Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Security Whitepaper

Posted by michael on from the security-through-asset-classes dept.

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

3 of 269 comments (clear)

  1. Good to see by H.G.+Pennypacker · · Score: 5, Interesting

    It is encouraging to see a big security industry leader such as Microsoft make such a public display of its unwavering belief that security through obscurity is not security at all - by publishing an open document on its security infrastructure. Perhaps other large players could take a cue from this (IBM, Sun)?

    --
    -- HG Pennypacker, wealthy industrialist and philanthropist
  2. Re:Smart cards $50??? by Anonymous Coward · · Score: 5, Interesting

    I was thinking along similar lines, then I has a look at the linked document which states:

    "OTG estimated that at a price range of approximately $55-75 per user, including labor for deployment and tool development as well as hardware such as cards and readers, Smart Cards were an inexpensive way to significantly strengthen corporate security."

    So evidently $55-75 per user is a reasonable amount for them to pay for each user inclusive of hardware and software development.

    To be honest it sounds a lot to roll that out to 65,000 users, but when you consider that this cost is tiny compared to what those guys get paid, the actual investment across the workforce is negligible. I mean if you can afford to pay 65,000 employees, you can afford to spend $55+ on each of them. And considering that a network instrusion might be the outcome of not doing it (See Valve for more information) it's incredibly cheap.

  3. Re:Real discussion by Anonymous Coward · · Score: 5, Interesting

    Thank you! I too tire of the 'ms sucks' posts.

    I work with MS once and awhile to get a bug fixed. Like ANY major software out there they have bugs just like the rest of us. Worked with a nice gentleman yesterday. He traced through their code for me. I have done if I had the code. But its their code, and I respect that. They were looking into why an API I use in my code changed after a 'security' hotfix. After an hour of tracing he found that it was wrong. I knew that, but thats ok too, he had to prove it to himself. After all that he told me 'if its a security hotfix it will not be fixed your lucky the code ever worked the way you were using it'. He was right, I knew what they had done and its a good thing.

    The moral here? They are deadly serious about security. They will not back out a fix just 'cause'. They are fixing the holes that are there.

    I am convinced they are enduring some of the most punishing testing on the face of the planet. To use a term from open source, 'many eyes make all bugs shallow'. They are on a much larger number of desktops then any other OS out there.

    I have never found them 'arrogant', 'loud mouthed', or 'bullying'. Like I find on slashdot sometimes about open source. I have found them to bend over backwards to fix ANY bug they have. They do not pounce on it. But they DO fix it. They do not 'hack' it into the code. They test it and make sure its good. If you act like an ass to them they respond in kind. They have THOUSANDS of bugs to fix and they have prioritized them. They only have so many 'core' developers and they are trying to write new stuff and retrofit old stuff.

    They have a serious challange. The code is basicly done. They now have to go through it ALL and fix things that were never a priority for them. I would cringe at someone coming up to me and saying my code has the same serious problem in every module, and every function. That is basicly the problem MS has. And making the code 'open source' would make the problem better in some ways, but much worse in others. Also would you want them to rush out a fix for something? Or test it and make sure it works? Also if you want top shelf support out of MS you need to talk in the language of the corporate world. You need money to wave at them. Otherwise get in line with the thousands of other people.

    Also do not be fooled by that linux has no 'serious' bugs. They exist, can you say 'root kit'. If you belive that linux is secure by default your living in a dream world neo.

    I look at the two systems as tools for me to do things. I have both types of boxs. I use both for many things all the time.