Posted by Adrienne Hall, general manager, Trustworthy Computing
As I meet with customers, some ask: public or private cloud – which has more security risk? Actually, there are different sets of risks depending on the organization and their compliance needs.
A private cloud is a pool of computing resources controlled by a particular enterprise. Private clouds deliver a standardized set of services that are specified and architected for the organization. The path to a private cloud is often driven by the need to maintain control of the delivery environment because of application maturity, performance and/or regulatory requirements, and business differentiation.
The opportunities offered by cloud computing require a thorough assessment of benefits and risks.
Here are a few reasons why you might prefer a private cloud:
- A regulatory or security concern prevents you from allowing even encrypted data to reside in a public cloud.
- An in-house, customized application requires greater reliability or speed, potentially optimized through your own network rather than relying on the Internet.
- You want control over your assets, including physical possession of the hardware on which your data resides.
A Microsoft private cloud solution creates a layer of abstraction over pooled IT resources. Private clouds offer the scalability and pooled resources of cloud computing based on the organization’s terms, within dedicated resources in their own datacenter or perhaps in a service provider’s datacenter.
Posted by: Tim Rains, Director, Trustworthy Computing
The physical security of the data centers where cloud services are hosted is a very important aspect of security to all of the customers I talk to. After all, if an attacker can gain physical access to the hardware hosting a service and storing sensitive data, that attacker has a range of malicious options available to them including attempting to steal or damage services and data. It is mandatory for cloud providers to provide physical security controls for the services they manage on behalf of their customers.
In my last post, I discussed the three tenets that encompass Microsoft’s approach to cloud computing privacy: responsibility, transparency and choice. In part two of this interview, Brendon Lynch, Microsoft’s Chief Privacy Officer, explains how these three tenets work using Office 365 as an example.
When Information Technology departments evaluate potential uses of cloud computing for their organization, many of them quickly realize they no longer have the near omniscient visibility into the operations environment they have when hosting those same workloads inside their own premises.
Depending on the deployment model, details pertaining to the operational aspects of a cloud service provider might be abstracted from the customers using the provider’s services. For example, in the case of a public cloud service, customers accept a reduced level of transparency in order to get the benefits, namely potential reduced costs and increased business agility, from the economies of scale that subscription-based cost sharing arrangements can create.
Organizations try to manage this loss of transparency in different ways. Some customers I have talked to try to put a “right to audit” clause into the service level agreements they negotiate with their cloud providers. But I’m not sure this really provides the transparency they want, for at least a few reasons:
Posted by: Steve Lipner, Partner Director of Program Management, Trustworthy Computing
This morning, I am sitting at the inaugural Security Development Conference 2012 in Washington DC listening to people from a diverse set of companies, government agencies and academic institutions sharing their own experiences with adopting a Security Development Lifecycle (SDL) process or learning how to accelerate adoption within their own organizations. As I watched the keynotes and sessions yesterday and see Scott Charney step onto the stage today, I am reminded of the early days at Microsoft when our customers were faced with security threats that challenged their trust in our products and services. Creating the SDL was an important step in combating these threats and to this day the SDL continues to help reduce the number and severity of vulnerabilities found in Microsoft’s products.
Posted by: Adrienne Hall, General Manager, Trustworthy Computing
You know how every once in a while you get thrown a curveball? Well, almost nine years ago a real big one came my way. In January 2003 I was responsible for global customers doing business in North America. SQL Slammer was at its height and IT managers were urgently reviewing their policies to better manage assets and ensure correct configurations were in place against known attack vectors.
The difficulties customers faced during those days stayed with me. When I joined Trustworthy Computing (TwC) in 2004 I was able to apply that experience in a group dedicated to improving security, privacy and reliability for our customers.
This month marks the 10 year anniversary of TwC. We’re proud of what we’ve achieved and of the many innovations that have become accepted as industry best practices. But it would be wrong to congratulate ourselves on a job well done; while we’ve come a long way and others have too, there is still a lot on the road ahead.
By Paul Nicholas, senior director Security, Trustworthy Computing
Have you ever wondered what factors contribute to how well a country or region is addressing cybersecurity issues? Today, I have the pleasure of presenting alongside my colleague, Kevin Sullivan, at George Washington University’s Homeland Security Policy Institute in Washington DC on exactly that topic. During the lecture we will discuss key findings from a new special edition of our Microsoft Security Intelligence Report that focuses on “Measuring the Impact of Policy on Global Cybersecurity”.
This new report takes a look at cybersecurity in a world where the demographic of the internet is rapidly changing. Current projections indicate that internet users will double by 2020 to four billion worldwide, with large populations of users located in China, India and Africa. This change, coupled with a consistently evolving cybersecurity threat landscape, will require governments around the world to look more broadly than ever before to understand the impact of the decisions that are being made today.
There’s a lot of buzz around cloud computing. My experience tells me that buzz begins to translate into wider adoption when customers are shown the tangible benefits for their organization.
To help parse the buzz, we’ve worked on this blog to highlight the benefits of cloud computing, especially as it relates to core trust elements of security, privacy and reliability. In particular, we’ve focused on the efficiency and implementation of security measures that become possible in cloud computing environments. For example, by outsourcing the security updating process to cloud providers, IT resources are freed up to tackle other business objectives.
Yesterday, Satya Nadella, president of Microsoft Server and Tools Business, made a similar point during his announcement of a release candidate for Microsoft System Center 2012. In Satya’s presentation one section connects to this example: “IT leaders tell me that private cloud computing promises to help them focus on innovation over maintenance, to streamline costs and to respond to the need for IT speed. We are delivering on that promise today. With System Center 2012, customers can move beyond the industry hype and speculation, and progress into the here and now of private cloud.”
If you have been following our Trustworthy Computing Cloud Fundamentals Video Series you have probably seen at least two videos where we discuss the importance of transparency in cloud security controls. In addition, we have shared how the Cloud Security Alliance’s (CSA) Security Trust and Assurance Registry (STAR) can help provide that transparency to cloud providers and cloud consumers. If you haven’t seen these videos or would like a refresher, you can watch them here:
As you can see from these video interviews, both Office 365 and Windows Azure have self-assessments published in the CSA’s STAR. This was an important step in demonstrating our commitment to transparency for our cloud customers. As of late last week we are pleased to share that Microsoft Dynamics CRM has also published a self-assessment in the CSA’s STAR.
Electronic discovery, or e-discovery, is a hot topic among security professionals whose organizations are using cloud services or are evaluating using cloud services in the future. When there is a need to perform forensic investigations to recover and collect evidence contained in the cloud for use in potential legal proceedings, cloud customers need to know that their cloud service providers can meet their needs.
It is very important that cloud customers understand how cloud providers manage e-discovery requests, so that they know these cloud vendors can properly respond to government requests for information. Cloud providers’ e-discovery processes must be capable of meeting customer needs in a way that isn’t disruptive to the users of cloud services.
Learn more in this blog post on e-discovery in the cloud.