• Cloud computing providers: Clueless about security?

    To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

    Recent incidents made me doubt:

    • Amazon not only having significant downtime but, at the same time, losing customer data.
    • Sony’s game network being significantly compromised.

    This is definitely not meant to blame them, but I was very surprised. And then I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

    If we look at this, it gives us a really scary picture of the industry – especially since I know how much effort we (and other Cloud providers) put into securing our customers’ data. If you look at the management summary, they say:

    • The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
    • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
    • Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
    • Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
    • The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
    • Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.
    • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

    What we should not think is that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations, and as we state in our Cloud Computing Security Considerations paper:

    Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

    We are currently working on a series of papers for Private Clouds, Office 365 and Azure to show what remains the customer’s responsibility and what can be transferred to the Cloud Provider.

    If you consider the points in the study above, it means that you have to do your due diligence and look into what the provider does to secure your data. Process transparency is key in this respect!

    Roger

  • NSA - Best Practices for Keeping Your Home Network Secure

    A good paper: NSA - Best Practices for Keeping Your Home Network Secure

    Roger

  • Security Intelligence Report v10 Released

    Yesterday we released our Security Intelligence Report v10. A few highlights/lowlights from the Key Findings section:

    • Industry vulnerability disclosure trends continue an overall trend of moderate declines since 2006. This trend is likely because of better development practices and quality control throughout the industry, which result in more secure software and fewer vulnerabilities.
    • Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.

    […]

    • The exploitation of Java vulnerabilities sharply increased in the second quarter of 2010 and surpassed every other exploitation category that the MMPC tracks, including generic HTML/scripting exploits, operating system exploits, and document exploits.
    • The number of Adobe Acrobat and Adobe Reader exploits dropped by more than half after the first quarter, and remained near this reduced level throughout the remainder of the year.

    […]

    • Exploits that affected Adobe Acrobat and Adobe Reader accounted for most document format exploits detected throughout 2010. Almost all of these exploits involved the generic exploit family Win32/Pdfjsc.

    […]

    • Microsoft Office file format exploits accounted for between 0.5 and 2.8 percent of the document format exploits that were detected each quarter in 2010.

    […]

    • As in previous periods, infection rates for more recently released Microsoft operating systems and service packs are consistently lower than older ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates.
    • Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems. One reason may be that 64-bit versions of Windows still appeal to a more technically savvy audience than their 32-bit counterparts, despite increasing sales of 64-bit Windows versions among the general computing population. Kernel Patch Protection (KPP), a feature of 64-bit versions of Windows that protects the kernel from unauthorized modification, may also contribute to the difference by preventing certain types of malware from operating.

    […]

    • In the first half of 2010, phishers showed signs of targeting online gaming sites with increasing frequency, although this push appeared to have dwindled as social networks came under increased attack. Impressions that targeted gaming sites reached a high of 16.7 percent of all impressions in June before dropping to a more typical 2.1 percent in December.
    • Phishing sites that target social networks routinely receive the highest number of impressions per active phishing site. The percentage of active phishing sites that targeted social networks increased during the final months of the year, but still only accounted for 4.2 percent of active sites in December, despite receiving 84.5 percent of impressions that month. Nevertheless, the number of active sites targeting gaming sites remained relatively high during the second half of the year, which suggests that more campaigns may be coming.

    You should read the whole report, which you can find here, as it is probably the best piece of intelligence out there.

    And, by the way: keep updating your systems and stay on the most current version of all your software. That is probably the best protection you can get.

    Roger

  • Rediscover Microsoft Security Guides

    Fairly often I am asked whether the Security Guides for our products still exist. The good news is: they do. The bad news is: they now go by a different name.

    The previously stand-alone Microsoft product-specific security guides are now included in the Microsoft Security Compliance Manager (SCM) tool, which I have blogged about several times already (e.g. New Baselines for the Security Compliance Manager).

    So, if you are interested in such guides, you should do what our product team says:

    Microsoft Solution Accelerators

    SCM is just one of the tools provided by the Microsoft Solution Accelerators team. The Microsoft Assessment and Planning Toolkit, Microsoft Deployment Toolkit, and Security Compliance Manager provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. All are freely available, and fully-supported by Microsoft. Learn more.

    They are actually really good!

    Roger

  • Facebook Implements Microsoft’s PhotoDNA Technology

    This is actually a great development in the fight against child pornography:

    Facebook adopts PhotoDNA and joins Microsoft and The National Center for Missing & Exploited Children to disrupt the proliferation of online child exploitation.

    You can find the information here.

    Roger