Hi all – Doug Leland here, general manager of the Identity and Security Business Group. Today at the Microsoft Management Summit vice president Bob Kelly spoke about cloud computing. He outlined Microsoft’s investments and provided guidance to help customers understand their options as they incorporate the cloud into their future plans, whether it is through “private clouds,” “public clouds,” or a combination. You can read an article about this and view the keynote or a related webcast on-demand.
I wanted to provide some additional information about our efforts to help customers maintain security with cloud infrastructure.
As part of our Business Ready Security strategy, we are taking a comprehensive approach to security across on-site and cloud infrastructure. This encompasses protection, access and management, all built around user identity and integrated with a highly secure, interoperable platform for a broad set of partner solutions.
Identity is a core part of our strategy, because it allows for more contextual protection and access to information and resources. With our Forefront platform, on-premise identities, such as those in Active Directory, work with cloud services. That enables simplified, secure user access to applications, such as Exchange, regardless of where the application is hosted.
Forefront's identity provisioning/de-provisioning and access management empower customers to integrate their investments in Active Directory and existing identities with cloud infrastructure. And, with solutions like Rights Management Services, in the future customers will be able to enforce persistent, identity-based policies around data anywhere it is stored, sent, or accessed - including the cloud.
We are delivering both standalone security services and security technologies within Microsoft’s cloud infrastructure. Forefront Online Security for Exchange is an example of a standalone service solution, providing email security for both on-premise Exchange Server and Exchange Online (and other on-premise messaging systems). Another example is System Center Online Desktop Manager, introduced today and available in beta by the end of the year. It is an integrated security and management tool that will provide desktop management capabilities in the form of an online service.
We are also providing fundamental identity components for Microsoft cloud services, such as the Azure Services Platform. The Microsoft Services Connector, for example, extends identities from on-premises systems to cloud services. The .Net Access Control Service issues and manages identity “claims.” Both are based on “Geneva,” an open platform for simplified user access that works across organization boundaries for on-premise and cloud-based applications. Beta 2 of “Geneva” will be available soon.
I hope this information is helpful. Let us know if you have questions or comments.
Doug
One of the news items we announced with the April 16 introduction of the Business Ready Security strategy was the update/renaming of Exchange Hosted Filtering. The service is now called Forefront Online Security for Exchange (FOSE). It is the first Forefront Online service, providing protection of inbound and outbound email - including Exchange and other solutions - from spam, viruses, phishing and email policy violations. The FOSE service level agreements include five-nines uptime, email delivery in less than 1 minute, 100% protection against known email viruses, capture of 98% of all inbound spam and fewer than 1 in 250k false positives.
FOSE received a lot of press attention with our announcement prior to the RSA Conference, such as this article on CNET.
Below is a diagram of the service.
Hi Forefront community,
My team members on the Forefront Threat Management Gateway project recently posted a great note on how ISP redundancy works in Forefront TMG. For those that don’t know, ISP redundancy is an important feature if you are deploying Forefront TMG as the edge of your network to filter Web traffic. Some companies choose to have multiple network pipes coming into and out of a site to ensure that if one becomes unavailable, there is at least a modicum of network access.
Forefront TMG lets your company take advantage of both pipes securely. First, it provides a failover capability. It can detect if one of the ISP links is unavailable and transfer traffic to the other link. Second, it provides load balancing between the two links. If one link is a faster link, for instance, Forefront TMG can be configured to route more traffic across that ISP link.
The great thing is that the engineers have removed much of the complexity involved in configuring such a solution. I’ve posted a couple of screenshots from Forefront TMG Beta 2 to show how simple it is to configure.
The first step is configuring the basic network settings for each ISP.
After configuring the ISPs, you decide the traffic weight between them.
What this means is that keeping your offices secure and connected becomes even simpler as Forefront TMG comes out. If you’re interested in Forefront TMG Beta 2, you can get more information on this Website.
Bill Jensen
Microsoft has become aware of two interrelated issues affecting a Manual Scan in Forefront Security for SharePoint.
The first issue is a memory leak which occurs when Keyword Filtering is enabled. In all versions of Forefront Security for SharePoint prior to Service Pack 3, whether you have Keyword Lists created or not, you may experience this issue. If, however, you have Forefront Security for SharePoint with Service Pack 3 installed (released 7/1/2009), this issue will only occur if you have Keyword Lists created. If you do not have any Keyword Lists, even if Keyword Filtering is enabled for Manual Scan, you will not experience the leak. Real-time scanning is not affected by this issue.
The second issue may occur as a result of the first. After a period of time the memory leak can cause memory allocations to fail. If these failures occur repeatedly in a specific way, it causes Forefront Security for SharePoint to incorrectly determine a valid document as “exceedingly nested”. Every file that is scanned and determined to be exceedingly nested will be deleted and the contents replaced with standard deletion text.
Microsoft is actively working toward a resolution for these issues. An update will be posted as soon as more information becomes available. In the meantime, we recommend that any customers using Forefront Security for SharePoint who run a Manual Scan disable Keyword Filtering for Manual Scanning (for more information on configuring the Manual Scan job, see "Running the Manual Scan Job" in the FSSP User Guide: http://technet.microsoft.com/en-us/library/bb795164.aspx). This is extremely important, as manual scanning of your entire document library opens the potential of losing the content of any document incorrectly identified as “exceedingly nested”. Please note that, by default, Keyword Filtering is enabled for the Manual Scan job.
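As an added illustration of the failure mode this advisory describes (hypothetical code, not Forefront's own): a toy nested-container scanner that folds allocation failures into its “exceedingly nested” verdict, beside one that keeps resource errors separate so a transient failure never results in a deletion. All names, the depth limit and the sample documents are assumptions.

```python
# Hypothetical illustration, not Forefront code: why a scanner must keep
# "resource failure" distinct from the policy verdict that triggers deletion.
from enum import Enum

MAX_DEPTH = 8  # assumed nesting limit for this illustration


class Verdict(Enum):
    CLEAN = "clean"
    EXCEEDINGLY_NESTED = "exceedingly nested"  # policy verdict: content is deleted
    SCAN_ERROR = "scan error"                  # resource failure: keep file, rescan


class AllocationFailure(Exception):
    """Stands in for a failed memory allocation while unpacking a layer."""


def walk(doc, depth, allocator):
    # Recursively unpack nested containers; each layer needs a buffer.
    if depth > MAX_DEPTH:
        raise RecursionError("nesting limit exceeded")
    allocator()  # may raise AllocationFailure when memory is exhausted
    for child in doc.get("children", []):
        walk(child, depth + 1, allocator)


def scan_conflated(doc, allocator):
    # Before: any exception during the walk becomes the deletion verdict,
    # so an out-of-memory condition deletes a perfectly valid document.
    try:
        walk(doc, 0, allocator)
    except Exception:
        return Verdict.EXCEEDINGLY_NESTED
    return Verdict.CLEAN


def scan_distinguished(doc, allocator):
    # After: only the nesting limit yields the deletion verdict; a resource
    # failure is surfaced as a scan error so the file is retained and retried.
    try:
        walk(doc, 0, allocator)
    except RecursionError:
        return Verdict.EXCEEDINGLY_NESTED
    except AllocationFailure:
        return Verdict.SCAN_ERROR
    return Verdict.CLEAN


def make_doc(depth):
    # Constructed sample: a chain of containers nested `depth` levels deep.
    doc = {}
    for _ in range(depth):
        doc = {"children": [doc]}
    return doc


def healthy_alloc():
    pass  # allocation succeeds


def exhausted_alloc():
    raise AllocationFailure()  # simulates the leak having consumed memory
```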
Today we posted a white paper about the Microsoft antimalware engine strategy and changes beginning December 1, 2009. A summary is below - read the full document for a complete overview.
Forefront server security products - such as Forefront Security for Exchange, Forefront Security for SharePoint and Forefront Security for Office Communications Server - incorporate a multi-engine strategy, using both Microsoft and industry-leading security partner technology to consistently drive high detection rates. They also include an advanced multiple engine manager that allows customers to concurrently configure up to five engines. Using multiple scanning engines delivers several critical advantages:
Tests performed quarterly by the independent AV-Test.org group have shown that the multi-engine set for Forefront security products rates highest in response times for “in the wild” viruses and variants. We have found that having multiple engines consistently provides the highest detection rates against the competition, with an average response time of 3-6 hours for new viruses, versus average response times of more than 2-9 days for competitive single-engine solutions (as noted in recent AV-Test.org data).
In order to further develop stronger technology relationships with our antimalware partners and ensure continued customer value for the longer term, we are standardizing on a set of five antimalware engines moving forward. We are confident that this solution will continue to provide equal or better detection rates and response times than the industry’s other leading solutions.
What does this mean for Microsoft and its customers? The current and next generation of Forefront server security products, including Antigen, will include five antimalware engines as part of an ongoing strategy to maximize and maintain our malware detection advantages, as well as make investments in other areas that will increase overall protection for our customers.
Customers will be able to take advantage of these new enhancements and engine changes after deploying the Antigen and Forefront service packs released on July 1, 2009. These service packs will allow customers to move to the new set of five engines as well as additional engine changes that Microsoft may release after December 1, 2009.