Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Microsoft Effective Security Practices whitepapers
February 26, 2010
Downloads here.
“Information security is a very dynamic field: legislation keeps changing, technology keeps evolving, and the attacker community continues to be more sophisticated. This turmoil has forced security practitioners to think creatively to address some very difficult problems. Much of this innovation has been locked away within corporations as they have made isolated progress on issues like security metrics, security risk management frameworks, and security policy. In order to address this discrepancy, Microsoft commissioned a whitepaper series to share key security innovations. Whitepaper topics came from participants in Microsoft’s CSO Council - a semi-annual gathering of security executives from leading global organizations who serve as advisors to Microsoft’s Trustworthy Computing group. Our goal is to share practices “from-the-trenches” that address some of the toughest problems in security. After numerous interviews, discussions, and debates with these thought leaders, a collection of effective practices emerged. While much remains to be done, we hope these papers fuel the discussion and help facilitate further sharing in the field of IT security.”
Download here.
“Information security awareness and training is critical to any organization’s information security strategy and operations. People are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Microsoft offers the security awareness toolkit to help organizations plan, develop, and deliver a successful security awareness program. The kit includes a planning guide, templates, pointers to material that can help speed the development of a security awareness program, a sample general security awareness presentation that can be modified and tailored to any organization, material to help articulate the value to peers and managers, and three example awareness campaigns from Microsoft Information Security.”
What If Bill Gates Never Wrote the TwC Memo?
February 24, 2010
Pretty good post here with some security what-if scenarios, such as the above.
The view of someone who was there (regarding the Trustworthy Computing Memo what-if): the Windows security stand-down (aka security push) took place in early 2002, right in the middle of my career at Microsoft. It wasn’t the TwC memo that made 11,000 engineers stop work on the most profitable – and expensive – software project in history; it was the crisis in confidence in the Windows franchise.
The Code Red and Nimda worms had both hit within the preceding six months. There was the perception that Microsoft had not only suffered permanent damage to its reputation, but indeed that its customers were running for the exits and would not be coming back.
Good things came from the situation, however, and the TwC memo was a catalyst. The Windows security stand down was successful inasmuch as it resulted in a massive scrubbing of an enormous legacy code base. This was also the first real-world test of the early Microsoft Security Development Lifecycle processes, including threat modeling, security reviews, and the Secure by Design, by Default, and in Deployment mantra. The benefits of this experience have since been documented, implemented in tools, spread across the company, and made available to Microsoft’s partners and customers.
A frequently overlooked result of the same events which led to the TwC memo: Patch Tuesday. An imperfect solution to a very difficult problem.
A colleague asked a question on this topic last week at a Microsoft briefing: how, as security advocates in our own organizations, can we institute better security training as well as influence developers and other members of the IT organization on the importance of implementing security best-practices?
Answer: SDL content from Microsoft is a good start. They’ve invested big money in this since the XP SP2 days, and have shown good industry leadership. Check out these two resources in particular:
- Microsoft Security Development Lifecycle Core Training classes
- Agile + SDL process template for Team Foundation Server (and, by the way, using TFS, or a similarly robust software lifecycle tool that offers integrated source control and defect tracking, is a security best-practice in itself)
Also check out other stuff on the SDL landing page.
We’ve got all of our servers – and that includes production and test lab ones – virtualized on Hyper-V, and we’re using Restorify to replicate those VM images within our lab. This is good – our lab is getting more efficient and easier to manage.
Next step: move those images offsite. Indeed, Restorify is efficient enough to replicate those images to an offsite server – after all, that’s the whole point of the product.
But here’s the frustrating thing: for a small business, finding an offsite location to park those images is hard. Do we try to find an IT consulting firm to host it for us? It would be wiser, I think, to put that server in a co-location facility, but also more expensive. Worth it?
Anyone used these?
I saw a presentation on the Twitter + CRM integration at the 2009 MS Partner Conference – it looks pretty cool. But the social networking landscape has changed a lot in the past year, and I’m not sure how useful a Twitter-only integration would be. I’d like to see something that can track usage and patterns across Twitter, Facebook, YouTube, blogs, and the main business website.
Server 2003 EOL is this year
February 4, 2010
For those of you who are still running Windows Small Business Server 2003 – and note that my own employer is in that group – be warned that the Windows Server 2003 product family lapses into “extended support” as of this summer.
What’s the difference between mainstream and extended support? Here’s a handy chart (about half-way down). Summary: with extended support, non-security hotfixes are only available via a paid support contract, and you have to enter into the contract within 90 days of the end of mainstream support.
How many small businesses are still running SBS03? A lot. It was a successful product, and there’s been little incentive to upgrade: the SBS03 to 08 upgrade procedure is complex, and hence expensive, and there’s a lack of compelling new features.
Why is SBS08 a let-down?
On the other hand, why doesn’t it bother the typical small business to run almost-10-years-old operating system technology? Heck, we shouldn’t be surprised; there are plenty of firms out there still running critical applications such as accounting software that were originally purchased when the firm was founded, even if that was 20 years ago.
But small businesses do adopt new technologies: VoIP, Yelp, Google Apps, and BPOS all come to mind.
VoIP is a great example because it requires equipment purchase, software setup, and training. So there’s a significant investment there. And yet small firms are buying it in droves. (In fact, the main barrier to adoption of VoIP right now is a lack of qualified IT providers.)
In other words, there are plenty of opportunities still in the SMB market, but they’re changing.
How does this apply to SBS? Why is SBS08 a let-down?
Well, small businesses still need onsite servers: there’s data that can’t be stored offsite, the firms need somewhere to run that 20 year old accounting software, and they need AD for managing their workstations. But they don’t need a new version of Windows Server in order to accomplish those things.
What they need is a Windows Server that offers new things:
- VoIP
- Easy install and upgrade
- Convenient backup features like Home Server
And – can’t forget this “feature” – clear messaging for the partner community, upon whom Microsoft is 100% dependent for SBS sales and servicing, about why SBS is and will continue to be the best platform for an IT servicing business, and why customers should upgrade (end of life doesn’t cut it).
Lacking those things, what has happened is that the rich feature set offered by SBS, which was so compelling 7 years ago, is showing its age. Indeed, it’s seeing stiff competition from Microsoft’s own cloud offerings.
As an advocate of cloud computing, I find myself ironically questioning this apparent assumption on Microsoft’s part: innovation on the Windows Server line is no longer profitable in the SMB market, so let’s ramp that down and migrate those customers to our cloud offerings.
One minor problem with that assumption: IT service providers don’t like the cloud offerings because there’s little revenue opportunity for them there. I think the theory is that they can suck it up and adapt.
But the major question is whether customers want the cloud offerings. How many businesses are ready to store their files offsite, especially with an entity that doesn’t share that “trusted advisor” relationship? In what verticals and scenarios will that migration make sense, and when?
I’m torn on this, because on one hand I believe it’s inevitable. On the other hand, I get more and more feedback that small business customers aren’t ready to move their key LOB data offsite. Is this just the IT service providers talking, or is there really something to this customer pushback? Are these the same customers that are already running hosted Exchange? What’s the difference they see there, and why? (And, again, my employer has some experience with that dichotomy, but it’s not clear to me how it plays out across the market.)
I’m left with the distinct impression that Microsoft is cannibalizing the Windows business in favor of a concept that’s unproven. Don’t get me wrong – Microsoft must invest aggressively in the unproven concept. But if you decrease investment in the current product too dramatically, and then get the timing wrong, you’ll lose the customers on the migration.
Here’s an interesting exercise: compare Microsoft’s net margin to that of Salesforce.com. Spoiler alert: it’s 27.7% versus 6.1% for the most recent reporting.
Hey, Microsoft, do you intend to make software as a service your only offering? No? Well, is the software + services strategy going to work if you don’t continue to treat segment-leading products like SBS like segment-leading products?