• Cloud computing providers: Clueless about security?

    To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

    Recent incidents made me doubt:

    • Amazon not only having significant downtime but at the same time losing customer data.
    • Sony’s game network being significantly compromised.

    This is definitely not to blame them but I was heavily surprised. And then, I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

    If we look at this, it gives us a really scary picture of the industry – especially if I know how much effort we (and other Cloud providers) put into securing our customers’ data. If you look at the management summary, they say:

    • The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
    • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
    • Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
    • Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
    • The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
    • Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.
    • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

    What we should not think is that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations and as we state in our Cloud Computing Security Considerations paper:

    Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

    We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what still is the customer’s responsibility and what can be transferred to the Cloud Provider.

    If you consider the points in the study above, it means that you have to do the due diligence and look into what the provider does to secure your data. Process transparency is key in this respect!

    Roger

  • IE9 certified as "trusted software" by TÜV

    Internet Explorer was certified early May with a seal of “trusted software”, which is great news in my opinion. Here is the English translation of the official press bulletin:

    Internet Explorer 9 passed the review of TÜV Trust IT GmbH and carries the official TÜV seal of approval from today on. Within the framework of the catalog of requirements the new internet browser meets all specifications to provide highest security standards both for private users and enterprises. Internet Explorer 9 was especially praised for its Tracking Protection feature. Users can stop the spying of their surfing habits and avoid personalized advertising. To actively support the new feature the TÜV will publish its first Tracking Protection list which every user can integrate directly into Internet Explorer 9.

    TÜV TRUST IT GmbH was commissioned to put Microsoft’s browser to the acid test to neutrally review the performance and safety aspects of Internet Explorer 9. In its test labs, TÜV Trust IT GmbH carefully examined the key security aspects relevant to private users as well as the special requirements for companies. The testing committee was 100 percent convinced by the Internet Explorer in almost all areas. In some aspects like the configuration options for security settings, the browser even exceeded the demands. In its conclusion, the testers stated that the Microsoft browser offers an increased level of safety for users at any time.

    “Internet Explorer 9 sets new standards in safety and reliability”, says Dr. Dorothee Ritz, General Manager Consumer & Online, Microsoft Germany. “The recognized seal of approval of TÜV Trust IT confirms this on the basis of strict safety tests.”

    “Compared to its predecessor Internet Explorer 9 has set the bar even higher”, says Detlev Henze, Managing Director TÜV TRUST IT GmbH. “The new browser version offers users a broad range of new and enhanced features to protect their privacy and increase security while surfing. We will actively contribute to increased safety on the internet with a Tracking Protection list specifically developed for this new feature.”

    Key security features of Internet Explorer 9

    The new Tracking Protection feature in Internet Explorer 9 enables internet users to gain more control over the information they share. Many state-of-the-art web sites store data that users access via their browser. Frequently, third-party services run in the background and access the personal data of users. This can be prevented by the tracking protection feature. The addresses which are stored are recorded in a Tracking Protection list that users create themselves or can be provided by third parties. (…)

    In addition to the new tracking protection the SmartScreen filter and evaluation systems of Internet Explorer 9 were strongly enhanced. SmartScreen filter is a dynamic security feature that protects against phishing attacks and malicious software. The InPrivate browsing feature ensures that the browser history, temporary internet files, form data, cookies, user names and passwords are automatically deleted. The ActiveX filtering in Internet Explorer supports users in deciding to run ActiveX controls. Thus, the controls can be blocked for all web sites or activated for trusted web sites only.

    The catalog of requirements developed by TÜV TRUST IT GmbH includes technical analyses of software, organizational checks regarding software development and data security as well as compliance features. More information about the test procedure and results is available at: http://www.it-tuv.com/internet-explorer

    Great news for us!

    Roger

  • NSA - Best Practices for Keeping Your Home Network Secure

    A good paper: NSA - Best Practices for Keeping Your Home Network Secure

    Roger

  • Rediscover Microsoft Security Guides

    Fairly often I am asked whether the Security Guides for our products still exist. The good news is: They do. The bad news is: They are named differently :)

    The previously stand-alone Microsoft product-specific security guides are now included within the Microsoft Security Compliance Manager (SCM) tool, which I blogged about several times already (e.g. New Baselines for the Security Compliance Manager).

    So, if you are interested in such guides, you should do what our product team says :)

    Microsoft Solution Accelerators

    SCM is just one of the tools provided by the Microsoft Solution Accelerators team. The Microsoft Assessment and Planning Toolkit, Microsoft Deployment Toolkit, and Security Compliance Manager provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. All are freely available, and fully-supported by Microsoft. Learn more.

    They are actually really good!

    Roger

  • Facebook Implements Microsoft’s PhotoDNA Technology

    This is actually a great development to fight Child Porn:

    Facebook adopts PhotoDNA and joins Microsoft and The National Center for Missing & Exploited Children to disrupt the proliferation of online child exploitation.

    You find the information here.

    Roger