Posted by: Steve Lipner, Partner Director of Program Management, Trustworthy Computing
This morning, I am sitting at the inaugural Security Development Conference 2012 in Washington DC listening to people from a diverse set of companies, government agencies and academic institutions sharing their own experiences with adopting a Security Development Lifecycle (SDL) process or learning how to accelerate adoption within their own organizations. As I watched the keynotes and sessions yesterday and see Scott Charney step onto the stage today, I am reminded of the early days at Microsoft when our customers were faced with security threats that challenged their trust in our products and services. Creating the SDL was an important step in combating these threats and to this day the SDL continues to help reduce the number and severity of vulnerabilities found in Microsoft’s products.
Posted by: Richard Saunders, Director, Trustworthy Computing
Earlier today Microsoft Trustworthy Computing announced the results of a study showing the security benefits U.S. small and mid-sized businesses (SMBs) gain from cloud computing. In this study we found that U.S. SMBs using the cloud had a comparative advantage over U.S. SMBs not using the cloud in the area of security efficiency.
I’m pleased to announce that U.S. SMBs aren’t alone in seeing improved security efficiencies from using the cloud. New data shows SMBs in Singapore have had similar experiences.
Posted by: Adrienne Hall, General Manager, Trustworthy Computing
Any conversation I have with a customer that hasn't yet adopted a cloud service includes the topic of security at some point. It isn’t surprising that security frequently tops the list of cloud adoption items; yet I believe it should be on the list of top cloud adoption benefits.
A common area explored by organizations considering the cloud, small to mid-size businesses, or SMBs, often don’t have the built-in security expertise that larger entities do. This makes it difficult for them to spend time and expertise to assess the benefits of cloud computing.
In commissioning an independent study with groups of SMBs that both use and do not use cloud services in the U.S., Singapore, Malaysia, India and Hong Kong, we hoped to evaporate, okay – more realistically – lessen, concerns about security for prospective customers. Our goal was to see what, if any, security benefits companies that use the cloud realize, and to better understand the concerns of companies that have not yet adopted cloud services.
Today I’m heading off to Asia. Over the next few weeks I’m looking forward to connecting with customers, industry influentials following cloud computing, reporters and several of my colleagues at Microsoft. These conversations play a big role in shaping my perspective on the cloud trust topics that we discuss on this blog. Talking with customers provides a fresh reminder of the varying requirements at play and the different ways people are realizing the benefits of cloud computing in their own organizations. Connecting with industry experts following cloud computing also provides a sense of what’s going well and what work remains to be done.
The trip starts in Singapore where I’ll be attending the Cloud Asia conference. In particular I’m looking forward to the continuing dialogue surrounding private and public cloud offerings. The range of cloud solutions continues to grow; flexibility and choice continue to be important. From there I’ll head to India, Malaysia and Hong Kong for a full slate of press and customer meetings.
Last week, Microsoft Office Division announced that Office 365 was given Authority to Operate under the Federal Information Security Management Act (FISMA) by the Broadcasting Board of Governors.
As you might expect, governments are at the vanguard of most things security related. Entrusted to act in the public’s name and for the public interest, governmental agencies need to be sure that the technology they use for essential functions is secure and trustworthy. As part of this, the U.S. government has FISMA, a certification validating that a given IT solution has federal agency approval for use based on its level of security.
Posted By: Tim Rains, Director, Trustworthy Computing
A key topic when it comes to security is identity. But, the laws of identity tell us “the Internet was built without a way to know who and what you are connecting to…Since this essential capability is missing, everyone offering an Internet service has had to come up with a workaround. It is fair to say that today’s Internet, absent a native identity layer, is based on a patchwork of identity one-offs.”
Social networks like Facebook and LinkedIn have become one of the primary ways in which people communicate and socialize online. At the same time there has been a steady proliferation of mobile devices like smart phones that more and more people are using to communicate with and connect to the internet. In addition, cloud based services are being adopted by more and more consumers and organizations. Identity is an important ingredient in each of these scenarios as well as at the intersection of them; many customers would like to be able to use multiple identities, including those used on social networks and those in their organization’s on-premise Active Directory, to access public and private cloud services from any device they choose to use.
Posted by: Brendon Lynch, Chief Privacy Officer, Microsoft
Yesterday morning I read an article in The New York Times that described “How to Muddy Your Tracks on the Internet.” The article gives consumers some suggestions for addressing the complicated problem of managing the information left by one’s activities online. This information has many diverse components – website visits, searches, instant messages, e-mails, social-network postings, and so on – indicating personal organizational management, technology solutions, and continued attention at industry and government levels will be important for the foreseeable future.
At Microsoft, we embrace the concept of “privacy by design.” This includes building meaningful choices into our products and services to help consumers protect their privacy and limit their online information. With Internet Explorer 9 Tracking Protection Lists, customers can choose which third-party sites can receive their information and track them online. IE 9 also features InPrivate Browsing, a function that helps prevent web-browsing activity being retained by the browser. The Microsoft Personal Data Dashboard Beta gives consumers greater visibility and control of their Bing search history, as well as the ability to opt-out of personalized ads. And, Microsoft Hotmail does not scan the contents of customer e-mails to serve ads.
Posted By: Tim Rains, Director, Trustworthy Computing
In the past I’ve said a perfectly operated cloud service that has vulnerabilities in it due to lackluster development processes isn’t going to help protect the data that cloud customers store and process in the cloud. As reported in the latest volume of the Microsoft Security Intelligence Report that was released just last week, the number of vulnerability disclosures across the entire software industry, including online services, has continued to trend down. Although this trend is heading in the right direction, it still means that there are thousands of software vulnerability disclosures every six months across the entire software industry.
Posted by: Tim Rains, Director, Trustworthy Computing
Most of the conversations I have about cloud computing focus on the role of cloud providers to manage the security of the services they provide to their customers. It seems like implementing security controls, providing visibility into those controls, and ensuring services meet or exceed standards and compliance requirements are themes that are top of mind for most of the customers I talk to.
I think the reason for this is that some cloud computing architectures, like software as a service, offer customers the opportunity to offload many of the aforementioned security responsibilities to their cloud providers. But I rarely hear anyone talk about the residual risk in this arrangement. The obvious place to look for residual risk is the management of the clients used to access cloud services. I have written about the consumerization of IT and BYOD in the past, and how many CISOs are being challenged to evolve their strategies for protecting their organizations’ assets.
By: Tim Rains, Director, Trustworthy Computing
Consumers of cloud services generally don’t get to see the layers of technology that they rely on. For many, this seamless delivery is part of the value proposition of cloud computing; depending on the type of deployment, customers expect their cloud provider to manage the details so they can get on with the business of running their business.
The reality though is that cloud providers leverage the services and infrastructure of many other vendors to be able to deliver a service to their customers. For example, network services to and from a data center are likely provided by two or more network providers in order to provide redundancy, load balancing, and address other architectural needs.
It’s not surprising then that for a cloud provider to deliver a reliable service that meets customers’ security, privacy and compliance requirements there is significant interdependence between each of the layers that make up the cloud.