Microsoft's approach to secure government systems


The U.S. federal government has unique needs when it comes to computer privacy and security that no other organization in the world faces. It also must ensure the privacy of personal information collected from hundreds of millions of citizens. Here is how Microsoft can help the U.S. federal government meet these challenges.


Secure computing in government today must stand on three legs: technologies, processes, and people.

To protect privacy and ensure the security of information, agencies must deploy hardened technologies, establish safe practices, and continuously reinforce responsible behavior throughout the workforce. Without any one of these three pillars, an organization's data can be compromised and the safety and security of its employees, its constituents, and its nation put at risk.

Working in partnership with government to help protect the country's most valuable—and sometimes most threatened—data assets, Microsoft also relies on a three-fold strategy.

To help its government customers deflect security threats—whether from a malicious hacker or a hostile nation-state—Microsoft offers technologies that provide the highest level of protection available; it follows the most rigorous design and development processes; and it cultivates a team of people with extensive government security experience to serve its federal and state customers.

A world connected—but less safe

Microsoft understands that the U.S. federal government has computer security needs unmatched by any other organization in the world.

First, the adversaries intent on penetrating federal systems can be much more sophisticated, well funded, and better equipped than individuals performing malicious mischief or industrial espionage. Attacks from highly organized agents of hostile nation-states can find and exploit the slightest vulnerability in a computer network or application.

Second, the results of those attacks can go far beyond the financial ruin that may result from private sector security breaches. Not only is the basic personal privacy of every U.S. citizen at stake, but, ultimately, the safety of our nation and its entire infrastructure.

Microsoft technologies for secure computing

In response to today's security challenges, Microsoft offers some of the most sophisticated and highly regarded security innovations available. "We recognize that our platforms are widely deployed throughout the federal government, and we understand the responsibility that comes with that," says Bill Billings, chief security advisor for Microsoft Federal. "We are committed to the National Information Assurance Program security requirements and all other existing and emerging U.S. government security requirements. It's the very highest priority for our developers in Redmond."

Built with an understanding of the broad range of government security standards and requirements, Microsoft tools and services go beyond the basic needs of federal agencies and offer new levels of protection.

Microsoft Connected Government Framework (CGF) was developed by Microsoft in recognition of the fact that agencies must communicate with other agencies, partners, stakeholders, and constituents. The CGF incorporates a common user identity management model for all government services. And Microsoft Windows natively supports FIPS (Federal Information Processing Standard) 140-2 encryption, the standard for preventing the unauthorized capture of data while in transit.

Rights Management Services can prevent a document or e-mail from being forwarded, copied, or printed except with explicit permissions granted by the creator of the file. With this feature, which is built into the Microsoft Office system, the rights for documents and files can even be coded to expire after a pre-set period of time. This protection is now available for SharePoint Document Libraries in the 2007 Microsoft Office system.

Encrypting File System (EFS) is a feature of Microsoft Windows that can encrypt selected data on a laptop or desktop hard drive. Once encrypted by EFS, the files are virtually inaccessible by unauthorized users. To simplify the usage of EFS, a user's private key can be stored on a smart card.

BitLocker Drive Encryption technology takes encryption one step further in the Windows Vista operating system. With BitLocker, the entire volume of a hard drive—every bit of data in that volume—can be encrypted. If a BitLocker protected laptop is lost or stolen, the data in the volume is almost impossible to access, even if the hard drive is removed and installed in a different computer.

IPv6 support is offered out-of-the-box in Windows Vista. This feature is designed to make the Internet a safer platform for secure transmissions and transactions.

"These and other functions available for the first time in Windows Vista bring new levels of security to computing," says Billings.

Microsoft processes to build secure products and technology

Real security functions cannot be added to a product after it is designed and built. To be effective, security must be designed into a product from the ground up.

The Microsoft framework for designing secure computing into its products and services is Trustworthy Computing. Originally an initiative launched by Microsoft Chairman Bill Gates, Trustworthy Computing is now a long-term effort to provide more secure, private, and reliable computing experiences and has become a core tenet that drives the company's technology strategies.

The key process by which Trustworthy Computing is realized in software development is Microsoft's Security Development Lifecycle (SDL).

Established in 2003, SDL implements a rigorous process of secure design, coding, testing, review, and response, and is applied to the development of any product that might manage sensitive or personal information. With steps to include "threat modeling" and the engineering of hardened responses to potential threats, SDL helps minimize the risk of malicious attacks while improving overall system and application integrity.

Microsoft also recognizes that its software often serves as the platform for third-party extensions and application solutions. Because any system is only as secure as its weakest point of entry, Microsoft provides detailed guidance on the SDL for independent software and solution developers to help them improve the security of their applications and services. This guidance included special Microsoft-hosted training events—Security Summit East and Security Summit West—as well as onsite training sessions.

Microsoft hires experts with deep government experience

To ensure that its efforts are based on the broadest possible understanding of the threats our systems face, Microsoft recruits not only the best technology professionals in the industry, but also those with extensive hands-on experience in protecting data security at the federal level. Three examples, now employed by Microsoft, are:

Kimberly T. Nelson, Executive Director of E-Government. Her 22 years of government experience include serving as Chief Information Officer (CIO) for the Pennsylvania Department of Environmental Protection and CIO for the U.S. Environmental Protection Agency.

Phil Reitinger, Director of Trustworthy Computing. At the Department of Justice for eleven years, he served as Deputy Chief of the Computer Crime and Intellectual Property Section, and then became Executive Director of the Department of Defense Cyber Crime Center.

Bill Billings, Chief Security Advisor. He is a retired Naval Cryptographic Officer who spent the last eight years of his federal career at the National Security Agency (NSA) where he ran the Operational Network Evaluations group and was responsible for NSA security guides.

"Part of my job now," says Billings, "is to drive those unique security requirements that come out of the federal government into the products Microsoft builds. In that way, we are actively helping the government to protect itself."

The technologies Microsoft offers, the processes that guide those products, and the people to drive those processes are working together to ensure that the security built into federal systems keeps pace with the rapidly evolving threats to those systems. For Microsoft, that is more than an initiative—it is a mission.


