Microsoft on open source and security

Date post: 12-Apr-2017
Upload: david-voyles
Technical Evangelist DaveVoyles.com @DaveVoyles
Transcript

Microsoft + Open Source Momentum

Dead and buried: Microsoft's holy war on open-source software

Years ago, Microsoft's CEO described open source as a cancer. Times have changed. Just ask 22-year Redmond veteran and open-source proponent Mark Hill.

Charles Cooper

Redmond top man Satya Nadella: 'Microsoft LOVES Linux'

Neil McAllister

Microsoft: the Open Source Company

This is not your dad's Microsoft

Steven J. Vaughan-Nichols

Source: Tweet by John Papa (Google Developer Expert, Microsoft Regional Director and MVP)

Azure Container Service is different and offers the broadest hint yet that Microsoft wants to build real products with open source, not merely leverage it where it's convenient

Serdar Yegulalp

[Script]: We've seen some major milestones recently in working with open source communities and in delivering an open cloud platform. From significantly increased engagement with open source developers to making the full server-side .NET stack open source and betting big on Docker containers, we're showing that openness is ingrained in our approach to business. As we help our customers and partners on their journey to the cloud, we at Microsoft believe that an open approach is the only way to help them take full advantage of cloud services while leveraging existing investments.


10+ Years of Open Source Involvement

2015

Docker on Microsoft Azure

O365+Moodle Integration

[Script]: This hasn't happened overnight. These recent announcements are part of a sustained commitment that has been going on for more than 10 years now, working with open source communities and ensuring open source software runs with high performance on our platforms. For example, we have been investing in building a first-class implementation of PHP on Windows for many years, which has enabled us to deliver an Azure Web Apps offering that includes high-performance, hyper-scale PHP support.

The world is changing, and it's changing fast. Let me share with you where Microsoft is focused for the future.


We're Reimagining Microsoft

Our Mission: We will empower every person and every organization on the planet to achieve more.

Our Strategy: Build the best-in-class platforms and productivity services for the mobile-first, cloud-first world.

Our Ambitions: Create more personal computing; Reinvent productivity & business processes; Build the intelligent cloud platform.

Note to presenter: It's important to emphasize the word "Empower", as we pick up on this in a later slide.

[Script]: Every great company has an enduring mission. We've challenged ourselves to think about our core mission, our soul: what would be lost if we disappeared?

We will empower every person and every organization on the planet to achieve more. We have unique capabilities in harmonizing the needs of both individuals and organizations. This is in our DNA. Perhaps on the planet is the most important and interesting idea in that statement. We care deeply about making a difference in lives and organizations in all corners of the planet.

Our strategy is to build best-in-class platforms and productivity services for a mobile-first, cloud-first world. Our platforms will harmonize the interests of end users, developers and IT better than any competing ecosystem or platform. We will realize our mission and strategy by investing in three interconnected and bold ambitions.

Again, doing so isn't simply good business. It's playing a part in the most fundamental of human activities: creating tools that enable each of us to continue our journey to become something more. In summary, we want to empower you to achieve more!

Your Infrastructure is a Function of Time

How do you plot your journey to the cloud?

The Landscape of Now!

[Script]: When customers are considering a move to the cloud, they obviously start with the infrastructure they have in place, and this can include many different technologies, including open source software (OSS), which have been acquired over the years, as well as different standards, frameworks, and programming languages. We call this the Landscape of Now. This isn't a bad thing, but it's a management challenge as customers consider their cloud strategies.

As a result, customers have many questions: How do we standardize? How do we make sure that we are betting on the right technology? What about security and privacy? Do we have the right skills in place?

It is our mission to empower our customers to achieve more by helping them answer these questions and guiding them through their journey to the cloud on the Microsoft platform. So, how do we do that?

The Microsoft Open Approach

For your journey to the cloud

Empowering Customers

By EnablingChoice

To Provide a Trusted Cloud

Freedom to Choose

Freedom to Change

Optimal Value

Vibrant Local IT Economy

X-Platform

Open Standards

Interoperability

Open Source Ecosystem Engagement

Secure

Privacy & Control

Compliance

Transparent

[Do not read this comment to the customer: This is the most important slide in this deck. It has been precisely crafted based on customer and partner feedback to make a VERY strong argument that puts Microsoft ahead of AWS and Google cloud services. It uses the very powerful, proven approach of first establishing the unique WHY of Microsoft (Empowering Customers) vs. AWS and Google, aligning Microsoft with some of the traditional customer preference drivers for open source, such as choice, freedom, and investment into the local economy.

The 2nd pillar then explains HOW we build our cloud services (Enabling Choice), which gives us an opportunity to dispel myths about our openness and establish ourselves as equals to AWS and Google in our commitment to x-platform support, interoperability and use of open standards and open source software.

Finally, we explain WHAT we deliver as a cloud service (A Trusted Cloud), where we have a very strong message, far superior to AWS and Google, which aligns our cloud offering with the customer preference drivers for data privacy & security and transparency about how we access & manage their data.

The script below includes proof points for each of the bullets on the slide. We have also included additional hidden slides with many more proof/data points for each pillar; review them so you are better prepared and can have a more fruitful conversation with your customer.]

[Script]: Our open approach is designed to help customers realize the value of their open source investments with our trusted cloud.

[Click to reveal the Empowering Customers pillar] At the core of this approach is the concept of empowering our customers. From Microsoft's very first day we've been all about empowering customers. In the early days our tagline was "Making it Easier", later we switched to helping you "Realize your Potential", and you saw in an earlier slide that today we're all about "Empowering you to achieve more". We empower you by giving you the freedom to choose the technologies you want to use in our cloud, and then by giving you the freedom to change not just technologies, but solution providers, vendors and deployment models. We're all about empowering you to take your journey to the cloud and to be able to switch between cloud and on-premises so you can optimize your value based on your mix of security, privacy, performance and cost variables. And lastly, we empower you by giving you a choice of partners through our continued commitment to build a vibrant local IT economy in every country, including local open source specialist partners. Our investment into building the Microsoft partner community in each country has tremendous economic benefit because for every dollar earned by Microsoft, the local Microsoft partner community earns more than eight dollars through product and services fees. In addition, our ongoing commitment to citizenship has resulted in extensive investments in this country, far outweighing anything that AWS or Google have managed to do, and this is the same in every other country we operate in.

In summary, empowering customers is about freedom of choice, it's about freedom to change and move your data where you choose to put it, it's about the maximum value at the lowest possible cost based on your risk profile, and it's about stimulating your local economy.

[Click to reveal the Enabling Choice pillar] We are able to provide this choice because of our commitment to x-platform support for both Windows and Linux, as well as our commitment to other device platforms like iOS and Android. You have probably seen how we have recently re-engineered some of our flagship products and services like Office, OneNote and OneDrive and made them readily available on iOS and Android. We participate in over 150 standards bodies and 400 standards working groups to help define open standards and to give us the opportunity to leverage those open standards, so that our services can be accessed via open protocols and data formats from any operating system or programming language. Furthermore, we support a variety of other languages, run-times, web servers, databases, and so forth on our cloud platforms, just as we do today on-premises. We also engage deeply with the global open source community and contribute to key open source projects. For example, the Azure engineering team has committed to engage, contribute and release open source code as part of our development process and has done so for the last 3 years, and we are key contributors to the Hadoop, Node.js and Linux projects. Finally, to illustrate how serious we are about engaging in the open source ecosystem in the deepest way possible, the President of the Apache Foundation, Ross Gardler, is a full-time employee of Microsoft (http://www.apache.org/foundation/).

At Microsoft we believe that HOW we empower customers is by Enabling Choice

[Click to reveal the Provide a Trusted Cloud pillar] And why are we making this effort? To provide you with the most trusted cloud environment. Today, Microsoft supports more than 200 online and cloud services, a billion customers, and 20 million businesses in more than 76 markets worldwide. We know that our customers want to use technology they trust. Establishing trust with customers starts with addressing four fundamental areas: security, privacy, control and transparency. We commit to a Secure cloud from the client all the way through the pipe and through the back end. Microsoft has very stringent certifications for security. Our datacenters are equipped with state-of-the-art physical security measures. We operate a 24x7 incident response team to mitigate threats and attacks, and we encrypt data between you and our data centers. We also protect your stored data with built-in tools and provide access to further encryption capabilities. Being secure, however, isn't enough by itself; privacy is also critical. Privacy is all about you being in control of who can see and access your data and under which terms and conditions. More importantly, you should always have access to your content, and should be able to delete it or take it with you if you leave. Microsoft allows you to keep your data in your region, and in some cases inside your country, and we will not use your data for advertising or commercial purposes. Microsoft is the only HyperScale vendor that meets the highest standards and certifications for privacy in the industry today, and we were the first major cloud provider to adopt the world's first international standard for cloud privacy, ISO/IEC 27018, in February of 2015. By default, no one at Microsoft has access to any customer data, and if access is required for administration purposes, that access is temporarily granted and it is recorded in a log that the customer can review 24 hours a day, 365 days a year.
It is critical that customers have Control of their data at all times. As a HyperScale vendor, Microsoft has datacenters in many regions of the world and therefore operates in many legal jurisdictions which have different laws regarding data sovereignty and privacy. To manage this complexity, Microsoft gives customers the tools to choose which data centers they want to use to store their data, so that they remain in total control of their privacy. We are also dedicated to Compliance with every region's cloud certifications, like FISMA or HIPAA or any other regional or industry certification, and we will make sure that our data centers meet the standards. The last tenet of our trusted cloud environment is Transparency. We publish detailed information about our processes and our practices so customers can monitor how we manage their data and who has accessed it. The Microsoft Law Enforcement Request report is one of the ways in which we provide transparency about requests for customer data from governments around the world. By being transparent, giving customers the tools to manage their privacy, and implementing strict security policies, we believe that we provide the most Trusted Cloud, one that is superior to our competitors. To summarize, Microsoft's Open Approach is about adhering to some key principles that empower our customers. We deliver that by providing a wide range of choices in a cross-platform and interoperable way with open standards, resulting in the MOST Trusted Cloud.

Microsoft Azure is an Open Cloud

We've delivered an open, broad, and flexible cloud across the stack (Hyper Scale, Enterprise Grade, Hybrid):

Infrastructure: hundreds of community-supported images on VM Depot

Databases: SQL Server

App Frameworks

Applications: Web App Gallery with dozens of .NET & PHP CMS and web apps

Management

Clients

One in Four VMs on Azure Runs Linux Today!

[Script]: So, what do we mean when we say that Azure and our entire cloud business is an Open Cloud?

The Microsoft cloud supports a wide range of industry leading operating systems, languages, tools and frameworks. From Windows to Linux, SQL Server to MySQL, and C# to Java. It puts the best of Windows and Linux ecosystems at your fingertips, so you can build world-class, globally scalable, secure applications and services that work seamlessly with any device.

As an example of how we support and integrate with applications, we recently announced how we are integrating with Moodle, a very popular open source content management and collaboration solution for educational institutions. We helped port Moodle to Azure and contributed code to facilitate integration between Moodle and Microsoft Office 365, bringing a more productive experience to teachers and students by harmonizing login credentials, calendar management and course content creation, in addition to other workflow improvements for educational institutions and other Moodle users. This will be an ongoing integration effort, and it's a great example of how we invest in and partner with open source technologies to EMPOWER our customers.

We support and provide SDKs for all popular development languages, from Java and PHP to more modern open source programming environments like Ruby and Node.js. We have also developed and released a plug-in for Eclipse to empower developers to build solutions and publish them to Azure in an easy and integrated way. Azure also enables DevOps through tools like Chef, Ansible, Puppet and SALT.

When it comes to data management, we are committed to providing implementations of all popular database environments, both commercial and open source. We provide a Microsoft SQL Server PaaS service and, through ClearDB, a MySQL PaaS service. We support the Hadoop ecosystem and offer HDInsight, a 100% Apache Hadoop-based PaaS service, and we also provide a supported Hadoop on Linux VM implementation for customers who prefer the IaaS approach. Azure also provides a Redis cache service and supports other popular database environments like MongoDB, Couchbase, PostgreSQL, Oracle and many others as an IaaS implementation. We also provide first-party SDKs for developing apps for Android, iOS or Windows phones.

And lastly, for device and operating system support you have the choice of a wide range of Linux distributions through the Azure-endorsed images from Microsoft partners such as Canonical (Ubuntu), OpenLogic (CentOS), CoreOS, Oracle and SUSE, as well as more than 1,000 community-provided Linux images in VM Depot.

The result is that we deliver an open, broad and flexible cloud that gives you the FREEDOM to choose the technologies that suit your needs, and we provide those technologies hyper-scale, in our hybrid, enterprise-grade approach.

[BEFORE YOU BUILD OUT THE WORDS AT THE BOTTOM OF THE SLIDE]:

Now, the breadth of choices we provide is very impressive, but you might say that many of these technologies are also provided by other leading cloud providers. That's correct, but

[CLICK TO BUILD OUT THE WORDS AT THE BOTTOM OF THE SLIDE]:

How many of them can provide this choice in a hybrid way, at hyper scale and with the enterprise-grade support that Microsoft provides in every country? No other vendor can do this at the level Microsoft can. That's why customers choosing Microsoft are moving their open source workloads and solutions to Azure.

[CLICK TO REVEAL THE BLUE OVAL AND TEXT]

And finally, we are seeing rapid adoption by customers using Azure to run their open source solutions and today 1 out of 4 VMs on Azure run Linux, and growing every day.

Open Source on Azure: Addressing Industry Trends

Internet of Things: comprehensive data pipeline from thing to analytics; powerful backend for all devices, RESTful interfaces, AMQP support; Azure Service Bus, Event Hubs, Notification Hubs, Stream Analytics, Apache Storm.

DevOps: support for multiple open source configuration management tools; broad availability of SDKs and cross-platform tools for multiple languages; incorporating Linux support in PowerShell DSC.

Managed Services: many hyper-scale managed services today, e.g. HDInsight (Hadoop) on Win/Linux; strong open source partner ecosystem, over 3000 elements in Marketplace today; more open source services on the way.

Next-Gen Architectures: empowering developers to do more in the cloud; hyper-scale software-defined storage; containers & microservice architectures like Docker across hybrid cloud.

[Script]: I would like to briefly talk about how we are collaborating and forming strategic partnerships with open source communities to support key industry trends so we can EMPOWER you.

When it comes to next-generation architectures, containers are emerging as an attractive way for developers to quickly and efficiently build and deploy these born-in-the-cloud applications. With containers, developers and IT professionals gain the ability to deploy applications from a workstation to a server in mere seconds, with flexibility and choice through Windows Server containers, Linux containers, and Hyper-V containers, both in the cloud and on-premises. We offer containers with a new level of isolation previously reserved only for fully dedicated physical or virtual machines, while maintaining an agile and efficient experience with full Docker cross-platform integration. We are also integrating the Docker Hub into the Azure Marketplace so customers will have seamless access to the latest Docker technology. (Read more about this here: https://www.microsoft.com/en-us/Openness/NextGenerationCloud)

Microsoft provides great options for customers looking for Managed Services solutions and tools. With Azure Managed Services, customers can outsource service management, including architecture, deployment, and updates, to Microsoft. Examples include HDInsight our Hadoop managed service running on both Windows and Linux, DocumentDB, and our Machine Learning offering. Customers who want to keep management in-house can also take advantage of our IT Management solutions that simplify IT management and monitoring, including Microsoft Operations Management Suite (OMS), App Insights, and System Center. You can manage Azure or AWS, Windows Server or Linux, VMware or OpenStack with these cost-effective, all-in-one cloud IT management solutions. (Read more here: https://www.microsoft.com/en-us/Openness/ManagedServices )

Many customers are looking at DevOps as a way to accelerate application delivery lifecycles. Practicing DevOps with Microsoft solutions can help development and operations teams respond to competitive industry pressures and keep up with the pace of enterprise application development. Whether you're a developer working in a start-up or an IT professional in a growing enterprise, your software applications will likely include both Linux- and Windows-based components. With our Microsoft Azure cloud platform you can also use a host of popular open source DevOps tools such as Puppet, Chef, Ansible and SALT to build DevOps environments for your company, from a zero-process environment to a fully automated and deployed production environment. (Read more here: https://www.microsoft.com/en-us/Openness/DevOps)

And lastly, the Internet of Things. Across the globe, businesses and governments are connecting their things (devices or sensors) to drive data insights and create new value and improve services. By tapping into those data streams and connecting them to the cloud and back-end systems, organizations can optimize business processes, make more informed decisions, identify new revenue opportunities, and provide better services to customers and partners. The Microsoft Azure IoT Suite is an integrated offering that takes advantage of all the relevant Azure capabilities to drive operational performance, use advanced data analytics, and enable innovation. Available in preview later this year this new offering will provide enterprises with finished applications targeting common IoT scenarios such as remote monitoring, asset management and predictive maintenance to simplify deployment and provide the ability to scale their solution to millions of things over time. (Read more here: https://www.microsoft.com/en-us/Openness/InternetOfThings)

Bottom line: we're investing in technology and partnerships to EMPOWER you to take advantage of these key industry trends.

Azure Open Source Customers

More customer stories at customers.microsoft.com!

Script: Go to microsoft.com/openness/customerstories for customer stories that highlight our support for open source software on Microsoft Azure. https://www.microsoft.com/en-us/Openness/CustomerStories

Selected Customer Case Study External Links:

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000004217

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000003432

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000004447

http://www.microsoft.com/casestudies/Microsoft-Azure/The-British-Irish-Lions/Top-Global-Rugby-Team-Wins-with-Cloud-Apps-That-Motivate-Fans-Monitor-Player-Health/710000003811

http://www.microsoft.com/casestudies/Windows-Azure/Cognosys-Technologies/Cognosys-Facilitiates-Azure-Transitions-in-Minutes-Exponentially-Reduces-Go-To-Market-Time/710000002544

http://www.microsoft.com/india/casestudies/microsoft-azure/cloudmunch/solutions-firm-uses-the-cloud-to-speed-release-cycles-and-cut-it-costs-by-more-than-20-percent/710000004304

https://customers.microsoft.com/Pages/CustomerStory.aspx?recid=338

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000004458

https://customers.microsoft.com/Pages/CustomerStory.aspx?recid=1867

http://www.microsoft.com/casestudies/Windows-Azure/Semantic-Touch/Azure-Powers-Launch-of-Revolutionary-Open-Source-Social-E-commerce-Solution/710000001825

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000003201

http://www.microsoft.com/casestudies/Windows-Azure/Nanobi-Data-and-Analytics/App-Store-in-the-Cloud-Democratizes-Analytics-Adoption-Across-Businesses/710000002921

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000002158

http://www.microsoft.com/casestudies/Windows-Azure/Vibal-Publishing/Leading-publishing-house-combines-open-source-technology-with-Microsoft-Windows-Azure-for-more-efficient-delivery-of-digital-learning-tools/710000003099

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000001977

http://www.microsoft.com/casestudies/Windows-Azure/Virginia-Polytechnic-Institute-and-State-University/University-Enables-Innovative-Life-Sciences-Research-with-Big-Data-Solution/710000003381

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000003415

Facing increasing malware threats and a growing trend of BYOD

White House - unlimited budget, still vulnerable

Source: "Hackers who breached White House network accessed sensitive data", Steven Musil, CNET, April 13, 2015
https://www.cnet.com/news/hackers-who-breached-white-house-network-allegedly-accessed-sensitive-data/

"In the State Department breach, none of the department's classified email system was affected, a senior department official said, but the hackers used that breach to break in to the White House's network."

"... hackers were able to gain access to real-time nonpublic details of the president's schedule ..."

"... believed to be the same ones behind a damaging cyberattack on the US Department of State around the same time last year, which forced the department to shut down its email system for an extended period."

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. (11/4/2016)

Sony breach (3rd time) - adding terror to playbook

"Sony hackers threaten 9/11 attack on movie theaters", Brent Lang, Variety, December 5, 2014

"The world will be full of fear, remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time."

"The Interview," a comedy about a plot to kill North Korean leader Kim Jong-Un.

Source: "Hackers Threaten Sony Employees in New Email: 'Your Family Will Be in Danger'", Dave McNary, MSN, December 5, 2014. Image: G. Hodan


Target - Exploiting Weak Identities

"The Target hackers broke into the network using a stolen user name and password that had been created for the company servicing their air conditioning systems." The Target credit card breach resulted in millions of credit cards appearing in the marketplace.

Brian Krebs (security blogger). Source: "Cards Stolen in Target Breach Flood Underground Markets", KrebsOnSecurity.com, December 20, 2013

Talk Track: You face many challenges, but one of the biggest is related to your users' identities. They're getting stolen and misused at unprecedented levels, and if we look back at the Target breach you can see how devastating the impact can be when an identity falls into the wrong hands. For those of you that don't know about the Target breach, it started with a user name and password that was provisioned to the company that serviced their HVAC systems. This identity was provisioned to enable the HVAC company to remotely log into the Target network and make adjustments, but somehow it fell into the wrong hands. From here a number of additional hacking techniques were used to enable the attacker to provision malware to Target's POS systems, which enabled them to steal millions of credit card numbers. If Target had used two-factor authentication in this case, possibly the breach could have been prevented, or at least delayed, but the reality is that two-factor authentication is too expensive and too hard. Most organizations I speak with either don't deploy it or, if they do, they only use it in a subset of cases. Maybe they require its use for VPN access or access to a few key resources.


Conficker, also known as Downup, is a computer worm which targets Windows and was first detected in November 2008.

It infected millions of computers, including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2000 Welchia.

@yungchou

What we have learned from the past so far

Identity Security: increasing password theft; poor password practices; support infrastructure and costs; cumbersome and costly MFA deployment.

Threat Resistance: platform security built of software alone; bootkit and rootkit; pass-the-hash; trusted until detected as a threat, which is not realistic facing numerous new threats per day.

Information Protection: disk encryption optional; lacking integrated DLP; varying experience on mobile and desktops.

The sites we use are a weak link (Internet username and password)

Diagram: the user signs in with the same username and password at social.com, bank.com, network.com, LOL.com and obscure.com. The bad guy (1) attacks the weakest site and (2) leverages the stolen credentials on the high-value sites.

The attackers have proven themselves to be incredibly adept at stealing them. In fact, in 2014 one group claimed to have assembled 1.2 billion user name and password combinations from 400K+ network breaches. Think about that! So how does an attacker steal your password? Well, it turns out that it's quite easy, because 75% of us try to use the same user name and password across every site we use, and we do this because passwords are too hard to remember if there are too many. The attackers know this, so if they want to break into your bank account they won't spend time trying to breach it directly. Instead they'll attack a seemingly uninteresting website you've probably used. It could be that tiny mom-and-pop shop that sells flowers locally, or something like it, where the owner was just savvy enough to get an e-commerce website online but lacks the funding and know-how to secure it. The attackers will breach this site as it's not well protected, and once they do they very likely could acquire the user name and password combinations for all of its users. And because 75% of the time those combinations are used across a large body of sites, the attackers quite likely can access those users' Facebook, bank accounts, etc.
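The "attack the weakest site, then replay the stolen credentials on high-value sites" pattern leaves a recognisable trace on the high-value side: one source address failing logins against many different accounts in a short time. The following is an added example, not part of the presentation, that runs that check over a few constructed authentication log lines; the log format, the sample lines, the 5-minute window and the five-account threshold are all assumptions for the example.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not part of the presentation. A single user mistyping a
password fails repeatedly on ONE account; a replayed breach list fails on
MANY accounts from one source. The log format, sample lines and thresholds
below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2015-04-13T09:00:01 198.51.100.7 alice FAIL
2015-04-13T09:00:02 198.51.100.7 bob FAIL
2015-04-13T09:00:02 198.51.100.7 carol FAIL
2015-04-13T09:00:03 198.51.100.7 dave FAIL
2015-04-13T09:00:04 198.51.100.7 erin FAIL
2015-04-13T09:00:05 198.51.100.7 frank SUCCESS
2015-04-13T09:00:10 203.0.113.9 alice FAIL
2015-04-13T09:00:20 203.0.113.9 alice FAIL
2015-04-13T09:00:31 203.0.113.9 alice SUCCESS
2015-04-13T09:05:00 192.0.2.44 grace FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failed logins cover >= min_users distinct accounts
    inside any sliding window of length `window`.

    For each flagged source the report also lists accounts that the same
    source later logged into successfully: those are the reused passwords
    that need an immediate reset (and a second factor going forward).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {e[2] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                hits = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
                flagged[ip] = {"distinct_failed_users": len(users),
                               "successful_logins": hits}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 198.51.100.7 fails five different accounts in four seconds and then gets into "frank", so it is reported with that account listed for a forced reset; 203.0.113.9 fails twice on a single account and then succeeds, which is an ordinary user and is not reported. The distinct-account count is what separates the two, not the raw failure count.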

2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 11/4/2016

The user and device are the weak links (Business username and password)

[Slide diagram: the user enters a username and password on the device (step 1); Windows attempts authorization with the password against the IdP (step 3); the IdP returns an authorization token (step 5); the network resource trusts tokens from AD. A bad guy is positioned to attack the user and the device.]

So on the last slide we talked about an attack vector that is primarily a challenge for consumers and very small businesses. In contrast, organizations typically require their users to use complex passwords and force them to reset them periodically. This means that when the mom and pop shop is breached, like we just talked about in the last example, the user's corporate password is very likely not the same and thus your credentials aren't at risk. There are two attack vectors that organizations need to think about, though. The first is phishing attacks on corporate users, which are successful at stealing identities at an alarming rate. It's not surprising, as when you click on the link in the phishing email, the web site it leads you to looks identical to the corporate site they are so used to logging into. Only savvy people notice that the URL in the browser looks fishy. So that's one path. The next is a little less known. The reality is that if an operating system, whether it's Windows, OS X, Linux, or anything else, is sitting on an unencrypted disk, an attacker can get access to the system files that contain sensitive information like users' identities and passwords, and with the right tools they can very likely extract them. To address this threat every operating system drive, particularly those on mobile devices, must be encrypted with technology like BitLocker, else they're susceptible to this kind of attack.


Shared secrets: easily mishandled or lost

Weak authentication (shhh!)


People write passwords under the keyboard and share their passwords with others; we simply cannot stop people from doing these bad things.


WINDOWS HELLO
- Facial ("Hello Chris")
- Fingerprint
- Iris


Multi-factor authentication (MFA)

On-premises
- Physical smartcard: reader; user-and-smartcard specific
- Virtual smartcard: company issued device; hardware-specific PIN; user-and-device specific

Cloud-centric
- Azure Active Directory: Identity as a Service; 2FA as a Service; user-specific with designated phone

Windows 10
- MDM device enrollment
- Microsoft Passport
- Windows Hello biometrics as primary
- BYOD MDM enrollment
- Device Guard and Credential Guard


87% of senior managers admit to regularly uploading work files to a personal email or cloud account
Source: Stroz Friedberg, On The Pulse: Information Security In American Business, 2013

Stroz Friedberg is a global leader in investigations, intelligence and risk management.

Has anyone uploaded a work file, sent a work-related image, texted a job-related message, etc. to a personal email account, some cloud storage, a colleague or a customer at some point in time? We all do. Data loss prevention capabilities are increasingly in demand, and when you look at these first two stats it's no wonder. 87% of senior managers leak data to unmanaged personal locations (email, cloud storage) and 58% of us have sent data to the wrong person. I actually think that stat is wrong. How could it not be 100%? Then there is the cost of data breaches, which is about 240.00 USD per record. Imagine that scaled across 10 or 100s of thousands of records.


58% have accidentally sent sensitive information to the wrong person. (Reply all?)
Source: Stroz Friedberg, On The Pulse: Information Security In American Business, 2013


The Fappening

On August 31, 2014, a collection of almost 500 private pictures of various celebrities, mostly women, and with many containing nudity, were posted on the imageboard 4chan, via Apple's iCloud.


Protecting data with Enterprise Data Protection (EDP)
- Specifying privileged apps that can access enterprise data
- Blocking selected apps from accessing enterprise data
- Offering a consistent UX while switching between personal & enterprise apps with enterprise policies in place, without the need to switch environments or sign in again
https://technet.microsoft.com/en-us/library/dn985838%28v=vs.85%29.aspx

You can set EDP to 1 of 4 protection modes:
- Block. EDP looks for inappropriate data sharing and stops the employee from completing the action.
- Override. EDP looks for inappropriate data sharing, letting employees know when they do something inappropriate. However, this protection mode lets the employee override the policy and share the data anyway, while logging the action to your audit log.
- Audit. EDP runs silently, logging inappropriate data sharing, without blocking anything.
- Off. EDP isn't active and doesn't protect your data.

Important: EDP also supports per-file encryption on SD cards along with the device encryption policy. To access your encrypted data, you will need to set up RMS during your EDP policy setup.

Protecting data with Enterprise Data Protection (EDP)
- Requires Intune, Configuration Manager or an MDM solution
- Encrypting enterprise data on employee-owned & corporate-owned devices
- Remotely wiping enterprise data off corporate devices and employee-owned computers, without affecting the personal data
https://technet.microsoft.com/en-us/library/dn985838%28v=vs.85%29.aspx

Intune: cloud-based desktop and mobile device management tool that helps organizations provide their employees with access to corporate applications, data, and resources from the device of their choice.


Windows 10 Enterprise Device Guard
- Restricts the OS to run only code signed by trusted signers
- Defined by your code integrity policy through specific hardware & security configurations
- The OS trusts only apps authorized by your enterprise

How it works:
- Universal Extensible Firmware Interface (UEFI) 2.3.1 (or later) Secure Boot, against bootkits and rootkits
- Loading/starting Windows 10 Enterprise before anything else
- Virtualization-based security services, including the core (kernel), preventing malware from running early in the boot process
- User Mode Code Integrity to ensure only trusted apps/binaries run
- TPM to provide isolated hardware that helps protect user credentials, certificates and secure information
https://technet.microsoft.com/en-us/library/dn986865(v=vs.85).aspx

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn't trusted it can't run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts, because of how decisions are made about what can run and when.

Signature-based detection methods are inadequate.

Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

Why use Device Guard

With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise.

How it works:
1. A device starts up with Universal Extensible Firmware Interface (UEFI) Secure Boot (protection against boot kits); Windows 10 Enterprise starts before anything else.
2. Windows 10 Enterprise starts the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity, to help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in the kernel after startup.
3. Device Guard uses User Mode Code Integrity to make sure that anything that runs in user mode, such as a service, a Universal Windows Platform (UWP) app, or a classic Windows application, is trusted, allowing only trusted binaries to run.
4. While Windows 10 Enterprise starts up, so too does the TPM, to provide an isolated hardware component that helps protect sensitive information, such as user credentials and certificates.
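The shift the notes describe, from an antivirus blocklist to a deny-by-default code integrity policy, worked through as an added example (not the deck's or Microsoft's code). The publisher keys, file contents, paths and policy rules are constructed, and an HMAC stands in for an Authenticode signature chain:

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed publisher signing keys. A real Authenticode signature is an RSA/ECDSA
# signature over the PE image hash chained to a CA; an HMAC stands in for that here.
PUBLISHER_KEYS = {
    "CN=Contoso Corp": b"contoso-signing-key",
    "CN=Random Publisher": b"random-signing-key",
}

@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes                # constructed "file bytes"
    publisher: str | None = None  # signer subject; None when unsigned
    signature: bytes | None = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

def signed(path: str, content: bytes, publisher: str) -> Binary:
    """Build a file carrying a valid signature from the named publisher."""
    sig = hmac.new(PUBLISHER_KEYS[publisher], content, "sha256").digest()
    return Binary(path, content, publisher, sig)

def signature_valid(b: Binary) -> bool:
    """A publisher claim only counts if the signature verifies over the file bytes."""
    key = PUBLISHER_KEYS.get(b.publisher or "")
    if key is None or b.signature is None:
        return False
    expected = hmac.new(key, b.content, "sha256").digest()
    return hmac.compare_digest(expected, b.signature)

def blocklist_allows(b: Binary, av_signatures: set[str]) -> bool:
    """Antivirus model: a file runs unless a detection signature already exists for it."""
    return b.sha256 not in av_signatures

@dataclass
class CodeIntegrityPolicy:
    """Deny-by-default: a file runs only if an allow rule matches and no deny rule does."""
    allowed_publishers: set[str] = field(default_factory=set)
    allowed_hashes: set[str] = field(default_factory=set)  # per-file exceptions
    denied_hashes: set[str] = field(default_factory=set)   # deny rules always win

    def allows(self, b: Binary) -> bool:
        if b.sha256 in self.denied_hashes:
            return False
        if b.sha256 in self.allowed_hashes:
            return True
        return signature_valid(b) and b.publisher in self.allowed_publishers

# Constructed inventory of files a workstation might try to run.
PAYROLL = signed(r"C:\Program Files\LOB\payroll.exe", b"payroll v1", "CN=Contoso Corp")
ADMIN_TOOL = Binary(r"C:\Tools\inventory.exe", b"unsigned in-house tool")
OLD_MALWARE = Binary(r"C:\Users\chris\AppData\Local\Temp\svc.exe", b"sample A, known to AV")
NEW_MALWARE = signed(r"C:\Users\chris\AppData\Local\Temp\upd.exe", b"sample B, new today",
                     "CN=Random Publisher")
# Same signer metadata as payroll.exe but altered content: the signature no longer verifies.
PATCHED_PAYROLL = Binary(r"C:\Users\chris\Downloads\payroll.exe", PAYROLL.content + b"\x00patch",
                         PAYROLL.publisher, PAYROLL.signature)

AV_SIGNATURES = {OLD_MALWARE.sha256}
POLICY = CodeIntegrityPolicy(allowed_publishers={"CN=Contoso Corp"}, allowed_hashes={ADMIN_TOOL.sha256})
INVENTORY = (PAYROLL, ADMIN_TOOL, OLD_MALWARE, NEW_MALWARE, PATCHED_PAYROLL)

def compare_models(binaries=INVENTORY) -> dict[str, tuple[bool, bool]]:
    """Map each file to (blocklist verdict, code integrity verdict): True means it may run."""
    return {b.path: (blocklist_allows(b, AV_SIGNATURES), POLICY.allows(b)) for b in binaries}

if __name__ == "__main__":
    for path, (av, ci) in compare_models().items():
        print(f"{path}\n  blocklist: {'run' if av else 'blocked'}   code integrity: {'run' if ci else 'blocked'}")
```

The two files the blocklist cannot catch, a brand-new sample and a tampered copy of a trusted binary, are exactly the ones the deny-by-default policy refuses.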


Dangers: rootkits, bootkits
- Firmware/kernel/driver rootkits: overwrite the system's basic I/O system
- Bootkits: infect the system OS's MBR, allowing the malicious program to be executed before the OS boots

Firmware rootkits. These kits overwrite the firmware of the PC's basic input/output system or other hardware so the rootkit can start before Windows.

Bootkits. These kits replace the operating system's bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system, typically from the Master Boot Record (MBR). A bootkit is able to hook and patch Windows to get itself loaded into the Windows kernel, thus gaining unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the Master Boot Record is not encrypted: the master boot record contains the decryption software which asks for a password and decrypts the drive. This infection method allows the malicious program to be executed before the operating system boots. As soon as the BIOS (Basic Input Output System) selects an appropriate boot device (it can be a hard disk or a flash drive), the bootkit that resides in the MBR starts executing its code. Once the bootkit receives control, it usually starts preparing itself (reads and decrypts its auxiliary files in its own file system that it has created somewhere in the unallocated disk space) and returns control to the legitimate boot loader, overseeing all stages of the boot process. The main feature of a bootkit is that it cannot be detected by standard means of an operating system because all its components reside outside of the standard file systems. Some types of bootkits even hide the fact that the MBR has been compromised by returning the legitimate copy of the MBR when an attempt to read it is made.

Kernel rootkits. These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.

Driver rootkits. These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.

The Countermeasures
Windows 8.1 supports four features to help prevent rootkits and bootkits from loading during the startup process:
- Secure Boot. PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders. Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip.
- Trusted Boot. Windows checks the integrity of every component of the startup process before loading it.
- Early Launch Anti-Malware (ELAM). ELAM tests all drivers before they load and prevents unapproved drivers from loading.
- Measured Boot. The PC's firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC's health.

Secure Boot
When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC's hard drive. There's no way for the PC to tell whether it's a trusted operating system or a rootkit.

When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
- The bootloader was signed using a trusted certificate. In the case of PCs certified for Windows 8.1, Microsoft's certificate is trusted.
- The user has manually approved the bootloader's digital signature. This allows the user to load non-Microsoft operating systems.

Trusted Boot
Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 8.1 kernel before loading it. The Windows 8.1 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 8.1 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.

Early Launch Anti-Malware
Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.

ELAM can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.

An ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 8.1) supports ELAM, as does Microsoft System Center 2012 Endpoint Protection and several non-Microsoft anti-malware apps.

Measured Boot
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn't work with rootkits that hide their presence. In other words, you can't trust the client to tell you whether it's healthy.

As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network.

Working with the TPM and non-Microsoft software, Measured Boot in Windows 8.1 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:

1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
4. The client sends the log to the server, possibly with other security information.
5. Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.

Counter Measures
- Secure Boot: PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders
- Trusted Boot: Windows checks the integrity of every component of the startup process before loading it
- Early Launch Anti-Malware (ELAM): tests all drivers before they load and prevents unapproved drivers from loading
- Measured Boot: the PC's firmware logs the boot process, & Windows can send it to a trusted server that can objectively assess the PC's health


Prove to me you are healthy

[Slide diagram: Windows PPCH & Intune. Step 1: the device asks "Access please" for important resources (OneDrive, file servers, email, wireless). Step 2: "Prove to me you are healthy". Steps 3 and 4: Request and Approved. Step 5: "Here is my proof". Provable PC Health (PPCH) supplies the Measured Boot integrity data and Intune supplies the client policies (AV, firewall, patch state); PPCH provides health intel to MDMs.]

Public API for MDM devices to access the remote attestation service called PPCH.

In Windows 10 we'll be updating the Provable PC Health (PPCH) cloud service that we launched with Windows 8.1 with enhanced capability. Unlike the version for 8.1, which was designed for consumers and just enabled us to inform users through Action Center or email that their PCs were infected with malware that required special offline scanning and remediation techniques, we've updated it to provide this same capability to enterprises along with the ability to use this information to make conditional access decisions. The Provable PC Health (PPCH) cloud service will use measured boot integrity to detect low-level bootkits and rootkits, and this information will be made available to 3rd party security solutions. Intune will take this functionality to the next level by coupling it with client policies that will enable conditional access to be granted based on the system's ability to prove it is malware free, its antimalware system is functional and up to date, the firewall is running, and the device's patch state is compliant. This feature is awesome and is much needed for BYOD devices that today are connecting to your network and very likely becoming the gateways to malware proliferation and greater network breaches.
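The five-step Measured Boot exchange from the countermeasures notes and the PPCH plus Intune conditional access decision described here, simulated end to end as an added example (not the deck's or Microsoft's implementation). The TPM, attestation key, golden measurements, client policy facts and file images are all constructed; the server's "unique key" is treated as a fresh nonce bound into the signed quote, and an HMAC stands in for the TPM's asymmetric quote signature:

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ZERO_PCR = b"\x00" * 32
# Client policy facts the MDM side (Intune in the deck) adds to boot health.
POLICY_KEYS = ("av_running", "av_up_to_date", "firewall_on", "patch_compliant")

def pcr_extend(pcr: bytes, component_digest: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || digest(component))."""
    return hashlib.sha256(pcr + component_digest).digest()

@dataclass
class SimulatedTpm:
    """Stand-in TPM: one PCR, the boot log and an attestation key. A real TPM signs
    quotes with an asymmetric key it never exports; a constructed HMAC key plays that role."""
    ak: bytes
    pcr: bytes = ZERO_PCR
    log: list[tuple[str, bytes]] = field(default_factory=list)

    def measure(self, name: str, image: bytes) -> None:
        digest = hashlib.sha256(image).digest()
        self.log.append((name, digest))          # step 1: log the component...
        self.pcr = pcr_extend(self.pcr, digest)  # ...and extend its hash into the TPM

    def quote(self, nonce: bytes) -> bytes:
        # step 3: the TPM signs the current PCR together with the server's nonce
        return hmac.new(self.ak, self.pcr + nonce, "sha256").digest()

class AttestationServer:
    def __init__(self, ak: bytes, golden: dict[str, bytes]) -> None:
        self.ak = ak
        self.golden = golden          # expected digest of every boot component
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # step 2: fresh value the quote must cover
        self.outstanding.add(nonce)
        return nonce

    def evaluate(self, nonce: bytes, log, quote: bytes, state: dict) -> tuple[str, str]:
        """Step 5: decide between the full network and the quarantine network."""
        if nonce not in self.outstanding:
            return "quarantine", "unknown or replayed nonce"
        self.outstanding.discard(nonce)
        pcr = ZERO_PCR                  # replay the reported log to rebuild the PCR
        for _, digest in log:
            pcr = pcr_extend(pcr, digest)
        expected = hmac.new(self.ak, pcr + nonce, "sha256").digest()
        if not hmac.compare_digest(expected, quote):
            return "quarantine", "log does not match signed quote"
        if dict(log) != self.golden:
            bad = [name for name, digest in log if self.golden.get(name) != digest]
            return "quarantine", "unexpected boot component: " + (", ".join(bad) or "missing entries")
        if not all(state.get(key) for key in POLICY_KEYS):
            return "quarantine", "client policy not compliant"
        return "full", "healthy"

# Constructed golden boot chain and shared attestation key.
AK = b"constructed-attestation-key"
GOLDEN_IMAGES = [("firmware", b"UEFI firmware 2.3.1 build 100"),
                 ("bootloader", b"bootmgfw build 10240"),
                 ("elam_driver", b"WdBoot build 10240")]
GOLDEN = {name: hashlib.sha256(image).digest() for name, image in GOLDEN_IMAGES}
COMPLIANT = dict.fromkeys(POLICY_KEYS, True)

def attest(server: AttestationServer, images, state: dict, forge_log: bool = False):
    tpm = SimulatedTpm(AK)
    for name, image in images:
        tpm.measure(name, image)
    nonce = server.challenge()
    log = list(tpm.log)
    if forge_log:  # a compromised client reports a clean log; the quote still covers the real PCR
        log = list(GOLDEN.items())
    return server.evaluate(nonce, log, tpm.quote(nonce), state)  # step 4: send log and quote

def run_scenarios() -> dict[str, tuple[str, str]]:
    server = AttestationServer(AK, GOLDEN)
    altered = GOLDEN_IMAGES[:1] + [("bootloader", b"bootmgfw build 10240 plus unexpected code")] + GOLDEN_IMAGES[2:]
    return {
        "healthy": attest(server, GOLDEN_IMAGES, COMPLIANT),
        "altered_bootloader": attest(server, altered, COMPLIANT),
        "altered_bootloader_forged_log": attest(server, altered, COMPLIANT, forge_log=True),
        "firewall_off": attest(server, GOLDEN_IMAGES, {**COMPLIANT, "firewall_on": False}),
    }
```

The forged-log scenario is the point the notes make about not trusting the client: a clean-looking log cannot be made to match a quote the TPM computed over the real PCR, and a healthy boot still lands in quarantine when the Intune policy facts are not met.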


Facing on-going security threats and a growing BYOD trend with a new approach

IDENTITY SECURITY
- Biometrics and strong MFA with Windows Hello
- Microsoft Passport

INFORMATION PROTECTION
- Enterprise Data Protection (EDP)
- BitLocker auto-drive encryption

THREAT RESISTANCE
- Device Guard
- Credential Guard
- Windows Defender
- Provable PC Health
- Boot integrity and platform integrity with Device Guard, UEFI Secure Boot, Trusted Boot, Measured Boot, and TPM

Call to action
- Learn Windows 10 security and Windows as a Service: Microsoft Virtual Academy, http://aka.ms/MVA1
- Inventory the hardware and software of your IT environment: Microsoft Deployment Toolkit (MDT)
- Assess your business needs for Windows Hello and Microsoft Passport, Device Guard and Credential Guard

Call to action
- Roll out UEFI and Secure Boot sooner rather than later
- Plan your next hardware/software refresh accordingly: x64, UEFI 2.3.1, TPM 2.0, Intel VT-x/AMD-V, Windows 10 Enterprise
- Evaluate Windows 10, Office 365, Enterprise Management Suite, and Azure AD

Reach out to me!

@DaveVoyles

DaveVoyles.com
