I am using it since the Beta and it is really cool. I am using Messenger (with the integration to Facebook etc.) as well as the Windows Live Writer to blog.
It rocks: Windows Live Essentials 2011 available for download now
Download and install!
Roger
This title immediately caught my attention and probably yours as well: How to detect a hacker attack – something I definitely want to know. And then I realized that the article a) is written by a techie and b) does not really cover the attacks I am worried about most. But I will address this toward the end and would appreciate your ideas as well.
If you look at the article, it gives 4 tips:
1. Suspiciously high outgoing traffic for dial-up and ADSL
2. Look out for strange looking files in the root directories of your drives and/or too much disk activity.
3. If your personal firewall is reporting blocking large packets of data from the same IP address
4. A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus
That’s just an excerpt. If I look at my mom and dad – they never look at 1 (I do not do it either), 2 (I would only see it if I cleaned up my machine), 3 (it might be in the event log, but who is looking at the event log?). 4 is definitely a good thing, as we have said for ages (actually since Blaster) that there are three things you should do to protect your PC:
If we take it to a company level, the 4 tips above might look slightly different: 1 is network monitoring (if you see the anomalies), 2 is rarely done, 3 is rarely done and 4 again I hope is done.
But what really worries me are not the attacks we are finding with the 4 tips above. Those are not the ones which keep me up at night, as they are noisy.
What about the stealthy, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files “behind” other files, they use the universal firewall tunneling protocol (called HTTP) to transfer data, and the malware they are using is written for this single purpose: to attack just you!
How do we defend against those attacks? How do we even find them? They will sneak in through social engineering and I have to admit that I am not clear what we can do against them – really. A few things come to my mind:
What else? What do you do? I would be really interested in hearing your ideas and approaches.
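As an added example (not code from the original post), here are two of the four tips above, repeated firewall blocks from one source IP (tip 3) and unusually high outgoing traffic (tip 1), turned into checks and run over constructed firewall log lines. The log format, the IP addresses and the thresholds are all made up for the example; the last host in the sample trickles a few KB out over HTTP, which is the slow exfiltration case the paragraph above describes.

```python
"""Added example: volume-based detection heuristics over constructed firewall log lines.
Not code from the original post; log format, addresses and thresholds are invented."""
from collections import Counter, defaultdict

# Constructed sample log. Fields: timestamp, action, direction, src, dst, proto, bytes.
# 203.0.113.7 is a noisy scanner, 192.168.1.10 does a bulk upload, and
# 192.168.1.20 sends a small amount every hour to port-80-style destination (slow exfil).
FIREWALL_LOG = """\
2010-10-01T10:00:01 BLOCK IN 203.0.113.7 192.168.1.10 TCP 1400
2010-10-01T10:00:02 BLOCK IN 203.0.113.7 192.168.1.10 TCP 1400
2010-10-01T10:00:03 BLOCK IN 203.0.113.7 192.168.1.11 TCP 1400
2010-10-01T10:00:04 BLOCK IN 203.0.113.7 192.168.1.12 TCP 1400
2010-10-01T10:00:05 BLOCK IN 203.0.113.7 192.168.1.13 TCP 1400
2010-10-01T10:00:06 BLOCK IN 203.0.113.7 192.168.1.14 TCP 1400
2010-10-01T10:01:00 BLOCK IN 198.51.100.3 192.168.1.10 UDP 60
2010-10-01T10:05:00 ALLOW OUT 192.168.1.10 198.51.100.80 TCP 1500000
2010-10-01T10:05:30 ALLOW OUT 192.168.1.10 198.51.100.80 TCP 1500000
2010-10-01T10:06:00 ALLOW OUT 192.168.1.10 198.51.100.80 TCP 1500000
2010-10-01T10:06:30 ALLOW OUT 192.168.1.10 198.51.100.80 TCP 1500000
2010-10-01T10:07:00 ALLOW OUT 192.168.1.10 198.51.100.80 TCP 1500000
2010-10-01T10:10:00 ALLOW OUT 192.168.1.20 203.0.113.50 TCP 2000
2010-10-01T11:10:00 ALLOW OUT 192.168.1.20 203.0.113.50 TCP 2000
2010-10-01T12:10:00 ALLOW OUT 192.168.1.20 203.0.113.50 TCP 2000
2010-10-01T13:10:00 ALLOW OUT 192.168.1.20 203.0.113.50 TCP 2000
"""


def parse_firewall_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, action, direction, src, dst, proto, size = parts
        try:
            size = int(size)
        except ValueError:
            continue
        records.append({"ts": ts, "action": action, "direction": direction,
                        "src": src, "dst": dst, "proto": proto, "bytes": size})
    return records


def repeated_block_sources(records, min_blocks=5):
    """Tip 3: source IPs whose inbound packets were blocked at least min_blocks times."""
    counts = Counter(r["src"] for r in records
                     if r["action"] == "BLOCK" and r["direction"] == "IN")
    return {ip: n for ip, n in counts.items() if n >= min_blocks}


def outbound_bytes_by_host(records):
    """Total bytes each internal host sent out (ALLOW OUT records)."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW" and r["direction"] == "OUT":
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def high_outbound_hosts(records, threshold_bytes=5_000_000):
    """Tip 1: hosts whose total outbound volume exceeds the (invented) threshold."""
    return {host: total for host, total in outbound_bytes_by_host(records).items()
            if total > threshold_bytes}


if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    print("repeated blocks:", repeated_block_sources(recs))
    print("all outbound   :", outbound_bytes_by_host(recs))
    print("high outbound  :", high_outbound_hosts(recs))
```

Run as is, the scanner and the bulk upload are flagged, while 192.168.1.20 totals only 8 KB and never crosses the volume threshold. That is exactly the point of the post: these heuristics catch the noisy cases, and a low-and-slow transfer over plain HTTP needs a different kind of baseline (for instance, which hosts talk to which external destinations, and how regularly) rather than a byte count.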
I want to start upfront: I do not want to take a position here. I have an opinion as a person in my cultural context but I understand that this opinion is by far not the only one which is right or wrong.
This morning I read this article: FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts. This is definitely not new and we had it before. If there is a backdoor in encryption for the good guys, there will be one for the bad guys as well. However, if something bad happens to you and you want the criminals to be arrested, you will want the police to have the right means available to track the criminal down and send him/her to prison if necessary. This is kind of a dilemma.
I was once having a discussion with a former policeman who said: “We can deliver an almost crime-free society – if we are willing to give up all our privacy.” And the idea is fairly simple: If a crime happens and we could immediately see who did it, the risk of committing the crime is so high that you would probably think about it more than twice. But this is not what we want. I want my privacy – but where is the right balance? This is a discussion which is fairly old, a discussion which has to be re-visited over time and a discussion which will yield different results in different cultures: the US (see the laws after 9/11), Europe, the Middle East, Africa or Asia – and this is good.
So we have to understand how much privacy we are willing to give up to help the police combat child porn, hacking, and other illegal activities on the Internet. It will be interesting to see where the discussion leads in the US as well as in other countries.
Finally, I am convinced that backdoors in crypto do not help to solve the problem: You will catch the stupid criminal anyway in one way or another without a backdoor. The smart one will use software that encrypts without a backdoor, and then the whole requirement does not help anymore…
Last week, when I was in South Africa, a partner of ours pointed me to a very interesting paper by KPMG called Cloud computing: Australian lessons and experiences. What I like is that a lot of the items I have been raising recently were actually reflected in quotes by customers of Cloud providers as well as by the general findings of the study.
I know that this is a very long post. If you do not want to read the whole post, please read at least one of the last quotes I have in here – which is by far the longest one.
Let’s start at the beginning. When I talk about the big trends having an impact on security, these are the five items I am currently raising:
When it comes to the Cloud and the security approach, Doug Cavit and I wrote a paper called Cloud Security Considerations, which I think is worth reading. It is fairly short and covers the key aspects of the Cloud in these five areas:
It is my firm belief that – if you do it right – you can increase your overall security by moving to the Cloud. At least in a lot of scenarios and with a lot of data. But it is not only about moving to the Cloud, it is about how to get back as well.
So, that’s my belief and “my theory”. What about the reality? This is what the study is all about. During my read, I copied quite a few quotes from the study which I thought are very interesting and important to all of us.
First of all, when I talk to customers, they are often reluctant to think about the Cloud and if they do – well – they do not want to start with too critical processes first, as the Cloud is not seen to be ready for prime time yet. The study shows that this is not true:
there were many instances of strategic and sensitive applications being accessed from the cloud.
Interesting. Is there more to the Cloud than just a “let’s sit and wait” approach? Could there be real benefit to it? I am convinced – but there might be another side to your strategy as well:
This was a small enterprise that had adopted the cloud aggressively, with good outcomes, as a deliberate strategy to support rapid scalability. As the organisation grew and became more established, however, the unique industrial needs of this organisation meant that on-the-premises control would become mandatory, and a transfer back to an on-the-premises model was planned.
I once learned that in some cultures (not in the Western European one), if you write a strategy and decide upon it, you always look into ways to get out of the strategy as well if things change – if your cheese moved. A concept we should look into more often as well. What are the signals to get out and how do you do it? Think about plan B before you start plan A.
If you map this to your Cloud strategy: Think about getting to the Cloud and back. All the vendors will help you to get onto their services but how many help you to get back on premises? How do you have to convert the data and load your data back? Remember the time of document formats, where you lost most of the formatting, once you had to convert them?
Look at our stack briefly: It is actually the same technology on-premises as in the Cloud. If you use Exchange, SharePoint, OCS, whatever on-premises and in the Cloud – it is the same. If you develop an application for Azure and want to move to your own Cloud or back on-premises – this is what Windows Azure, SQL Azure and AppFabric are all about.
This scenario has to be feasible and supported.
What about the big advantage of the Cloud: the savings? Here is a customer quote from the study:
The quicker [installation] time was a cost saving. It was one of those projects that almost went under the radar; it was so smooth and so low cost.
Think about this statement for a second. If you are an IT shop, if you are a CIO, this is what you compete with! So, if your business gets this service and you as the IT organization are still running your infrastructure the way you used to do it 10 years ago, what will the user do? See my Consumerization of IT above… The user starts to take strategic IT decisions by moving to the Cloud without asking! So, do not feel too safe, just because you have a policy. And it goes further:
We can let [customers] provision themselves over the Web eventually, so they can choose our offerings, pick the one they want, get billed on a recurring basis...
This is the view of a fairly advanced IT. You have to get there to compete.
If you look at my flexibility item above. I want to be able to work where I want, when I want and how to balance my private and business life. This is where the Cloud can help. Again, a customer:
Anywhere around the world they’ve got live, useful information. That for me is the most important aspect of [cloud computing].
But security is always a concern if you plan the Cloud. The people who are still reluctant, often use security as their main area of concern:
The use of a cloud provider was seen to introduce a potential risk if the provider was unable to provide adequate protection of commercially sensitive information, especially customer information. There would also be serious consequences if cloud providers failed to maintain adequate service levels or experienced service outages.
This is definitely true. But you should look at it from a risk-based approach. You will get additional risks as you introduce a new provider. But what do you gain? What risks will be reduced or will even disappear? That’s the balance which is important. So, there is a lot of work to do as the study finds:
Security concerns were also at the forefront of conversations with managers in organisations with an unknown adoption status. These managers almost all thought that the benefits of cloud computing were, at least for the time being, more than offset by the introduction of new threats, dependencies and exposures for their organisations. Such concerns were top of mind and clearly a significant barrier to adoption.
But
Respondents generally reported that they had worked through the issues and arrived at accommodations or compromises they could live with. Nonadopters frequently cited regulatory issues as a barrier to using cloud computing.
This is where the Chief Security Advisors can help. If we are talking about our technology and platform, involve us – that’s what we are here for.
Now – to me – the highlight of the report:
After evaluating the security capabilities of providers, however, the management in adopting organisations had come to different conclusions. They typically articulated the security issue in relative terms. On the one hand there was a consistent message that on-the-premises computing was not always as secure as people believed. As one respondent put it: People are under the illusion that because it’s sitting behind the company firewall its safe. On the other hand, they believed the key cloud service providers they were using had invested heavily in the infrastructure, skills and practices to maximise resilience to attack, and therefore were offering more security than they could build themselves. The same risks, in other words, existed in both scenarios, but they saw the risks as lower, on balance, under their cloud arrangements. Comments like this, from two different respondents, were common:
We actually think our security has been improved as a result of [cloud computing].
I’m fairly certain that we’re getting a better service level through an on-demand platform like [vendor] than we would on an internally hosted application.
Of particular interest here was that three organisations had gone further, with management employing cloud computing as part of a deliberate strategy to increase organisational security and resilience. They saw advantages in shifting computing away from homegrown facilities, which they considered an obvious target today, to in-the-cloud facilities that could be located anywhere, making it difficult, if not impossible, for attackers to identify.
Moving to the Cloud to strategically increase security? Wow! But you can only judge this if you are ready to handle it (see the Risk Management section in our paper).
All the positive experiences in security, service, integration and customisation described in the preceding sections were associated with cloud services that has been adopted and were still in use by the respective organisations. By definition, management had concluded that they were sufficiently developed, and backed by sufficiently trusted providers, for enterprise use.
The Cloud Providers, if selected carefully, have the capability and knowledge to run your Cloud on a higher security level. This leads back to the Service Integrity above.
For this specific vendor I do [have enough confidence]…they publish information about their storage and their security model and they also publish uptime statistics, so things like that give me a certain level of confidence. But I wouldn’t have that confidence with any random vendor.
So, when we address all the technological, procedural, legal requirements, we should not forget about the people. Loss of control is probably the number 1 real concern a lot of people have. They are so used to “owning” the data and the servers that it is incredibly hard to let go.
Management attitudes were also important within the IT department. Respondents frequently had to overcome emotional hurdles associated with letting go of control. Despite being enthusiastic about the potential benefits, cloud computing still represented a significant change: they would no longer have the comfort of knowing that their computers were locked in their own buildings, could be checked at any time and were not accessed by others.
This is the first time I have read a good, comprehensive paper about the reality, knowing that this is “just” a sample and “just” Australia, but quite a few points I am thinking about regularly were addressed and seem to be consistent with my view of the world. At least it reinforced my firm belief that a lot of customers who are telling me that they will not move to the Cloud because of security might have to re-think their strategy and start thinking about the Cloud because of security. Otherwise they risk losing the competition between internal IT and the external Cloud provider.
If you do not drive this adoption, the adoption will drive you.
I know that I am not an OpenSource expert and to be completely clear: I do not want to complain at all, but I would definitely think twice about whether I would bet my company’s business processes on it… Let me give you my story:
March this year I migrated my blog from a SharePoint based solution to an OpenSource solution and never ever regretted it. I actually enjoy it. I described the whole migration here: Migrating My Blog. I enjoy all the different possibilities WordPress is giving me and by running on Windows Server 2008 R2, I am easily able to operate it.
So far, so really good – but… I now wanted to upgrade PHP to the latest version and I failed. I installed it, made sure that the php.ini file is back in place, restarted the machine and:
Since then I have tried everything: Removing all my plug-ins, trying to look at the PHP log (which was accidentally switched on and grew tremendously, but when I needed it, nothing was written in there) etc. etc. – no success. Luckily, I run my blog in a Hyper-V environment, which allows me to take a Snapshot and then fall back to a configuration I know works.
I started to post in the wordpress.org forum and did not get any response so far.
So, honestly, for my blog it is ok and as I said above, I do not want to complain as I did not pay for it and it is really cool stuff! But it is not business critical (even though I see a fair amount of hits every day – thanks to you all). If I had to run my business on it, there would be two options: Either I hire a team which has in-depth knowledge of the stuff, or I just hope (which is probably not a good option for a business).
I am just a little bit frustrated. At the moment I am back to the working environment and will take another try, once I find some time to drill down further (or get a good idea from the community).
What is your view?: Stuxnet: Future of warfare? Or just lax security?
Actually I had a few very interesting discussions lately as a reaction to my post Is There Any Value in Twitter? Yes? Think Again… and I think Thibaud put his finger on it: Mass-follow is the “problem” – in other words, me.
I had thought about getting out of Twitter but I will get back in. I removed all the people I was following and just added a few hand-picked. If I lost you – let me know.
Happy tweeting
I want to make you aware of the “Real Men” campaign to raise awareness about the problem of child sex slavery. If you can cope with it, listen to the press conference here:
This is a unique partnership between the Demi&Ashton Foundation and different technology companies like Google, Twitter, Facebook, Microsoft and a lot of other companies.
A very good development!
I know that this is “old news” but I wanted to make sure that everybody has seen that: We will make Microsoft Security Essentials available for small business for free. Small businesses are up to 10 PCs. This is great news as a lot of small businesses do not use Anti-Malware Software and do not need any central management.
If you want to read more details: Announcing: Microsoft Security Essentials available FREE to Small Businesses in October!
Obviously I do not like people stealing software. Additionally, from at least two perspectives it adds security risks: People are less likely to patch, and pirated software often comes with pre-installed malware, which is then hard to detect.
There is just such a case now with the iPhone: Fake iPhone jail-breaking tool packed with malware
The cloud – and now I mean the volcano cloud – showed that there is not always a real need to travel far to get the right information at an event or conference. I delivered a keynote via LiveMeeting (Virtual Keynotes – Do we always have to travel?) during the time the planes were grounded.
Infosecurity-Magazine (where I am a member of the editorial board in the UK) runs an Infosecurity Virtual Conference – and it seems that it is quite a success. They have one for the UK (which you can find here) and one for the US (here).
This is a really interesting approach. What is even more interesting – I am part of the Cloud slot at the US conference:
1.30-2.30pm EST Creating a safer, more trusted cloud: A growing number of organizations are electing to link their existing server facilities with cloud-based storage systems, but are we, as an industry, ready for the cloud? What are the security issues that need to be addressed before going down this hybrid local server/cloud approach? Is it better to go for a private cloud option for extra security? What are the governance and regulatory issues of this approach?
If you want to listen in and ask questions, please register: Infosecurity US Virtual Conference
If you are a CISSP or an SSCP, you can even get CPE credits for attending.
Looking forward to “seeing” you there.
This is one of the risks not a lot of people look into: It is fairly easy for me to set up a Facebook account in another person’s name. This is what happened to Ronald K. Noble, head of Interpol: Interpol Chief Ronald K. Noble Has Facebook Identity Stolen.
Just before I leave to Johannesburg: Dilbert on Piracy… he is soooo right
I was reading an interesting article: Forrester Pushes 'Zero Trust' Model For Security, where they mainly claim that you should not trust your internal network – something I have been asking for for a long time. However, the conclusions Forrester and I are drawing are slightly different. John Kindervag – the person quoted in the article – claims that you have to do a deep inspection of the network in order to resolve the problem. I disagree for different reasons:
To me, there are other approaches we have to consider. First and foremost – and there we still agree – we have to realize and internalize that our network is untrusted, or even worse, that the Internet is our network. There is no such thing as “internal” and “external” anymore. This has consequences, and if you take consumerization of IT into your equation it will get worse. By that I mean the trend that end-users are bringing more and more private devices into our networks to do their job (or who really took a strategic decision to have the iPhone or an iPad in your network?). End-users started to take IT strategy decisions!
What can we do with that? How do we do risk management in such an environment? There is definitely a vision we have to work towards, which is called End to End Trust. Actually Scott Charney wrote a very good paper on that: Establishing End to End Trust. However, that’s a vision – what can you do now?
That way you can at least enforce that the devices you talk to are policy compliant. What about your information now? How can you implement data classification? You can mark the information in different ways: Flag it, keep it in specialized folders, encrypt it, etc. What about the problem that the information leaves the environment in which it is protected? We need persistent protection of the information you are dealing with. That’s the reason I really like Rights Management Services and have a hard time understanding why it is not used more often.
And last but definitely not least, we need to focus more on managing users instead of devices. To be able to do this, we need sound identity management. This starts with processes (how do you get rid of a user account if the user gets laid off? I mean all the user accounts, including the cloud-based ones) and technology can definitely support you on that way.
Would this solve your problems? No, but it would definitely significantly reduce the risks. It is all about Risk Management – no?
We are basically asking the industry to follow a Coordinated Vulnerability Disclosure and are therefore not in favor of public vulnerability disclosure as it puts the industry unnecessarily at risk.
Recently there was a vulnerability in ASP.NET publicly disclosed. We released an advisory and you should look into implementing the suggested workaround: Vulnerability in ASP.NET Could Allow Information Disclosure.
UPDATE: A very good description by our SWI Team: Understanding the ASP.NET Vulnerability
I know that this is a very provocative question, but it is one I have been looking into for a few months. If you follow my Twitter account, you will have realized that I dramatically reduced the number of Tweets. I currently only tweet once I have posted on my blog. But let’s start at the beginning:
I think I started to use Twitter a little bit more than 18 months ago. Initially I tried to understand how this works and how you gain followers. I understand that you have to tweet regularly and that you should focus on a theme. That is fairly easy for me, as Information Security is my core competence and there is always something to say. I learned as well that “following back” is the key activity on Twitter. If somebody follows you, you follow back. And then my first problem started. I checked my Twitter account approximately once a day and I got so many DMs saying “thank you for following” that I missed DMs really being targeted at me.
Then the swine flu broke out and I learned my next lesson: Speed is everything on Twitter – accuracy is second. There was so much nonsense on Twitter that it could not be used at all to gain information.
And finally the volume: Today I have approx. 23’000 followers. Interestingly, it seems that growth just stopped now even though I am not too active since about May/June:
However, the number of people clicking on the links I post on Twitter is around 20-30 at max. So, 23’000 followers – let’s say 25 clicks on average (and this is high) – means around 0.1% of my followers seem to be interested in what I tweet. Maybe I tweet the wrong things? I do not think so, as more than 23’000 people said that they like my Twitter profile and therefore they followed me – no?
I then looked at some of my followers: The first thing I realized is that everybody is in the race for as many followers as possible. As everybody is just “following back” and additionally uses tools to find the people who could be interested in the message to be spread – it is like a self-fulfilling prophecy. People focus on getting more followers and measure just that. Measure the click-through rate instead: I get much more from Facebook or LinkedIn than from Twitter and honestly I read the status updates on Facebook and LinkedIn much more as well.
And I understand why: Let’s say you follow 5’000 people, which is not too much. Let’s say, everybody tweets 5 times a day, which is a low figure. This means, you get 25’000 tweets a day, 1041 an hour, 17.4 a minute. This means there is a tweet every 3.5 seconds coming in. If you see 17 tweets on your screen, you would have to look at your screen the same minute I am pushing my tweet out… Otherwise the new messages will simply cover mine.
The sheer volume of information on Twitter is overwhelming. Does it still make sense? Is there value in there? Do you find the information you are looking for? Is this really a trusted source for information? Is it worth spending your time?
Let me know your view. I would be really interested to hear it.
Quite a while ago, I implemented the possibility for people chatting with me via MSN Messenger on the web. I actually created a web-page to do so: Chat with me! The whole idea was kicked-off by a colleague of mine, called Gerhard Göschl from Austria: Lass uns drüber reden
Unfortunately I had to change my LiveID and forgot to change the Chat with me! page. The account I originally used was never online again…
Well, I realized it now and it works again. So, if I am online, here you find me: Chat with me!
No clue what the source is but if they are right, it is scary: DRG SSH Username and Password Authentication Tag Clouds
Recently, we had an interesting discussion on Social Media. It actually all started with somebody sending around a link called http://pleaserobme.com/ to see who actually just said that they are not at home – information which can easily be gained through Twitter search. This then led into a discussion where somebody claimed that, according to confused.com, heavy users of social media will have to pay higher home insurance in the future – shall we now delete all our social media life? Remember my post on Tired of Web 2.0? Kill your Online Identities?
Well, finally it all depends on how you organize your real life: http://gprime.net/video.php/reallifevsinternet
It will be interesting to see where this all moves.
This is quite a normal scenario: A zero-day is published on the Internet by a security researcher. Immediately afterwards we see the first exploits appearing and being integrated into the different attack tools. Now the race is on: The vendor has to develop a security update, the criminals try to exploit the vulnerability.
Part of the holy grail – so it seems – is these researchers being able to deliver a security update much faster than the vendor, and the vendor then is immediately publicly told that they failed. This is happening just now with Adobe: Unofficial fix brings temporary relief for critical Adobe vuln
Let me add a few thoughts on this:
Basically, it is a risk management decision, which should include at least the questions I raised above. Do not just run for the unofficial update – to me it should be really the last resort, if even!
I am just preparing my trip to South Africa next week. Our Chief Security Advisor in South Africa, Khomotso Kganyago, does an outstanding job keeping me busy. He put together a great agenda – I just hope I can cope with everything he is expecting from me.
Part of it is a public lecture at the University in Johannesburg. And now, he just sent me this Facebook link: Cyber Security Agenda for South Africa with a Reference to the Cloud. Wow, I will click on “I’m Attending”, I guess…
I would be interested to see how much impact this post has. Do you think that this drives attendance? It will be really good to see! During the preparation for this trip (and for this presentation), I was heavily impressed by what I learned about the state of the country regarding Cybersecurity. If you are interested in my learnings – you have to join the public lecture mentioned above…
You hopefully know of the coolest thing we will launch this year: Kinect – our controller-less gaming experience for the XBox. I hope that I get the family budget approved for it, so that we can move from a Wii to an XBox. What I personally started to think about was how you could leverage Kinect as an extension of your PC, not “only” of your gaming console.
What I had never thought about yet were the implications Kinect could have if it were included in the devices in your home, and how you could control the devices in your environment. There is a very good article you should look at: Kinect's Israeli partner sees a remoteless world.
And then we should slowly start to think about the security implications of such a setup…
I know – Beta versions are not for production, but as I only run production machines, I installed it on my work machine – just now!
The first good news is: My blog still works:
What’s new? Well, the best is you download it from here and explore yourself.
There are a few fairly cool enhancements regarding secure browsing:
All of them went through certain improvements since IE 8.
I will definitely enjoy working with the new version.
If you look at current discussions between cloud providers and customers, I see it too often that the customer leaves with the impression that the Cloud fixes all their problems. In fact – it does not. Too often I see the Cloud provider telling the customer that they should not care about security anymore – they will do it for the customer. That’s only part of the truth.
In order to shed some light on this discussion, Doug Cavit (a Principal Security Strategist at Microsoft) and I published a paper a few months ago called Cloud Security Considerations, addressing the key areas to consider when moving to the Cloud. I have used this approach very often when talking to customers, regulators and government elites. It works extremely well and seems to cover the story end to end.
Now, Doug stayed busy. He just published, together with Javier Salido (a program manager in Trustworthy Computing), a paper called A Guide to Data Governance for Privacy, Confidentiality, and Compliance - Part 5: Moving to Cloud Computing. Behind this long title, there is actually a lot of good content which complements the above mentioned paper.
If you know what the Cloud is, you could skip the pages following the summary. When I talk to customers, I always tell them, that there are a few fundamental things to be in place when you consider the Cloud: Compliance and Risk Management, Identity Management, Data Classification. Fairly early in the paper, Doug and Javier draw the conclusion:
Organizations should implement a data classification policy and procedures for deciding which data is ready for the cloud, under which circumstances, and using which controls.
Usually people smile when I tell them this. And at the same time, we all know that the policy is in place, but it is often not really implemented, nor is the user given the technology to implement it easily. From a technology perspective, I love Rights Management Services and especially its implementation in Office called Information Rights Management. The corresponding templates help to attach the right classification and protect the document with just a few clicks.
However, this is often an awareness and process problem, much more than a technology one! But back to the paper. When it comes to responsibilities, the paper is fairly clear:
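To make the classification rule above concrete, here is an added example (my own illustration, not code from the paper or from Rights Management Services) of a small policy-as-code check that decides, for a given document and a given cloud destination, whether the data may go there and which protective controls are still missing. The classification levels, the control names (such as `irm_template` and `customer_managed_key`) and the provider tiers are all constructed placeholders; an organization would take these from its own data classification policy. The check fails closed: a document with no classification is treated as the most sensitive level.

```python
"""Policy-as-code check: which data may move to which cloud, under which controls.

Added example; the policy table and provider tiers below are constructed
placeholders, not the paper's or Microsoft's own definitions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Set


class Classification(IntEnum):
    """Ordered so that a higher value means more sensitive data."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Controls a document must carry before it may be hosted at that level.
# Constructed table: a real organization defines these in its own policy.
REQUIRED_CONTROLS: Dict[Classification, Set[str]] = {
    Classification.PUBLIC: set(),
    Classification.INTERNAL: {"tls_in_transit"},
    Classification.CONFIDENTIAL: {"tls_in_transit", "encrypted_at_rest", "irm_template"},
    Classification.RESTRICTED: {"tls_in_transit", "encrypted_at_rest", "irm_template",
                                "customer_managed_key", "audit_log_export"},
}

# The most sensitive classification each hypothetical provider tier may host.
PROVIDER_CEILING: Dict[str, Classification] = {
    "public-saas": Classification.INTERNAL,
    "enterprise-cloud": Classification.CONFIDENTIAL,
    "sovereign-cloud": Classification.RESTRICTED,
}


@dataclass
class Document:
    name: str
    classification: Optional[Classification]   # None = never classified
    controls: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    missing_controls: FrozenSet[str]
    reason: str


def effective_classification(doc: Document) -> Classification:
    """Fail closed: unclassified data is handled as RESTRICTED."""
    return doc.classification if doc.classification is not None else Classification.RESTRICTED


def evaluate(doc: Document, provider: str) -> Decision:
    """Decide whether `doc` may be placed with `provider` and what is still missing."""
    ceiling = PROVIDER_CEILING.get(provider)
    if ceiling is None:
        return Decision(False, frozenset(), f"unknown provider {provider!r}")
    level = effective_classification(doc)
    if level > ceiling:
        return Decision(False, frozenset(),
                        f"{level.name} data may not be hosted on {provider}")
    missing = REQUIRED_CONTROLS[level] - doc.controls
    if missing:
        return Decision(False, frozenset(missing), "required controls missing")
    return Decision(True, frozenset(), "ok")


def review(docs: List[Document], provider: str) -> Dict[str, Decision]:
    """Evaluate a batch of documents against one destination."""
    return {doc.name: evaluate(doc, provider) for doc in docs}


# Constructed sample inventory (not real documents).
SAMPLE_DOCS = [
    Document("press-release.docx", Classification.PUBLIC),
    Document("contract-draft.docx", Classification.CONFIDENTIAL, {"tls_in_transit"}),
    Document("board-minutes.docx", Classification.RESTRICTED,
             REQUIRED_CONTROLS[Classification.RESTRICTED]),
    Document("old-export.xls", None),
]

if __name__ == "__main__":
    for name, decision in review(SAMPLE_DOCS, "enterprise-cloud").items():
        flag = "ALLOW" if decision.allowed else "DENY "
        print(f"{flag} {name}: {decision.reason} {sorted(decision.missing_controls)}")
```

The point of the ceiling check plus the control check is that both halves of the paper's sentence are enforced: "which data" and "under which circumstances" are the provider ceiling, and "using which controls" is the missing-controls set that tells the owner exactly what to fix before the document leaves.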
Delegation does not discharge the organization from managing risk and compliance, or from having to prove compliance to the appropriate authorities.
I could not agree more! You have to manage your data – it is your data, even if you move to the Cloud! Therefore:
Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency on the part of the cloud service provider.
Make sure you have the team in place and then ask your Cloud provider (make sure you follow this sequence).
There is a lot of additional content in there to consider. But then they move on to recommending what you could do, or as they call it, Elements to Consider When Moving to the Cloud:
And finally, they help to bring the Cloud-related issues into the context of the Data Governance for Privacy, Confidentiality, and Compliance framework, something which can give you real hands-on tools and techniques to make it happen.
From my point of view, this is a really good paper, where you can take the parts you need at the moment: be it a high-level understanding of the problem space or more hands-on tools. Is it simple? No, not really, as the problem by itself is complex, but it helps you understand much better how to approach it.
I would just like to forward you to a blog post by Brad Smith from today: Anti-Piracy Enforcement and NGOs.
There is one statement I would like to quote:
To prevent non-government organizations from falling victim to nefarious actions taken in the guise of anti-piracy enforcement, Microsoft will create a new unilateral software license for NGOs that will ensure they have free, legal copies of our products.
This step makes sense for a couple of reasons. First, it builds on our existing work to provide NGOs with donated software, which we’ve been doing for many years in the United States and have expanded over the past few years to over 30 countries, including Russia, where we launched the Infodonor program last year. Under our existing program each NGO can obtain free of charge six different Microsoft software titles for up to 50 PCs. They can then obtain 300 new licenses every other year. In the past year, we donated software with a fair market value of over $390 million to over 42,000 NGOs around the world. (Clearly, we’re trying to donate our software to NGOs, not focus on them as anti-piracy targets.)
One challenge, however, is that some NGOs in a number of countries, including Russia, are unaware of our program or do not know how to navigate its logistical processes, which involves ordering the donated software through a Microsoft partner. We’ll solve this problem by providing a unilateral NGO Software License that runs automatically from Microsoft to NGOs and covers the software already installed on their PCs. We’ll make this new, non-transferable license applicable to NGOs in a number of countries, including in Russia. We will also make it available to appropriate journalists’ organizations in order to include small newspapers and independent media. Because it’s automatic, they won’t need to take any steps to benefit from its terms.
I think that this is a great development!