Just a brief one: the Security Compliance Management Toolkit Series has been updated to incorporate Internet Explorer 8 and Windows 7. So, to help you to manage security and compliance in your environment, you should have a look at it: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Roger

Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. Read the post done by our Security Research and Defense guys: Announcing the release of the Enhanced Mitigation Evaluation Toolkit

Roger

At the moment I invest a lot of my time in a Whitepaper on Client and Cloud Security. There are a few fundamentals, which are already clear to me:

• You will not be able to run a trusted cloud ecosystem without a trusted client and trusted interactions. So, the End to End Trust model is needed in the cloud as well.
• A strong, federated identity metasystem is at the base of any cloud security
• Process transparency as an absolute need if you move to the cloud. If the provider tells you “you should not care about that, we take care of your security” – walk away from the deal.

This morning I read a blog post by Theresa Carlson. She is a Vice President in the Public Sector at Microsoft Us and blogged about Secure the Datacenter, Secure the Cloud. She raises the issue of process transparency as well and it is a post which is definitely worth readying.

Roger

Get ready for the swineflu:

Roger

This morning I read the following article: Microsoft can help kill fake antivirus threat. And interesting approach. The proposal is that we could white-list all the legitimate security software within the OS in order to make it harder to trick the user. Well, would this work? I am not so sure:

• First of all, what is Security Software and how do you find out? All the the security vendors can play by the rules and make sure it is detectable. But sacreware (fake anti-malware software) will probably not – or will for sure not. So, what is the difference between any legitimate application, any application which interacts with the desktop and presents a GUI vs. scareware? Scareware just show scary windows and makes you install their software – which is typically malware.
• The base technology is in Windows but it would have to be applied to security software only.
• What is legitimate security software? There are obvious ones like Symantec’s, McAfee’s, TrendMicros’, F-Secure’s, Microsoft's solutions. That’s easy. But I am sure (just an experience from the past) that there will be a pretty big gray zone which makes it very hard to decide and who decides then – us?
• Last but not least, let’s talk about the regulators. Do they (and does the market) really want us to take this decision and “certify” anti-malware solutions? This would come with a price – and reading the comments in the article below, this is one of the issues.

To me, the problem is wider spread than “just” fake anti-malware solutions. I understand that this is a problem – definitely and I understand that the thoughts of white-listing security software is attractive. But the problem is malware in general and how the criminals trick the user into installing something they do not want. This leads back to the question of the trusted stack which we address in our End to End Trust vision. To me, that’s the only approach which can be successful

Roger