Cloud Computing | Microsoft Trustworthy Computing Blog

Cloud Computing Security News and Guidance for Businesses and Organizations

March, 2012

  • Cloud Fundamentals Video Series: Compliance in the Cloud

    Posted by:  Tim Rains, Director, Trustworthy Computing

    Many organizations want to take advantage of the cloud, but the data within existing services often contains a mix of the organization’s high, moderate, and low impact data. In this next installment of Trustworthy Computing’s Cloud Fundamentals Video Series, Jeffrey Miller, Information Security and Privacy Manager for Microsoft Health Solutions Group discusses the need to classify and segregate data to enable cloud migration while still maintaining regulatory and standards requirements applicable to sensitive data.

    Read more..

  • Cloud Fundamentals Video Series: Bring Your Own Device and the Cloud

    By: Tim Rains, Director, Trustworthy Computing

    The consumerization of IT, referred to by many people as “Bring Your Own Device” (BYOD), is a very hot topic these days as organizations grapple with the challenge of managing the risks in allowing organizational data to be placed on personal mobile devices, like smart phones.  The challenge here is that some of the devices that employees decide to bring to work with them might not have the basic security or management capabilities. This challenge is compounded by the risks associated with these same devices connecting to ubiquitous social networks and the diverse ways organizations and people are choosing to connect and share data today – such as the utilization of cloud services. 

  • Cloud Fundamentals Video Series: Cloud Computing Privacy at Microsoft, Part 2

    In my last post, I discussed the three tenets that encompass Microsoft’s approach to cloud computing privacy: responsibility, transparency and choice.   In part two of this interview, Brendon Lynch, Microsoft’s Chief Privacy Officer explains how these three tenets work using Office 365 as an example.

  • Cloud Fundamentals Video Series: The Importance of Secure Development Practices for Cloud Services

    By: Tim Rains, Director, Trustworthy Computing

    To date much of the public discourse I have seen on cloud computing security has centered on cloud service providers and how they manage the operations of their cloud service offerings. This aspect of cloud computing is very important, especially for cloud customers that have compliance obligations to maintain. A topic of equal importance that I see much less focus on in the industry is how to securely develop cloud services. After all, a perfectly operated cloud service that has vulnerabilities in it that are the product of a poor development processes isn’t going to help protect the data that cloud customers store and process in the cloud.

    Developers of cloud applications and platforms need to leverage a secure development process and use associated tools to help minimize the number and the severity of security vulnerabilities in the online services they develop. Security isn’t something they can bolt on at the end of the development process – it has to be baked into the process from the very beginning. As part of your cloud provider evaluation process, you should ask your candidate cloud providers about their development processes and how security is addressed.

  • Cloud Fundamentals Video Series: Cloud Computing Privacy at Microsoft, Part 1

    Posted by: Tim Rains, Director, Trustworthy Computing

    Cloud computing is a top of mind issue for many customers.  Protecting privacy is part of Microsoft’s long-term commitment to Trustworthy Computing, and we strive to build privacy protections into all of our products and services. 

    Cloud computing raises important considerations for organizations about how they manage information and interact with cloud service providers. In the traditional information technology model, an organization is accountable for all aspects of data protection, from how it uses personal information to how it stores and protects data stored on its own computers. Cloud computing differs because information can flow offsite to data centers owned and managed by cloud providers.  Defining the allocation of responsibilities and obligations for security and privacy between cloud customers and cloud providers—and creating sufficient transparency about the allocation—is a new challenge. 

  • TeliaSonera - Finland’s Secret for a Secure Internet

    Posted by: Tim Rains, Director, Trustworthy Computing

    Twice a year we produce the Microsoft Security Intelligence Report (SIR) – an incredibly detailed view into the threat landscape and threat trends in 100+ countries around the world. One piece of data that tends to catch people’s attention is the list of top countries that have reported the highest malware infections during the period.

    As with many lists like these, there is typically a gap between those at the top and the bottom. As a result the question we are often asked is “what is country x doing right to have such a low infection rate?”  Learn more

  • Introducing Steve Lipner

    Posted by: Richard Saunders, Director, Trustworthy Computing

    Several weeks ago we started a 30 second profile series that looks at some of the members of the Trustworthy Computing team and what they do both in and out of work. In the first profile you got to know a bit more about Adrienne Hall. Today we’ll introduce you to Steve Lipner, partner director of program management for the Security Development Lifecycle.

    - What do you do in TwC and how long have you been doing it?

    My primary responsibility in TwC is the Security Development Lifecycle (SDL) – Microsoft’s process for improving the security of the software and services we release to customers. I also work on protecting the integrity of Microsoft’s product development process and supply chain, and on government evaluations of Microsoft products and online services. I’ve been responsible for the SDL and its predecessors for almost eleven years.

  • Guest Blogger: Jim Reavis, Executive Director, the Cloud Security Alliance

    Posted by: Adrienne Hall, General Manager, Trustworthy Computing

    If I had to choose one word to describe this year’s RSA conference it would be “buzzing.”

    That was the feel on the floor of the conference earlier this month, as security professionals from across the globe came together to discuss the core security and privacy topics of today’s computing industry. From the keynotes and panel sessions to casual conversations and demonstrations in the expo hall, there was a strong sense that we (the security industry) are making progress despite increasingly determined adversaries.

    Much of what I heard and discussed with fellow delegates reaffirmed my view that the industry is getting better about designing, developing and deploying secure products and services. This is especially encouraging as the industry is experiencing a flurry of activity around new cloud computing and mobile solutions.

  • Guest Post: Jim Reavis on the RSA Conference

    Posted by: Jim Reavis, Executive Director, Cloud Security Alliance


    For our industry, the RSA Conference is the Oscars, a political convention and a college reunion, all rolled into one. We spend months preparing for this one week, and out of this one week comes a year’s worth of new initiatives we must tackle. As always, Cloud Security Alliance (CSA) had a big presence at this year’s show, with our Monday CSA Summit keynoted by Mike McConnell, a former director of the NSA. Between our summit and all the other activities I participated in, I wanted to share the impressions that stuck with me:

    Mobile computing shared the spotlight with cloud. There has been a significant growth in mobile deployments over the past year, virtually all of it relying upon public clouds for the back end. Several large companies shared stories with me of new end-to-end solutions that did not traverse the enterprise network with even a single TCP/IP packet. This was a big reason behind our announcement of CSA Mobile, a new research project to provide security practices for mobile computing as it interacts with cloud computing. Central IT control over the computing paradigm shrunk again, and those who are embracing this change and growing their knowledge of the business and even anticipating its needs seem to be in the best position. 

  • Tracking Industry Progress: Tim Rains and Marcia Savage Discuss Cloud Security

    Posted by: Richard Saunders, Director, Trustworthy Computing

    If you’re familiar with this blog you know that Tim Rains asks the questions that drive our Cloud Fundamentals video series. At the RSA conference earlier this month, the tables were turned as Tim sat down with Marcia Savage of TechTarget to discuss cloud computing security standards and provider transparency.

    As an active member of the cloud security community, these are topics that Tim has previously blogged about and discussed with leaders of the security industry. In Marcia’s video you can see Tim dive even deeper into these subjects and discuss industry progress on projects such as the Security, Trust and Assurance Registry (STAR).