Slashdot Mirror


Microsoft Security Whitepaper

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

7 of 269 comments

  1. Good to see by H.G. Pennypacker · Score: 5, Interesting

    It is encouraging to see a big security industry leader such as Microsoft make such a public display of its unwavering belief that security through obscurity is not security at all - by publishing an open document on its security infrastructure. Perhaps other large players could take a cue from this (IBM, Sun)?

    --
    -- HG Pennypacker, wealthy industrialist and philanthropist
  2. Smart cards $50??? by terraformer · Score: 4, Interesting
    from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)

    Where does the $50 figure come from? I have two of them in my wallet (AE and Fleet Fusion) and two readers (useless on a Mac) that retail for $29.99 a pop that I got for free being that I was an "early adopter". So where does that $50 really come from? And yes, I read the story, I just want to have a better handle on why someone supposedly "in the know" would throw out a figure like that for a quantity purchase of 65,000.

    --
    Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    1. Re:Smart cards $50??? by rindeee · Score: 4, Interesting

      $50 is cheap for some cards. Depending on the type of card you have there are a lot more things than simply a contact chip involved (multiple frequency radio power/emitters, blah blah blah etc.). $50 is probably a good average figure when one considers the range of cards on the market.

      On a different but related subject, I think that three-factor authentication will become the universal norm...a good thing, methinks. If anyone has seen the new military IDs, they are also CACs for login, med, etc. Very cool once they (EDS) get things to speed up a bit.

    2. Re:Smart cards $50??? by Anonymous Coward · Score: 5, Interesting

      I was thinking along similar lines, then I had a look at the linked document which states:

      "OTG estimated that at a price range of approximately $55-75 per user, including labor for deployment and tool development as well as hardware such as cards and readers, Smart Cards were an inexpensive way to significantly strengthen corporate security."

      So evidently $55-75 per user is a reasonable amount for them to pay for each user inclusive of hardware and software development.

      To be honest it sounds like a lot to roll that out to 65,000 users, but when you consider that this cost is tiny compared to what those guys get paid, the actual investment across the workforce is negligible. I mean if you can afford to pay 65,000 employees, you can afford to spend $55+ on each of them. And considering that a network intrusion might be the outcome of not doing it (See Valve for more information) it's incredibly cheap.

  3. Uh, riiight... by Svartalf · Score: 4, Interesting

    I do believe the issue isn't just code compromise (i.e. putting back doors in...), but in the case of the closed source, finding exploits and backdoors. I need only point to the rationale that MS gave for not disclosing pieces of their source code: it would endanger National Security. Now, either that was a dodge, in which case Allchin should be doing time in at least Club Fed for lying to a judge, or it's the God's truth. If it's the God's truth, being in the open is going to reveal most of those things and get them zoomed right off the bat; if it's closed, only the people working on it know about the code (well, and anyone that manages to see it without them looking...), so you don't have as many people looking over the code in question, so you end up with things like MS Blaster which caused a packet storm from Hell on the Internet.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  4. Re:Real discussion by Anonymous Coward · Score: 5, Interesting

    Thank you! I too tire of the 'ms sucks' posts.

    I work with MS once in a while to get a bug fixed. Like ANY major software out there they have bugs just like the rest of us. Worked with a nice gentleman yesterday. He traced through their code for me. I could have done it if I had the code. But it's their code, and I respect that. They were looking into why an API I use in my code changed after a 'security' hotfix. After an hour of tracing he found that it was wrong. I knew that, but that's ok too, he had to prove it to himself. After all that he told me 'if it's a security hotfix it will not be fixed; you're lucky the code ever worked the way you were using it'. He was right, I knew what they had done and it's a good thing.

    The moral here? They are deadly serious about security. They will not back out a fix just 'cause'. They are fixing the holes that are there.

    I am convinced they are enduring some of the most punishing testing on the face of the planet. To use a term from open source, 'many eyes make all bugs shallow'. They are on a much larger number of desktops than any other OS out there.

    I have never found them 'arrogant', 'loud mouthed', or 'bullying', like I sometimes find on Slashdot about open source. I have found them to bend over backwards to fix ANY bug they have. They do not pounce on it. But they DO fix it. They do not 'hack' it into the code. They test it and make sure it's good. If you act like an ass to them they respond in kind. They have THOUSANDS of bugs to fix and they have prioritized them. They only have so many 'core' developers and they are trying to write new stuff and retrofit old stuff.

    They have a serious challenge. The code is basically done. They now have to go through it ALL and fix things that were never a priority for them. I would cringe at someone coming up to me and saying my code has the same serious problem in every module, and every function. That is basically the problem MS has. And making the code 'open source' would make the problem better in some ways, but much worse in others. Also would you want them to rush out a fix for something? Or test it and make sure it works? Also if you want top shelf support out of MS you need to talk in the language of the corporate world. You need money to wave at them. Otherwise get in line with the thousands of other people.

    Also do not be fooled into thinking that Linux has no 'serious' bugs. They exist; can you say 'rootkit'? If you believe that Linux is secure by default you're living in a dream world, Neo.

    I look at the two systems as tools for me to do things. I have both types of boxes. I use both for many things all the time.

  5. People ask when Linux will lead instead of follow by JimmytheGeek · Score: 4, Interesting

    "The open source world needs to learn a little about UI consistency and try to make things easy to use if any Open Source OS is ever going to be taken seriously on the desktop or in the home."

    Here is an opportunity for Linux to bring something entirely new to the table: UI consistency. The gratuitous UI changes from one Windows flavor to another are deeply frustrating. Finding a particular admin applet is like playing whack-a-mole. As I recall, in NT 3.51 the hard disk management applet was easily reached. Every generation hides it deeper.

    And the default XP screen is really infantile - inspired by Teletubbies. You can see Po and La-la on really hi-rez screens.