Posted by: Tim Rains, Director, Trustworthy Computing
If you have been following our Trustworthy Computing Cloud Fundamentals Video Series you have probably seen at least two videos where we discuss the importance of transparency in cloud security controls. In addition, we have shared how the Cloud Security Alliance’s (CSA) Security Trust and Assurance Registry (STAR) can help provide that transparency to cloud providers and cloud consumers. If you haven’t seen these videos or would like a refresher, you can watch them here:
As you can see from these video interviews, both Office 365 and Windows Azure have self-assessments published in the CSA’s STAR. This was an important step in demonstrating our commitment to transparency for our cloud customers. As of late last week we are pleased to share that Microsoft Dynamics CRM has also published a self-assessment in the CSA’s STAR.
By: Tim Rains, Director, Trustworthy Computing
Earlier in this series I wrote about transparency and how the Cloud Security Alliance’s (CSA) Security Trust and Assurance Registry (STAR) provides cloud customers with some insight into how cloud providers are managing the security controls of their cloud offerings.
Office 365 was one of the first services to publish a self-assessment in the CSA’s STAR; this past week Microsoft published a second self-assessment in the STAR, this time for Windows Azure.
Industry collaboration is critical to helping businesses, governments and citizens realize safer computing experiences. It is also important in the context of cloud security. Earlier in this series I discussed the benefits of industry collaboration with the Executive Director of the Cloud Security Alliance. In this installment of the Trustworthy Computing Cloud Fundamentals Video Series, I discuss industry collaboration with Philippe Courtot, the Chairman and CEO of Qualys – a corporate member of the Cloud Security Alliance.
I have been asked more than a few times whether I think there are too many people involved in developing cloud security standards and best practices. The underlying concern is that when too many people get involved, the process of developing new standards becomes too bureaucratic and progress is slower than it should be. But the process has to be inclusive enough so that important nuances from different markets and industries are not overlooked. This balance needs to be carefully managed.
Consumers of cloud services generally don’t get to see the layers of technology that they rely on. For many, this seamless delivery is part of the value proposition of cloud computing; depending on the type of deployment, customers expect their cloud provider to manage the details so they can get on with the business of running their business.
The reality though is that cloud providers leverage the services and infrastructure of many other vendors to be able to deliver a service to their customers. For example, network services to and from a data center are likely provided by two or more network providers in order to provide redundancy, load balancing, and address other architectural needs.
It’s not surprising then that for a cloud provider to deliver a reliable service that meets customers’ security, privacy and compliance requirements there is significant interdependence between each of the layers that make up the cloud.
Most of the conversations I have about cloud computing focus on the role of cloud providers to manage the security of the services they provide to their customers. It seems like implementing security controls, providing visibility into those controls, and ensuring services meet or exceed standards and compliance requirements are themes that are top of mind for most of the customers I talk to.
I think the reason for this is that some cloud computing architectures, like software as a service, offer customers the opportunity to offload many of the aforementioned security responsibilities to their cloud providers. But I rarely hear anyone talk about the residual risk in this arrangement. The obvious place to look for residual risk is the management of the clients used to access cloud services. I have written about the consumerization of IT and BYOD in the past, and how many CISOs are being challenged to evolve their strategies for protecting their organizations’ assets.
Posted by: Jacqueline Beauchere, Director, Trustworthy Computing Communications
For more than a decade, we at Microsoft have been protecting consumers from online safety and security risks not only by our work in Trustworthy Computing (TwC), but in our partnerships with others in industry, business, and the non-profit community – an effort we refer to as “Fostering Digital Citizenship.”
In addition to being the 10-year milestone of TwC, 2012 marks the decade anniversary of the National Cyber Security Alliance (NCSA), a not-for-profit dedicated to educating and empowering society to use the Internet safely – at home, work, and school. NCSA also focuses on protecting technology, networks, and other shared digital assets.
Microsoft is a founding member of NCSA, and I have been the company’s representative to the NCSA board of directors for more than half of its existence. In the last 10 years, NCSA has grown both in size and influence, and we’ve seen it flourish as a leading voice in Internet safety and security awareness and education.
Posted by: Adrienne Hall, General Manager, Trustworthy Computing
If you follow this blog regularly, you know that security development policies, tools and practices are at the heart of what Trustworthy Computing does. From my first ever post, to Tim Rains’ recent Cloud Fundamentals video with Steve Lipner, you can see that creating, refining and sharing best practices for how to write code with a goal of reducing the number and severity of vulnerabilities is an ever-present driver for us.
Given how important security development is to our efforts, you can imagine our excitement for the inaugural Security Development Conference taking place May 15-16 in Washington D.C. This is just around the corner and promises to be a fantastic event.
While we previewed the conference a few months ago, I want to be sure you have updated information and an outline as to what attendees can expect.
Posted by: Richard Saunders, Director, Trustworthy Computing
Today we want to introduce you to Brendon Lynch, Microsoft’s Chief Privacy Officer. In this 30-second profile series, we give an inside look at our team by informally interviewing members of Trustworthy Computing about what they do both in and out of work. We have now profiled Adrienne Hall and Steve Lipner.
- What do you do in TwC and how long have you been doing it?
I am the company’s Chief Privacy Officer (CPO). I joined the privacy team in TwC eight years ago and became the CPO in 2010. In this role I am responsible for privacy policy creation and implementation across the company, engaging with external stakeholders and influencing the creation of privacy and data protection technologies for customers.
- What’s the first thing you do every day at work?
Catch up on emails from my European colleagues and contacts. There is a lot of interest and activity in the privacy and data protection field in Europe right now so that flow of email seems to be growing.
Los Angeles-area seniors are “getting their game on,” and enjoying noticeable health and social benefits as a result. The “Exergamers Wellness Club” is an innovative public-private partnership made possible by Microsoft and other organizations. Combining online gaming, exercise, and health and wellness, the Club encourages older adults to become more socially active, and helps them keep their personal data safer online.
Microsoft teamed with the City of Los Angeles, the Partners in Care Foundation, and St. Barnabas Senior Services to bring the program to life. Microsoft Kinect for Xbox 360 serves as the exercise platform, while Microsoft HealthVault helps store and monitor personal health information in a trusted online place.
Started in May 2011 at a senior center in Los Angeles, the Club encourages older adults to enjoy friendly competitions in dance and bowling, using the Kinect games provided. Based on the success of this single-center pilot, Microsoft and its partners yesterday announced a plan to extend the Wellness Club to all 16 senior centers within the Los Angeles Department of Aging’s service area. But not before a “flashmob” that included some of the 60-, 70- and 80-year-old pilot participants took to the floor, showing off what they learned over the last year.