Posted by: Tim Rains, Director, Trustworthy Computing
Benchmarks and evaluation standards for cloud computing security is a topic that is top of mind for many organizations that are evaluating the potential uses of this new computing paradigm. Many of the customers I have talked to say they would benefit from standard evaluation criteria for cloud service providers. Many customers are trying to find an adequate method to communicate potential risk to internal and external auditors. Some customers are interested in using the European Network and Information Security Agency’s (ENISA’s) set of evaluation criteria for cloud service providers as a potential baseline for future cloud provider assessments, while other customers are looking to ISO 27001 or a future ISO standard that specifically addresses cloud computing technology, and others are looking at the potential of the Cloud Security Alliance’s Security Trust and Assurance Registry (STAR).
As I mentioned in my last article, Microsoft is collaborating very closely with the industry on drafting standards and baselines for cloud service providers. Laura Posey, a Senior Security Strategist in Trustworthy Computing at Microsoft, has been involved in this process. Please watch this latest video in the Trustworthy Computing Cloud Fundamentals Video Series where I discuss standards for cloud computing security with Laura.
If you haven’t seen the other videos in this series, you can check them out below:
Cloud Fundamentals Video Series
Please check back on this blog regularly as we continue the Cloud Fundamentals Video Series and explore topics that are top of mind for IT professionals related to cloud security, privacy, and reliability.
Posted by: Brendon Lynch, Chief Privacy Officer for Microsoft
Whenever someone tells me, “your reputation precedes you,” my immediate thought is I hope they mean that in a good way.
As we conduct more of our lives online, it’s important to understand that every piece of personal information that exists about us online has the potential to shape the way people perceive us. Emails, texts, photos, purchases and social media interactions all contribute to the assumptions people draw. Unfortunately, many of us are unaware of the cumulative portrait painted by the sum of all this online data and the potential consequences for us in the physical world.
As we look forward to Data Privacy Day this coming Saturday, January 28, Microsoft is releasing data from a survey of 5,000 people in the US, Germany, Canada, Ireland and Spain. In it we take a look at peoples’ online behaviors and examine how the way people act online has the potential to impact not only their reputation but that of others as well.
Posted by: Tim Rains, Director, Trustworthy Computing
Security industry associations are a very important part of the computing ecosystem. Among other things they provide education, training and certification for security professionals, develop and share benchmarks and security best practices, provide forums, events and conferences for security professionals to meet, exchange information, and network with their peers. Microsoft is a member of, and helps to sponsor, several security industry associations including the Information Systems Audit and Control Association (ISACA), the International Information Systems Security Certification Consortium (ISC2), the Information Systems Security Association (ISSA), the Cloud Security Alliance (CSA).
The last security conference I attended was the CSA Congress held in November of 2011 where Microsoft was the Diamond sponsor of the event. Microsoft has been partnering closely with the CSA, and its other members, in several key CSA research initiatives including the Cloud Controls Matrix (CCM) initiative, the Consensus Assessments Initiative, the CloudSIRT initiative, the Security as a Service initiative to name a few. These initiatives are staffed by volunteer subject matter experts from across the industry who are working together to create guidance, education and best practices in security related areas that are important to the future of cloud computing.
While I was at the CSA Congress I had the chance to talk with Jim Reavis, the Founder and Executive Director of the CSA. We talked about the biggest challenges for cloud computing security, and what Microsoft has been doing to help with these challenges. One of the things Jim told me was "each day, a growing number of companies decide to leverage cloud computing for important business activities. There is an immediate and compelling mandate for all of us to become better informed as to how cloud computing functions, its key benefits and considerations to establishing trust. CSA is committed to building the trusted cloud ecosystem and we salute Microsoft’s efforts to both build robust and secure cloud services as well as offering cloud educational series in the public interest."
This is the topic of conversation in the latest installment of the Trustworthy Computing Cloud Fundamentals Video Series and I invite you to watch it.
Posted by: Adrienne Hall, General Manager, Trustworthy Computing
There’s a lot of buzz around cloud computing. My experience tells me that buzz begins to translate into wider adoption when customers are shown the tangible benefits for their organization.
To help parse the buzz, we’ve worked on this blog to highlight the benefits of cloud computing especially as it relates to core trust elements of security, privacy and reliability. In particular, we’ve focused on the efficiency and implementation of security measures that becomes possible in cloud computing environments. For example, by outsourcing the security updating process to cloud providers, IT resources are freed up to tackle other business objectives.
Yesterday, Satya Nadella, president of Microsoft Server and Tools Business, made a similar point during his announcement of a release candidate for Microsoft System Center 2012. In Satya’s presentation one section connects to this example: “IT leaders tell me that private cloud computing promises to help them focus on innovation over maintenance, to streamline costs and to respond to the need for IT speed. We are delivering on that promise today. With System Center 2012, customers can move beyond the industry hype and speculation, and progress into the here and now of private cloud.”
You know how every once in a while you get thrown a curveball? Well, almost nine years ago a real big one came my way. In January 2003 I was responsible for global customers doing business in North America. SQL Slammer was at its height and IT managers were urgently reviewing their policies to better manage assets and ensure correct configurations were in place against known attack vectors.
The difficulties customers faced during those days stayed with me. When I joined Trustworthy Computing (TwC) in 2004 I was able to apply that experience in a group dedicated to improving security, privacy and reliability for our customers.
This month marks the 10 year anniversary of TwC. We’re proud of what we’ve achieved and of the many innovations that have become accepted as industry best practices. But it would be wrong to congratulate ourselves on a job well done; while we’ve come a long way and others have too, there is still a lot on the road ahead.
In my last blog post, I discussed some of the challenges associated with achieving acceptable levels of transparency for organizations seeking the benefits of cloud computing.
For many organizations, visibility into how their cloud providers’ infrastructure is designed and operated can help to provide reassurance that the cloud provider is providing the type of service they say they are providing, and helping cloud customers to comply with compliance obligations that might exist. In this next installment of Trustworthy Computing’s Cloud Fundamentals Video Series, Mark Estberg, Senior Director of Microsoft’s Global Foundation Services, discusses the importance of having a framework in place to help clarify the responsibilities that cloud providers and cloud customers have when leveraging different cloud computing architectures. Cloud customers are ultimately responsible for ensuring they meet the compliance obligations that apply to them. Subsequently cloud providers need to provide a level of transparency that helps their customers maintain compliance, but in a way that minimizes disruptions to operations and keeps costs low.
Mark provides more context and detail in this video and I invite you to watch it.
When Information Technology departments evaluate potential uses of cloud computing for their organization, many of them quickly realize they no longer have the near omniscient visibility into the operations environment they have when hosting those same workloads inside their own premises.
Depending on the deployment model, details pertaining to the operational aspects of a cloud service provider might be abstracted from the customers using the provider’s services. For example, in the case of a public cloud service, customers accept a reduced level of transparency in order to get the benefits, namely potential reduced costs and increased business agility, from the economies of scale that subscription-based cost sharing arrangements can create.Organizations try to manage this loss of transparency in different ways. Some customers I have talked to try to put a “right to audit” clause into the service level agreements they negotiate with their cloud providers. But I’m not sure this really provides the transparency they want, for at least a few reasons: