This is Rob Cooper, Senior Engineer for ACE Infrastructure (also known internally as ICE for you William Gibson fans). Thanks to Irfan Chaudhry, Director of the ACE Team, for giving us a good overview and history of ACE and how ACE’s role has expanded over the years. Our role in ACE Infrastructure is to focus on the implementation of technology. It may be an internal LOB (line of business) application, a third-party product, or new hardware or network appliances. Mergers and acquisitions are also one of our responsibilities. Although our role is diverse, most functions can be described by a small number of services. On our team, reviews are divided into Security Consultation Reviews, Security Design Reviews and Security Compliance Reviews.
Security Consultation Reviews are when a project team asks us for advice on how to proceed, while they’re still in the design and development stages. Consultation Reviews are optional, but extremely helpful.
Security Design Reviews are for a project that has a complete (or nearly complete) design and is ready to release. Obviously, Security Design Reviews are simplified if a project has completed a Security Consultation Review. Mitigation steps and design changes are likewise much easier while the project is still in the design phase. Can a design change between the Consultation Review and a Design Review? Certainly, but the Consultation Review helps guide the project, and it gives the infrastructure team early visibility into the project and an early relationship with the project team, both of which help considerably.
Security Compliance Reviews are scheduled for a reasonable timeframe after project implementation. This varies, but most projects can be reviewed within 60 days of deployment. Larger projects may require more time, or have multiple reviews for individual subcomponents. Security Compliance Reviews verify that identified risks and proposed mitigation steps from the Design Review have been implemented.
ACE Infrastructure therefore has a very practical role, tied to the decisions made about how a deployment is configured and when a deployment occurs. This is different from an application review, which analyzes all possible configurations. Let’s take IIS as an example. An application review focused on authentication may look at all authentication methods, from certificate authentication all the way down to clear-text credentials. The purpose of the application review is to ensure the highest level of encryption is available to IT professionals and other IIS customers. An infrastructure review is focused on a particular deployment, so reviewing authentication might determine which methods of authentication may be used and which must not be used.
Over the next several months (and hopefully beyond), I will be providing a particular view into some of the tools we use, many of which are developer-focused tools (including the Microsoft Threat Analysis & Modeling Tool). Other approaches come from years of experience of infrastructure deployments. It is our intention to share how we use existing tools, how we leverage previous work and experience and the most effective way to increase security during implementation. Please look for the following:
· Examples of known change types, including how to leverage these for an expedited workflow.
· Explanations and descriptions of well-settled policies that can help you understand why these policies are in place, and well-known alternatives that can be both effective and secure.
· How to leverage development tools (primarily the Microsoft Threat Analysis & Modeling Tool), including templates, examples and flowcharts that help us to help you.
Security infrastructure services at Microsoft are both exciting and challenging. We typically work with pre-released products and we can assist in making these products more secure. In future posts I hope to share how early engagement of our services can help your product in the long run. As a paranoid security engineer I might not provide specific implementation details, but I do hope to tell you some stories from the trenches that show how we can help.
Watch my podcast “Infrastructure Security Engineering” as I discuss how we try to balance security between the application and infrastructure side.
Thank you. I look forward to sharing these with you in the future and to hearing your feedback.
ACE Team – Infrastructure Security