Company XYZ is a software company which consists of $1500$ total staff, employed at the headquarters and other branches across the country. Its business model relies on electronic transactions with key customers and suppliers. Company XYZ uses a BizTalk Server implementation for its transactions. Company XYZ uses BizTalk Server to manage transactions and communications between internal and external applications. Company XYZ communicates with approximately $85$ internal applications and $2300$ trading partners. It currently processes approximately $2\mathrm{.}5$ million documents per month, and estimates that it will process $6$ million documents per month by the end of $2016.$

Company XYZ has installed all the products from Microsoft, which includes domain controllers, file servers, print servers and exchange server. All products are licensed and number of licensed purchased are enough for the company employee strength. Company XYZ uses BizTalk Server as a message broker to communicate between internal applications and to process, send, and receive correctly formatted messages to and from its suppliers and customers. Company XYZ has to process internal and external documents in different formats. This includes flat files and XML documents. Company XYZ uses a single firewall to separate its corporate computers from the Internet. As an added layer of security, Company XYZ incorporates Internet Protocol security $($IPsec$)$ communication between all its corporate servers and workstations that reside within the corporate network. Company XYZ uses IPsec to encrypt all communications within its internal domain. Company XYZ uses a file share server to receive flat files. This file share server resides outside its corporate network and domain. A firewall separates the file share server from the corporate network. Company XYZ$\text{'}$s external partners post their flat file documents on this file share server, and they communicate with the file share server through an encrypted Point$-$to$-$Point Tunneling Protocol $($PPTP$)$ pipeline. Company XYZ protects access to the file share server by partner passwords that expire every $30$ days. Company XYZ has created a custom file$-$movement application that retrieves the flat file documents from the file share server and sends them to BizTalk Server for additional processing. The internal applications for Company XYZ also use the custom file$-$movement application to pass flat files to Application Server, transforms these documents and sends them to Company XYZ$\text{'}$s trading partners.

the servers to make sure they have the correct security settings. Company XYZ logs all exceptions for review. Company XYZ uses a Microsoft Exchange server to exchange emails internally and externally. A mail exchange relay is installed outside the firewall to receive emails, check for any virus infection and then move the message to the internal exchange server. An antivirus software is installed on the exchange relay to do the virus check. Outlook web access $($OWA$)$ is provided to all the internal users to use the email system outside the company using Microsoft Outlook software installed on their laptops.

## Potential Threats and Security Concerns

Company XYZ wants to make sure that it receives and processes only messages from authenticated sources. Company XYZ also wants to make sure that it can receive and retrieve documents from outside its corporate network as safely as possible. The firewall that separates Company XYZ$\text{'}$s corporate network from the Internet only lets through traffic from port $80$ and port $443.$ The firewall rejects all other traffic. Company XYZ also wants to make sure that their email system is not hacked or cracked because they heavily rely on the email messages from clients to process their transactions. Company XYZ also want to protect its data regarding its employees, customers, transactions, financial and other documents related to business. Company XYZ wants to make sure that the employees use encrypted USBs only, they would like to distribute the digital certificate using the domain controllers. Company XYZ also wants to implement backup process to secure all critical data of the business. Company XYZ is also looking into Cloud Computing and Virtualization solutions to protect their data from disaster. Company XYZ would like to implement physical security as well and central monitoring system. Company XYZ would also like to implement VoIP system and record all the official callsto protect against any espionage.