Cloud Computing | Microsoft Trustworthy Computing Blog

Cloud Computing Trends Report: Understanding IT Maturity Practices

2013-05-24T00:10:00Z

By Adrienne Hall, general manager, Trustworthy Computing

Many organizations considering cloud adoption can benefit from timely trends research and simple, well-organized information about their current IT state to better assess the benefits of adopting a particular cloud service.

Today Microsoft released the new Trends in cloud computing report, which analyzes the results of current IT maturity and adoption practices of organizations worldwide that have used the free Cloud Security Readiness Tool (CSRT). The data consists of answers provided by people who used the CSRT over a six-month period between October 2012 and March 2013. This trends report helps organizations understand and evaluate IT security areas that are strengths and weaknesses. For example, areas of strength for those who utilized the tool are information security (through deployment of antivirus /antimalware software), security architecture, and facility security. Areas of weakness are human resources security, operations security, information security (through consistent incident reporting), legal protection and operations management.

In October 2012, Microsoft released the free Cloud Security Readiness Tool (CSRT) to help organizations assess their IT environment and evaluate the benefits of cloud adoption. Organizations are using the CSRT to better understand their systems, processes, policies, and practices. The tool provides a survey and a custom, noncommercial report organizations can understand and improve their current IT state, learn about relevant industry regulations, and receive guidance on how to evaluate different cloud options.

Jeff Jones on my team provides insights on the new trends in cloud computing report. I recommend taking time to run the CSRT survey and read the custom report about your current IT state so you can evaluate the benefits of cloud adoption or growing services if you’re already in the cloud.

Want a New Job? Online Reputation Matters

2013-05-22T14:00:00Z

Posted by Jacqueline Beauchere, Chief Online Safety Officer, Microsoft

Almost 46 percent of Internet users are going online to find a job, according to recent data. That total nearly doubles when it comes to hiring managers using the Internet to screen prospective candidates.

Increasingly, such statistics, coupled with conversations about online reputation – like the one at last week’s 2013 FOSI European Forum – continue to show that in today’s digital world, online information is just as important as an individual’s past employment history.

Held in Dublin and sponsored by The Family Online Safety Institute (FOSI), last week’s event brought together some 150 representatives from government, including Frances Fitzgerald, the Irish Minister for Children and Youth Affairs; industry leaders from companies such as Microsoft, Facebook, and Twitter the education sector, civil society, and the advocacy community to discuss, “The Year of the Digital Citizen: Online Safety, Data Protection, and Privacy.”

It was a question and comment from an audience member that sparked additional conversation, and underscored for me and others the ongoing need to attentively safeguard one’s digital reputation.

Microsoft examined the question of online reputation closely in depth in 2010. At the time, we released what was then considered by many as ground-breaking research: we spoke to recruiters and hiring managers, as well as consumers, in five countries, asking them about the impact of individuals’ social media profiles on potential hiring. Others have since followed suit with similar research. We routinely counsel teens and adults alike to think before uploading photos or videos with even the slightest hint of questionable or unflattering content; to walk away from their keyboards before responding to a “flame,” and to exercise the same care and consideration for their posts, photos, and videos that mention or feature others. In turn, we do our level best to help people of all ages and abilities better protect their personal information, and understand how to best manage the information that circulates about them online.

Here are some quick tips to help protect and manage your Online Reputation:

From time to time, conduct your own “reputation report”
• Search all variations of your name via multiple search engines.

Evaluate whether the results reflect the reputation you’d like to share with the world
• If the information is inaccurate or less favorable, respectfully request that the person who posted the content remove it or correct an error. If he or she won’t, contact the hosting site’s administrator.

Consider separating your professional and personal profiles
• Remember that your image online can be a determining factor for hiring managers and application reviewers. Be sure to use different e-mail addresses, screen names, referring blogs, and websites for each profile; avoid cross-referencing to personal sites.

Adjust your privacy settings
• In Internet browsers, social networking sites, personal blogs and other places where you maintain personal data, use privacy settings to help manage who can see your profile or photos; how people can search for you; who can comment, and how to block unwanted access.

Think before you share
• Consider what you post, particularly personal photos and videos; who you share information with, and how it might reflect on your reputation. Let others know what you do and do not want shared.

Be a good digital citizen
• Be respectful of those with whom you engage directly. It reflects on both you and them, and becomes engrained in your respective online reputations.

The more proactively you manage your information online, the more opportunities you will have to ensure your online reputation if one of which you can be proud. For additional guidance, regularly check our Safety & Security Center, where all of our tools and materials are housed. “Like” our page on Facebook, and follow us on Twitter.

The time is now. Security Development Must be a Priority for Everyone

2013-05-14T16:00:00Z

By Steve Lipner, partner director of Software Security, Trustworthy Computing Security, Microsoft

Today marks the first day of the Security Development Conference 2013. Security professionals from companies, government agencies and academic institutions have traveled from all over the world to learn, network and share proven security development practices that can reduce an organization’s risk. As I sit here waiting for Scott Charney to take the stage, I am reminded that it’s been almost a decade since Microsoft implemented its Security Development Lifecycle (SDL). So much has changed in that time.

In the past decade, Internet usage has gone from roughly 350 million people online to more than 2.4 billion. Today there are more opportunities than ever before for developers. Windows 8 is still relatively new, the cloud is in its early stages of adoption and there has been an explosion in new mobile devices and platforms. While the Internet has created many new opportunities and ways to do business, it has also spawned a digital underground for online crime. Security breaches that have financial consequences or lead to intellectual property loss, website defacement or espionage have become a reality in today’s computing landscape.

Many of the developers I talk with generally recognize the importance of security development. Despite this, the evidence suggests that the vast majority of organizations still have not adopted security development as a fundamental professional discipline. Microsoft recently surveyed over 2200 IT professionals and 490 developers worldwide. The survey found that only 37 percent of IT Professionals cited their organizations as building their products and services with security in mind. Furthermore, 61 percent of developers were not taking advantage of mitigation technologies that already exist such as ASLR, SEHOP and DEP. These mitigations have been freely available to the industry for years and are often simple additions to existing development practices–and yet only a minority of developers are leveraging them. This is concerning to me and it should be concerning to everyone who uses the Internet.

Furthermore, the survey revealed the biggest roadblocks that prevent organizations from adopting a security development process were 1) lack of management approval, 2) lack of training and support and 3) cost. Today at the Security Development Conference, Microsoft and others are taking steps to eliminate these barriers and to help close the gap on security development adoption.

Management Approval – Standardization and compliance can help overcome many of the barriers involved with management approval. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) recognized the need for standards around security development processes and released ISO/IEC 27034-1. This new international standard is the first of its kind to focus on the processes and frameworks needed to build a comprehensive software security program. ISO/IEC 27034-1 is an important step in the right direction for security and opens up a number of possibilities for organizations. Microsoft recognizes this important milestone in security development and today announces through its Declaration of Conformity that Microsoft’s SDL conforms to ISO 27034-1. We hope that by publically conforming to this standard, we can serve as an example for other businesses looking to make a commitment to secure development.

o For businesses that develop or sell software, this standard provides a common validation language for security development practices, offers a clear and simple outline for adopting a security development framework and can serve as a competitive differentiator in the marketplace.
o For customers purchasing software or services from vendors, this standard provides a single “language” for purchasers to demand secure development across industries, platforms and regions

For more information on ISO 27034-1, I recommend checking out a paper released today, commissioned by Microsoft and published by Reavis Consulting Group, LLC titled “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization.”

Many industries are faced with the uphill battle of securing their infrastructures and conforming to industry regulations. An example of a sector addressing this very challenge is the healthcare industry. Today, Microsoft also released a paper titled "Secure Software Trends in Healthcare" that speaks to this industry challenge and demonstrates how the SDL can have a positive impact.

Training and Support –Microsoft provides free, downloadable tools and guidance on its SDL Website including SDL for Agile, the Threat Modeling tool and the Attack Surface Analyzer, to help automate and enhance the SDL process, gain efficiencies, and ease the implementation of the SDL. To help with implementation, Microsoft’s Partner Network includes a number of members committed to helping customers adopt secure development practices based on SDL.. In addition to these resources, today The Software Assurance Forum for
Excellence in Code (SAFECode) announced new free online training courses on security development.

Cost - Lastly, IT professionals and developers cited cost as a major hindrance to adopting a security development framework. But truth be told, a secure product isn’t the only benefit that comes out of implementing this process–writing secure code also leads to real cost savings. The Aberdeen Group study also showed that companies adopting a “secure at the source” (Microsoft SDL-like) strategy realized a very strong 4.0-times return on their annual investments in application security. Forrester reconfirms this finding by stating that those practicing SDL specifically reported visibly better ROI than the overall population.

With a growing number of applications today, developers have no shortage of work. And the competition is also tough for developers. Every new software product and app must battle with competitive offerings. We’ve been in this situation before, and security too often took a back seat to the commercial pressures of being first to market, or to stand out with amazing features. But this time I hope it’s different. Cyber criminals are, unfortunately, a very real and common threat and the impact they can have on us as individuals and as organizations is well understood. As a result, organizations that use software must demand software products that are more secure, and developers must implement secure development as a means to satisfy that demand and stay competitive.

Professional Security Magazine Recognizes Microsoft Security Leadership

2013-05-13T19:00:00Z

By Jeff Jones, director, Trustworthy Computing

Today in Birmingham, England, Adrienne Hall, general manager of Trustworthy Computing, received one of three Professional Security Magazine’s Women in Security awards for her leadership and significant contributions to the security industry and to women within the field.

Adrienne regularly meets with security industry leaders in business, academia, government and law enforcement to share ideas, strategies, and discuss timely security resources that advance industry learning and collaboration. She is often a keynote speaker at and frequently tailors presentations to include Cloud Computing. In particular, the ways in which Cloud vendors need to demonstrate the security, privacy and reliability of their Cloud solutions.

Adrienne is also recognized within the security industry for her leadership on the Microsoft Security Intelligence Report (SIR), which analyzes the threat landscape of exploits, vulnerabilities, and malware using data based on telemetry from over a billion systems worldwide. Threat awareness via data, insights, and guidance provided in the SIR can be useful in helping security leaders protect their organizations, software, and users. In addition, hundreds of thousands of people each month leverage the information contained in Security Bulletins from Microsoft, a consistent source of information published by Adrienne’s group in partnership with Microsoft’s Security Response Center.

The goal of these various investments and partnerships is to improve the state of information security; one that she acknowledges is more a journey than a destination in today’s evolving threat landscape.

Adrienne shifted her focus to the field of Security in 2004. In living through the havoc viruses caused several customers during that timeframe, Adrienne decided to join Trustworthy Computing to help greater numbers of customers detect, contain, recover from, and prevent cyberattacks.

This award recognizes her work on a global level and joins last October’s recognition from the Executive Women’s Forum for Security, Privacy and Risk Management Professionals where she was a Finalist in the Corporate Practitioner category.

Evaluating Security Needs for Private Cloud

2013-05-09T15:00:00Z

Posted by Adrienne Hall, general manager, Trustworthy Computing

As I meet with customers, some ask: public or private cloud – which has more security risk? Actually, there are different sets of risks depending on the organization and their compliance needs.

A private cloud is a pool of computing resources controlled by a particular enterprise. Private clouds deliver a standardized set of services that are specified and architected, for the organization. The path to a private cloud is often driven by the need to maintain control of the delivery environment because of application maturity, performance and/or regulatory requirements, and business differentiation.

The opportunities offered by cloud computing requires a thorough assessment of benefits and risks.

Here are a few reasons why you might prefer a private cloud:

- A regulatory or security concern prevents you from allowing even encrypted data to reside in a public cloud.

- An in-house, customized application requires greater reliability or speed, potentially optimized through your own network rather than relying on the Internet.

- You want control over your assets, including physical possession of the hardware on which your data resides.

A Microsoft private cloud solution creates a layer of abstraction over pooled IT resources. Private clouds offer the scalability and pooled resources of cloud computing based on the organization’s terms, within dedicated resources in their own datacenter or perhaps in a service provider’s datacenter.

The following key attributes are common across both public and private cloud deployment models:

Pooled Resources
In a private cloud, core resources such as computing, storage, and network are implemented as a resource pool. This enables dynamic provisioning of applications and services.

Self-service
Once resources are pooled, applications and resources are delivered as services. Consumers of these services can request, configure, and manage these IT services as they see fit through an administrative portal that allows automated provisioning.

Elasticity
Because resources are pooled, they can be expanded or diminished through automation or workflow processes resulting in an environment with resources that scale up or down to meet changing business or usage needs.

Usage-based
With resources as services, usage can be metered so that one only pays for the resources that are actually being consumed.
Taking time to evaluate your security risk tolerance and potential exposures will provide the context to pick and choose the best options for your organization and deployment.

To learn more about Microsoft private cloud, I recommend please read this white paper and exploring the following resources TechNet article: Blueprint for Private Cloud Security.

Problem management for reliable online services

2013-05-07T15:30:00Z

Posted by David Bills, chief reliability strategist, Trustworthy Computing

I think most cloud providers recognize how important it is for them to be able to detect, diagnose, and resolve problems that threaten to reduce the availability and reliability of the services they offer. However, due to the plethora of components and dependencies involved in a typical cloud service, rapid detection, diagnosis and resolution of issues can be rather hard to achieve. Different root causes may manifest themselves as similar symptoms – this means it can be difficult to know for certain whether or not you have resolved an issue permanently.

For example, slow response times could be traced back to queries that haven’t been optimized or to fully-utilized network links slowing the transfer of data or to machines swapping from memory to disk and back. How you go about solving for each of these root causes is radically different, despite the same symptom – sluggish response!

Many organizations focus their attention on incident management, but in my experience, it’s the organizations that employ a robust problem management process that achieve greater reliability, agility and efficiency when managing their cloud services.

Today Microsoft released a new whitepaper titled, “Problem management for reliable online services”. The paper describes problem management and the benefits organizations derive from implementing a robust problem management framework. It compares incident management to problem management, and describes the fundamental concepts of effective problem management and outlines the problem management processes organizations can use to help improve the reliability of their online services. The paper also includes two real-world examples of approaches to problem management used by Bing and Microsoft IT.

In my experience, it is often difficult for organizations to dedicate the resources required to implement a robust problem management methodology, but the return on investment realized by organizations that do make the commitment to problem management can be very beneficial. Problem management teams investigate why each incident occurred and correlate that information with data gathered from previous incidents to look for similarities. By stepping back and looking at the big picture, they can often identify patterns which would otherwise be overlooked – patterns that lead to permanent solutions.

If you are deploying cloud services at scale, either as a cloud provider providing infrastructure, platform or software solutions, or as an independent software vendor, or even if you are a customer managing your own private cloud at scale, I encourage you to download this paper, and read more about how to successfully implement a problem management methodology meant to improve the reliability of your online services.

Threat Trends: Tim Rains discusses Asia Threat Landscape with Rico Hizon - BBC World News

2013-05-06T19:24:00Z

Posted by Jeff Jones, director, Trustworthy Computing

If you are looking for threat intelligence from Microsoft, you are likely aware of the Microsoft Security Intelligence Report which contains data and analysis from over a billion systems worldwide. In April, we launched volume 14 of the Microsoft Security Intelligence Report which included a trip in Asia to discuss regional threat trends. While in Singapore, Tim Rains sat down with Rico Hizon from BBC World News to discuss the threat landscape in the region. You can watch the full episode here.

Regional threat trends are important in helping customers who do business or reside in those markets a way to better understand how to manage risk. Tim has previously blogged about regional threat trends and provided specific actions that can be taken to help protect against threats faced in the region. In the BBC interview, you can see Tim dive deeper into the regional threat trends for Asia and discuss how customers in those markets can manage risk. For more information on the global or regional threat trends, check out our latest Microsoft Security Intelligence Report.

SMB CTO Reports on Security Management and Green IT with the Cloud

2013-04-23T16:30:00Z

Posted by Adrienne Hall, general manager, Trustworthy Computing with special guest Bobby Jimenez, chief technology officer of Sindicatum Sustainable Resources

The cloud continues to transform the way organizations do business. CIOs are identifying business priorities and gaining IT efficiencies such as rapid deployment and the flexibility to grow and contract as their needs change over time.

The security features in Office 365 are helping organizations positively offset their historical security management budget and thus freeing up IT personnel to work on projects that are directly focused on their core business.

Last year I met with Bobby Jimenez, chief technology officer of Sindicatum Sustainable Resources, in Singapore about his company’s move to the cloud and today he reports on green IT, reduced costs and time efficiencies gained through Office 365. In his words, Mr. Jimenez shares his cloud experience:

“Sindicatum had taken great strides in reducing its costs and carbon footprint while facilitating employee collaboration. Office 365 has enabled our company to take a giant leap forward in these areas:

Reduced Carbon Footprint
A study conducted by Microsoft together with Accenture and WSP Environment & Energy found that energy use and carbon emissions can be reduced by more than 90 percent for small deployments. Based on this, our estimates show that moving to the cloud reduces our carbon footprint in the near term by 30 percent.

Reduced Cost
By reducing the dependences of on-premise servers and the time required to manage them, we have significantly reduced our IT costs usually allocated for server infrastructure maintenance and support.

Fast Migration and Growth
Sindicatum was able to migrate to Office 365 in less than two months and our employees didn’t need extensive training to use the web-based solution. The power and ease-of-use of Office 365 provides the company with more ways to grow. Office 365 allows us to enjoy the same powerful business productivity tools as larger enterprises, while also giving our growing organization the flexibility and scalability to stay competitive in today’s connected marketplace.”
______

As Bobby shared, Sindicatum’s move to a Cloud Service has contributed to their carbon reduction goals, reduced costs and increased agility.

Whatever your business priorities may be right now, it’s important to develop a holistic, thoughtful approach to cloud adoption. Microsoft’s cloud services are Windows Azure, Dynamics, and Office 365, which can be adopted in any flavor (public or private) according to the needs of an enterprise.

Microsoft Releases Security Intelligence Report (SIR): New Data and Analysis on the Threat Landscape

2013-04-17T15:00:00Z

Posted by Adrienne Hall, general manager, Trustworthy Computing

Today Microsoft releases volume 14 of the Microsoft Security Intelligence Report, which provides trends and insights on security vulnerabilities, exploit activity, malware and potentially unwanted software, spam, phishing, malicious websites, and security trends from 105+ locations around the world. This SIR focuses on the threat landscape in the second half of 2012 and includes trend data from previous periods.

Here’s a short summary of what you will find in the latest SIR data: industry-wide vulnerability disclosures are down; exploit activity has increased in many parts of the world; several locations with historically high malware infection rates saw improvements, but the worldwide malware infection rate increased slightly. Windows 8 has the lowest malware infection rate of any Windows-based operating system observed to date; Trojans continue to top the list of malware threats; spam volumes went up slightly; and phishing levels remained consistent.

We’ve also included some new, previously unpublished data in this volume of the report that helps quantify the value of using antimalware software. Characterizing the value of security software in a way that resonates relative to other IT investments persists as a challenge for many organizations; especially those who have successfully avoided a security crisis for a long period of time. The value of antimalware software is often the source of discussion by Security professionals.

Based on telemetry from over a billon systems around the world, Volume 14 returns the data on malware infection rates for unprotected systems versus systems that run antimalware software. The verdict is in: systems that run antimalware software have significantly lower malware infection rates, even in locations with the highest malware infection rates in the world. This data will likely help many people understand the value of using antimalware software – which we continue to consider a best practice and strongly recommend to all of our customers.

I hope you find this volume of the Microsoft Security Intelligence Report useful and enlightening. I also encourage you to visit http://microsoft.com/sir and read my colleague Tim Rains' Official Microsoft Blog post. Please let us know your thoughts about the latest SIR by commenting below.

Men or women - Who is better when it comes to their mobile manners?

2013-04-11T19:13:00Z

Posted by Kim Sanchez, director, Trustworthy Computing Communications, Microsoft

Chances are you have your mobile phone with you right now. These devices allow us to keep pace with the demands of our busy digital lifestyles. They also allow us to tell everyone, everything, all the time. There are multiple opinions on the breakdown of social etiquette due to oversharing information, but there’s no denying that certain mobile phone behaviors are not only annoying, they may even be risky.

Whether it’s loud talkers or not silencing a phone during a movie, some mobile manners like pocket dialing someone because your phone isn’t locked, or tagging photos without permission, may put personal information at risk. But who is better at protecting their personal information? Men, or women?

At Microsoft, we want to know what you think. That’s why we’re kicking off our Mobile Manners and Mayhem Facebook poll. Rank your biggest mobile phone pet peeves and tell us your own mobile mayhem story. On May 20, we’ll release the results and reveal who is better at protecting themselves online, men or women.

At a very young age, we are taught to share. Share our toys, our thoughts, our gratitude. But in today’s digital society, all this oversharing online, may put us in harm’s way. Your personal information is a valuable commodity to criminals and, just like your personal computer, your mobile phone is equally attractive to those who would misuse this information. The good news: you can help protect yourself with some simple proactive steps:

· Adjust your privacy settings for Internet browsers, social networking sites, personal blogs and other places where you maintain personal data. According to our research, 49 percent of adults do not use privacy settings on social networking sites.

· Think before you share (particularly personal photos and videos), who you share the information with, and how it reflects on your reputation. Let others know what you do and do not want shared, and ask them to remove anything you don’t want disclosed.

· Be a good digital citizen by always being respectful online. Respect the privacy and reputation of yourself and others online.

Lock your computer and accounts with strong passwords and your mobile phone with a unique, four-digit PIN.
Do not pay bills, bank, shop, or conduct other sensitive business over “borrowed” or public Wi-Fi hotspots.
Watch for snoops. People scouting for passwords, PINs, user names, or other such data may be watching your fingers or the screen as you type.

Look for signs that a Web page is secure and legitimate. Before you enter sensitive data, check for evidence of encryption (e.g., a web address with “https” and a closed padlock beside it. (The lock might also be in the lower right corner of the window.)

The more proactively you manage your information online, the more opportunities you will have to help keep your personal information safer. For additional guidance regularly check our Safety & Security Center, where all of our tools and materials are available. “Like” our page on Facebook and take the poll, and follow us on Twitter.