Microsoft

• magazine case

A SAFER CLIENT

Microsoft's security diagnostic services achieve a 50% increase in productivity with Modulo Risk Manager™. These services are part of the company's Trustworthy Computing, a long-term, colaborative efort to provide more secure, private, and reliable computing experiences for everyone.

Microsoft has decided to strengthen its Trustworthy Computing, an initiative that aims to offer more secure, private, and reliable computing experiences. And they have chosen Modulo Risk Manager™ to help them in the process. With the licensing of the product on its Microsoft Security Risk Assessment (MSRA)security platform, the company has improved its capacity and productivity, reducing costs, and gaining speed, quality and scalability.

MSRA, a service that is part of the Trustworthy Computing, analyzes the client's security environment, taking capacity of its speed and scalability into consideration not only the technological aspects, but also issues related to processes and people."Our aim is to help clients increase security within the Microsoft platform. We observe how they manage risks, including access control and backup solutions, and conduct a survey of vulnerabilities in each one of the client company's processes, by doing so, we help customers focus on what is realy a priority in their environment", says Anna Carolina Aranha, Microsoft's Security Manager for Latin America.

To carry out this analysis, Microsoft originally had to allocate two technicians for a period of two weeks at each client company. Among the tasks performed by these professionals included interviews, consolidation of data, and advice. The entire process was conducted manually, which consumed a large amount of the consultants' time and increased the likelihood of errors. "We needed to reduce the cost of this service in order to reach a larger number of clients, that is to say, our aim was to expandourcapacitywhilekeepingtothe budget",states the executive.

The first step towards reaching the goal was to search for a partner with experience in security consulting. "We chose Modulo because of its extensive activity in this segment. The company studied the entire MSRA program to find out which aspects could be improved", she says, adding that, based on Modulo's analysis, a methodology was developedtooptimizetheprocesses.

The adoption of the Risk Manager application was another decision that complemented the new strategy. Its main appeal was the possibility of automating taskswhichwere performed manually by the consultants. Additionally, the tool performs risk analyses, providing a broad range of automated charts, reports and recommendations, from consolidated information for executives to detailed guidance on how to perform the analyses and solve each situation.

Another highlight of Risk Manager is its capacity to create security indexes for each of the company's assets, linking them with their respective business impact. The support it provides for the definition of action plans and the updating of security policies, as well as the application's friendly interface, are also strong points of the product. Anna Carolina explains that, before the adoption of the application, the professionals used to fill out the questionnaires, consolidate the data, and present the advice.

Today, Modulo Risk Manager compiles the data and generates the security recommendations. "We conducted a study to see which procedures were standardized and could therefore be automated", she states, affirming that this guarantees the optimization of the consultant's time, which means that the consultant can now focus on aspects that demand a higher amount of human intervention.

The implementation of the product took approximately three months and the first project conducted by Microsoft involving Risk Manager was completed in June 2005.

"The process of adopting the tool was very simple. Itwas really easy and fast to integrate the application with the aims of MSRA", acknowledges Microsoft's Security Manager.

High Quality

The main target, which was to expand capacity without compromising the budget, was quickly reached. "In the past, each product required 160 hours of consulting. Now only 80 hours of the consultants' work are needed. The executive reminds us that, as a result of this gain, a higher number of Microsoft clients now have stronger security levels.

The benefits provided are not limited to the expansion of service capacity. Aspects such as the 50% reduction in the original schedule and the optimization of consultants' time should also be highlighted. "The solution allowed us to speed up the execution of our risk assessments. In a scenario in which the Trustworthy Computing initiative aims to reach an Increasing number of companies, the tool allowed us to improve the schedule, productivity, and scalability of these services", states Anna. She also com- ments on how the project has impacted the company's image. "Initiatives like this represent an incredible help to our customers security plan. That can be confirmed by the percentage of very satisfied customers, which lies above the 95% mark".

With the automation of several steps in the risk analysis process, Microsoft managed to reduce the likelihood of error and significantly cut down work force costs. The standardization of the finalreportsisalsoconsideredapositive point by the company. "We provide the client with standardized, high quality security recommendations", emphasizes the Microsoft executive.

Microsoft's agreement with Modulo goes beyond supplying the solution. It also involves the training of several Microsoft security partners. "We now qualify other companies to work using an automated process with the methodology. Therefore we can reach a larger number of clients in a standardized way, while maintaining the excellence of our services", she observes.

The project has been so successful that the information technology giant is working to expand the solution to other countries. "The process of adopting the tool is ongoing in some Latin American countries. We already have interest in this methodology from countries in Europe and our next step is to get interest in the United States, as well says Anna Carolina Aranha.