Posted By: Tim Rains, Director, Trustworthy Computing
A key topic when it comes to security is identity. But, the laws of identity tell us “the Internet was built without a way to know who and what you are connecting to…Since this essential capability is missing, everyone offering an Internet service has had to come up with a workaround. It is fair to say that today’s Internet, absent a native identity layer, is based on a patchwork of identity one-offs.”
Social networks like Facebook and LinkedIn have become one of the primary ways in which people communicate and socialize online. At the same time there has been a steady proliferation of mobile devices like smart phones that more and more people are using to communicate with and connect to the internet. In addition, cloud-based services are being adopted by more and more consumers and organizations. Identity is an important ingredient in each of these scenarios as well as at the intersection of them; many customers would like to be able to use multiple identities, including those used on social networks and those in their organization’s on-premise Active Directory, to access public and private cloud services from any device they choose to use.
Posted by Kim Sanchez, director, Trustworthy Computing Communications, Microsoft
Chances are you have your mobile phone with you right now. These devices allow us to keep pace with the demands of our busy digital lifestyles. They also allow us to tell everyone, everything, all the time. There are multiple opinions on the breakdown of social etiquette due to oversharing information, but there’s no denying that certain mobile phone behaviors are not only annoying, they may even be risky.
Whether it’s loud talkers or not silencing a phone during a movie, some mobile manners like pocket dialing someone because your phone isn’t locked, or tagging photos without permission, may put personal information at risk. But who is better at protecting their personal information? Men, or women?
At Microsoft, we want to know what you think. That’s why we’re kicking off our Mobile Manners and Mayhem Facebook poll. Rank your biggest mobile phone pet peeves and tell us your own mobile mayhem story. On May 20, we’ll release the results and reveal who is better at protecting themselves online, men or women.
At a very young age, we are taught to share. Share our toys, our thoughts, our gratitude. But in today’s digital society, all this oversharing online may put us in harm’s way. Your personal information is a valuable commodity to criminals and, just like your personal computer, your mobile phone is equally attractive to those who would misuse this information.
Posted by: David Bills, chief reliability strategist, Trustworthy Computing
As the adoption of cloud computing continues to rise, and customers demand 24/7 access to their services and data, reliability remains a challenge for cloud service providers everywhere. As I said in the recent Cloud Fundamentals video on reliability, it’s not a matter of if an outage will occur; it’s strictly a matter of when. This means it’s critical for organizations to understand how best to design and deliver reliable cloud services. Microsoft manages a cloud-based infrastructure supporting more than 200 services, 1 billion customers, and 20 million businesses in more than 76 markets worldwide. So we understand what it takes to build and deliver highly-reliable cloud platforms, solutions, and services that are secure and private.
Posted by: Tim Rains, Director, Trustworthy Computing
Last week I attended the Security Development Conference 2012 (SDC 2012). As Steve Lipner wrote in his article about the event, the conference enabled people from companies, government agencies and academic institutions to share their own experiences adopting a Security Development Lifecycle (SDL) process thus helping others learn how to accelerate adoption within their own organizations. Speakers and panelists were in attendance from a variety of organizations including Adobe, BlackBerry, Cisco, IBM, Intel, Itron, Lockheed Martin, Microsoft, NIST, NSA, Salesforce.com, Red Hat and others.
Posted by Jacqueline Beauchere, director, Trustworthy Computing Communications, Microsoft
Fewer than 15 percent of U.S. undergraduates are pursuing degrees in science and engineering. U.S. math and science test scores lag those of other nations, chiefly China and India. U.S. high schools are falling behind the rest of the world in computer science, and too few women and minorities are employed in science, technology, engineering and math (STEM) fields.
STEM subjects are arguably the foundation of our global economic future. Such skills are essential for almost any job, and are certainly imperative for nations to compete in an evolving marketplace. Indeed, STEM expertise likely holds the key to daunting global challenges, such as healthcare, hunger, poverty, and climate change. The U.S. Labor Department projects that by 2014, the U.S. will have more than two million job openings in STEM fields. The bottom line is: Will we be able to fill them?
Posted by Richard Saunders
For anyone who wants a primer on the security, privacy and reliability issues involved in the move to cloud computing, this video featuring Doug Cavit, principal security program manager and chief security strategist at Microsoft, is worth a watch.
In the past I’ve said a perfectly operated cloud service that has vulnerabilities in it due to lackluster development processes isn’t going to help protect the data that cloud customers store and process in the cloud. As reported in the latest volume of the Microsoft Security Intelligence Report that was released just last week, the number of vulnerability disclosures across the entire software industry, including online services, has continued to trend down. Although this trend is heading in the right direction, it still means that there are thousands of software vulnerability disclosures every six months across the entire software industry.
By: Tim Rains, Director, Trustworthy Computing
To date much of the public discourse I have seen on cloud computing security has centered on cloud service providers and how they manage the operations of their cloud service offerings. This aspect of cloud computing is very important, especially for cloud customers that have compliance obligations to maintain. A topic of equal importance that I see much less focus on in the industry is how to securely develop cloud services. After all, a perfectly operated cloud service that has vulnerabilities in it that are the product of a poor development process isn’t going to help protect the data that cloud customers store and process in the cloud.
Developers of cloud applications and platforms need to leverage a secure development process and use associated tools to help minimize the number and the severity of security vulnerabilities in the online services they develop. Security isn’t something they can bolt on at the end of the development process – it has to be baked into the process from the very beginning. As part of your cloud provider evaluation process, you should ask your candidate cloud providers about their development processes and how security is addressed.
Posted by: Tim Rains, Director, Trustworthy Computing Communications
In my last blog post, I mentioned Ernst & Young’s 14th annual Global Information Security Survey. One very interesting aspect of this survey is related to the use of mobile computing platforms.
The report states, “our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.”
By Adrienne Hall, general manager, Trustworthy Computing, Microsoft
Today at RSA I’m attending the Cloud Security Alliance (CSA) summit where Scott Charney, corporate vice president of Trustworthy Computing, just received the CSA Industry Leadership award. For background, Scott is the leader of Trustworthy Computing, where his responsibilities include security strategy at Microsoft and the extension of solutions more broadly across the IT industry such as the Security Development Lifecycle. Scott’s award recognizes his many contributions in the field of Security and his early engagement discussing security research and best practices for customers during the CSA’s early days. Recently, Microsoft became the first major provider to complete a CSA STAR entry, which allows potential cloud customers to review the security practices of providers.
Tomorrow morning Scott will present an RSA keynote entitled: Making a Case for Security Optimism. He will share key security industry accomplishments that will have long-term impact and together form a basis for optimism. On Wednesday night, we’re looking forward to hosting what will be a great industry appreciation party and on Thursday morning Jeff Jones and Tim Rains on my team will present on the global threat landscape in a Security Intelligence Report (SIR) session. Jeff recommends, in his post, a few Microsoft sessions to attend during RSA and throughout the week he’ll report on our daily experiences at the show. This is already proving to be an exciting week here at RSA!