2. Microsoft + Open Source Momentum
“Dead and buried: Microsoft's holy war on open-source software”
“Years ago, Microsoft's CEO described open source as a cancer. Times have changed. Just ask 22-year Redmond veteran and open-source proponent Mark Hill.” (Charles Cooper)
“Redmond top man Satya Nadella: 'Microsoft LOVES Linux'” (Neil McAllister)
“Microsoft: the Open Source Company”
“This is not your dad’s Microsoft” (Steven J. Vaughan-Nichols)
“Azure Container Service is different and offers the broadest hint yet that Microsoft wants to build real products with open source, not merely leverage it where it's convenient” (Serdar Yegulalp)
3. 10+ Years of Open Source Involvement
• Docker on Microsoft Azure
• O365 + Moodle integration
4. We’re Reimagining Microsoft
We will empower every person and every organization on the planet to achieve more.
Build the best-in-class platforms and productivity services for the mobile-first, cloud-first world:
• Create more personal computing
• Reinvent productivity & business processes
• Build the intelligent cloud platform
5. Your Infrastructure is a Function of Time
How do you plot your journey to the cloud?
The Landscape of Now!
6. The Microsoft Open Approach
For your journey to the cloud
Empowering customers by enabling choice:
• Freedom to choose
• Freedom to change
• Optimal value
• Vibrant local IT economy
Through cross-platform support, open standards, interoperability, and open source ecosystem engagement
To provide a trusted cloud:
• Secure
• Privacy & control
• Compliance
• Transparent
7. Microsoft Azure is an Open Cloud
We’ve delivered an open, broad, and flexible cloud across the stack:
• Hundreds of community-supported images on VM Depot
• SQL Server
• Web App Gallery: dozens of .NET & PHP CMS and web apps
• One in four VMs on Azure runs Linux today!
13. Target - Exploiting Weak Identities
“The Target hackers broke into the network using a stolen user name and password that had been created for the company servicing their air conditioning systems.”
Brian Krebs (security blogger)
Source: “Cards Stolen in Target Breach Flood Underground Markets,” KrebsOnSecurity.com, December 20, 2013
15. THREAT RESISTANCE (the situation today)
• Increasing password theft
• Poor password practices
• Support infrastructure and costs
• Cumbersome and costly MFA deployment
• Disk encryption optional
• Lacking integrated DLP
• Varying experience on mobile and desktops
• Platform security built from software alone, exposed to bootkits, rootkits, and pass-the-hash
• Code is trusted until it is detected as a threat, which is not realistic against the numerous new threats appearing every day
@yungchou
21. Multi-factor authentication (MFA)
On-premises
• Physical smartcard: requires a reader; user-and-smartcard specific
• Virtual smartcard: company-issued device with a hardware-specific PIN; user-and-device specific
Cloud-centric
• Azure Active Directory: Identity as a Service and 2FA as a Service; user-specific with a designated phone
Windows 10 MDM device enrollment
• Microsoft Passport, with Windows Hello biometrics as the primary factor
• BYOD MDM enrollment
• Device Guard and Credential Guard
24. The Fappening
On August 31, 2014, a collection of almost 500 private pictures of various celebrities, mostly women, many containing nudity, were posted on the imageboard 4chan. The pictures had been taken from the victims’ Apple iCloud accounts.
25. Protecting data with Enterprise Data Protection (EDP)
• Specifying “privileged apps” that can access enterprise data
• Blocking selected apps from accessing enterprise data
• Offering a consistent UX while switching between personal & enterprise apps with enterprise policies in place, without the need to switch environments or sign in again
https://technet.microsoft.com/en-us/library/dn985838%28v=vs.85%29.aspx
26. Protecting data with Enterprise Data Protection (EDP)
• Requires Intune, Configuration Manager, or an MDM solution
• Encrypts enterprise data on employee-owned & corporate-owned devices
• Remotely wipes enterprise data off corporate devices and employee-owned computers without affecting personal data
https://technet.microsoft.com/en-us/library/dn985838%28v=vs.85%29.aspx
28. Windows 10 Enterprise Device Guard
• Restricts the OS to run only code signed by trusted signers
• Defined by your code integrity policy, backed by specific hardware & security configurations
• The OS trusts only apps authorized by your enterprise
How it works:
1. Unified Extensible Firmware Interface (UEFI) 2.3.1 (or later) Secure Boot
• The firmware refuses to load unsigned or untrusted bootloaders, which blocks bootkits and rootkits
• Windows 10 Enterprise loads and starts before anything else can
2. Virtualization-based security isolates core security services (including kernel code integrity) from the rest of the OS, so malware cannot tamper with them even if it runs early in the boot process
3. User Mode Code Integrity (UMCI) ensures only trusted apps/binaries run
4. The TPM provides isolated hardware that helps protect user credentials, certificates, and other secrets
https://technet.microsoft.com/en-us/library/dn986865(v=vs.85).aspx
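The steps above describe the mechanism; the following PowerShell session, added here as an example and not taken from the deck, shows how a Windows 10 Enterprise administrator actually stands Device Guard and Credential Guard up on a reference machine: build a code integrity policy from the installed software with the ConfigCI cmdlets, deploy it in audit mode, then switch on virtualization-based security (VBS), hypervisor-enforced code integrity (HVCI), and Credential Guard through the documented registry values. The directory C:\CIPolicy is a hypothetical choice, and the HVCI registry value is the one documented for Windows 10 version 1511 (later releases moved it under a Scenarios subkey).

```powershell
# Added example (not from the deck): stage a Device Guard code integrity policy
# in audit mode and enable VBS + HVCI + Credential Guard.
# Assumptions: run elevated on Windows 10 Enterprise 1511 on a reference machine
# that has only approved software installed; C:\CIPolicy is a hypothetical path.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$workDir   = 'C:\CIPolicy'
$policyXml = Join-Path $workDir 'DeviceGuardPolicy.xml'
$policyBin = Join-Path $workDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Scan the reference machine. -Level Publisher trusts binaries signed by the
#    publishers found on disk; -Fallback Hash covers unsigned files by hash.
#    -UserPEs includes user-mode binaries so UMCI is enforced, not only kernel mode.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -UserPEs

# 2. Keep rule option 3 ("Enabled:Audit Mode") for the pilot: anything the policy
#    would block is logged as Microsoft-Windows-CodeIntegrity/Operational event
#    3076 instead of being denied. Remove it (Set-RuleOption ... -Option 3 -Delete)
#    only after the audit log has been clean for the whole pilot population.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Compile the XML into the binary form the kernel consumes and install it.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 4. Turn on VBS, the hypervisor-isolated environment that protects the CI policy
#    and LSA secrets. RequirePlatformSecurityFeatures: 1 = Secure Boot required,
#    3 = Secure Boot and DMA protection required.
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord
# HVCI: kernel-mode code integrity enforced from inside VBS (1511 value location)
Set-ItemProperty -Path $dg -Name HypervisorEnforcedCodeIntegrity  -Value 1 -Type DWord

# 5. Credential Guard moves NTLM hashes and Kerberos TGTs into VBS so a local
#    admin cannot dump them for pass-the-hash. LsaCfgFlags 1 = enabled with UEFI
#    lock (cannot be switched off remotely), 2 = enabled without the lock.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord

Write-Host 'Policy staged in audit mode. Reboot, then review CodeIntegrity event 3076 before enforcing.'
```

The UEFI lock in step 5 is the part that matters against pass-the-hash tooling: without it, an attacker who already has local admin can clear the registry value and reboot to get the hashes back in a dumpable LSASS; with it, the setting can only be removed by someone with physical presence at the firmware.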
29. Dangers - - Rootkits, Bootkits
• Firmware/kernel/driver rootkits
• Firmware rootkits overwrite the system’s Basic Input/Output System (BIOS) or UEFI firmware
• Bootkits
• Infect the Master Boot Record (MBR) or bootloader of the system’s OS
• Allow the malicious program to execute before the OS boots, underneath any OS-level defenses
30. Counter Measures
• Secure Boot
• PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders
• Trusted Boot
• Windows checks the integrity of every component of the startup process before loading it
• Early Launch Anti-Malware (ELAM)
• Tests all boot-start drivers before they load and prevents unapproved drivers from loading
• Measured Boot
• The PC’s firmware logs the boot process in the TPM, and Windows can send that log to a trusted server that can objectively assess the PC’s health
31. Prove to me you are healthy
Provable PC Health (PPCH) flow (diagram): before being granted access to important resources, the client presents its Measured Boot integrity data (PPCH) together with its client policy state (AV, firewall, patch state, reported through Intune) as its proof of health; the resource checks the proof and grants access only if it is approved.
Components: Windows, PPCH & Intune
32. THREAT RESISTANCE (with Windows 10)
• Biometrics and strong MFA with Windows Hello and Microsoft Passport
• Enterprise Data Protection (EDP)
• BitLocker automatic drive encryption
• Device Guard
• Credential Guard
• Windows Defender
• Provable PC Health
• Boot integrity and platform integrity with Device Guard, UEFI Secure Boot, Trusted Boot, Measured Boot, and TPM
33. Call to action
• Learn Windows 10 security and “Windows as a Service”
• Microsoft Virtual Academy: http://aka.ms/MVA1
• Inventory the hardware and software of your IT environment
• Microsoft Deployment Toolkit (MDT)
• Assess your business needs for
• Windows Hello and Microsoft Passport
• Device Guard and Credential Guard
34. Call to action
• Roll out UEFI and Secure Boot sooner rather than later
• Plan your next hardware/software refresh accordingly
• x64, UEFI 2.3.1, TPM 2.0, Intel VT-x/AMD-V, Windows 10 Enterprise
• Evaluate Windows 10, Office 365, Enterprise Mobility Suite, and Azure AD
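The inventory step on the previous slide and the hardware list above are easy to script. The PowerShell function below, added here as an example and not taken from the deck, checks one Windows 10 machine against the listed prerequisites (x64, UEFI Secure Boot, TPM 2.0, VT-x/AMD-V, Enterprise SKU) and also reports whether the counter measures from the Device Guard and Counter Measures slides (VBS, HVCI, Credential Guard, the Windows Defender ELAM driver, Measured Boot logs) are actually active, so it serves both as a readiness inventory and as a post-deployment check. Everything it reads comes from cmdlets and WMI classes that ship in Windows 10; the Win32_DeviceGuard codes in the comments are the documented ones. The function name and the output fields are my own choices.

```powershell
# Added example (not from the deck): readiness and verification report for
# Device Guard / Credential Guard on the local Windows 10 machine. Read-only.
# Assumption: run elevated (Get-Tpm and Confirm-SecureBootUEFI need admin).
#Requires -RunAsAdministrator

function Get-PlatformSecurityReport {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmInfo = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; that is itself a
    # finding (no UEFI, so no Secure Boot, so no Device Guard).
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Win32_DeviceGuard (documented codes):
    #   AvailableSecurityProperties: 1 = base virtualization support, 2 = Secure Boot,
    #                                3 = DMA protection
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Windows Defender's ELAM driver is WdBoot; it is a boot-start driver that is
    # unloaded once boot finishes, so check its start mode rather than "Running".
    $elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue

    # Measured Boot writes TCG event logs here after every boot.
    $mbLogs = Get-ChildItem "$env:SystemRoot\Logs\MeasuredBoot" -Filter *.log -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $cs.Name
        Is64Bit           = $os.OSArchitecture -eq '64-bit'
        IsEnterpriseSku   = $os.Caption -match 'Enterprise'
        VirtualizationOK  = [bool]($cs.HypervisorPresent -or ($dg -and 1 -in $dg.AvailableSecurityProperties))
        SecureBootOn      = [bool]$secureBoot
        TpmPresent        = [bool]($tpm -and $tpm.TpmPresent)
        Tpm2              = [bool]($tpmInfo -and $tpmInfo.SpecVersion -like '2.0*')
        VbsRunning        = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardOn = [bool]($dg -and 1 -in $dg.SecurityServicesRunning)
        HvciOn            = [bool]($dg -and 2 -in $dg.SecurityServicesRunning)
        ElamBootStart     = [bool]($elam -and $elam.StartMode -eq 'Boot')
        MeasuredBootLogs  = ($mbLogs | Measure-Object).Count
    }
}

$report = Get-PlatformSecurityReport
$report | Format-List

# The hardware/software refresh targets from the slide; anything false here
# means the machine cannot run Device Guard / Credential Guard at all.
$prereqs = 'Is64Bit', 'IsEnterpriseSku', 'VirtualizationOK', 'SecureBootOn', 'Tpm2'
$missing = $prereqs | Where-Object { -not $report.$_ }
if ($missing) {
    Write-Warning "Not ready for Device Guard/Credential Guard, missing: $($missing -join ', ')"
} else {
    Write-Host 'Hardware prerequisites met.'
    if (-not $report.CredentialGuardOn) { Write-Warning 'Credential Guard is not running.' }
    if (-not $report.HvciOn)            { Write-Warning 'HVCI is not running.' }
}
```

Run it through your remoting or management tooling against the estate (for example Invoke-Command over WinRM) and collect the objects into a CSV; the same output doubles as evidence for the "prove to me you are healthy" conversation, since SecureBootOn, VbsRunning, and MeasuredBootLogs show whether the machine can even produce the Measured Boot data that Provable PC Health relies on.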