As the Product Unit Manager, I oversaw the design, engineering and release process for the TMG release. Being a long time security professional, I am impressed with how Forefront TMG provides value to the network security marketplace by integrating multiple web security technologies into a single, comprehensive solution. As a secure web gateway, TMG enables safer Internet access for users through comprehensive protection techniques against malware, malicious web sites and vulnerabilities.
Today's information workers, guest users and partners require web access to do their jobs, but web-based threats continue to rise. For example, the recent Microsoft Security Intelligence Report indicated that phishing rose significantly in the first half of 2009, quadrupling in May, and that social networking sites accounted for 76% of all phishing impressions. Protecting both managed and unmanaged user web access and usage is traditionally challenging for security administrators. Many solutions only offer protection for domain-joined, homogeneous desktop environments. TMG helps protect all users, whether managed or unmanaged, regardless of the operating system or browser they use to access the Internet. In addition, multiple products and vendors create high costs and management difficulty through "security sprawl." TMG is designed to address both the protection challenge and the management and cost challenges faced by enterprise IT professionals as well as small business IT managers.
TMG is a unique release from Microsoft, with a distinct value proposition both for existing ISA 2006 customers and for new customers looking for a secure web gateway (SWG) solution. As a SWG, TMG provides web access and protection by integrating multiple detection technologies, such as URL filtering, anti-malware, and intrusion prevention, into a single, easy-to-manage solution.
As part of the URL filtering solution for TMG, one of the most exciting capabilities of the solution is the integration of Microsoft Reputation Services. MRS is a cloud-based system hosted by Microsoft that maintains a centralized database of in excess of 45 million web domains and billions of web pages, aggregated from multiple sources to identify and block malicious web sites. It utilizes the same technology that helps protect Internet Explorer 8 users against malware and phishing sites. The TMG/ISA blog provides a great overview of TMG and its URL filtering capabilities.
The second advanced capability of TMG is the Microsoft anti-malware engine integration. Detecting, cleaning and/or blocking malware at the edge significantly decreases the possibility that malware, Trojans or viruses will reduce end-user productivity and create risk for the enterprise. TMG integrates the Microsoft anti-malware engine to provide excellent scanning and blocking capability at the network edge, enabling productivity without compromising security.
The third pillar of the new TMG solution for advanced web access and protection is the Forefront Network Inspection System (NIS). NIS is a generic, application-protocol-decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection against Microsoft network vulnerabilities. It was researched and developed by the Microsoft Malware Protection Center through the NIS Response Team, together with an operational signature distribution channel that enables dynamic distribution of signature snapshots. The unique value proposition of NIS is how it helps close the vulnerability window between vulnerability disclosure and patch deployment from weeks to a few hours. This gives IT professionals flexibility, as well as peace of mind about their environment, that may not have existed previously.
Last, but not least, TMG is built upon the proven Windows Server 2008 and Windows Server 2008 R2 platforms as a native 64-bit application firewall, providing not only enhanced security and reliability, but a hardened platform with network protection at the edge. Alongside each of these advanced defense-in-depth technologies, TMG also introduces HTTPS (SSL/TLS) scanning to enable inspection of encrypted sessions, eases deployment and management with a set of easy-to-use wizards, and offers significantly improved logging and reporting. These provide full visibility into how users are accessing the web and whether those users are compliant with local security policies.
This is an exciting announcement and development for the network security community. For more details, check out my TechNet interview on TMG. Based on the overwhelmingly positive community response and feedback through the extensive beta cycle of TMG, I encourage anyone in the community needing a solution to help protect and enable secure web access for users to download Forefront TMG 2010 today and try it out!
David B. Cross, Product Unit Manager
Many great things have happened this year with the Forefront team, so we'd like to have a quick recap in case you missed any of it. Overall, Forefront helps companies save money by improving security, increasing productivity, and reducing their costs. Below is the list of products that have been released, with a short description of what each does to help achieve these goals.
Newly Released Products in 2009:
Products which will release in 2010, but had pre-release versions in 2009:
Some Customer Highlights:
Read more Forefront customer highlights
Since I'll be coming here regularly, it seems fitting to share with you a bit about my background and what my plans are for this blog.
I've spent a long time in the security industry. In the early nineties I co-founded an endpoint-to-endpoint VPN company. CA bought it, and I stayed on as their security architect for eight years. Then I came to Microsoft two years ago, and I'm currently an architect in the Identity and Security Division. I spend most of my time thinking about our next wave of Forefront security management products, our protection technologies, and how Microsoft can do its part to help transform the security industry.
Transform's a big word. And it's not really very precise, so I need to elaborate a bit.
I believe we expect our customers to think and know too much about security. Whether our customers are consumers, information workers, IT professionals, risk officers, or security experts, we ask them to make limited-context security decisions; to understand the current threats and attacks on their identities, information, and infrastructure; to know the security ramifications of each action they take; and to use the tools we provide to build their own safe and secure environments.
Basically, the security industry builds products that work best when they are consumed by security experts. Which isn't bad, because security experts need tools to do their jobs, and because most security capabilities aren't operationalized to the point where it's easy to hand the reins over to non-experts.
But there aren't enough security experts in the world to go around. Experts are under incredibly high cost, compliance, and complexity pressures. And, frankly, most of the security experts I know wish we'd hurry up and operationalize larger chunks of security so they can enlist others to get the job done.
When we buy a car, security comes built-in. The seat belts, air bags, alarm system, even tracking systems are part of the car's infrastructure. True, there's an aftermarket for advanced security features if we want bulletproof windshields or five point harnesses, but by and large, the security we get with our cars (a) doesn't require us to be security experts, and (b) meets most of our needs.
More importantly, when we buy a car, security usually isn't top of mind. We're buying the car to be productive. Or efficient. Or maybe even noticeable. Yes, we want security baked into the car, and it's a consideration as we make our choice, but unless we're buying a presidential limo or an armored truck, it won't be the driving factor.
My own personal vision of a utopian IT world has almost no standalone security products in it. Security services come inside applications and as part of the IT dial tone, and what little is exposed is consumable by non-experts. This is the world I see when I close my eyes, sit back, and dream of how Microsoft can help make the world a safer place.
To transform the security industry, we need to do two things: operationalize more and more of security, and bake it deeper into our applications. We'll need to ship more expertise, such as best practices and automatic responses, and we'll need to shift the security story to one about risk management. This will be quite a challenge, and we sure don't have all the answers yet, but this is going to be the main thrust of what I'll be blogging about.
I hope that this blog turns into a dialog. Please feel free to leave comments, questions, and criticisms. Let's work together and nail this transformation!