How do you keep Microsoft and its internal architecture secure? The thing that's cool about security is that it's such a complicated problem, and it touches every single part of IT. We use some very standard approaches that anyone would recognize—we have a defense-in-depth strategy. We run a pretty much perimeterless environment that's very focused on security at the host and application layers, as opposed to security out in the network.
You also have a role in product quality control. What security checks do Microsoft products have to pass? Our product group has a security team that checks with its own security design lifecycles. Then, the product moves to the IT department in beta form. We deploy it in our production environment, and we have to sign off on it before it can be released to customers.
What's it like having to be Microsoft's best customer? I think that it's an accepted part of the job. Working at Microsoft is intense, and our security checks are an expected part of what we do. It would be hard to work here as just part of the operations security team and not be part of the final product.
Do you take it as a personal challenge that hackers zero in on Windows and Internet Explorer? No, I don't take it personally. If you look at the numbers, the actual statistics of Windows flaws relative to other platforms isn't out of proportion. Microsoft has demonstrated that it's one of the most responsive platform providers—when we find a flaw, we fix it. And, hey, when you have the whole world looking at it, what more could you ask for?
For the full text of this interview, visit www.searchsecurity.com/ismag.