As we all know, right now cloud computing holds center stage in the IT industry. Vendors, service providers, press, analysts and customers are all evaluating and discussing the opportunities presented by the cloud.
A very important part of the discussion is security. While the benefits of cloud computing become clearer, it seems almost every day there is a new press article or analyst report indicating that cloud security and privacy are a top concern for customers. Just one example: A Microsoft survey revealed that while 86% of senior business leaders are excited about cloud computing, more than 75% are concerned about the security, access and privacy of data.
Customers are right to ask how cloud vendors can work to ensure the security of cloud applications, the protection of data and the privacy of individuals. Our CEO Steve Ballmer told an audience at the University of Washington in early March that “This is a dimension of the cloud, and it’s a dimension of the cloud that needs all of our best work.”
At Microsoft we want to address these concerns and even help customers understand the right questions to ask. As part of our longstanding Trustworthy Computing efforts, we strive to be more transparent than anyone about how we help enable more secure cloud computing.
In his recent keynote at our TechEd North America conference, Server and Tools Business president Bob Muglia discussed this issue, too, saying, “The data that you have in your organization is yours. We’re not confused about that, and it’s incumbent on us to help you protect that information for you. Microsoft’s strategy is to deliver software, services and tools that enable customers to realize the benefits of a cloud-based model with the reliability and security of on-premises software.”
A great place to start learning about Microsoft’s cloud security efforts is on the Microsoft Global Foundation Services (GFS) site. The white papers “Securing Microsoft’s Cloud Infrastructure” and “Microsoft’s Compliance Framework for Online Services” are especially informative.
GFS drives an exhaustive, centralized Information Security Program for all Microsoft cloud datacenters and the 200+ consumer and commercial services they deliver (which are all built using the Microsoft Security Development Lifecycle). This program covers everything from physical security to compliance, including a risk management process, response, and work with law enforcement; defense-in-depth security controls across physical, network, identity & access, host, application and data; a comprehensive compliance framework to address standards and regulations such as PCI, SOX, HIPAA, and the Media Ratings Council; and third-party auditing, validation and certification (ISO 27001, SAS 70).
If you watch the short video clip above, you’ll note Bob also calls out our focus on identity, saying “As you move to cloud services you will have a number of vendors, and you will need a common identity system.” Identity is a cornerstone of security, in general, and especially cloud security. Microsoft already provides technologies with Windows Server and our cloud offerings that customers can use to extend their existing investment in identity infrastructure (such as Active Directory) for simpler, more secure access to cloud services. There is a good TechNet article about this here, part of a whole package of cloud security guidance here.
Of course, Microsoft is not working on cloud security alone. As our chief privacy strategist Peter Cullen said in his keynote at the Computers, Freedom and Privacy (CFP) conference: “These truly are issues that no one company, industry or sector can tackle in isolation. So it is important to start these dialogs in earnest and include a diverse range of stakeholders from every corner of the globe.” Microsoft is working with customers, governments, law enforcement, partners and industry organizations, such as the Cloud Security Alliance, to collaborate on the best strategies and technologies to ensure more trustworthy cloud computing.
We encourage you to explore some of the information provided via links above, and to let us know your comments!
Joel
Jeffrey Schwartz of Redmond Magazine published an in-depth story discussing how the new Active Directory Federation Services 2.0 for Windows Server simplifies secure access to applications and services in the cloud.
The article is a good read, providing perspective from a variety of companies – most highly supportive of ADFS 2.0, some slightly critical. Overall, Schwartz says, “Numerous Windows IT pros and security experts are bullish” on the new technology and what it can do. In the article, Kevin von Keyserling of Certified Security Solutions does a good job of summing up ADFS 2.0’s benefits:
"The end user can have the same experience in the cloud as if they were inside their own network; that's one of the advantages or drivers for these large enterprises looking at taking up the Federation Services and extending it. It provides cloud services without having to stop and deal with password resets and credential management, and allows [companies] to focus on the execution of their business strategy versus the day-to-day nuances of dealing with security issues."
Patrick Harding, CTO of Ping Identity, says "ADFS 2.0 is a big deal because it validates that federated identity management is important; it's going to become a must-have for cloud computing and SaaS computing."
"The bottom line is we're streamlining how access should work and how things like single sign-on should work from on-premises to the cloud." John Chirapurath, Senior Director, Microsoft
A real-world example of ADFS 2.0 in action (not in the article) is Thomson Reuters’ Treasura web service, which helps professional treasurers handle cash and liquidity management, forecasting, payments and compliance.
Using Windows Identity Foundation, an extension to the Microsoft .NET Framework, and ADFS 2.0, Thomson Reuters was able to provide single sign-on access to Treasura and related software through identity federation with its customers. Customers can log on to their computers once and navigate to the Treasura site and among Treasura applications without having to sign in again. They can manage and control their own authentication and access policies just once, on their own networks. The Treasura team also provided SSO access to other Thomson Reuters products, even ones that are built using Sun OpenSSO or other third-party technologies instead of Active Directory.
Because Windows Identity Foundation lets its application developers use the same familiar Windows development tools to provide single sign-on without having to write custom authentication code, Thomson Reuters expects to save an average of three months of development time.
And offering one shared authentication infrastructure improves security, because developers can focus their efforts on making applications and services the best they can be, without worrying about creating authentication silos in each application that must be managed separately.
I thought I would share this entertaining and thought-provoking session about cybercrime from our TechEd North America conference last week. Andy Malone is a lively, humorous presenter!
Description: With the dark forces of Cybercrime continuing to grow, it’s critical that individuals and businesses are fully aware that doing business in the “wild west” of the 21st century can be potentially disastrous. The sophistication of the latest generation of attacks is simply mind-boggling. In this hard-hitting 75-minute session, Andy Malone spills the beans on the latest tools and tactics used by the bad guys. Packed with stories, demos, tips and tricks, this is a security session you will not want to miss.