By Steve Lipner, partner director of Software Security, Trustworthy Computing Security, Microsoft

Today marks the first day of the Security Development Conference 2013. Security professionals from companies, government agencies and academic institutions have traveled from all over the world to learn, network and share proven security development practices that can reduce an organization’s risk. As I sit here waiting for Scott Charney to take the stage, I am reminded that it’s been almost a decade since Microsoft implemented its Security Development Lifecycle (SDL). So much has changed in that time. In the past decade, Internet usage has gone from roughly 350 million people online to more than 2.4 billion. Today there are more opportunities than ever before for developers. Windows 8 is still relatively new, the cloud is in its early stages of adoption and there has been an explosion in new mobile devices and platforms. While the Internet has created many new opportunities and ways to do business, it has also spawned a digital underground for online crime. Security breaches that have financial consequences or lead to intellectual property loss, website defacement or espionage have become a reality in today’s computing landscape.
Many of the developers I talk with generally recognize the importance of security development. Despite this, the evidence suggests that the vast majority of organizations still have not adopted security development as a fundamental professional discipline. Microsoft recently surveyed over 2,200 IT professionals and 490 developers worldwide. The survey found that only 37 percent of IT professionals said their organizations build their products and services with security in mind. Furthermore, 61 percent of developers were not taking advantage of mitigation technologies that already exist, such as ASLR, SEHOP and DEP. These mitigations have been freely available to the industry for years and are often simple additions to existing development practices, and yet only a minority of developers are leveraging them. This is concerning to me, and it should be concerning to everyone who uses the Internet.
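One way to audit a built Windows image for the ASLR and DEP opt-ins the survey found most developers leave off, as an added example that is not part of the original post: it reads the DllCharacteristics field of the PE optional header and reports the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits. SEHOP is an operating-system setting with no linker flag, so it is not checked here; build_fake_pe constructs a synthetic header for demonstration only and is not a real binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLLCHAR_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high entropy
    "DYNAMIC_BASE": 0x0040,     # ASLR opt-in (/DYNAMICBASE)
    "NX_COMPAT": 0x0100,        # DEP opt-in (/NXCOMPAT)
}
# DllCharacteristics sits at offset 70 of the optional header for both
# PE32 (magic 0x10b) and PE32+ (magic 0x20b); ImageBase widening is
# exactly offset by the missing BaseOfData field in PE32+.
DLLCHAR_OFFSET = 70

def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (raises on bad input)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20  # skip signature and 20-byte COFF file header
    magic, = struct.unpack_from("<H", data, opt_hdr)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    value, = struct.unpack_from("<H", data, opt_hdr + DLLCHAR_OFFSET)
    return value

def mitigation_report(data: bytes) -> dict:
    """Map each mitigation flag name to True (enabled) or False (missing)."""
    chars = pe_dll_characteristics(data)
    return {name: bool(chars & bit) for name, bit in DLLCHAR_FLAGS.items()}

def build_fake_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a runnable binary) to exercise the checker."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                               # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", buf, 0x84, 0x8664 if pe32plus else 0x14C)      # Machine
    struct.pack_into("<H", buf, 0x84 + 16, 0xF0 if pe32plus else 0xE0)    # SizeOfOptionalHeader
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)        # Magic
    struct.pack_into("<H", buf, opt + DLLCHAR_OFFSET, dll_characteristics)
    return bytes(buf)

if __name__ == "__main__":
    hardened = build_fake_pe(0x0140)   # DYNAMIC_BASE | NX_COMPAT
    legacy = build_fake_pe(0x0000)     # built without either opt-in
    for label, img in (("hardened", hardened), ("legacy", legacy)):
        print(label, mitigation_report(img))
```

To audit a real file, pass `open(path, "rb").read()` to `mitigation_report`; a False for DYNAMIC_BASE or NX_COMPAT means the linker flag was not set for that image.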
By Jeff Jones, director, Trustworthy Computing
Today in Birmingham, England, Adrienne Hall, general manager of Trustworthy Computing, received one of three Professional Security Magazine’s Women in Security awards for her leadership and significant contributions to the security industry and to women within the field.
Adrienne regularly meets with security industry leaders in business, academia, government and law enforcement to share ideas and strategies, and to discuss timely security resources that advance industry learning and collaboration. She is often a keynote speaker and frequently tailors presentations to include cloud computing, in particular the ways in which cloud vendors need to demonstrate the security, privacy and reliability of their cloud solutions.
Adrienne is also recognized within the security industry for her leadership on the Microsoft Security Intelligence Report (SIR), which analyzes the threat landscape of exploits, vulnerabilities, and malware using data based on telemetry from over a billion systems worldwide. Threat awareness via data, insights, and guidance provided in the SIR can be useful in helping security leaders protect their organizations, software, and users. In addition, hundreds of thousands of people each month leverage the information contained in Security Bulletins from Microsoft, a consistent source of information published by Adrienne’s group in partnership with Microsoft’s Security Response Center.
The goal of these various investments and partnerships is to improve the state of information security; one that she acknowledges is more a journey than a destination in today’s evolving threat landscape.
Posted by Adrienne Hall, general manager, Trustworthy Computing

As I meet with customers, some ask: public or private cloud – which has more security risk? Actually, there are different sets of risks depending on the organization and their compliance needs.
A private cloud is a pool of computing resources controlled by a particular enterprise. Private clouds deliver a standardized set of services that are specified and architected for the organization. The path to a private cloud is often driven by the need to maintain control of the delivery environment because of application maturity, performance and/or regulatory requirements, and business differentiation.
The opportunities offered by cloud computing require a thorough assessment of benefits and risks.
Here are a few reasons why you might prefer a private cloud:
- A regulatory or security concern prevents you from allowing even encrypted data to reside in a public cloud.
- An in-house, customized application requires greater reliability or speed, potentially optimized through your own network rather than relying on the Internet.
- You want control over your assets, including physical possession of the hardware on which your data resides.
A Microsoft private cloud solution creates a layer of abstraction over pooled IT resources. Private clouds offer the scalability and pooled resources of cloud computing based on the organization’s terms, within dedicated resources in their own datacenter or perhaps in a service provider’s datacenter.
Posted by David Bills, chief reliability strategist, Trustworthy Computing

I think most cloud providers recognize how important it is for them to be able to detect, diagnose, and resolve problems that threaten to reduce the availability and reliability of the services they offer. However, due to the plethora of components and dependencies involved in a typical cloud service, rapid detection, diagnosis and resolution of issues can be rather hard to achieve. Different root causes may manifest themselves as similar symptoms – this means it can be difficult to know for certain whether or not you have resolved an issue permanently.

For example, slow response times could be traced back to queries that haven’t been optimized, to fully utilized network links slowing the transfer of data, or to machines swapping from memory to disk and back. How you go about solving each of these root causes is radically different, despite the same symptom – sluggish response!

Many organizations focus their attention on incident management, but in my experience, it’s the organizations that employ a robust problem management process that achieve greater reliability, agility and efficiency when managing their cloud services.

Today Microsoft released a new whitepaper titled “Problem management for reliable online services”. The paper describes problem management and the benefits organizations derive from implementing a robust problem management framework. It compares incident management to problem management, describes the fundamental concepts of effective problem management, and outlines the problem management processes organizations can use to help improve the reliability of their online services. The paper also includes two real-world examples of approaches to problem management used by Bing and Microsoft IT.
Posted by Jeff Jones, director, Trustworthy Computing

If you are looking for threat intelligence from Microsoft, you are likely aware of the Microsoft Security Intelligence Report, which contains data and analysis from over a billion systems worldwide. In April, we launched volume 14 of the Microsoft Security Intelligence Report, which included a trip to Asia to discuss regional threat trends. While in Singapore, Tim Rains sat down with Rico Hizon from BBC World News to discuss the threat landscape in the region. You can watch the full episode here.
Regional threat trends are important in giving customers who do business or reside in those markets a way to better understand how to manage risk. Tim has previously blogged about regional threat trends and provided specific actions that can be taken to help protect against threats faced in the region. In the BBC interview, you can see Tim dive deeper into the regional threat trends for Asia and discuss how customers in those markets can manage risk. For more information on the global or regional threat trends, check out our latest Microsoft Security Intelligence Report.
Posted by Adrienne Hall, general manager, Trustworthy Computing with special guest Bobby Jimenez, chief technology officer of Sindicatum Sustainable Resources
The cloud continues to transform the way organizations do business. CIOs are identifying business priorities and gaining IT efficiencies such as rapid deployment and the flexibility to grow and contract as their needs change over time.
The security features in Office 365 are helping organizations offset their historical security management budget and thus free up IT personnel to work on projects that are directly focused on their core business.
Last year I met with Bobby Jimenez, chief technology officer of Sindicatum Sustainable Resources, in Singapore about his company’s move to the cloud and today he reports on green IT, reduced costs and time efficiencies gained through Office 365. In his words, Mr. Jimenez shares his cloud experience:
Posted by Adrienne Hall, general manager, Trustworthy Computing
Today Microsoft releases volume 14 of the Microsoft Security Intelligence Report, which provides trends and insights on security vulnerabilities, exploit activity, malware and potentially unwanted software, spam, phishing, malicious websites, and security trends from 105+ locations around the world. This SIR focuses on the threat landscape in the second half of 2012 and includes trend data from previous periods.
Here’s a short summary of what you will find in the latest SIR data: industry-wide vulnerability disclosures are down; exploit activity has increased in many parts of the world; several locations with historically high malware infection rates saw improvements, but the worldwide malware infection rate increased slightly. Windows 8 has the lowest malware infection rate of any Windows-based operating system observed to date; Trojans continue to top the list of malware threats; spam volumes went up slightly; and phishing levels remained consistent.
We’ve also included some new, previously unpublished data in this volume of the report that helps quantify the value of using antimalware software. Characterizing the value of security software in a way that resonates relative to other IT investments persists as a challenge for many organizations, especially those who have successfully avoided a security crisis for a long period of time. The value of antimalware software is often the source of discussion among security professionals.
Based on telemetry from over a billion systems around the world, Volume 14 presents the data on malware infection rates for unprotected systems versus systems that run antimalware software. The verdict is in: systems that run antimalware software have significantly lower malware infection rates, even in locations with the highest malware infection rates in the world. This data will likely help many people understand the value of using antimalware software – which we continue to consider a best practice and strongly recommend to all of our customers.
I hope you find this volume of the Microsoft Security Intelligence Report useful and enlightening. I also encourage you to visit http://microsoft.com/sir and read my colleague Tim Rains’ Official Microsoft Blog post. Please let us know your thoughts about the latest SIR by commenting below.
Posted by Kim Sanchez, director, Trustworthy Computing Communications, Microsoft
Chances are you have your mobile phone with you right now. These devices allow us to keep pace with the demands of our busy digital lifestyles. They also allow us to tell everyone, everything, all the time. There are multiple opinions on the breakdown of social etiquette due to oversharing information, but there’s no denying that certain mobile phone behaviors are not only annoying, they may even be risky.
Beyond loud talkers and phones that aren’t silenced during a movie, some mobile manners, like pocket dialing someone because your phone isn’t locked or tagging photos without permission, may put personal information at risk. But who is better at protecting their personal information? Men, or women?
At Microsoft, we want to know what you think. That’s why we’re kicking off our Mobile Manners and Mayhem Facebook poll. Rank your biggest mobile phone pet peeves and tell us your own mobile mayhem story. On May 20, we’ll release the results and reveal who is better at protecting themselves online, men or women.
At a very young age, we are taught to share: our toys, our thoughts, our gratitude. But in today’s digital society, all this oversharing online may put us in harm’s way. Your personal information is a valuable commodity to criminals, and, just like your personal computer, your mobile phone is equally attractive to those who would misuse this information.
Posted by Adrienne Hall, general manager, Trustworthy Computing

Today another Data Center Knowledge article posted by my colleague David Bills, chief reliability strategist, covering guiding design principles for cloud services. In the article, he explains the cultural shift and evolving engineering principles Microsoft employs to help improve the dependability of services. David says service providers need to identify as many potential failure conditions as possible in advance and account for those during the service design phase. During this phase, design teams can also consider new dynamics such as technological advances that test performance limits, the interplay of applications, and broader industry trends. This careful planning helps us decide exactly how the service is supposed to react if and when the unexpected occurs. The goal is for services to be able to recover from these failure conditions with minimal to zero interruptions.

David suggests that cloud services teams employ failure mode and effects analysis to help build redundancy into cloud services. This type of analysis informs efforts to simplify physical infrastructure and to use software to build resiliency into cloud services. I recommend reading David’s article and his prior Data Center Knowledge article. Both articles draw upon David’s experiences with our cloud-based infrastructure supporting more than 200 services, 1 billion customers, and 20 million businesses in more than 76 markets worldwide.
Business leaders need information, tools and research to understand whether adopting the cloud can deliver advantages such as lower IT costs, increased efficiencies, and greater flexibility. They’re also reviewing whether the integration of cloud services into their overall IT roadmap helps address cybersecurity and privacy concerns.
Recent Wall Street Journal and Forbes news reported CIOs’ sentiment as follows:
For business leaders who are evaluating cloud security and privacy, I recommend a few resources to help inform decisions. The US-CERT’s recent Cybersecurity Questions for CEOs paper and the Cloud Security Alliance’s (CSA) Critical Areas of Focus in Cloud Computing guidance provide a security-focused road map for adopting cloud services. I also recommend a perusal of the CSA’s Security, Trust & Assurance Registry (STAR), which documents the security controls provided by various cloud computing offerings, thereby helping business leaders assess the security of cloud providers they currently use or are considering contracting. Microsoft cloud services are in the STAR to ensure customers have the information they need to assess security and privacy capabilities.
Organizations are utilizing Microsoft Office 365 for cloud-based email, calendaring, collaboration, and conferencing to improve communication and collaboration. Enterprise cloud customers are increasing the delivery of new services to their business, enhancing server security and availability, and reducing fixed network and server costs.
Movement to the cloud represents an adaptive progression of IT strategy over time.