Microsoft IT Information Security Strategy (微软TI信息安全策略.ppt)

Uploader: 文库蛋蛋多 | Document ID: 2404735 | Uploaded: 2023-02-17 | Format: PPT | Pages: 36 | Size: 17.90 MB

Microsoft IT Information Security Strategy

Agenda
- World-class operations
- Microsoft's best customer for its own products
- Large-scale technology deployment

A brief look at the Microsoft IT environment
- 4 data centers, 8K production servers, 7K virtual machines, 100+ countries
- 300K System Center 2012 managed computers, 900K devices, 160K end users
- 100%+ users use Lync for telephony
- 175K+ Windows 8 clients, 70K Office 2013, 122K+ SharePoint sites on 2013
- Windows domains and infrastructure services all run Windows Server 2008 R2
- SAP single instance on SQL Server 2008 R2
- 2M remote connections per month, 20M spam mails filtered per day
- World's largest corporate website: 1.2B hits per day, 755K concurrent, 300 GB per second

Microsoft IT vision and goals: the Real-Time Enterprise
- Delight Customers: enable unprecedented intimacy with customer experiences
- Connect the Company: enable high-speed, zero-latency, "straight through" processes
- Inspire the Industry: inspire the industry & our people with our innovative use of Microsoft products & services
MSIT will help Microsoft achieve its full potential by transforming it into a real-time enterprise that connects the company, delights our customers, and inspires the industry with our use of Microsoft technology.

Microsoft IT strategy
We DELIVER IT solutions and services that drive innovation and BUSINESS VALUE.
Pillars: strengthen partnerships with business units; simplify the platform; drive company profit growth; continuous innovation; invest in people; optimize IT.
Goals: unified demand management that meets global business needs; support and drive company profit growth; continuously improve and innovate IT Showcase; a global integrated people-management strategy; higher customer satisfaction with IT services.
Focus areas:
- Sustainable organization, staff expertise, more efficient use of resources, stronger leadership and inclusiveness
- 3-year business-requirements roadmap, business-unit satisfaction analysis, business value realization
- Influence product strategy, improve product quality, accelerate the product innovation cycle
- Vendor management, demand management, risk management, automation and reuse, optimized FTE/vendor mix
- 3-year architecture roadmap, reduced complexity, data rationalization, a single global platform
- Executive engagement, 1:1 or 1:many customer assistance, tailored internal best-practice sharing material

Different perspectives on information security
From management, risk-control and compliance requirements down to concrete management practice: what the Microsoft CISO worries about.

Main challenges for information security management
Where information lives: exchanges in progress, databases, removable storage, shared networks, communication devices, mobile endpoints, online applications, outsourced third parties, the data itself. The task is managing the whole information lifecycle.

How Microsoft protects data and information internally (Microsoft Data Protection Solution)
- AD Plus KPI encrypt: security technology that protects digital content wherever it goes, designed for those who need to protect sensitive web content, documents and email. The content owner sets strict rules for which users can open, read, modify and redistribute specific content.
- PKI encrypt: EFS encrypts with certificates and protects user data transparently.
- Partition encrypt: Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating-system volume and so better protects the computer's data.
Technologies: EFS, BitLocker, AD RMS.

Mission and vision of Microsoft IT information security management
Cycle: Assess Risk, Define Policy, Monitor, Audit.
Mission: The Corporate Security group's core functions support the Microsoft IT mission by managing risk to an acceptable level.
Risk management framework: Investing in a risk management process with a solid framework and defined roles and responsibilities prepares the organization to articulate priorities, plan to mitigate threats, and address the next threat or vulnerability to the business. To better manage security risks, the Corporate Security group follows a traditional risk management approach consisting of an iterative four-phase process (MOF-ITIL).
Five information security visions:
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Roles and accountability are clearly defined
- There is a timely response to risks and threats

Basic principles of Microsoft IT information security management
Key areas for evaluating risk and determining the optimal solution to support the business:
- Leadership and management layer: manage risk according to business objectives; define organizational roles and responsibilities
- User and data layer: manage to the practice of least privilege; strictly enforce privacy rules
- Application development layer: build security into the development life cycle; create layered defense and reduce the attack surface
- Operations and maintenance layer: integrate security into the operations framework; align monitor, audit and response functions to operational functions

Microsoft IT end-to-end information security strategy (scenarios, processes and tools, capabilities)
- Windows Standard User Accounts, User Account Control and AppLocker, Modern Applications, Defender: maintain software with a patch management solution; deliver software that is secure by design; operate a malware-resistant platform and applications; defend against malware threats
- Windows 7 BitLocker, MDOP BitLocker Administration and Monitoring, Office Information Rights Management (IRM), Office Encrypted File System, Active Directory Rights Management Services: secure data at rest with encryption; protect data in motion with encryption; protect data in use with access controls
- Active Directory, DirectAccess, Network Access Protection, Dynamic Access Control: manage the full identity lifecycle; validate user identity with strong authentication; secured and always-connected remote access; protect resources as the environment changes
- Secured Boot, Measured Boot, Protected View, IE SmartScreen

Microsoft information security architecture

Secure remote access and network isolation
- Smart cards; remote system health checks; connection management and isolation through RAS
- Risks: malicious users; malware
- Two-factor authentication; remote access with strict authentication; network isolation overview

Wireless network security
- Policy and solution: wireless access policy; strengthened security protocols; VLAN and domain separation; centrally managed access points; Guest Internet Access; automatic rogue-AP detection
- Technology: WPA & WPA2; 802.1X, EAP & RADIUS; Aruba Access Points; NAP; IPsec between the wireless infrastructure and the RADIUS servers; Aruba user and firewall security features to enforce Least Privileged Access

Strong password policy
- Control: enforced through Group Policy in Active Directory
- Security-101 training to educate users
- Future: MIIS self-service password reset; no password at all
- Minimizing privileged users and separating administrative duties: Least Privileged Access (LPA)

Protecting and managing mobile devices
- Challenge: the environment includes managed devices (laptops) and unmanaged devices (smartphones, PDAs)
- Risks: unmanaged devices; usernames/passwords and cached account information; passwords transmitted in cleartext; data and account information on lost or stolen devices being compromised

Information security management for source code and outsourced offices
Offshore outsourcing center InfoSec requirements:
- All computers must be domain-joined
- All networked devices and servers are managed by MSIT (labs excepted)
- Wireless signals are controlled
- No alternative or external connections (DSL, analog, ISDN lines, etc.)
- No copying of data, media or systems without approval
- All computers are managed through the corporate SMS site
- Mandatory security training
- Restricted access rights, strictly on a need-to-know basis
- Internet access only through MS-monitored proxy servers

Malware and patch management
Software update management timeline (chart: percentage of vulnerable clients over time, high client impact versus low client impact; plotted values 20%, 30%, 5%, 3%, 2%). Milestones: 24 hours; 48 hours; 14 days, SMS forced update begins; 21 days, port shutdown begins; 24 days. Current time-to-attack = 6 days; on average 98% of machines are updated by day 24.
Steps: Microsoft Update; email & ITWeb notification (optional step); SMS update management (voluntary, then forced); SER scanning and scripted updates; port shutdown.

Malware defense strategy
- Antivirus software
- Content filtering at the gateways
- Email gateway blocks executable files
- Internet gateway blocks malicious sites
- Intrusion detection software

How to achieve comprehensive information security management
Why training and communication?
- Risk: human behaviour is unpredictable
- Business driver: reduce loss of assets and productivity
- Challenge: motivating proactive participation
- Means: media, technology, persistent user education

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, MS-DOS, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Access to isolated areas and source code management
- Access granted by project need
- Physical access: a dedicated team is responsible
- Logical controls: the project team is responsible

Lessons from Microsoft IT operations practice
- Start from the whole picture and consider everything
- Standardized, systematic implementation, top-down and process-driven
- Ambitious IT goals, the right IT staff, and a sense of responsibility to deliver
- Challenges overcome: 802.1 secure wireless; Active Directory policy requiring certificates; Encrypting File System; smart cards for remote access; domain joining; rolling out a personal security PIN policy

Microsoft's collaborative business model for information security management
Information Security Embedded in the Business: Microsoft IT Information Security, Trustworthy Computing, On Line Services Information Security, Stakeholders.
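The update timeline in the malware and patch management slides (SMS forced updates from day 14, port shutdown from day 21, 98% of machines patched by day 24) can be turned into a simple compliance check over a client inventory. This is an added example, not code from the presentation or from Microsoft IT; the inventory, the release date and the host names are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Milestones from the slide's update timeline, in days after a patch release.
SMS_FORCED_DAY = 14       # SMS update management switches from voluntary to forced
PORT_SHUTDOWN_DAY = 21    # network port shutdown begins for still-unpatched clients
TARGET_COMPLIANCE = 0.98  # slide target: 98% of machines patched (on average by day 24)

@dataclass
class Client:
    host: str
    patched_on: Optional[date]  # None: the update was never installed

def enforcement_stage(release: date, today: date) -> str:
    """Stage of the timeline that applies to any client still vulnerable today."""
    age = (today - release).days
    if age < SMS_FORCED_DAY:
        return "voluntary"      # Microsoft Update, email/ITWeb notice, SMS voluntary
    if age < PORT_SHUTDOWN_DAY:
        return "sms-forced"
    return "port-shutdown"

def compliance(clients: List[Client], release: date, today: date) -> Tuple[float, str, List[str]]:
    """Fraction of clients patched by `today`, the active stage, and the vulnerable hosts."""
    vulnerable = sorted(c.host for c in clients
                        if c.patched_on is None or c.patched_on > today)
    return 1 - len(vulnerable) / len(clients), enforcement_stage(release, today), vulnerable

def days_to_target(clients: List[Client], release: date) -> Optional[int]:
    """First day after release on which compliance reaches the 98% target (None if never)."""
    for d in range(0, 366):
        patched, _, _ = compliance(clients, release, release + timedelta(days=d))
        if patched + 1e-9 >= TARGET_COMPLIANCE:
            return d
    return None

# Constructed sample inventory (not real data): 98 clients patch on days 0..24 after
# an arbitrary placeholder release date, and two never patch at all.
RELEASE = date(2013, 3, 12)

def day(n: int) -> date:
    return RELEASE + timedelta(days=n)

SAMPLE = [Client(f"ws{i:03d}", day(i % 25)) for i in range(98)] + \
         [Client("ws098", None), Client("ws099", None)]

if __name__ == "__main__":
    for n in (5, 14, 21, 24):
        print(n, *compliance(SAMPLE, RELEASE, day(n))[:2], days_to_target(SAMPLE, RELEASE))
```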
