Rosco P. Coltrane · Score: 0, Flamebait

    Given Microsoft's track record of implementing security through secrecy, you can bet that either ...

    1) They're not doing at all what's in the white paper, and therefore you should not use/implement security, or try to break Microsoft's based on what's in it (read: the document is useless)

    2) They've described the 25% least important security measures they've taken, leaving out the juicy bits, in which case the document is also useless.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  2. It's not a "Whitepaper"; it's a social breakdown. by Futurepower(R) · Score: 0, Flamebait

    From the parent comment: "Did any of the idiots commenting on this story with sophomoric [statements] ... even start to read the Whitepaper?"

    The first section of the paper is an "Executive Summary". The second section is "Introduction: OTG Mission and Priorities". Think about it for a while.

    Did you notice the acronym that is not defined? Did you notice the next two paragraphs? Look:
    Microsoft Mission:
    Enable people and businesses throughout the world to realize their full potential.

    OTG Mission:
    Proactively deliver IT infrastructure and applications that exceed defined expectations of our clients, customers, and partners-making it easy to work anywhere at any time.

    The "Microsoft Security Whitepaper" is as comment #7540789 says, all nonsense. The paper is evidence of a social breakdown at Microsoft. Someone at Microsoft is not making sense, and no one else there notices it.

    Don't think this is correct? Then what is the difference between "Proactively deliver" and "deliver"? What are "defined expectations"; how are they different from expectations?

    Isn't this sentence a bit grandiose? "Microsoft Mission: Enable people and businesses throughout the world to realize their full potential." Does this mean Microsoft will begin providing free education?

    Isn't it grandiose to say that the mission is "making it easy to work anywhere at any time"?

    What is "partners-making"? It's a typo, that's what, and no one noticed the typo, even though it is at the beginning of the article. They mean "partners -- making..." Or maybe "partners-making" is playing cupid. No one noticed the typo because no one read the article, or even those first paragraphs of the article.

    I'm not trolling. I'm serious. There is a social breakdown occurring at Microsoft, and this is just one symptom of it. I'm not saying it is the same as the social breakdown at Enron or Anderson Consulting or Tyco, but it is a social breakdown nevertheless.

    Why isn't OTG defined in the "whitepaper"? Because it doesn't matter. No one is depending on the article for anything, and they probably aren't reading it. OTG stands for Operations and Technology Group, or Operations & Technology Group, or Operations Technology Group. Sometimes two names for the group appear in one document.

    When an organization begins producing nonsense documents like the "Microsoft Security Whitepaper", something is terribly wrong. That paper is just one small example. There are many.