Microsoft Security Whitepaper

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

Some people at Microsoft are smart.

And don't you forget that. Microsoft DOES have people with considerable technical skill and knowledge. I'm guessing that the probability of a security breach was calculated by the people who know what they're doing.

The problem is that you don't get to be the biggest software company in the world without selling products. (And Microsoft is arguably the most important software company - although I think overall Linux is more important in it's potential as an equalizer - there is no one single Linux company).

Selling products implies marketing. This is where it goes wrong. The second that product development is driven by marketing telling customers what features they want - things explode. I mean, really - half the crap in Windows and Office was never wanted by customers in the first place.

I'd still prefer to be using BeOS (I loved 5.0, but lack of support for new hardware meant I had to move on), so Windows 2000 is a pretty good compromise for my needs.

Re:more of the same, over and over and over

[mao+che+minh]

We are always scarcastic when it comes to Microsoft's relationship with security because of the many unpaid hours of overtime it has cost us.

I, like many here I would imagine, have to manage a lot of computers. In any common enterprise environment systems tend to range from old Windows 95 systems whom's only purpose is to drive some old piece of software with a very specific function, to Windows 98 and 2000 workstations, to Macintosh boxes for the marketing folk, to Linux servers running enterprise anti-virus solutions, to Netware servers running ZENworks, to 16 processor HP-UX beasts for databases, to OS/2 servers that run physical security systems (like magnetic card readers that grant access to the NOC for certain people/staff).

Of all of these operating systems that we people manage, a disturbing trend of insecurity has always plagued the Windows operating system(s) and the applications that Microsoft pushes for it. For years. Email clients, mail servers, web servers, core OS compenents, or just plain bad OS design that leads to the easy proliferation of things like viruses and worms. ANd worst of all: there is no escape from it. Everyone uses it, the management only wants stuff that is "supported" and/or "warrantied", and let's face it, it gives us job security.

So, when we relax, unwind, and gripe, we tend to end up taking a stab at the shitty software that has absorbed so many of our hours - time that could have been better spent having fun, or with our families, or responding to morons on web forums. You know.