RSA Europe 2013: Operational Security for Online Services

By Mike Reavey, General Manager, Trustworthy Computing

Today, at the RSA Conference Europe in Amsterdam, I gave a presentation on an important update to Microsoft’s security efforts – Operational Security Assurance (OSA). The design of a secure operations methodology is part of our ongoing commitment to enable trustworthy computing in all aspects of our online services, and OSA represents the next evolution of these efforts.

Since 2004, the Microsoft Security Development Lifecycle (SDL) has helped developers to build more secure software from the ground up. But the job doesn’t end there. Attacks do not necessarily target weaknesses in software. Some attacks are operational in nature, while others, like the Flame malware, target both software vulnerabilities and operational weaknesses. Defending cloud services against network attacks requires both strong development practices, like SDL, and a strong operational security regime. The following list includes a number of ways that OSA adds considerable value to the focus on infrastructure issues and operational security:

• Use of a proven methodology for verification and continuous improvement that was first established with the SDL and is closely tied to Microsoft Security Response Center (MSRC) incident response processes.
• Support of Microsoft internal security policies that align with standards such as NIST 800-53, ISO 27001, and other related industry guidance that applies to a broad range of cloud services. It also reflects Microsoft experience in the secure operation of online services.
• Helps to protect against Internet-based external threats.
• OSA is designed to better discover attacks as a way to inform future security improvements.
• OSA prescribes key security controls that Microsoft has seen to be effective in mitigating known attacks and previously unknown vulnerabilities.
• Decades of Microsoft experience operating cloud services at scale.
• Integration with the SDL, so that changes in operations can result in changes to the development of software used in operations and vice-versa. More importantly, OSA creates a feedback cycle that Microsoft can use to update its operational processes more rapidly than a typical policy cadence can support.
• Repeatable practices and methodology that are used to actively and continuously update services to improve security and resolve incidents as quickly as possible.

As Microsoft has begun the transformation to a devices and services company, I’ve recently focused more of my time on the security of online services. This was a natural transition for me, after a long tenure heading the Microsoft Security Response Center (MSRC) and leading the Program Management team focused on proactive application of SDL in our products and services. Over my ten years at the MSRC, I’ve had the pleasure of working with amazing people, and experienced and learned many things about the practical application of security principles at scale. This included the introduction of “Patch Tuesday”, the addition of the Exploitability Index, and seriously fun activities focused on our most talented security researchers, like the BlueHat Challenge and BlueHat Bounties. Along the way, I’ve worked through some of the more challenging security incidents in the industry.

Among the important lessons I learned is: “never waste a crisis” – embrace and build from the lessons of each incident. OSA honors that strategy.

To learn more about OSA, I encourage you to check out a new white paper, called Operational security for online services overview. This paper provides additional insight into how Microsoft approaches OSA.