Posted by Jacqueline Beauchere, Chief Online Safety Officer, Trustworthy Computing, Microsoft
As noted in a recent post, I spent the spring months on a “listening tour.” I spoke with prominent individuals both inside and outside of Microsoft, seeking opinions and insights to help inform the strategy and approach for my new role. While my position and title may be new for the company (and the industry), the commitment to Internet safety is not.
Taking into account the risks stemming from content, contact, conduct, and commerce (“The Four Cs”), a concept I shared in the first part of this post, I’ll focus this second half on how the online safety risk-landscape has evolved, current trends, and where we’re likely headed next.
By Adrienne Hall, general manager, Trustworthy Computing
Are You and Your IT Staff on The Same Page?
For business leaders to make sound decisions related to IT security, they need clear, timely information that maps to business goals.
Unfortunately, many IT professionals could do better in communicating with executives, according to a recent study conducted by the Ponemon Institute for the IT security firm Tripwire.
When I officially assumed my new role this spring, I began a “listening tour” with the goal of further shaping Microsoft’s impact in helping to create safer, more trusted online experiences for individuals and families. I’ve spoken with—actually interviewed—dozens of influential people both inside and outside Microsoft, in the U.S. and around the world, who have chosen to make Internet safety their life’s work. Eighty-five conversations later (and counting), I’ve been gathering perspectives as to the current state of global online safety, the evolving risk-landscape, current hot topics, and where we may be headed next.
In this first of a two-part blog, I’d like to share some of those themes, including insightful reflections from my interviewees, as well as offer a few thoughts about the discipline of online safety at Microsoft.
One place to start is with a definition. When I asked experts how they define online safety, I was often met with quizzical stares or silence on the other end of the telephone line. Indeed, people who focus on online safety, or have even a portion of it as part of their day job, know and understand what it means. But, to others, it might not be as clear. I often invoked the now-famous phrase coined by U.S. Supreme Court Justice Potter Stewart, who in 1964 was attempting to define a threshold for obscenity: we, in online safety, “know it when (we) see it.” But actually articulating some strictures for the field proved somewhat more challenging.
Posted by Adrienne Hall, general manager, Trustworthy Computing
As cloud computing begins to mature, organizations are looking at ways to understand the opportunities and assess their own current IT environment with regard to security, privacy and reliability practices, policies and compliance. To help organizations make informed security decisions and evaluate IT readiness for moving assets to the cloud, I recommend two resources:
First, the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing provides enterprises with a set of best security practices based on 14 domains involved in governing or operating the cloud. The domains align with industry standards and best practices and are written to emphasize security, stability and privacy. The CSA recommends that organizations adopt a risk-based approach to moving to the cloud and selecting security options. Their approach can help IT leaders make more informed security decisions and help reduce risk when adopting the cloud.
Second, last fall I announced Microsoft’s new free Cloud Security Readiness Tool, which builds on CSA’s Cloud Controls Matrix (CCM). The tool helps organizations establish a solid baseline of their current security, privacy and reliability practices, understand relevant regulations, and determine their readiness for cloud adoption. It offers a short survey and a custom report to better understand systems, processes, policies and practices and to evaluate how to improve your current IT state. Technical business leaders can evaluate cloud services against critical areas and compliance with common industry standards.
Posted by Adrienne Hall, general manager, Trustworthy Computing
Last week Microsoft announced three new bounty programs that encourage the security research community to report vulnerabilities in our latest browser. The concept of bounty programs is not new. Our approach is simple – we believe in building smart engagements with the security research community to create meaningful impact across the IT ecosystem. Recent news stories highlight the novel approach and explain how the new bounty programs bring more minds to the table.
All our new bounty programs are designed to work together:
• Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview).
• BlueHat Bonus for Defense – Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission.
• IE11 Preview Bug Bounty – Microsoft will pay up to $11,000 USD for critical-class vulnerabilities that affect IE11 Preview on Windows 8.1 Preview. This includes security bugs with privacy implications.