Dogfooding: How Microsoft IT Information Security Dogfoods, Phase 2: Perform an Assessment of the Features Only

Hi, Price Oden here. I’m a principal senior security architect in the Microsoft IT Information Security (InfoSec) group. Dogfooding is part of Microsoft IT’s culture. It’s where Microsoft IT (MSIT) plays an important role and service for Microsoft’s enterprise customers. Despite the challenges of mixing testing and production on the same network and environment, MSIT trials new products at large scale in a production environment to identify and address deployment, operational and functional issues before those products reach Microsoft’s enterprise customers. In this blog, I’ll talk about the next phase of our dogfooding process, Phase 2: Perform an Assessment of the Features Only. To get an overview of the dogfooding process, read Mark Smith’s blog and also read about Phase 1 in Don Nguyen’s blog.

In Phase 2, after the ACE Team performs a security design review, the Security Operations Planning and Strategy Team, which I’m a part of, conducts an assessment of the features only. For this assessment, we assess security-related features and technologies in upcoming Microsoft software products to determine how they help us in MSIT’s efforts to reduce risks in the enterprise. Our team works with the product groups to obtain the design and functional specs and early beta builds. If the product or feature is a good candidate, we’ll dive into technical details with the product group. In addition, if necessary, we’ll install and configure the product and test use cases. One example that our team was involved with was the Windows 7 BitLocker To Go™ feature. An industry trend is the explosion of removable media used in the enterprise. We prescribed Windows 7 BitLocker To Go™ as an excellent risk mitigator to protect removable media.

Many enterprises are early adopters, so if you’re thinking about starting a dogfooding process in your own organization, here are a couple of things to consider. Rollouts to test drive new technologies can carry much of the same resource expenditure that deploying any product would have. Therefore, it may be prudent to go into all deployments with a commitment to eventual production use; you can focus on a measured rollout that occurs at a non-disruptive pace. Additionally, having a vision in place is extremely valuable to guide the decision process of which technologies to deploy. Against the backdrop of a vision, each technology can be assessed to determine whether it moves the organization closer to reaching its vision and whether the candidate technology is strategic or not. With that assessment, the organization may decide to be conservative with regard to how much financial commitment it makes in non-strategic technologies so that it doesn’t become entrenched and prohibit replacement when a strategic technology becomes available. Regardless, once a decision is made to deploy, the deployment itself needs to be well planned.

To hear more details about this phase of our dogfooding process, watch our recent video, “Dogfooding Security-Related Features,” where Yale Li, senior security architect, and I share some of our experiences. Next time, Steven Michalove will discuss how we influence products in the next phase of the dogfooding process... stay tuned.

-Price Oden
Principal Senior Security Architect
Microsoft Information Security