India Security Weeks
I spent the last two weeks on the road as a part of the "India Security Weeks" team, meeting developers, IT Pros, academics and CXOs across India. In all, we conducted around 20 seminars / conferences with the various audiences across 5 cities. It was a huge learning experience.
The traveling party consisted of Detlef Eckert - Chief Security Advisor, Microsoft EMEA, Steve Riley - Program Manager, Security Business Unit, Microsoft HQ, Dave Glover - Developer Evangelist, Microsoft Australia, Ramshankar Krishnan - Group Manager, Microsoft GDCI, Sanjay Sinha - IT Advisor, Microsoft India and myself. Detlef focused on Microsoft's strategy around security, our long-term goals and our progress on this front. Dave talked about security from a developer's perspective: VS 2005 security enhancements, web-services security, and threats at the application layer and how to combat them. Steve gave a lot of insight around network security - the inadequacies of TCP/IP, the advantages offered by IPsec and, most importantly, how we think about security - right from tools and technologies to our choices while defining policies and our actions as end-users in day to day life. Ram, who is part of the team that defines security for our internal IT, made the advice and the best practices offered by the rest of the speakers very real, as he talked about how we internally implement the same principles, and shared our internal process for making our applications more secure. Sanjay and I were in a supporting role.
We received great feedback from the attendees - the speakers were inundated with questions at every seminar / conference we attended. Here are the top 5 common questions we heard and some advice on each:
1. I have a large network and cannot control who gets on the network. How do I handle rogue clients who have no business being on the network?
A: It is no longer feasible to control physical access to a network. The solution is logical isolation: domain members can be configured to accept incoming TCP/IP connections only from other trusted members of the domain. The idea is to use a network-layer protocol, IPsec, to authenticate and integrity-protect (and optionally encrypt) every packet exchanged between members, with each computer proving its identity using its domain credentials. A host whose IPsec policy requires protection on inbound traffic drops packets that do not carry a valid integrity check, so a rogue machine that cannot prove domain membership is simply ignored, even though it has a working network connection. Note that merely requesting protection (rather than requiring it) still lets unauthenticated peers through, and that the infrastructure needed to authenticate in the first place (domain controllers, DNS, DHCP) has to be exempted from the requirement. As usual, all of this can be centrally managed using AD and Group Policy. We call this approach "Server and Domain Isolation." You can find out more about this at Server and Domain Isolation Using IPsec and Group Policy. Microsoft IT uses the same approach internally to secure the Microsoft corporate network. They have published their experience in Improving Security with Domain Isolation - Microsoft IT implements IP Security (IPsec). Both articles are fairly detailed, but quite readable.
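To make the accept/drop decision concrete, here is a small Python model of what a domain-isolated host does with each inbound packet. It is an added example, not code from this post or from the Microsoft guides linked above: the keys that Kerberos would negotiate between two members are simplified to one shared "domain key" that only members hold, the AH-style integrity check is an HMAC over source address, destination address and payload, and the hosts, addresses and payloads are constructed. Besides the basic rule (no valid integrity check, no connection) it shows two things worth checking in any deployment: an inbound policy of Request rather than Require lets a rogue client straight in, and the domain controller must be on the exemption list or members could never authenticate to begin with.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added illustration, not from the page or the Microsoft guides it links to:
# a model of the accept/drop decision a domain-isolated host makes on each
# inbound packet. The IPsec keys that Kerberos negotiates between two
# members are modelled as one "domain key" that only members hold; the
# addresses, hosts and payloads below are constructed.

DOMAIN_KEY = b"constructed-domain-key-that-only-members-hold"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""   # AH-style integrity check value; empty means clear text


def sign_packet(key: bytes, src: str, dst: str, payload: bytes) -> Packet:
    """What an IPsec-protected sender emits: the ICV binds source, destination
    and payload to the key, so a rogue can neither forge nor re-address it."""
    icv = hmac.new(key, f"{src}>{dst}|".encode() + payload, hashlib.sha256).digest()
    return Packet(src, dst, payload, icv)


@dataclass
class Host:
    addr: str
    inbound: str                        # Group Policy setting: None | Request | Require
    exempt: frozenset = frozenset()     # peers allowed in clear text (DCs, DNS, DHCP)
    key: bytes = b""                    # empty for a machine that is not a domain member

    def accept(self, pkt: Packet) -> bool:
        if pkt.dst != self.addr:
            return False
        if pkt.icv:
            # Protected traffic is accepted only if the ICV verifies under our key.
            expected = hmac.new(self.key, f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload,
                                hashlib.sha256).digest()
            return bool(self.key) and hmac.compare_digest(expected, pkt.icv)
        # Clear text: "Require" drops it unless the peer is on the exemption list;
        # "None" and "Request" both let it through, which is why Request alone
        # does not isolate anything.
        if self.inbound == "Require":
            return pkt.src in self.exempt
        return True


def isolation_report() -> dict:
    """Run the constructed scenario and return who gets through to whom."""
    dc, member, rogue = "10.0.0.10", "10.0.0.30", "10.0.0.99"
    strict = Host("10.0.0.20", "Require", exempt=frozenset({dc}), key=DOMAIN_KEY)
    lax = Host("10.0.0.21", "Request", key=DOMAIN_KEY)
    good = sign_packet(DOMAIN_KEY, member, strict.addr, b"SMB session setup")
    return {
        "member -> Require host": strict.accept(good),
        "rogue clear -> Require host": strict.accept(Packet(rogue, strict.addr, b"SMB session setup")),
        "rogue guessed key -> Require host": strict.accept(
            sign_packet(b"guess", rogue, strict.addr, b"SMB session setup")),
        "rogue re-addressed member packet": strict.accept(
            Packet(rogue, strict.addr, good.payload, good.icv)),
        "domain controller clear -> Require host": strict.accept(Packet(dc, strict.addr, b"Kerberos AS-REP")),
        "rogue clear -> Request host": lax.accept(Packet(rogue, lax.addr, b"SMB session setup")),
    }


if __name__ == "__main__":
    for case, accepted in isolation_report().items():
        print(f"{'ACCEPT' if accepted else 'DROP  '}  {case}")
```

Running it prints one line per case; the only clear-text packet the Require host accepts is the one from the exempted domain controller, while the Request host accepts the rogue's clear-text packet without complaint.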
2. I want to provide users remote access to my company's network. What are the risks? What steps should I take?
A: Providing remote access securely takes a combination of several technologies. There is a guide titled Introduction to Remote Access Services which provides a prescriptive architecture. The basic idea is to adopt a defense-in-depth approach: no single control (the VPN, the firewall, the authentication method, the health of the connecting machine) is trusted to do the whole job. As usual, Microsoft IT adopts (and often originates) the best practices we prescribe. Have a look at how we manage our own remote access in Security Enhancements for Remote Access at Microsoft.
3. How do I protect my data from being stolen?
A: Put access control on the data itself, and not just on the medium of access. Windows Rights Management Services (RMS) provides a way of doing this. In short, the idea is as follows:
A user wanting to protect a document needs to be a trusted entity in the Rights Management system, i.e. enrolled with the RMS server. He uses Microsoft Office to define permissions on the document: who may view, edit, print or forward it (by default the permission is unrestricted access). Office encrypts the document with a fresh symmetric content key and places that key, encrypted to the RMS server's public key, in a publishing license together with the usage rights and conditions the author specified. Because only the RMS server holds the matching private key, nobody can open the document without going back to the server. When a recipient opens the document, the client sends the publishing license to the RMS server, which issues a use license (containing the content key and that user's rights) only if the user is a) trusted by RMS, and b) was granted rights by the creator of the document, as recorded in the publishing license. The application then enforces those rights, so the protection travels with the file rather than with the share or mailbox it happens to sit in.
Ok, if that was cryptic, you may want to read Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use. For more details, check out Windows Server 2003 Rights Management Services (RMS).
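For readers who prefer code to prose, here is a runnable model of the flow in Python. It is an added example, not Microsoft's RMS implementation: a SHA-256 keystream stands in for AES, a key held only by the server stands in for the server's RSA key pair, and the users, memo and grants are constructed. What it is meant to show is the point of the answer: the protected file is ciphertext plus a license, a copy of the file is useless without a use license from the server, the server issues one only to a trusted user the author named and only with the rights the author gave, and editing the license on disk to grant yourself more rights breaks its signature.

```python
import hashlib
import hmac
import json
import os

# Added illustration, not Microsoft RMS code: a runnable model of the
# publish / use-license flow described above. A SHA-256 keystream stands in
# for AES, and keys held only by the server stand in for the server's RSA
# key pair; users, the memo and the rights granted below are constructed.


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Symmetric: the same call
    encrypts and decrypts. Stand-in for AES, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, data: bytes) -> dict:
    """Encrypt under a fresh nonce; the dict is what gets stored or sent."""
    nonce = os.urandom(16)
    return {"nonce": nonce.hex(), "ct": toy_cipher(key, nonce, data).hex()}


def unseal(key: bytes, box: dict) -> bytes:
    return toy_cipher(key, bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"]))


class RmsServer:
    """Stand-in RMS server: sole holder of the key that unwraps content keys,
    plus the set of users the directory trusts."""

    def __init__(self, trusted_users):
        self.trusted_users = set(trusted_users)
        self._sign_key = os.urandom(32)   # these two never leave the server
        self._wrap_key = os.urandom(32)

    def _sign(self, body: str) -> str:
        return hmac.new(self._sign_key, body.encode(), hashlib.sha256).hexdigest()

    def issue_publishing_license(self, author, content_key, rights) -> dict:
        """Publish step: wrap the content key and sign the rights the author
        chose. The server never sees the document text."""
        if author not in self.trusted_users:
            raise PermissionError(f"{author} is not trusted by RMS")
        body = json.dumps({"author": author,
                           "rights": {u: sorted(r) for u, r in rights.items()},
                           "wrapped_key": seal(self._wrap_key, content_key)}, sort_keys=True)
        return {"body": body, "sig": self._sign(body)}

    def issue_use_license(self, user, pub_license) -> dict:
        """Use step: release the content key only to a trusted user the author
        granted rights, and only with exactly those rights."""
        body = pub_license["body"]
        if not hmac.compare_digest(pub_license["sig"], self._sign(body)):
            raise PermissionError("publishing license has been tampered with")
        if user not in self.trusted_users:
            raise PermissionError(f"{user} is not trusted by RMS")
        fields = json.loads(body)
        rights = fields["rights"].get(user)
        if not rights:
            raise PermissionError(f"{user} has no rights on this document")
        return {"user": user, "rights": set(rights),
                "content_key": unseal(self._wrap_key, fields["wrapped_key"])}


def protect(server, author, plaintext, rights) -> dict:
    """Client publish: encrypt locally under a fresh content key and attach
    the publishing license. The file is now ciphertext plus license."""
    content_key = os.urandom(32)
    return {"box": seal(content_key, plaintext),
            "license": server.issue_publishing_license(author, content_key, rights)}


def open_document(server, user, doc):
    """Client use: (plaintext, rights) on success, (None, reason) otherwise.
    A conforming client consults `rights` before printing, copying or forwarding."""
    try:
        use_license = server.issue_use_license(user, doc["license"])
    except PermissionError as e:
        return None, str(e)
    return unseal(use_license["content_key"], doc["box"]), use_license["rights"]


def forge_rights(doc, user, right) -> dict:
    """What editing the license on disk yields: an extra right, original signature."""
    fields = json.loads(doc["license"]["body"])
    fields["rights"].setdefault(user, []).append(right)
    return {"box": doc["box"],
            "license": {"body": json.dumps(fields, sort_keys=True), "sig": doc["license"]["sig"]}}


# Constructed sample: a trusted directory, one memo, two grants.
SERVER = RmsServer({"alice", "bob", "carol"})
MEMO = b"Q3 plan: acquire Contoso. Do not forward."
DOC = protect(SERVER, "alice", MEMO, {"alice": {"view", "edit", "print"}, "bob": {"view"}})

if __name__ == "__main__":
    for who in ("bob", "carol", "mallory"):
        print(who, "->", open_document(SERVER, who, DOC))
    print("bob with forged print right ->", open_document(SERVER, "bob", forge_rights(DOC, "bob", "print")))
```

Bob gets the memo back with the single right "view"; Carol is trusted but was not named, so she gets a refusal; Mallory is not in the directory at all; and Bob's attempt to add "print" to his own license is rejected before the server even looks at who is asking.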
4. It is difficult to manage the various patches Microsoft keeps issuing. Besides, these patches break existing applications. What should I do? How is Microsoft helping me?
A: We are attacking this problem from two perspectives: consistency and quality. Consistency means that we give you the same patching experience irrespective of the product / technology being patched, which should reduce the extra effort per patch significantly. More on this in Standardizing the Patch Experience. Quality means every patch that reaches you has been tested rigorously before we release it. More on this in Understanding Patch and Update Management: Microsoft's Software Update Strategy. That said, no amount of testing on our part replaces testing the patch in your own environment before you deploy it: we cannot test against your applications and your configuration. This testing has a cost, and we can help to some extent with Virtual Server, so that a patch can be tried on a virtual copy of a server before it touches the real one, but testing a patch before you deploy it is essential. This situation will certainly improve in future, but the need to test will not go away.
5. I do not know if my applications are secure. How do I find out? How do I make them secure?
A: This is as much a problem for us at Microsoft as it is for everyone else. Our product teams developed a structured approach called "Threat Modeling" to help ensure that we write secure code. It is now used not only by our product teams but also by our internal IT.
In short, the idea is this: 1) analyze your system's security (what it does, what it trusts, where data enters and leaves), 2) understand the attacker's perspective of your system, 3) enumerate the threats and decide on a countermeasure for each. The process is described in detail at http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp. There is a tool that allows creation of threat models, which can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en. The tool was written by Frank Swiderski, who has also written a book on the subject.
Couple of other good resources on the subject:
1. Writing Secure Code by Michael Howard and David LeBlanc. Seminal work. Required reading at Microsoft.
2. Top Ten Security Tips Every Developer Must Know by Michael Howard and Keith Brown.
3. Improving Web Application Security: Threats and Countermeasures on Patterns and Practices.
4. Patterns and Practices have just released Threat Modeling Web Applications. Read it today!
I am sure Steve, Dave and Ram will be blogging about their experience and providing more insights into the topics I have given above. Do check out their blogs. BTW, we video recorded the MSDN and TechNet sessions in Bangalore and are making them available online along with the presentations. I will post the link as soon as the content is ready.
On a personal note, I think I have made some new friends - it was a motley crew I was traveling with, but there were a couple of common traits. One, they are all very professional people - dedicated to their work, about which they think deeply. Second, they are all very good human beings - unassuming, down to earth and great fun to be with. I enjoyed myself thoroughly and am looking forward to meeting them once again!