Posted by David Bills, chief reliability strategist, Trustworthy Computing
When we’re talking about cloud services, I’m a firm believer in the idea that service failure will occur – it’s not a matter of if, it’s strictly a matter of when. This is because the more complex things become, the more challenging it is to anticipate and predict failures. As a result, designing services to withstand failure, as well as having a plan in place to recover the service quickly, is critical in building trust and maintaining long-term relationships with customers.
Posted by: Richard Saunders, Director, Trustworthy Computing
Last week, Microsoft Office Division announced that Office 365 was given Authority to Operate under the Federal Information Security Management Act (FISMA) by the Broadcasting Board of Governors.
As you might expect, governments are at the vanguard of most things security related. Entrusted to act in the public’s name and for the public interest, governmental agencies need to be sure that the technology they use for essential functions is secure and trustworthy. As part of this, the U.S. government has FISMA, a certification validating that a given IT solution has federal agency approval for use based on its level of security.
Posted by: Jeff Jones, director, Trustworthy Computing
BYOD policies could easily backfire on businesses, unless closely monitored to maintain benefits for employees and the company. I recently wrote a 3-part series on the Microsoft Security Blog called Motivations, Risks and Rewards of the BYOD Trend that examined what the BYOD trend is and then looked at it from the perspective of employees and the perspective of organizations.
Few topics have evoked such responses as I got from this series, such as this comment from Jane:
A sad example of workplace pushing off its responsibility to workers. Many social services require staff to transport clients in their OWN car, and do not offer to pay increased insurance costs. The employer is supposed to provide the tools, equipment and safety measures to the worker. The idea that you bring the tools to work, makes the worker more of a private contractor. Several issues arise such as ...who then owns the intellectual property if the worker brings their own computer or phone? Several boundary issues emerge if workers blend information used/shared with personal mail lists. This idea saves a buck but the industry loses control over its property. What compensation is offered for worker providing essential equipment to the company? Sadly we just continue to see erosion of the employee benefits, pay and inflation of taxes that cut into a good standard of living for workers.
Posted by Jacqueline Beauchere, director, Trustworthy Computing Communications, Microsoft
Calling all young people between the ages of 13 and 18*: Do you sing, act, write, or otherwise create? Get those creative juices flowing; put your “mad (artistic) skillz” to work, and help promote a positive message about life online. Today, Microsoft is launching its first-ever Safer Online Teen Challenge. Teens are encouraged to submit creative works that champion one of many key messages about being smarter and more secure on the Internet. Works must be submitted by April 12, 2013, and our hundreds of thousands of thoughtful and learned Facebook fans will help select winners in five inspired categories: song, story/cartoon, skit/presentation, survey, and video. All submissions require English translations, but works are welcome in any language and from basically every corner of the world. Successful submissions may be featured on Microsoft’s web properties – visited by millions – and cool prizes will be awarded to the most popular, compelling, and inventive entries. The contest starts right in time for the December holidays, so teens can imagine and create their visions over the school break.
Over the past couple weeks I have posted blogs talking about service reliability organizational goals, as well as causes of service outages and the associated mitigation strategies. Today I’d like to share some insight into just one of the methods Microsoft uses to design and build cloud services to help ensure our services can respond gracefully to outages. It’s not a new concept, but one that I believe is useful for providers and customers alike to be thinking about.
Just as threat modeling is an important step in the design process when security-related issues are being evaluated, fault modeling is an important step in the design process for building reliable cloud services. It’s about identifying the interaction points and dependencies of the service and enabling the engineering team to identify where investments should be made to ensure the service can be monitored effectively and issues detected quickly. And, in turn, even guiding the engineering team toward effective coping mechanisms so the service is better able to withstand, or mitigate, the fault.
Posted by: Tim Rains, Director, Trustworthy Computing
A big part of my job is talking to Chief Security Information Officers, Chief Security Officers, as well as VPs and Directors who manage risk for their organizations. For them, one of the top priorities that has emerged in the past couple of years is cloud computing. The businesses that these security executives support are evaluating the potential benefits of cloud computing and some have already started leveraging this new paradigm in an effort to increase productivity and lower costs. Security executives are, more often than not, involved in the evaluation and deployment processes for new online services.
Posted by Adrienne Hall, general manager, Trustworthy Computing
Today Microsoft releases volume 14 of the Microsoft Security Intelligence Report, which provides trends and insights on security vulnerabilities, exploit activity, malware and potentially unwanted software, spam, phishing, malicious websites, and security trends from 105+ locations around the world. This SIR focuses on the threat landscape in the second half of 2012 and includes trend data from previous periods.
Here’s a short summary of what you will find in the latest SIR data: industry-wide vulnerability disclosures are down; exploit activity has increased in many parts of the world; several locations with historically high malware infection rates saw improvements, but the worldwide malware infection rate increased slightly. Windows 8 has the lowest malware infection rate of any Windows-based operating system observed to date; Trojans continue to top the list of malware threats; spam volumes went up slightly; and phishing levels remained consistent.
We’ve also included some new, previously unpublished data in this volume of the report that helps quantify the value of using antimalware software. Characterizing the value of security software in a way that resonates relative to other IT investments persists as a challenge for many organizations, especially those who have successfully avoided a security crisis for a long period of time. The value of antimalware software is often the source of discussion by security professionals.
Based on telemetry from over a billion systems around the world, Volume 14 returns the data on malware infection rates for unprotected systems versus systems that run antimalware software. The verdict is in: systems that run antimalware software have significantly lower malware infection rates, even in locations with the highest malware infection rates in the world. This data will likely help many people understand the value of using antimalware software – which we continue to consider a best practice and strongly recommend to all of our customers.
I hope you find this volume of the Microsoft Security Intelligence Report useful and enlightening. I also encourage you to visit http://microsoft.com/sir and read my colleague Tim Rains’ Official Microsoft Blog post. Please let us know your thoughts about the latest SIR by commenting below.
Posted by: Jacqueline Beauchere, Director, Online Privacy and Safety
Before I go any further, I want to assure you that this is a legitimate Microsoft blog, and that I genuinely work for the company.
If you’ve received an unsolicited phone call from someone claiming association with Microsoft and offering technical support, or help with a security problem you didn’t know you had, I wouldn’t blame you for doubting me.
Unfortunately, in today’s day and age, a little suspicion is a good thing because increasingly devious, determined and resourceful criminals want to steal from you. Cash is what they really want, but personal information they can exploit for financial gain – that’ll do nicely, too, thank you.
By: Tim Rains, Director, Trustworthy Computing
The consumerization of IT, referred to by many people as “Bring Your Own Device” (BYOD), is a very hot topic these days as organizations grapple with the challenge of managing the risks in allowing organizational data to be placed on personal mobile devices, like smart phones. The challenge here is that some of the devices that employees decide to bring to work with them might not have the basic security or management capabilities. This challenge is compounded by the risks associated with these same devices connecting to ubiquitous social networks and the diverse ways organizations and people are choosing to connect and share data today – such as the utilization of cloud services.
Security industry associations are a very important part of the computing ecosystem. Among other things, they provide education, training and certification for security professionals; develop and share benchmarks and security best practices; and provide forums, events and conferences for security professionals to meet, exchange information, and network with their peers. Microsoft is a member of, and helps to sponsor, several security industry associations including the Information Systems Audit and Control Association (ISACA), the International Information Systems Security Certification Consortium (ISC2), the Information Systems Security Association (ISSA), and the Cloud Security Alliance (CSA).
The last security conference I attended was the CSA Congress held in November of 2011 where Microsoft was the Diamond sponsor of the event. Microsoft has been partnering closely with the CSA, and its other members, in several key CSA research initiatives including the Cloud Controls Matrix (CCM) initiative, the Consensus Assessments Initiative, the CloudSIRT initiative, and the Security as a Service initiative, to name a few. These initiatives are staffed by volunteer subject matter experts from across the industry who are working together to create guidance, education and best practices in security related areas that are important to the future of cloud computing.
While I was at the CSA Congress I had the chance to talk with Jim Reavis, the Founder and Executive Director of the CSA. We talked about the biggest challenges for cloud computing security, and what Microsoft has been doing to help with these challenges. One of the things Jim told me was "each day, a growing number of companies decide to leverage cloud computing for important business activities. There is an immediate and compelling mandate for all of us to become better informed as to how cloud computing functions, its key benefits and considerations to establishing trust. CSA is committed to building the trusted cloud ecosystem and we salute Microsoft’s efforts to both build robust and secure cloud services as well as offering cloud educational series in the public interest."
This is the topic of conversation in the latest installment of the Trustworthy Computing Cloud Fundamentals Video Series and I invite you to watch it.