The Friday Interview: Pete Boden, Microsoft

3 Dec 2004

Given the opprobrium that’s often levelled at Microsoft for the perceived security weaknesses of its products, Pete Boden (pictured) might be said to have one of the worst jobs in technology. Unsurprisingly, he does not see it like that.

Boden is based at Microsoft’s HQ in Redmond, Washington, where he is a director of the corporate IT security team, responsible for all security audit and compliance functions worldwide. His job is to take care of the information security needs of Microsoft’s global network – a network that contains 350,000 nodes, spans more than 300 locations and serves some 90,000 employees and contractors worldwide.

Compromising that network has become a subject of devotion for who knows how many hackers the world over, to the extent that it is effectively under constant bombardment from the outside.

“We’d see upwards of 100,000 unique intrusion attempts per month on the perimeter of our network,” Boden remarks. “We think 5pc are purposeful attacks, looking for weaknesses on our network, as opposed to 95pc, which are just simple probing and scanning activity.” Microsoft also blocks about two thirds of its 10 million daily incoming emails as either spam or viruses.

He continues: “We’ve noticed a lot of changes in [hackers’] behaviour. For example, more sophisticated hackers are very clever at looking at different ways to steal identity and credentials. They use tactics such as attacking corporate users’ home machines or their spouse’s machines – which they might occasionally use to access the corporate network – because these machines are typically less secure than their corporate one.”

In fact, says Boden, the whole security environment has become hugely more threatening in recent years. “It’s exploded. When I came into the IT security team six years ago it had 13 people and now it’s quadruple the size. The threat environment has changed from what were simple email-based virus threats to what we see now: very complex worms and exploits and sophisticated intrusion attempts – things we wouldn’t have dreamed about years ago. It has really changed the landscape for IT.”

The attacks on Microsoft’s network usually fail but some have succeeded – most publicly back in October 2000 when a successful hack into its corporate network made the front pages of the Wall Street Journal. Boden says the incident, while “very painful”, had a galvanising effect on the business to get its house in order from a security perspective.

“A lot has changed in the past year or two. We’ve become very diligent about the quality of our products. A number of years ago we actually stopped development to do a ‘security stand down’ so we went through a period of 90 to 120 days of doing nothing but doing security reviews of our code. That process has now been built into the development lifecycle across all of our product groups. So we’ve seen a major shift in the level of importance of security,” Boden explains.

The goal, he says, is to achieve complete standardisation across all product groups such that they approach security in the same way and go through a similar process. This should further help reassure customers who use a combination of Microsoft products, say Windows and Exchange, within their IT infrastructure.

Boden says that Microsoft also goes to great lengths to seek out and plug potential holes in its network. As part of its risk-assessment function, his team regularly conducts penetration tests of its network perimeter, using the services of so-called ‘white hat’ hackers. “We wouldn’t hire anyone with a shady background but we look for people who act and think similar to hackers and we put them in a role where they don’t know anything about the environment,” he explains. “They look for products and potential exploits and they go after them hard.”

The trend towards remote and flexible working has created an additional security challenge for Boden and his team. This challenge has been met by putting in place strong authentication procedures and giving mobile devices limited access to the network. “Our approach is until they can be secured in the same way that desktops and laptops can be, we restrict their access to only certain types of data such as email and calendar,” he says.

But achieving high levels of security is not just about setting rules and applying technology judiciously; security policy and education are now also recognised as being critical to averting security threats. “If someone joins Microsoft, he or she gets a security briefing as part of the induction – it’s mandatory. But it’s in areas such as the protection of intellectual property and the exposure of sensitive data that education really plays a big part,” Boden notes. “So I don’t spend a lot of time telling people to run antivirus software because I can enforce that to happen through technology but I do spend a lot of time telling people ‘Here’s what we consider sensitive data and here’s how you treat it’.”

As the number of hacking attacks, viruses and spam explodes, the internet security industry has grown in tandem and, some would say, has helped cultivate the climate of fear that is driving the investment in security products and services. Boden believes that too many organisations have simply played into their hands. “A lot of large enterprises have not invested well in understanding security risk and turning it into something that helps them organise priorities and make the right investments. They need to put in place risk-assessment methodologies and ways to think through what’s the most important thing and not necessarily be sold on the fear of having data exposed or computers hacked. In the next few years, risk assessment will become a competency of IT teams in large enterprises.”

By Brian Skelly