How Microsoft runs IT. Ludwig Wilhelm, CIO Central & Eastern Europe, Microsoft IT
Source: Accenture Cloudrise: Rewards & Risks at the Dawn of Cloud Computing, November 2010
Agenda: Processes, People, Technology, Strategy
Similarities with other IT organizations:
- Security and cost reduction are our top priorities
- Too much work, too little time, mostly reactive
- A mix of Microsoft operating systems and configurations
- Not all users are cooperative
- Balancing security, cost, and efficiency is the bottom line

Differences:
- Being Microsoft's first and best customer
- Software deployed more than once
- Majority of users are technical, local administrators
- High-value target for security attacks
Microsoft IT at a glance (site labels on the slide: SVC, Redmond, Dublin, Singapore):
- 1.2m PCs and devices
- Collaboration: 210k mailboxes; 3m internal e-mails per day; 25m+ e-mails from the Internet per day, 92% rejected as spam; 99.99% availability; 746k SharePoint sites
- Users/Sites: 106 countries; 700+ buildings; 7,500 production servers; 190K end users: office dwellers (40%), campus nomads (40%), remote users (20%)
- 2.3 Tb single-instance SAP ERP database on SQL Server 2008 R2
- Remote connectivity per month: 2.5m remote connections; 78m IMs; 88m RPC/HTTP; 100m ActiveSync
- High scale: www.microsoft.com, the world's largest corporate website, 1.2B hits per day, 755k concurrent users
Processes, People, Technology, STRATEGY
Drivers of the security strategy:
- Global business model
- Customer requirements
- Supplier requirements
- Security of information assets
- Privacy protection
- Industry mandates
- Mobile devices
- Collaboration tools
- Dogfooding
Savings: share of applications in the Cloud
- FY11: less than 5% of apps in the Cloud
- FY13: 15% of apps in the Cloud
- FY15: 80% of apps in the Cloud

Portfolio mix in FY15:
- 20% of apps retired or last to move
- 50% of apps moved to the Cloud in a VM role
- 20% of apps rearchitected for the Cloud
- 10% new apps written directly for the Cloud
Savings: cross-premise services roadmap
- FY11 (Experience): manual provisioning, monitoring, support, and escalation. Services: Exchange Online: 3K; SharePoint Online: LBI only.
- FY13 (Efficiency): integrated provisioning, feature parity, integrated monitoring and support escalation. Services: Exchange Online: 50% of users; SharePoint Online: sample of sites and portals; Lync Online: dogfood deployment.
- FY15 (Effectiveness): fully cross-premise services management. Services: Exchange Online: majority of users; SharePoint Online: majority of sites; Lync Online: majority of users.
Risk Management:
- Intellectual property protection
- Targeted malware attacks
- Increased data leakage and portability
- Zero-day attacks
- Diverse compliance challenges
- Insider tracks
- Foreign national threats
- Risk management vs. risk elimination
- Critical infrastructure protection
- Integration with ERM initiatives

Business Enablement:
- Support for rapidly changing business
- Focus on new revenue streams
- Mergers, sourcing and workforce changes
- Increased value change integration
- Need for improved business intelligence
- E-discovery and investigations

Technical Architecture:
- Cloud computing/SaaS
- Data loss prevention
- SIEM platforms and programs
- IAM governance and process (role optimization)
- Increased encryption (data level and portables)
- Application and code review
- Endpoint security

Operational Excellence:
- Better integration with board/ERM
- Doing more with less
- Vendor and 3rd-party management
- Security organization model and structure
- Asset and configuration management
- Executive reporting and metrics
- Managed security services
- Awareness and training
User Empowerment: mobility, proliferation, personal devices, user-centric, social networking, partnering
IT Controls: cost, reliability, security, efficiency, governance, risk & compliance
Security of digital assets: anywhere, any device, any access time
Practitioner roles:
- Partners: scale through partners
- Policy: driving policy and compliance
- Product: Microsoft security and management products
- Platform: securing the Microsoft platform
Processes, PEOPLE, Technology, Strategy
Site classification: information security risk branding. Upon classification, one of three graphics is affixed to the site.
PROCESSES, People, Technology, Strategy
Impact considers potential financial loss, recovery time, operational scope, reputational impact, and legal/regulatory impact.
The cost of removing an application security vulnerability during the design phase ranges from 30-60 times less than if removed during production. (NIST, IBM, and Gartner Group)

Chart (source: IDC and IBM Systems Sciences Institute): relative cost of removing a defect by phase along the Design, Development, Testing, Deployment axis: 1X at design; 6.5X during development (static analysis, integration testing); 15X during system/acceptance testing; 100X once customers find it in the field.
SDL-LOB: a process that is integrated into the software development lifecycle (SDLC).
Goals:
- Assess risk (security/privacy) at every stage within the SDLC
- Reduce the cost of developing secure applications

Mapping of SDLC stage to SDL-LOB activity and control activity:
- Envision: App Entry / Risk Assessment; Catalog & Classify
- Design: Threat Modeling; Identify Controls
- Develop: Internal Review; Implement Controls
- Test: Pre-Prod Assessment; Verify Controls
- Release: Post-Prod Assessment; Monitor Controls
Infrastructure optimization levels:

Cost Center (Basic):
- IT staff taxed by operational challenges
- Users come up with their own IT solutions
- IT processes undefined
- Complexity due to localized processes & decentralization
- Patch status of desktops is unknown
- No unified directory for access management

More Efficient Cost Center (Standardized):
- IT staff trained in best practices, i.e. MOF, ITIL
- Users expect basic services from IT
- Central administration & configuration of security
- Standard desktop images defined, not adopted by all
- Multiple directories for authentication
- Limited automated software distribution

Business Enabler (Rationalized):
- IT-managed environment
- Users have the right tools, availability, & access to info
- SLAs are linked to business objectives
- Clearly defined and enforced images, security & best practices
- Automated identity/access management
- Automated system management

Strategic Asset (Dynamic):
- IT is viewed as a strategic asset
- IT is a valued partner & enables new business initiatives
- Self-assessing & continuous improvement
- Easy, secure access to info from anywhere
- Self-provisioning & quarantine-capable systems ensure compliance & high availability
Processes, People, TECHNOLOGY, Strategy
Security controls by optimization step (BASIC, STANDARDIZED, RATIONALIZED, DYNAMIC):
- Basic to Standardized (S): Two-Factor Authentication; Secure Remote User; Enforce Strong Passwords; Secure Wireless Access; Network Intrusion Detection
- Standardized to Rationalized (R): Network Segmentation; 2FA for Elevated Access Accounts; Security Event Monitoring; LPA Controls
- Rationalized to Dynamic (D): Network Access Protection; Strong User Authentication; User Account Control; BitLocker Drive Encryption; Rights Management
BitLocker deployment:
- Gained executive-level support
- Changed security and procurement policies
- Include BitLocker configuration in the image
- Store recovery keys in AD
- Tools deployed: BitLocker Automated System Enforcement (BASE); BDEVault: BitLocker self-service recovery tool; BitLocker Check with automated e-mail notifications
- Windows 7 BitLocker FAQs: http://technet.microsoft.com/en-us/library/ee449438(ws.10).aspx
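The slide names a "BitLocker Check" with automated e-mail notifications and the practice of storing recovery keys in AD. The following is an added example of what such a check looks like; it is not the BASE, BDEVault or BitLocker Check tooling Microsoft IT deployed. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; the Windows 7 deployment in the slide would have used manage-bde for the same facts), and the SMTP server and mailbox addresses are placeholders.

```powershell
# Added example: OS-volume BitLocker compliance check with AD key escrow and
# e-mail notification. Not Microsoft IT's own tooling; module cmdlets are real,
# mail settings are placeholders.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$BackupToAD     # escrow any recovery-password protector in AD DS
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Protection must be on (volume encrypted and protectors armed)
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus) (VolumeStatus: $($vol.VolumeStatus))")
    }

    # 2. Encryption must have finished, not be paused part-way
    if ($vol.EncryptionPercentage -lt 100) {
        $findings.Add("Encryption only $($vol.EncryptionPercentage)% complete")
    }

    # 3. A recovery-password protector must exist; it is what gets stored in AD
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $findings.Add("No RecoveryPassword protector configured; nothing to escrow in AD")
    }
    elseif ($BackupToAD) {
        foreach ($rp in $recovery) {
            # Writes the recovery information to the computer object in AD DS
            # (requires the BitLocker recovery schema/GPO in the domain).
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    # 4. Managed clients are expected to unlock with a TPM-based protector
    $tpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    if ($tpm.Count -eq 0) {
        $findings.Add("No TPM-based key protector (unlock relies on password/USB only)")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $MountPoint
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

function Send-BitLockerNotification {
    param(
        [Parameter(Mandatory)] $Report,
        [string]$SmtpServer = 'smtp.example.invalid',            # placeholder
        [string]$From       = 'bitlocker-check@example.invalid',  # placeholder
        [string]$To         = 'helpdesk@example.invalid'          # placeholder
    )
    if ($Report.Compliant) { return }
    $body = "Host $($Report.ComputerName), volume $($Report.MountPoint) is not BitLocker compliant:`n" +
            (($Report.Findings | ForEach-Object { " - $_" }) -join "`n")
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "BitLocker non-compliance: $($Report.ComputerName)" -Body $body
}

# Usage: run elevated, e.g. from a scheduled task at logon
$report = Test-BitLockerCompliance -BackupToAD
$report | Format-List
Send-BitLockerNotification -Report $report
```

The check reports rather than remediates: enforcement (turning BitLocker on, as BASE did) is a separate, policy-gated step, while the check can run on every client and feed a scorecard. The AD backup is idempotent, so running it on each check is a cheap way to catch machines that were imaged before the escrow policy was in place.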
Persistent protection (Rights Management): encryption + policy, i.e. access permissions and use-right permissions travel with the document
Device access requirements:
- Domain-joined: Active Directory policies requiring certificates; EAS PIN policy; remote wipe; 802.1X secure wireless with certificates; BitLocker Drive Encryption; DirectAccess for remote access
- Non-domain-joined: client authentication certificate
Defense in depth:
- Secure the network perimeter: Secure Wireless; DirectAccess; Smart Cards for VPN; Network Access Protection; Intrusion Detection
- Secure the network interior: Anti-Malware Protection; Patch Management; IPSec network segmentation; Smart Cards for Admin Access; SecureNet via IPSec
- Secure key assets: Data Classification; Rights Management Services; BitLocker Drive Encryption
- Monitor and audit: Awareness; Enforcement; BG Scorecard; Penalties
Who manages which layer across hosting models (layers, top to bottom: Applications, Runtimes, Security & Integration, Databases, Servers, Virtualization, Server HW, Storage, Networking):
- Private (On-Premises): you manage all nine layers
- Infrastructure as a Service: you manage Applications, Runtimes, Security & Integration, Databases and Servers; Virtualization, Server HW, Storage and Networking are managed by the vendor
- Platform as a Service: you manage Applications; Runtimes and everything below are managed by the vendor
- Software as a Service: all layers are managed by the vendor
Axis labels: Control at the on-premises end; Cost Efficiency + Savings at the SaaS end.

Notes on the slide:
- No provider may fit all requirements; however, we have a choice now
- BCDR is built into most clouds
- We still need to be in control and need to manage risk
- Not everything qualifies (yet) to be in the cloud
- Cloud providers are building in-depth security expertise
- Private vs. public cloud is again a difference
Additional content on Microsoft IT deployments and best practices can be found at http://www.microsoft.com/itshowcase
- Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
- Microsoft Security Intelligence Report: http://www.microsoft.com/sir
How Microsoft Optimizes and Secures its IT Environment
2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.