- Delighting end users with Forefront UAG and DirectAccess
At my first 1-on-1 this year with Lee Nackman, the Identity and Security Division's Corporate Vice President, he asked me how something could possibly work. While on vacation on the east coast Lee had changed his password to Microsoft's corporate network using Outlook Web Access from a family computer. When he returned to his home near Redmond a week later he turned on his laptop and, since he hadn't yet been to the office, thought he would need his old (cached on the laptop) password to login. Lee was trying to recall the old password when he discovered he was able to login using the new password. How, he wondered, had the laptop been able to pick up the new password without having been inside the corporate network? Lee had experienced one of the benefits of DirectAccess being "always on". His Windows 7 laptop had, immediately after boot, established connectivity to the corporate network allowing the use of the new password rather than the old cached password. Not only was Lee delighted, but security was improved by rapid invalidation of the old credentials for accessing his laptop. Lee is one of over 10,000 users inside Microsoft currently enjoying the benefits of DirectAccess deployed using Forefront UAG.
I'm another of the DirectAccess users inside of Microsoft. I used to dread receiving requests to approve expense reports and purchase orders while I was out of the office because of the time and "clunkiness" of using VPN to connect to the corporate network. I admit to it being painful enough that sometimes I made employees wait until I returned to the office to do approvals. With DirectAccess though I approve them as quickly when I'm on the road as I do when I'm in the office. I just click on the approval link in an email and am immediately launched into the appropriate intranet site. There is no need for me to explicitly go run a VPN client and wait to be connected to the corporate network just so I can access the approval site. The experience is so much better that after using DirectAccess for just a short while I knew I could never go back to using a VPN.
What I like about Lee's experience in particular is it really helps demonstrate the core difference between DirectAccess and traditional VPNs. Where a VPN allows the creation of a temporary bridge from a PC outside of the corporate network to corporate resources, DirectAccess effectively keeps PCs that are part of your corporate network (that is, domain-joined machines) on the corporate network even when they aren't physically connected to it. From the standpoint of the administrator, you maintain control over the PC (Group Policy changes, patch management, health monitoring, etc.) anytime it is connected to the Internet anywhere in the world. From the end user standpoint, corporate resources such as Sharepoint sites, intranet sites, and file shares are accessible on the road exactly as they are when sitting in the office. How often does IT have an opportunity to increase control while improving the end user's experience and productivity? These are usually positioned as conflicting goals, but with DirectAccess there is no conflict.
One thing I hope to do in this blog is show that security and identity can be business enablers, rather than a tax a business pays to protect their assets. With DirectAccess, that is easy.
- Introduction to Hal Berenson
Hi, my name is Hal Berenson. I'm a Distinguished Engineer in Microsoft's Identity and Security Division where I lead our central architecture team (a.k.a. "ICA Architecture"). I'm also the General Manager of the Anywhere Access Group, which creates and delivers our Forefront Unified Access Gateway and Forefront Threat Management Gateway products. Those of you who know me from the Microsoft SQL Server world won't find the idea of my being both an architect and general manager all that unusual; for everyone who doesn't know me, let's just say that I still can't decide what I want to be when I grow up.
I earned my first paycheck for writing software in 1972 and have been in the industry full-time since 1975, but I was actually born into it. My father was an IBM Systems Engineer who annoyed my mother by insisting my birth announcement go out on 80-column punch cards. He went on to become VP of IT for a Fortune 50 retailer, leading me to be exposed to computing in the Enterprise at a very early age. For my first act I wrote a program that asked the operator questions on the console of a S/360. Major panic ensued as they had never seen anything on that console other than "mount tape foo on drive 2" before. My first hack. A couple of years later I would go on to show the resident IBM systems programmer just how easy it was to break the security of the then-new TSO environment the shop had installed. At about the same time a couple of friends and I were breaking into the DEC TOPS-10 timesharing service used by our high school, and then were hired to harden it against the constant stream of attacks from clever high school students across the county. So I began my career in security, and in today's vernacular I started out as a Black Hat and moved to being a White Hat. While my career would continue to touch on security from time to time (including serving in the CISO/security engineering/security operations role for a startup) I really set my sights on displacing IBM (or, as my father put it, biting the hand that fed me) as the dominant provider of computers in the Enterprise. That led me to Digital Equipment Corporation and a career focused on Database and Transaction Processing software, a focus I continued when I joined Microsoft in 1994. At DEC I led projects such as DBMS-20 and DEC Rdb. Here at Microsoft I was a developer on Microsoft SQL Server 6.5, Product Unit Manager for SQL Server 7.0's Relational Engine, and General Manager for SQL Server 2000.
I also led Microsoft's corporate technical strategy ("Quests") and an enterprise strategy program for a few years. Along the way I've been involved in storage, office automation systems, systems management, performance analysis and other areas of computing critical to the Enterprise. Last summer I decided to return to the area where my career in computing began and joined the Identity and Security Division.
If one looks back on the SQL Server newsgroups and other forums of the late 90s and early 00s you'll find I was an active participant answering questions, explaining how SQL Server worked, and commenting on the database industry and products as a whole. If blogs had been common at the time I would have undoubtedly had an active one. Now I hope to be a very active blogger in the security and identity space. The Because It’s Everybody’s Business (BIEB) initiative's Forefront Experts blog is the perfect host since it lets me combine my passions for computing in the Enterprise with that of Identity and Security. And that is what Forefront is all about.
Hal
- Forefront Year in Review
Many great things have happened this year with the Forefront team, so we’d like to have a quick recap in case you missed any of it. Overall, Forefront helps companies save money through improving security, increasing productivity, and reducing their costs. Below is the list of products which have been released with a short description of what they do to help achieve these goals.
Newly Released Products in 2009:
- Forefront Security for Office Communication Server (FSOCS): March – Secures your instant messaging traffic from OCS AND from third parties, such as AOL, Live Messenger, etc.
- Forefront Protection 2010 for Exchange Server (FPE) and Forefront Online Protection for Exchange (FOPE): November – Reduce your email SPAM, make your email more secure, and save costs. The key differentiating factors are:
  - Multiple malware protection engines allowing for removal of a single point of failure in Exchange organizations
  - Layered antispam defense with new content filtering engine producing above 99% spam catch rate (based on WestCoast Labs and Virus Bulletin evaluations)
  - Hybrid Model with seamless Forefront Online Protection services integration
  - Ease of monitoring, reporting, and administration via new PowerShell-driven UI
  - Hyper-V support
  - Significant performance improvements in engines Context Switches, CPU utilization, messaging throughput, and memory management
- Threat Management Gateway (TMG): November – Protect your network against zero-day attacks and unmanaged clients with NIS and be more secure and more productive with URL filtering. Protect even non-Microsoft clients with anti-malware inspection on downloads.
- Unified Access Gateway (UAG) released: December – Enable and extend secure remote connectivity into your corporate network. UAG scales Windows Server 2008 R2's DirectAccess.
Products which will release in 2010, but had pre-release versions in 2009:
- Forefront Identity Manager 2010 (FIM) @ Release Candidate 1
- Forefront Endpoint Protection 2010 (FEP) @ Beta 3
- Forefront Protection for SharePoint (FPSP) @ Beta 2
- Forefront Protection Manager (FPM) @ Beta 3
Some Customer Highlights:
- Magnus Bjork, Exchange consultant at Mailmaster.se – always recommends FPE or FOPE to his customers because of the ability to more thoroughly detect malware through multi-engine scanning.
- Edinburgh Napier University – reduced spam by 85 percent and lowered the administrative burden for IT Staff by 93 percent by moving from their old SPAM filtering solution to FOPE.
- PEI Cobb Freed & Partners - “TMG is a perfect tool for us to protect our clients and servers from malware and web based threats, and it doesn’t require the additional IT manpower required by more complex systems. Everything is configurable in an easy to use and understand GUI. We are finding this to be a great security product to use without any of the hassles usually involved.”
Read more Forefront customer highlights
- Introduction to Dennis Batchelder
Since I'll be coming here regularly, it seems fitting to share with you a bit about my background and what my plans are for this blog.
I've spent a long time in the security industry. In the early nineties I co-founded an endpoint-to-endpoint VPN company. CA bought it, and I stayed on as their security architect for eight years. Then I came to Microsoft two years ago, and I'm currently an architect in the Identity and Security Division. I spend most of my time thinking about our next wave of Forefront security management products, our protection technologies, and how Microsoft can do its part to help transform the security industry.
Transform's a big word. And it's not really very precise, so I need to elaborate a bit.
I believe we expect our customers to think and know too much about security. Whether our customers are consumers, information workers, IT professionals, risk officers, or security experts, we ask them to make limited-context security decisions; to understand the current threats and attacks on their identities, information, and infrastructure; to know the security ramifications of each action they take; and to use the tools we provide to build their own safe and secure environments.
Basically, the security industry builds products that work best when they are consumed by security experts. Which isn't bad, because security experts need tools to do their jobs, and because most security capabilities aren't operationalized to the point where it's easy to hand the reins over to non-experts.
But there aren't enough security experts in the world to go around. Experts are under incredibly high cost, compliance, and complexity pressures. And, frankly, most of the security experts I know wish we'd hurry up and operationalize larger chunks of security so they can enlist others to get the job done.
When we buy a car, security comes built-in. The seat belts, air bags, alarm system, even tracking systems are part of the car's infrastructure. True, there's an aftermarket for advanced security features if we want bulletproof windshields or five point harnesses, but by and large, the security we get with our cars (a) doesn't require us to be security experts, and (b) meets most of our needs.
More importantly, when we buy a car, security usually isn't top of mind. We're buying the car to be productive. Or efficient. Or maybe even noticeable. Yes, we want security baked into the car, and it's a consideration as we make our choice, but unless we're buying a presidential limo or an armored truck, it won't be the driving factor.
My own personal vision of a utopian IT world has almost no standalone security products in it. Security services come inside applications and as part of the IT dial tone, and what little is exposed is consumable by non-experts. This is the world I see when I close my eyes, sit back, and dream of how Microsoft can help make the world a safer place.
To transform the security industry, we need to do two things: operationalize more and more of security, and bake it deeper into our applications. We'll need to ship more expertise like best practices and automatic responses, and we'll need to shift the security story to one about risk management. This will be quite a challenge, and we sure don't have all the answers yet, but this is going to be the main thrust of what I'll be blogging about.
I hope that this blog turns into a dialog. Please feel free to leave comments, questions, and criticisms. Let's work together and nail this transformation!
- More Secure Web Access and Protection with Forefront TMG
Today Microsoft is announcing the release of the Forefront Threat Management Gateway (TMG) 2010 product. Forefront TMG 2010 builds on its predecessor, ISA Server 2006, providing all new URL filtering, web antimalware inspection, and intrusion prevention technologies to help protect businesses against the latest web based threats. These technologies are integrated with the core network protection features of ISA 2006 to create a unified, easy-to-manage secure Web gateway (SWG). The evaluation version is available for download already and customers can now buy both Standard Edition and Enterprise edition in three languages as of today.
As the Product Unit Manager, I oversaw the design, engineering and release process for the TMG release. Being a long time security professional, I am impressed with how Forefront TMG provides value to the network security marketplace by integrating multiple web security technologies into a single, comprehensive solution. As a secure web gateway, TMG enables safer Internet access for users through comprehensive protection techniques against malware, malicious web sites and vulnerabilities.
Today's information workers, guest users and partners require web access to do their jobs, but web-based threats continue to rise. For example, the recent Microsoft Security Intelligence Report indicated that phishing rose significantly in the first half of 2009, quadrupling in May, and that social networking sites accounted for 76% of all phishing impressions. Protecting both managed and unmanaged user web access and usage is traditionally challenging for security administrators. Many solutions only offer protection for domain-joined, homogenous desktop environments. TMG helps protect all users whether they are managed or unmanaged, regardless of the operating system or browser they are using to access the Internet. In addition, multiple products and vendors create high costs and management difficulty through "security sprawl." TMG is designed to address both the protection as well as the management and costs challenges faced by enterprise IT professionals, as well as small business IT managers.
TMG is a unique release from Microsoft with a unique value proposition to both existing ISA 2006 customers, as well as new customers looking for a SWG solution. As a SWG, TMG provides web access and protection by integrating multiple detection technologies such as URL filtering, Anti Malware, and intrusion prevention into a single, easy-to-manage solution.
As part of the URL filtering solution for TMG, one of the most exciting capabilities of the solution is the integration of Microsoft Reputation Services. MRS is a cloud-based system hosted by Microsoft that maintains a centralized database of in excess of 45 million web domains and billions of web pages, aggregated from multiple sources to identify and block malicious web sites. It utilizes the same technology that helps protect Internet Explorer 8 users against malware and phishing sites. The TMG/ISA blog provides a great overview of TMG and its URL filtering capabilities.
The second advanced capability of TMG is the Microsoft anti-malware engine integration. Detecting, cleaning and/or blocking malware on the edge significantly decreases the possibility that malware, Trojans or viruses will decrease productivity of end users and create risk for the enterprise. TMG has integrated the Microsoft Anti Malware engine to provide excellent scanning and blocking capability at the network edge to enable productivity without compromising security.
The third pillar of the new TMG solution for advanced web access and protection is the Forefront Network Inspection System (NIS). NIS is a generic application protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities. It was researched and developed by the Microsoft Malware Protection Center through the NIS Response Team, as well as an operational signature distribution channel which enables dynamic signature snapshot distribution. The unique value proposition of NIS is how it helps to close the vulnerability window between vulnerability disclosures and patch deployment from weeks to a few hours. This gives IT professionals the flexibility, as well as the peace of mind in their environment, that may not have existed previously.
Last, but not least, TMG is built upon the proven Windows Server 2008 and Server 2008 R2 platforms as a native 64-bit application firewall, providing not only enhanced security and reliability, but a hardened platform with network protection at the edge. In each of these advanced defense-in-depth technologies, TMG also introduces HTTPS (SSL/TLS) scanning to enable inspection of encrypted sessions, easing deployment and management with a set of easy to use wizards and significantly improved logging and reporting. These provide full visibility into how users are accessing the web and whether those users are compliant with local security policies.
This is an exciting announcement and development for the network security community. For more details, check out my TechNet interview on TMG.
Based on the overwhelmingly positive community response and feedback through the extensive beta cycle of TMG, I encourage the community needing a solution to help protect and enable secure web access for users to download Forefront TMG 2010 today to try it out!
David B. Cross
Product Unit Manager
- Modernize your Web Security
If you're like most companies, you have a solution to block or log employee access to websites. You also might have some form of network intrusion detection system (NIS) to help prevent unwanted attacks. Additionally, your company probably only relies upon the client AV software to detect malware when someone wants to download something from the web. With the release of Forefront Threat Management Gateway (TMG) you can improve upon all of the above situations to "modernize your web security" while reducing your risk and saving money.
TMG was rightfully renamed from ISA server because of all of the new capabilities it brings to the table in addition to the old functionality of ISA. TMG can now filter URLs utilizing a well-known reputation service, block malware from people trying to download files from the web over HTTP or SSL, and prevent zero-day attacks through its own NIS.
What are some of the key reasons why you would want to switch from your existing solution(s) and/or upgrade from ISA 2006?
Reduce your Risk
- TMG protects against zero-day attacks which are compromised through signatures based on the known vulnerabilities in Microsoft products. This adds an extra layer of security for vulnerabilities which come through the web, even if the patches have not been installed on your client machines.
- TMG protects users from downloading malicious files on the web over HTTP or HTTPS through the built-in malware engine. This adds another layer of security over simply relying upon the client AV to provide protection.
- TMG protects non-Microsoft and unmanaged clients because all traffic which goes through TMG is protected via the AV scanning, URL filtering, and NIS – regardless of the browser, operating system, or whether or not it is joined to a domain or managed.
Save Money
- TMG reduces licensing costs by being able to pay only one company for NIS/URL Filtering/AV scanning instead of each of them separately. Also if you have certain licensing agreements with Microsoft, some of this functionality comes at no extra cost.
- TMG eases administration because instead of having to go to multiple servers and consoles for things like URL filtering, Malware scanning, and Network Intrusion, it’s all in one place. This frees up time of administrators, hence saving money.
- TMG reduces money spent on network bandwidth by working well with the Branch Cache functionality in Windows Server 2008 R2 and also caching website traffic.
For additional information, you can watch this video interview I had with David Cross:
- Reduce Email SPAM, Bacon, and Cost$
Today we tend to take it for granted that somehow SPAM email is being blocked inside our company. You probably still get some SPAM messages but to an extent, your current solution seems to do its job. So, why do anything different? Here are some reasons why you might consider change and how Forefront Protection 2010 for Exchange (FPE) helps:
Reduced Carbon Footprint – occurs when you get rid of a piece of SPAM email as early as possible, hence decreasing the utilization of the machine’s resources freeing it up to do other things or process more mail. This in turn might help to reduce the number of servers required in your organization. FPE has a significant enhancement over Forefront Security for Exchange and competitor solutions as it has a dynamic DNS block list (DNSBL). The block list is continually updated automatically which enables SPAM to be rejected early on in the process. The ideal situation is to also have it blocked in the cloud before it gets to your organization, but each step counts even blocking spam within your organization. Microsoft’s cloud spam solution is our Forefront Online Protection for Exchange (FOPE) which can also work in conjunction with FPE.
Less email Administrator time required – FPE has been designed with a “set it and forget it” mindset for an administrator in regards to SPAM. The DNSBL and Cloudmark content filtering engines are automatically updated, unlike other competitor solutions.
User productivity – gains are seen when a user doesn’t have to spend time deleting SPAM or hopefully not, clicking on links inside of SPAM. FPE offers numerous features and functionality to remove 99% of all spam which comes into your organization.
Better Security – would happen if a user never gets spam mail to prevent clicking on potentially malicious links inside spam email. The less spam a user gets, the less chance there is for a potential security threat.
To see what I mean about how FPE can reduce your bacon, you’ll find this towards the end of the video. View the original post for this video to get a breakdown for a list of what topics are being covered at what time.
To learn more about how FPE and Forefront Online Protection for Exchange (FOPE) work with Exchange 2010 for protection of SPAM and anti-virus, including further stats, check out this video with PM Mike Chan.
- Better Decisions with Secure Messaging
Many organizations are faced with making decisions on how to keep their communications secure. Some of these decisions are how do I keep from receiving spam or how do I make sure my sensitive company information doesn't leak? Microsoft's secure messaging solution helps make these decisions easier in large part due to the nature of bringing protection capabilities from multiple products together. For instance, Active Directory Rights Management Services (ADRMS) works with Exchange 2010 and Forefront Protection 2010 for Exchange (FPE) to ensure confidential messages automatically get protected with ADRMS and eliminate potential SPAM and viruses.
The following video explains more about the secure messaging solution and demonstrates the technologies.
You can download or comment on this video at: http://edge.technet.com/Media/Forefront-Secure-Messaging-screencast-and-interview/
- Improving both Communication and Collaboration Through Direct Access
When I talk to CIOs, CSOs or even IT professionals today, there is a consistent theme in every conversation: the ever increasing mobility of today's workforce. What are the implications to IT when it comes to mobility? It essentially breaks down to remote access from any device from anywhere or very simply "anywhere access". With anywhere access, there are two pillars that must be achieved: security and connectivity. Both are equally important and paramount in the mind of every CSO or IT professional. For many years, we have seen numerous technologies take center stage to help accelerate connectivity or ease the pain in getting access to the data and applications we need to be productive when on the road or even working from a thin device. These include, but are not limited to Remote Access Servers, Virtual Private Networks, web based portals and even hosted services. Technologies such as SSL VPNs and single sign on portals have eased some of the pain, but still the collaboration and ease of communication is not seamless.
Windows 7 and Windows Server 2008 R2 change the game with how we communicate and collaborate when travelling, working remotely or needing to collaborate from home. It changes the game through a technology known as DirectAccess. More specifically, DirectAccess is a new feature in the Windows 7 client and the Windows Server 2008 R2 operating systems that enables users to be seamlessly connected to their resources, data and applications through the Internet. DirectAccess eliminates the need for cumbersome VPN connections or software to get connected. Collaboration and communication becomes easier than ever before.
You can learn more about the Windows 7 solution through an upcoming TechNet Webcast next month.
Forefront comes into play to help make this even easier and more widely deployable through the Forefront Unified Access Gateway (UAG) product which is built on the Forefront Threat Management Gateway (TMG) platform for protection and firewall capabilities. Both products build upon the DirectAccess technology built into Windows 7 and Windows Server 2008 R2 and extend it by providing enterprise management, flexibility and transitional capabilities. In short, UAG enables DirectAccess capabilities to all servers - especially those that are still running or limited to IPv4 addresses. This effectively provides a DirectAccess experience to legacy applications, servers and resources. Now, to provide my personal experience in using the beta internally, it changes the way I do work every day. I have the freedom to work from anywhere with my laptop and smartcard, I can get access to data and applications within seconds. I no longer have to spend time with a VPN connection or worry about unreliable Internet links. I can feel comfortable going to home or traveling on the road as I know I will have access to the resources I need wherever I go.
Forefront and Windows have already made my interaction with colleagues and my team easier than ever before. I predict in the not too distant future it will change the way businesses communicate and collaborate in the future. In my mind, this is what Business Ready Security is all about - productivity without security compromises.
David B. Cross
Product Unit Manager
- Direct Access and UAG Better Together
Direct Access (DA) is a game-changing technology for remote access in your company, removing the need for a VPN altogether. Within Microsoft, we've seen great productivity benefits to end users. We surveyed users from our DA pilot and over 87% saw instant productivity gains, overall resulting in net benefit of ~1 hour each day for users. Furthermore, Microsoft operations is saving costs by things such as not having to convert internet connected sites to dedicated lines. For more information on the business value of DA and Microsoft's implementation, watch the Direct Access MSIT video.
Ok, you know you want to implement the DA functionality which comes with Windows Server 2008 R2 and Windows 7 - but now why would you want to have Unified Access Gateway (UAG) along with it?
As discussed in the video below, here are some of the key reasons you would want to run UAG with DA:
- Access to IPv4 resources - If you have any machines inside your corporate environment which are not capable of running IPv6 or you do not want to put forth the effort to add the IPv6 stack, UAG will enable this scenario to work. This will make the transition to have full access to all of the internal resources quicker and easier.
- Scalability - DA by itself has scaling limitations. UAG works with NLB in Windows, allowing multiple UAG servers working with DA to scale your implementation of DA. Specific numbers for scalability have not been released, but are in the works.
- Central management - there is one console to control an entire array of UAG servers. Furthermore, there is a SCOM management pack for UAG to help keep central management of the product.
To hear more about the business value for UAG with DA and to learn the technical information behind how DA and UAG work, watch this video:
You can also see the breakdown of what is played when by going to the original post on TechNet Edge.
- Understanding Business Needs to Improve Communication and Collaboration
In Forefront, we meet customers and learn their businesses. We learn how they work and we understand their “pain points” to solve not just technology problems, but business problems. Sometimes, it is not just about ensuring security, it is about understanding the underlying needs and challenges of connectivity. In some environments, ISP reliability and quality is far from a given standard that many other places in the world take for granted. This entry is one example where we spent time to really understand our customer’s business and how we took that as our challenge to solve for them.
For example, more and more businesses today rely on their Internet Service Provider's (ISP) link to handle their outside Internet world communications. Sending emails, browsing the web and any other web related actions are essential business infrastructure services that are only available as long as the ISP line is up and running. Accordingly, keeping a stable, available and reliable outside Internet connection is one of the critical tasks on every administrator’s check list.
Forefront TMG provides a new capability called ISP redundancy which basically, enables utilizing not one, but two ISP links for external connectivity, either for traffic load balancing or as a failover backup. Until today, this can either be a time consuming task or an expensive task for most businesses. Monitoring the state of an ISP or all services can be a non-trivial labor intensive or sometimes even impossible activity, especially for smaller businesses. An available solution can certainly be an expensive dedicated hardware device to perform this activity for the administrator. In some cases, the cost of these devices can exceed the entire costs of all other software and hardware infrastructure in a business.
We saw this as an opportunity to save money, time and provide a real solution to customers that either had no alternative or could not afford a solution. This is what we like to do: focus on how to make your business work more effectively or efficiently without having to make compromises. I hope to share more of these examples in the coming months. This one has already become a favorite in the very active ISA Server community.
David B. Cross
Product Unit Manager
- An Introduction on David Tesar
-
I'm no stranger to Microsoft or security. I started at Microsoft over 7 years ago supporting ISA 2000 server, eventually became the global lead for the ISA health check as a Premier Field Engineer, and now in my current role as an IT Pro Technical evangelist focus on the next wave of Forefront products. Most people know these Forefront products by their codename "Stirling", but they are now officially branded the Forefront Protection Suite (FPS). In the coming months you can expect technical posts from me primarily focused on FPS, some of which will include video interviews with the product team. You might notice Unified Access Gateway or UAG (formerly Intelligent Application Gateway or IAG) is not officially part of FPS, but I will also have some content on this product as well.
You can find my personal TechNet blog at http://blogs.technet.com/extreme where I plan on posting up any non-Forefront related posts and all of the videos and posts I've created on TechNet Edge at: http://edge.technet.com/people/extreme.
- My View on IT and Business Efficiency
-
Let’s be honest: 2009 was a year like no other from a global, economic and change perspective. Capital markets have declined, spending is reduced and efficiency is paramount in every business. Information Technology (IT) departments in small, medium and large enterprise businesses are no different. Everyone has been affected and everyone is taking long and hard looks at every business process they have and every dollar that they spend. In years past, when growth and demand were strong, many responded by adding additional labor, additional processes and additional bureaucracy into their computing environments. This cannot and will not continue.
Going forward, we need to have our systems and our computing environments be not only more efficient, but also smarter in how we run our businesses. Business efficiency is about automation. It is about intelligence in decision making. It is also about expertise and trust. If every computing decision, every threat, every piece of malware and every user attack requires the user to understand everything, make the decision themselves and manually solve the problem…we will never improve our business productivity and efficiency. We must build and provide systems that make smart decisions for users, in an automated way and build the trust into the system that enables users to focus on their expertise and their business and not the computing environment.
The computing environment is a tool that enables productivity. This is what Microsoft and Forefront are all about. This is what we strive to achieve and we intend on providing the expertise and building the trust for you to achieve these goals. I am going to share some real inside examples of how Forefront and Microsoft change the game for information technology professionals around the world in the future. Stay tuned, I look forward to driving more on this theme from a technical perspective as we get this blog rolling.
David B. Cross
Product Unit Manager
- Welcome from David Cross: Who I Am and What I Do Around Here
-
I wanted to first introduce myself to the community as an upcoming contributor for the BIEB (Because Its Everyone's Business) blog. My name is David B. Cross and I am currently the Product Unit Manager for the ISA Server and Forefront TMG (Threat Management Gateway) engineering organization. For many of the community who do not know me, I have worked in various security teams and roles throughout the company for almost 12 years. Previous to my current role, I spent 8 years in the Windows Security organization of the company working in several notable areas such as PKI, smartcards and Kerberos authentication. If anyone is interested, Jeff Jones posted an interview with me a few years back. My team and I also maintain a product team blog in which we discuss not only the upcoming TMG release, but also interesting support and technical issues facing the community. I am excited to be participating in the coming days and months to share my perspective and learnings from our customers about how Forefront and the Business Ready Security approach really is unique in the industry and changes the game for many IT professionals around the world.
David B. Cross
Product Unit Manager