The World's Biggest Bullseye
A talk with the man responsible for securing Microsoft's internal network.
Imagine having the world's biggest bullseye on your back. That would fairly
describe Pete Boden, director of information security for Microsoft's IT department.
He's the guy responsible for making sure Microsoft's internal network is secure
from the hackers and crackers for whom breaking into Microsoft is the ultimate
status symbol. I wanted to find out from Boden what it was like to work in such
an environment. His answers were revealing.
Q: What are the biggest security issues facing Microsoft IT?
A: The biggest challenges we have is keeping pace with the business. Our business
is rapidly changing. Our business model has changed through globalization. A
major stress on IT is to provide a level of service around the world, including
Another area of concern is the distribution of intellectual property on our
internal network. As we work with partners and vendors, our network expands
and expands. It puts stress on the user base. And intellectual property moves
around. For example, marketing product plans and other confidential data we're
trying to protect.
We've also put a lot of resources focused on pushing our security boundary
to hosts that sit on our network. We're very diligent on software updating,
and patch quickly and thoroughly. We spend the majority of our effort maintaining
the health of our network.
Q: What was the last major security crisis you faced?
A: We had a public network incident in October 2000, and that was the impetus
of a lot of security work. It was a crisis at the time, and helped us crystallize
the trustworthy computing initiative. It was a network intrusion that didn't
involve any intellectual property, just access to the network environment by
a single individual.
Q: How many infiltration attempts do you see in a typical day?
A: It's literally thousands. It's a massive number. A lot of it is traffic
we block through firewall rules and intrusion detection. We do a lot of scanning
and probing, a lot of analysis. About 5 percent of the total traffic is deliberate
attempts to intrude on the network. A lot is automated traffic, script kiddie-type
Q: How sophisticated are most of the attacks?
A: I compare it to the millions of people playing basketball around the world,
but only 300 play in the NBA. Very few [attackers] are creative and have malicious
intent and are skilled at that level and can execute sophisticated attacks.
We have an internal attack and penetration team, white-hat hackers whose full-time
job is to try and hack into the network. We allow them a lot of latitude to
be creative. There are five working today.
Q: What do you use for patch management?
A: We use WSUS [Windows Server Update Services] in some smaller environments,
but predominantly we use SMS 2003. We push out all security updates, typically
on two-week timeframe, but we can lower the timeframe to 48 hours and push out
via SMS. Client machines have a deadline, and can be forced [to patch and update
Q: Do you use biometric authentication? If so, what kind?
A: We use smart cards for three purposes: Remote authentication through a VPN
for vendors or other outsiders; anybody with elevated access, like domain administrators,
have to authentication whether they're local or remote; and to get access to
a high-security line of business applications, like those who have access to
source code. We went with smart cards, and they have been deployed about two
years now. We've looked at biometric authentication, but haven't gone with it.
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.