Hi, my name is Brad Gobble and I manage ACE’s Infrastructure Security Team, a part of Microsoft IT’s Information Security group. Over the next few weeks you’ll hear a lot about our services: what we do, how we do it, how we prepare our team to execute and where we’re going in the future. But before we dive too deeply into the details I’d like to share what we mean by “Infrastructure Security” and what our guiding principles are.
Infrastructure security can be described as "the discipline dedicated to securing the platform on which applications reside." While there may be a gray line, we try to differentiate by team capability rather than by explicit technical demarcations. Yes, there is some overlap between application and infrastructure security (most notably in host configuration and hardening). However, we believe that encouraging our engineers to look beyond baseline requirements almost always yields better results, and as a manager I am willing to invest in the extra cycles of my team.
ACE Services is a consulting team created to help clients ensure that they're doing what they should to keep Microsoft as reasonably secure as possible while still doing business successfully (think technical lawyers). However, it is important to point out that we do not operate as a system of jurisprudence (read: we're not traffic cops). We have embraced the fundamental notion that, as a service organization, we are here to facilitate and advise in the most efficient mode possible while enabling the business to keep moving forward. I am often confronted with the question: "If you are a Service, then aren't you optional?" Where the pairing of "Service=Optional" came from is a mystery to me, as we are all reminded of this on April 15. Security is not an option, but the ultimate responsibility lies on the asset owner to behave in a secure manner and on asset custodians to maintain a secure environment.
Ultimately, the security of information assets is a shared responsibility. While the breadth and impact of the Infrastructure security team are wide, we can't be everywhere, all of the time. We rely on the individual business owners, engineers, and administrators to do the right thing. We provide guidance when they need help. This respectful collaboration works well, so much so that we have been taking our work outside the walls of Microsoft and have been delivering it to Microsoft Consulting Services' customers as well.
In the weeks and blogs to follow you will hear about the tactical reviews, strategic assessments and holistic programs the ACE Infrastructure team delivers. We invite you to watch our new podcast - "About Infrastructure Security" where I talk about our role and how our team works inside and outside of Microsoft. There will be more upcoming podcasts as well as promotional literature posted soon. For over a decade Microsoft has been focusing on securing Microsoft’s internal infrastructure; however, this is the first year we've taken our proven process, knowledge and insight to our customers. The success has been exhilarating and we look eagerly to the years to come with anticipation. This is what we love to do—and we're good at it.
After experiencing what we've put together, don't hesitate to contact us with questions, comments, rants or raves. We look forward to hearing from you.
ACE Team - Infrastructure Security