Posted by: Richard Saunders, Director, Trustworthy Computing

Many years ago I worked for a company in the UK that made paint. I was part of a team planning an official visit by HRH Princess Anne to open a new multi-million pound research laboratory. We thought it would be nice to assign roles to some of the people working in the new facility. One chap in particular, a renowned doctor of science no less, was given the task of opening a door for Her Royal Highness. That’s it, just open the door for her to pass through.

Come the big day, Princess Anne made her way down the hallway, got to the doctor and his door, which he opened perfectly. She paused and said to the chap “and what do you do?”

Utterly flustered, all he could manage by way of reply was: “Er, um, er. I open the doors.” She smiled and moved on. He never lived the moment down.

That’s a rather convoluted way of introducing a new series of personal profiles about people who work on Trustworthy Computing, within a division of the same name. As you may know, Trustworthy Computing (TwC) was formed 10 years ago last month. We’re proud of what we’ve achieved over the last decade, but know we have much more yet to do. We thought it would be fun to take a look at some of the people in TwC and what they do both in and out of work.

Over the next few weeks from time to time we’ll be posting 30 second profiles on some of our people. The first is on Adrienne Hall, TwC general manager and a regular blogger on this site.

Posted by: Tim Rains, Director, Trustworthy Computing

Electronic discovery, or e-discovery, is a hot topic among security professionals whose organizations are using cloud services or are evaluating using cloud services in the future.  When there is a need to perform forensic investigations to recover and collect evidence contained in the cloud for use in potential legal proceedings, cloud customers need to know that their cloud service providers can meet their needs.

It is very important that cloud customers understand how cloud providers manage e-discovery requests, so that they know these cloud vendors can properly respond to government requests for information.  Cloud providers’ e-discovery processes must be capable of meeting customer needs in a way that isn’t disruptive to the users of cloud services.

Learn more in this blog post on e-discovery in the cloud.

Posted by: Tim Rains, Director, Trustworthy Computing

If you’ve been following our Cloud Fundamentals series, you’ve heard me discuss why transparency is important for both cloud service providers and their customers.  Another important aspect of this theme that customers have discussed with me is how to get insight into the security controls used to manage cloud service offerings.

Many of the security professionals I have talked to are looking for assurances about the security practices and security controls that are used by the cloud service provider(s) that they are evaluating services from.  Information on security controls used to operate a service can then be clearly communicated to audit and enterprise risk management groups.

Today it can be challenging getting information on the security practices used by cloud providers.  Additionally it can be challenging to use such information to compare and contrast the different services offered by these providers. There are at least a couple of factors making this type of comparison harder than it should be..

Posted by: Jacqueline Beauchere, Director, Trustworthy Computing Communications, Microsoft

Each February, the world recognizes Safer Internet Day (SID), an event dedicated to promoting responsible use of the Internet and mobile technology, particularly among youth. Organized by Brussels-based Insafe and co-founded by the European Union, Feb. 7 marks the ninth installment of SID. This year’s theme, "Connecting Generations and Educating Each Other,” once again finds Microsoft playing an active role.

The company was part of the first SID, and has been a long-standing advocate ever since, particularly in Europe. Last year, the Trustworthy Computing (TwC) Group expanded Microsoft's involvement in North America by hosting three online gaming-related events in as many U.S. cities, keeping with SID's 2011 theme. This year, we're building on that success, and partnering with AARP.

Posted by: Jacqueline Beauchere, Director, Privacy, Accessibility & Online Safety, Trustworthy Computing

We all know that old saying … And, as those kids move into their teen years, their remarks become that much more intelligent, insightful, and astute.  Never was this more apparent to me than at a roundtable discussion led by Microsoft in partnership with the AARP, with a group of 18 American teenagers in New York City.

During lunch, we talked about their favorite online activities, Internet habits and practices, and how they’re connecting with adult family members using technology.  My key take-away: they don’t believe some massive, technological abyss of knowledge exists among the generations and, if a relatively small gap does persist, they don’t think it needs to be filled.

Still, adults are embracing technology and, to the extent they’re doing so to keep connected with kids, young people ask that we at least “do it right.” They articulated what I’d call two stages of online interaction:  “fundamentals” and “basics-plus.”

In the “fundamentals” category, they want adults to learn to use the PC and/or laptop correctly, as well as understand the essentials of navigating the web.  Parents and grandparents, they say, should send email “properly,” be authentic, and act and behave like adults online.  One teenage boy told us he scolded his 55-year-old mother when she was trying to be a little too hip in the digital world.  

Posted by:  Matt Thomlinson, General Manager, Trustworthy Computing Security

Today, I am excited to announce the inaugural Security Development Conference will be held in Washington D.C. on May 15-16.  This event will bring together business decision makers, security engineers, managers of software security processes, and security policy makers from companies, government agencies and academia. Attendees will learn from security experts and build professional networks that accelerate adoption of holistic and proactive security development practices.

Ten years ago, Microsoft announced the creation of Trustworthy Computing. Since then, the Security Development Lifecycle (SDL) processes and tools we implemented at Microsoft and shared publicly have been studied and applied by both software vendors and other organizations that build a variety of hardware and software.  Today, security professionals who previously asked “why should I implement the SDL” are asking “how do I implement the SDL within my organization?” Technical decision makers, business decision makers and governments are becoming increasingly aware that present-day operational security protections and regulatory compliance are not sufficient to protect the applications and infrastructures that people rely on every day. The increased demand for a more holistic and prescriptive secure development methodology has evolved into a growing community of practitioners well beyond Microsoft.

Posted by: Tim Rains, Director, Trustworthy Computing

Benchmarks and evaluation standards for cloud computing security is a topic that is top of mind for many organizations that are evaluating the potential uses of this new computing paradigm.  Many of the customers I have talked to say they would benefit from standard evaluation criteria for cloud service providers. Many customers are trying to find an adequate method to communicate potential risk to internal and external auditors. Some customers are interested in using the European Network and Information Security Agency’s (ENISA’s) set of evaluation criteria for cloud service providers as a potential baseline for future cloud provider assessments, while other customers are looking to ISO 27001 or a future ISO standard that specifically addresses cloud computing technology, and others are looking at the potential of the Cloud Security Alliance’s Security Trust and Assurance Registry (STAR).

As I mentioned in my last article, Microsoft is collaborating very closely with the industry on drafting standards and baselines for cloud service providers.  Laura Posey, a Senior Security Strategist in Trustworthy Computing at Microsoft, has been involved in this process.  Please watch this latest video in the Trustworthy Computing Cloud Fundamentals Video Series where I discuss standards for cloud computing security with Laura.

If you haven’t seen the other videos in this series, you can check them out below:

Cloud Fundamentals Video Series

• Introducing the Cloud Fundamentals Video Series
• Cloud Computing & Business Agility
• Cloud Computing Requires Transparency
• Cloud Transparency as an Element of Trust
• The Benefits of Industry Collaboration to Cloud Computing Security

Please check back on this blog regularly as we continue the Cloud Fundamentals Video Series and explore topics that are top of mind for IT professionals related to cloud security, privacy, and reliability.

Posted by: Brendon Lynch, Chief Privacy Officer for Microsoft

Whenever someone tells me, “your reputation precedes you,” my immediate thought is I hope they mean that in a good way.

As we conduct more of our lives online, it’s important to understand that every piece of personal information that exists about us online has the potential to shape the way people perceive us. Emails, texts, photos, purchases and social media interactions all contribute to the assumptions people draw. Unfortunately, many of us are unaware of the cumulative portrait painted by the sum of all this online data and the potential consequences for us in the physical world.

As we look forward to Data Privacy Day this coming Saturday, January 28, Microsoft is releasing data from a survey of 5,000 people in the US, Germany, Canada, Ireland and Spain. In it we take a look at peoples’ online behaviors and examine how the way people act online has the potential to impact not only their reputation but that of others as well.

Posted by: Tim Rains, Director, Trustworthy Computing

Security industry associations are a very important part of the computing ecosystem. Among other things they provide education, training and certification for security professionals, develop and share benchmarks and security best practices, provide forums, events and conferences for security professionals to meet, exchange information, and network with their peers. Microsoft is a member of, and helps to sponsor, several security industry associations including the Information Systems Audit and Control Association (ISACA), the International Information Systems Security Certification Consortium (ISC2), the Information Systems Security Association (ISSA), the Cloud Security Alliance (CSA).

The last security conference I attended was the CSA Congress held in November of 2011 where Microsoft was the Diamond sponsor of the event. Microsoft has been partnering closely with the CSA, and its other members, in several key CSA research initiatives including the Cloud Controls Matrix (CCM) initiative, the Consensus Assessments Initiative, the CloudSIRT initiative, the Security as a Service initiative to name a few. These initiatives are staffed by volunteer subject matter experts from across the industry who are working together to create guidance, education and best practices in security related areas that are important to the future of cloud computing.

While I was at the CSA Congress I had the chance to talk with Jim Reavis, the Founder and Executive Director of the CSA.  We talked about the biggest challenges for cloud computing security, and what Microsoft has been doing to help with these challenges.  One of the things Jim told me was "each day, a growing number of companies decide to leverage cloud computing for important business activities.  There is an immediate and compelling mandate for all of us to become better informed as to how cloud computing functions, its key benefits and considerations to establishing trust.  CSA is committed to building the trusted cloud ecosystem and we salute Microsoft’s efforts to both build robust and secure cloud services as well as offering cloud educational series in the public interest."

This is the topic of conversation in the latest installment of the Trustworthy Computing Cloud Fundamentals Video Series and I invite you to watch it.

Posted by: Adrienne Hall, General Manager, Trustworthy Computing

There’s a lot of buzz around cloud computing. My experience tells me that buzz begins to translate into wider adoption when customers are shown the tangible benefits for their organization.  

To help parse the buzz, we’ve worked on this blog to highlight the benefits of cloud computing especially as it relates to core trust elements of security, privacy and reliability. In particular, we’ve focused on the efficiency and implementation of security measures that becomes possible in cloud computing environments. For example, by outsourcing the security updating process to cloud providers, IT resources are freed up to tackle other business objectives.

Yesterday, Satya Nadella, president of Microsoft Server and Tools Business, made a similar point during his announcement of a release candidate for Microsoft System Center 2012. In Satya’s presentation one section connects to this example: “IT leaders tell me that private cloud computing promises to help them focus on innovation over maintenance, to streamline costs and to respond to the need for IT speed. We are delivering on that promise today. With System Center 2012, customers can move beyond the industry hype and speculation, and progress into the here and now of private cloud.”