As the Product Unit Manager, I oversaw the
design, engineering and release process for the TMG release. Being a long time security
professional, I am impressed with how Forefront TMG provides value to the
network security marketplace by integrating multiple web security technologies
into a single, comprehensive solution. As a secure web gateway, TMG enables safer
Internet access for users through comprehensive protection techniques against
malware, malicious web sites and vulnerabilities.
Today's information workers, guest users and
partners require web access to do their jobs, but web-based threats continue to
rise. For example, the recent Microsoft Security Intelligence Report
indicated that phishing rose significantly in the first half of 2009,
quadrupling in May, and that social networking sites accounted for 76% of all
phishing impressions. Protecting both managed and unmanaged user web
access and usage is traditionally challenging for security administrators. Many solutions only offer protection
for domain-joined, homogenous desktop environments. TMG helps protect all users, whether they are managed or
unmanaged, regardless of the operating system or browser they are using to access the Internet.
In addition, multiple products and vendors create high costs and management
difficulty through "security sprawl." TMG is designed to address both the
protection as well as the management and costs challenges faced by enterprise
IT professionals, as well as small business IT managers.
TMG is a unique release from Microsoft with a
unique value proposition to both existing ISA 2006 customers and new
customers looking for a SWG solution. As a SWG, TMG provides web access
and protection by integrating multiple detection technologies such as URL
filtering, Anti Malware, and intrusion prevention into a single, easy-to-manage
As part of the URL filtering solution for
TMG, one of the most exciting capabilities of the solution is the integration
of Microsoft Reputation Services. MRS is a cloud-based system hosted by
Microsoft that maintains a centralized database of in excess of 45 million web
domains and billions of web pages, aggregated from multiple sources to identify
and block malicious web sites. It utilizes the same technology that helps
protect Internet Explorer 8 users against malware and phishing sites. The
TMG/ISA blog provides a great
overview of TMG and its URL filtering capabilities.
A second advanced capability of TMG is the Microsoft anti-malware engine
integration. Detecting, cleaning and/or blocking malware at the edge
significantly decreases the possibility that malware, Trojans or viruses will
decrease productivity of end users and create risk for the enterprise. TMG has
integrated the Microsoft Anti Malware engine to provide excellent scanning and blocking capability
at the network edge to enable productivity without compromising security.
The third pillar of the new TMG solution for advanced web access and protection is
the Forefront Network Inspection System (NIS). NIS is a generic
application protocol decode-based traffic inspection system that uses
signatures of known vulnerabilities to detect and potentially block attacks on
network resources. NIS provides comprehensive protection for Microsoft network
vulnerabilities. It was researched
and developed by the Microsoft Malware Protection Center
through the NIS Response Team, together with an operational signature distribution
channel that enables dynamic signature snapshot distribution. The unique value
proposition of NIS is how it helps to close the vulnerability window between
vulnerability disclosure and patch deployment from weeks to a few hours. This
gives IT professionals a flexibility, and a peace of mind about their
environment, that may not have existed previously.
Last, but not least, TMG is built upon the
proven Windows Server 2008 and Server 2008 R2 platforms as a native 64-bit
application firewall, providing not only enhanced security and reliability, but
a hardened platform with network protection at the edge. Alongside each of these
advanced defense-in-depth technologies, TMG also introduces HTTPS (SSL/TLS)
scanning to enable inspection of encrypted sessions, easing deployment and
management with a set of easy to use wizards and significantly improved logging
and reporting. These provide full visibility into how users are accessing the
web and whether those users are compliant with local security policies.
This is an exciting announcement and
development for the network security community. For more details, check
out my TechNet interview on TMG.
Based on the overwhelmingly positive community response and feedback through the
extensive beta cycle of TMG, I encourage anyone in the community who needs a solution to
help protect and enable secure web access for users to download Forefront TMG 2010 today
and try it out!
David B. Cross, Product Unit Manager
Many great things have happened this year with the Forefront team, so we’d
like to have a quick recap in case you missed any of it. Overall, Forefront
helps companies save money through improving security, increasing productivity,
and reducing their costs. Below is the list of products which have been
released, with a short description of what each does to help achieve these goals.
Newly Released Products in 2009:
Products which will release in 2010, but had pre-release versions in
Some Customer Highlights:
more Forefront customer highlights
Since I'll be coming here regularly, it seems fitting to share with you a bit about my background and what my plans are for this blog.
I've spent a long time in the security industry. In the early nineties I co-founded an endpoint-to-endpoint VPN company. CA bought it, and I stayed on as their security architect for eight years. Then I came to Microsoft two years ago, and I'm currently an architect in the Identity and Security Division. I spend most of my time thinking about our next wave of Forefront security management products, our protection technologies, and how Microsoft can do its part to help transform the security industry.
Transform's a big word. And it's not really very precise, so I need to elaborate a bit.
I believe we expect our customers to think and know too much about security. Whether our customers are consumers, information workers, IT professionals, risk officers, or security experts, we ask them to make limited-context security decisions; to understand the current threats and attacks on their identities, information, and infrastructure; to know the security ramifications of each action they take; and to use the tools we provide to build their own safe and secure environments.
Basically, the security industry builds products that work best when they are consumed by security experts. Which isn't bad, because security experts need tools to do their jobs, and because most security capabilities aren't operationalized to the point where it's easy to hand the reins over to non-experts.
But there aren't enough security experts in the world to go around. Experts are under incredibly high cost, compliance, and complexity pressures. And, frankly, most of the security experts I know wish we'd hurry up and operationalize larger chunks of security so they can enlist others to get the job done.
When we buy a car, security comes built-in. The seat belts, air bags, alarm system, even tracking systems are part of the car's infrastructure. True, there's an aftermarket for advanced security features if we want bulletproof windshields or five-point harnesses, but by and large, the security we get with our cars (a) doesn't require us to be security experts, and (b) meets most of our needs.
More importantly, when we buy a car, security usually isn't top of mind. We're buying the car to be productive. Or efficient. Or maybe even noticeable. Yes, we want security baked into the car, and it's a consideration as we make our choice, but unless we're buying a presidential limo or an armored truck, it won't be the driving factor.
My own personal vision of a utopian IT world has almost no standalone security products in it. Security services come inside applications and as part of the IT dial tone, and what little is exposed is consumable by non-experts. This is the world I see when I close my eyes, sit back, and dream of how Microsoft can help make the world a safer place.
To transform the security industry, we need to do two things: operationalize more and more of security, and bake it deeper into our applications. We'll need to ship more expertise like best practices and automatic responses, and we'll need to shift the security story to one about risk management. This will be quite a challenge, and we sure don't have all the answers yet, but this is going to be the main thrust of what I'll be blogging about.
I hope that this blog turns into a dialog. Please feel free to leave comments, questions, and criticisms. Let's work together and nail this transformation!