Culture Clash: Law, Business and Technology
Mitch Dembin, Chief Security Advisor (US), Microsoft Corporation


Page 1: Culture Clash: Law, Business and Technology Mitch Dembin Chief Security Advisor (US) Microsoft Corporation.

Culture Clash: Law, Business and Technology

Mitch Dembin
Chief Security Advisor (US)
Microsoft Corporation

Page 2

How We Got Here

Computer OS, Apps and Internet Protocols not designed for security
Criminals
  Malicious Hackers
  Corrupt Insiders
  Virus/Worm Writers
Publicity
  Primarily Website Defacements
  Identity Theft

Page 3

What We Did

Panic - Haphazard Frenzied Reaction to Security Incidents
Perimeter Protection
Pushed Data Security to IT Departments without funding/training or understanding of special skills required
Allowed development of one-off security solutions throughout enterprise

Page 4

Results

Silos
  By acquisition, design or reaction to a security event
Little attention to security architecture, writing secure code, strategic security planning
Some progress in infrastructure protection leading to attacks up the stack

Page 5

Consequences

Here come the lawyers
  EEA, HIPAA, GLB, Sarbanes
Common Thread:
  Reasonableness
  Appropriateness
  Interpreted by lawyers after the fact
And, on their heels, come the dreaded AUDITORS

Page 6

Compliance – A Partial Landscape

COMPLIANCE

Sarbanes-Oxley: Fiscal accountability for all public companies
Basel II: Capital assessment and reporting standards for global banking
USA PATRIOT Act: Customer documentation requirements in order to “know your customer”
DoD 5015.2 and UK PRO: Federal standards of records management
Health Insurance Portability and Accountability Act (HIPAA): Right to carry insurance between jobs; privacy of patient information
NASD 3110: Written policies and procedures for review of correspondence with the public
SEC Rules 17a-3 & 17a-4: All records related to securities transactions to be maintained for 3 years
Gramm-Leach-Bliley Act (GLBA): Privacy of financial information

Source: Microsoft Compliance Summit; October 2003

Page 7

The Players

Business Decision Makers
  Language = Brand Protection, Competitive Advantage, Value and ROI
IT Security
  Language = Technology
Lawyers
  Language = Reasonableness
Auditors
  Language = Checklists

Page 8

Guiding Principle No. 1

It is really difficult to make predictions, especially about the future (Y. Berra)

Page 9

Problem 1: The Silo

Assumptions:
  Different data of relatively equal importance
  With different security solutions created, implemented and managed by different technology, people and processes
  Of demonstrably different effectiveness

Page 10

Problem 1: Continued

Data in less secure silo compromised
How do you demonstrate to lawyers/auditors/regulators/shareholders that protection of the data was reasonable/adequate when better solutions were employed for equally important data elsewhere in the enterprise?

Page 11

Problem 2: Emerging Technologies

Multiple Factor Authentication
Rights Management
Network Segmentation

Page 12

Where We Need To Go

Enterprise-wide security plan
Combat silos
People, Process & Technology
Dissemination of best practices
Emergency and Incident Response
Common Language

Page 13

Common Ground?

Risk Assessment
Risk Mitigation
Risk Management

Page 14

Guiding Principle No. 2

In theory, there is no difference between theory and practice. In practice, there is.

Y. Berra

Page 15

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.