Microsoft outlined the current state of its security initiatives Thursday during a presentation at the company's Silicon Valley campus, detailing the multifaceted strategy being hatched in Redmond.
In providing specifics on everything from Windows XP Service Pack 2 to remote-authentication practices, two high-ranking executives discussed how Microsoft is implementing the protections inside the company, as well as what users can expect over the next several months.
Rich Kaplan, corporate VP of security business and technology marketing, said Microsoft is focusing on four general areas: reducing the impact of malicious software on company networks, improving system and application access control, developing more secure and reliable software products, and providing better guidance to customers on how to plug security holes. But as with all security-related issues, Kaplan provided a disclaimer--namely that so long as companies run networks in which systems and apps talk to each other, and that connect to the outside world, no security approach will be bulletproof. "This isn't just about securing everything," Kaplan said. "You can secure everything easily if you don't connect it to anything else."
Microsoft itself certainly doesn't have that luxury, as new CIO Ron Markezich pointed out. With 300,000 devices on its network (more than five for every employee), 403 buildings, and 7 million remote connections each month, Markezich has his work cut out for him. And the potential sources of security threats keep multiplying, Markezich said. Instant messaging is picking up steam, yet E-mail traffic is unaffected by that growth--and of the 8 million external E-mails that enter Microsoft's network each day, 7 million are deleted as spam, he said. Microsoft maintains an extranet for enabling collaboration with external business partners, and the company's always-expanding base of source code is an intellectual-property asset whose protection is one of the IT department's top priorities.
As a result, Markezich and his staff serve as the ideal test bed for ensuring that the steps Microsoft is taking on the security front are effective. "You can think of my network as a large lab," he said. In terms of perimeter defense, Microsoft has begun using smart cards to control remote access to its network and also uses a tool called Connection Manager to prevent the introduction of malicious software. In the network's interior, patch deployment is key, as is the use of a technology called IPSec, which prevents untrusted devices from connecting with trusted ones, for protecting the valuable source code.