Posted by: Tim Rains, Director, Trustworthy Computing
If you’ve been following this series then you know I’ve previously written about the importance of security, compliance and privacy in the cloud. Whenever I talk to customers these themes continually come through as important topics when choosing a cloud provider. But I believe customers have an even more basic demand of their cloud vendor; they want a service that is reliable.
Cloud computing raises important considerations for organizations about how reliable their cloud provider is and what measures they have in place to deal with incidents and events that compromise reliability when they occur.
Posted by: Tim Rains, Director, Trustworthy Computing
Last week I shared some details about the Security Development Conference 2012 for those unable to attend. I also provided a recap of Richard Clarke’s keynote and included a video interview in which Richard shared his perspective on the importance of secure development to critical infrastructure.
Another keynote that took place later that day came from General Michael V. Hayden, Principal, The Chertoff Group and Former Director, U.S. Central Intelligence Agency and U.S. National Security Agency. His keynote entitled “The Persistent Threat: Understanding the Cyber Security Challenge We Face Today” was another thought provoking talk that emphasized the serious nature of cyber threats to society and the importance of taking action now. In his keynote he stated that “while the cyber threat is often intensified in terms of war fighting, the fact remains that there is serious malicious activity and resulting economic damage occurring within our private sector.” He went on to make the point that the private sector should not rely on the federal government’s ability to provide security for their systems and that private firms need to take these threats seriously and prepare appropriately.
Posted By: Tim Rains, Director, Trustworthy Computing
Security standards for cloud computing are of high interest to many organizations around the world eager to adopt cloud services that are implemented and operated using a standards based approach. Cloud providers that choose to leverage existing or emerging security standards help make it easier for potential customers to evaluate and compare the security of cloud services.
I have written more than a few articles on this blog focused on why it is important to provide visibility into how cloud services are being operated by cloud providers, particularly where security controls are concerned. Security of cloud services is top of mind for customers looking to realize the benefits of cloud computing. When cloud providers offer their customers insight into the security controls used to manage their cloud services, customers are able to evaluate whether those services meet compliance requirements they are subject to, and standards and best practices that are important to their organization.
In my two previous articles recapping the Security Development Conference 2012 I shared some insights from Richard Clarke’s keynote and General Michael V. Hayden’s keynote. The final keynote of the conference was delivered by Scott Charney, Corporate Vice President, Trustworthy Computing at Microsoft. Scott’s keynote focused on the journey that started ten years ago when Trustworthy Computing was initiated at Microsoft. Scott talked about many of the challenges we faced at Microsoft in the early days of Trustworthy Computing. Scott talked about Microsoft’s security strategy called “Establishing End to End Trust” and how it reflects many of the things we have learned about security over the years.
Earlier this month, I wrote about reliability and the importance of customers knowing what measures their cloud provider has in place to deal with incidents and events that may compromise reliability when they occur.
One of the concepts customers ask me about is recoverability – because many customers assume incidents will happen and want to understand what questions they should be asking their cloud provider to make sure they’re prepared for this.
In this episode of the Trustworthy Computing Cloud Fundamentals Video Series, I spoke with David Bills, Microsoft’s Chief Reliability Strategist, about types of incidents that may occur and how to recover.
Posted by: Richard Saunders, Director, Trustworthy Computing
I was at the Cloud Asia event in Singapore recently. One of the sessions was led by an exec from Changi Airport in which he likened internet security to airport security. Jetlag and the passing of time make me hazy on the finer points of what he said, but it was a good presentation.
It made me think that the airport analogy kind of works for Microsoft. As airport users, we are unaware of many of the security precautions in place. But a few – bag scans, pat downs, patrolling police officers etc. – are very obvious.
At Microsoft many of the users of our products are unaware of much of what we do to secure our customers’ data and give them a secure and private online experience. Take the Security Development Lifecycle(SDL), a secure development process that is applied by product groups at Microsoft in an effort to reduce the number and severity of vulnerabilities. Most people do not know it exists and yet it’s there, in the background since 2004 helping to secure our products and services every day.
Posted by: Mark Estberg, Senior Director, Online Services Security and Compliance
Microsoft’s Global Foundation Services (GFS) organization delivers the global infrastructure and network for over 200 consumer and enterprise cloud services. The security, privacy and reliability expectations of the customers served by these services must be met in order to develop the level of trust necessary to support a global shift to online and cloud computing. Each of Microsoft’s online and cloud services focus on its respective customer requirements and GFS must meet the obligations that come from all of the more than 200 services because they all reside in the GFS infrastructure. While many of the capabilities must be provided at the service layer, all services have at least some level of dependency on the cloud infrastructure built, managed, and secured by GFS.
This results in a broad set of requirements that must be met and represented by GFS. These requirements stem from regulatory and statutory sources (e.g., European Union Model Clauses, United States health care requirements including HIPAA and HITECH, United States Federal Information Security Management Act, etc.), industry sources (e.g., Payment Card Industry Data Security Standard, etc.), self-selected standards (e.g., ISO 27001, SOC 1, SOC 2, etc.), as well as risk-based security expectations commemorated in our policy and business decisions.