
Microsoft & Security (2 of 3)

In my last instalment in this series, I covered off the differences between the perceptions and the reality with regard to Microsoft and Security. As promised, this week's article is a joint effort from both myself and my colleague, Jordi Munoz-Royo (who is our Security Business Development Manager). If you've not met Jordi, he's a Spaniard (well, he's from Barcelona - so he's Catalonian), living in London and working in Ireland. A 'Security Business Development Manager' implies that we have a 'security business', which in turn implies that we have products that we sell - we do, and that's what we'll be covering in this article (Forefront for the Client, the Server and the Edge, and Exchange Hosted Services).

If you look at any of the reports that examine the top IT priorities for organisations, you'll see that security scores very highly in all of them. It is a priority because of the potential damage a bad security strategy can cause. It is a complex area that requires dedication and a lot of effort.

Anytime I've been in a customer meeting with Jordi, he always asks a similar question to get the conversation started: 'How secure are you today?' He never gets a straight answer - not because it's a trick question, simply because it's a very hard question to respond to. There are so many different security products being used nowadays, that it is simply impossible to respond quickly without having to poll five or six different systems, all of which are necessary, but none of which are interconnected. The proxies, the AV for the mail store, the AV for the gateway, antispam, client AV, front-end and back-end firewall... any one of these could go wrong (and leave you at risk). Microsoft decided to enter the security space because we felt that we had a good chance to simplify the administration of this clutter.

You can tell Jordi is in a sales role, as he has the ability to explain detailed technical concepts to non-technical people. He was explaining that times have moved on, with regard to security, and that the risks we face today are nothing like the risks of a decade or so ago and that because of this Microsoft cannot afford to leave security as an afterthought. This is his analogy:

Cars are no longer sold without seat belts or airbags; they are fitted as standard by the manufacturer. In the same way that it took the car makers themselves to improve the overall safety of driving, we felt that it would take Microsoft to increase the overall security of our own operating system, mail servers, portals, etc. Security is not something to be 'retrofitted'.

Microsoft's objective then is to allow our customers to protect any Microsoft product with Microsoft technology. The result is greater security, more stability and a broader single security platform encompassing many areas, where in the past you would have needed multiple systems.

When you think about the usual required security products, you can classify them in two ways: 'vertical' and 'horizontal'. Vertically, you have the different 'layers' of security, starting with the edge or perimeter, going through the application servers and finishing on the client. These are the three main layers where most organisations will choose to install security products. It is important to highlight that while in the past the emphasis was put on creating a very strong perimeter, the fact that many attacks nowadays originate from within means that the focus is shifting towards the middle layer. Protecting your back-office servers is extremely important, as you can no longer assume that good edge protection will keep them safe.

The fact that within a single layer you have different security needs gives you the 'horizontal' spread. At the edge, for example, you may have protection for the SMTP mail servers, the proxy server (to control how users navigate the Internet), the firewall, etc. On the server tier, you probably want to run AV on your email server, on your file/shares, on your intranet sites, etc.

Microsoft's portfolio of security products spans vertically from the cloud to the client, and horizontally from Exchange to your instant messaging server and from your firewall to your proxy.

Most of the products involved in that mix start with the word 'Forefront' (and those that don't use it today will do in their next release). Forefront is a brand (not a specific product) that means Microsoft corporate security, in the same way Microsoft Office means corporate productivity. One single brand with coverage across the vertical and horizontal segments we talked about. Here's a summary of our products, organised vertically:

Cloud: Exchange Hosted Services (hosted antivirus and antispam for email)

Edge: ISA Server (firewall, reverse and forward proxy and VPN server), Intelligent Application Gateway (SSL VPN server), Forefront Security for Exchange (SMTP AV/antispam)

Server: Forefront Security for Exchange (email AV and policy enforcement), Forefront Security for SharePoint (document AV and policy enforcement), Forefront Security for Office Communications Server (chat monitoring and AV), Rights Management Services (document rights control)

Client: Forefront Client Security (antimalware for client and server operating systems: rootkits, viruses, worms, trojans, etc.)

Traditionally, it was accepted as a best practice that you had to use more than one vendor in your security product mix. The reason for using more than one vendor is 'fault-tolerance': if you were using vendor A on your SMTP gateway and vendor B on your email server, it would take a problem in both A and B before infected emails reached your users, and more still if you had vendor C scanning on the client. The benefits are clear, but dealing with A, B and C means that you end up with (at least) three licensing contracts, three support desks to call, three technologies to maintain and learn, etc. Trusting a single vendor like Microsoft seems to resolve the management issues, but what happens to the principle of 'fault-tolerance', or 'all eggs in one basket'?

Forefront Security for Exchange (FSE) is based on a multiple-scanning-engine approach (Jordi's analogy is that of a deep sea diver, who has two of everything - a single failure should not mean that you drown). When you install FSE in your environment, underneath the management console you are installing up to nine different scanning engines, built by the likes of Kaspersky, Sophos, Computer Associates, etc. (all of which you could buy separately as stand-alone products), plus others. When an email comes in, you can configure the product to scan it with all the available engines. That means you may decide that an email will only make it to an inbox after five successful scans by five different vendors' engines.
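The 'fault-tolerance' argument from the two paragraphs above is really a policy question: how are several engines' verdicts combined into one delivery decision, and what happens when an engine fails? The following is an added example written for this page, not Forefront's own code; the engine names, the sample engines (two of which are deliberately broken), and the rule of holding a message when too few engines complete are all assumptions. The one real constant is the EICAR anti-virus test string, which every engine is expected to detect.

```python
# Added example: combining several scanning engines' verdicts into one
# decision. Illustrative only; not Forefront Security for Exchange code.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    ERROR = "error"  # engine crashed, timed out, or could not load signatures


@dataclass(frozen=True)
class EngineResult:
    engine: str
    verdict: Verdict
    detail: str = ""


@dataclass(frozen=True)
class Decision:
    action: str  # "deliver", "block" or "hold"
    reason: str
    clean_scans: int
    detections: Tuple[str, ...]


# An engine is any callable returning True when the content is malicious.
Engine = Callable[[bytes], bool]


def run_engines(content: bytes, engines: Dict[str, Engine]) -> List[EngineResult]:
    """Scan with every engine; an exception becomes ERROR, never a silent CLEAN."""
    results = []
    for name, engine in engines.items():
        try:
            hit = engine(content)
            results.append(EngineResult(name, Verdict.INFECTED if hit else Verdict.CLEAN))
        except Exception as exc:  # one engine failing must not take the scanner down
            results.append(EngineResult(name, Verdict.ERROR, repr(exc)))
    return results


def decide(results: List[EngineResult], required_clean: int) -> Decision:
    """Deliver only after `required_clean` independent engines returned CLEAN.

    Any detection blocks. Errored engines do not count as clean (fail closed):
    losing one engine out of many is tolerated, but if too few complete, the
    message is held for a retry rather than delivered effectively unscanned.
    """
    detections = tuple(r.engine for r in results if r.verdict is Verdict.INFECTED)
    clean = sum(1 for r in results if r.verdict is Verdict.CLEAN)
    if detections:
        return Decision("block", "detected by " + ", ".join(detections), clean, detections)
    if clean < required_clean:
        errored = [r.engine for r in results if r.verdict is Verdict.ERROR]
        return Decision("hold", f"{clean} clean scans, need {required_clean}; "
                                f"engines in error: {errored}", clean, ())
    return Decision("deliver", f"{clean} clean scans", clean, ())


def decide_fail_open(results: List[EngineResult], required_clean: int) -> Decision:
    """The weak variant, shown only for contrast: an engine ERROR is treated as CLEAN,
    so a broken engine quietly counts towards the delivery threshold."""
    relaxed = [EngineResult(r.engine, Verdict.CLEAN if r.verdict is Verdict.ERROR else r.verdict, r.detail)
               for r in results]
    return decide(relaxed, required_clean)


# Constructed sample engines. EICAR is the standard harmless AV test string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _signature_engine(signatures: List[bytes]) -> Engine:
    return lambda content: any(sig in content for sig in signatures)


def _broken_engine(content: bytes) -> bool:
    raise RuntimeError("signature database failed to load")


def _timeout_engine(content: bytes) -> bool:
    raise TimeoutError("scan exceeded 30s")


ENGINES: Dict[str, Engine] = {
    "vendor_a": _signature_engine([EICAR]),
    "vendor_b": _signature_engine([EICAR, b"MZ\x90\x00"]),  # also flags a PE header in the body
    "vendor_c": _signature_engine([b".exe\r\n"]),            # hypothetical heuristic, misses EICAR
    "vendor_d": _broken_engine,
    "vendor_e": _timeout_engine,
}


def scan(content: bytes, required_clean: int = 3, engines: Dict[str, Engine] = ENGINES) -> Decision:
    return decide(run_engines(content, engines), required_clean)


if __name__ == "__main__":
    print(scan(b"Subject: lunch\r\n\r\nSee you at 12.", required_clean=3))  # deliver
    print(scan(EICAR, required_clean=3))                                  # block (a and b)
    print(scan(b"hello", required_clean=4))                               # hold: only 3 engines work
```

With five engines configured and two of them broken, a threshold of three clean scans still delivers ordinary mail and still blocks the test string that two working engines recognise; a threshold of four holds the message instead, which is the behaviour you want when the redundancy has been used up. The `decide_fail_open` variant delivers that same message, which is exactly how a quietly failing engine turns into an unmonitored gap.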

Exchange Hosted Services (EHS), Microsoft's hosted email filtering product, also uses the principle of multiple scanning engines (in this case Symantec, Trend Micro, Kaspersky and Sophos). Despite its name, EHS doesn't require you to be running Exchange as your email server; it acts as a transparent SMTP filter in front of whatever you run. Its main objective is to stop spam before it ever hits your environment (Jordi's analogy is the water supply: do you want clean or dirty water coming out of your tap? EHS is the water purification system). Trinity College Dublin is one of the biggest users of EHS in Ireland. In its first 20 days of operation, of the 12.1 million emails sent to the tcd.ie domain, EHS blocked 11.1 million (roughly 92%). EHS comes with a number of SLAs, including 100% known virus detection, 95% spam effectiveness and no more than one false positive per 250,000 emails (about one email every 19 years for the average user). If we send you a single known virus, you get your money back!

Some organisations only want tested, proven solutions. They will never buy a version-one product. With Microsoft Forefront they don't have to. Most Forefront products are an evolution of products we acquired from other vendors (the Antigen family). Under the covers, we are running version ten. Forefront is a new name that has a proven track record.

Similarly, Exchange Hosted Services is a new incarnation of an older product from FrontBridge Technologies, which had been providing filtering services for over five years with a track record of zero seconds of interruption.

The bottom line is that Microsoft has entered the security space, and is very serious about it. Some organisations will choose to deploy Forefront products across their entire business; some will start in one particular area and extend over time. Whichever the case, you now have the option of a complete, easy-to-manage security solution, without sacrificing the principles of 'defence-in-depth' or 'fault-tolerance'.

That's all for this week. In the next article, we will cover off some technical detail of ISA Server and IAG (among other things).
Dave and Jordi

Published Monday, April 30, 2007 11:04 AM by daven