  • Security Considerations in a Private Cloud

    I talk a lot about Cloud Security, and there are a few observations I have made:

    • Even though a lot of people are talking about the Cloud, there is still not much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application as a Service? And where are the key differences when it comes to risks?
    • A lot of businesses look at it as all or nothing. This is simply a massive mistake. There are workloads (like your identity management) that you will keep on premise for a really long time before moving them to the Cloud. Others you might want to move immediately to the public Cloud, and some will stay in a private Cloud.
    • There is a lot of fear out there and not a lot of frameworks which help to bring the whole discussion to a rational level. Actually, there is a lot of material out there, but not a lot of it is simple to read and consume.

    That’s the reason why Doug Cavit and I wrote the Cloud Computing Security Considerations about a year ago. We came up with 5 points to be considered when looking at the Cloud from a security perspective:

    • Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
    • Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.
    • Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
    • Endpoint Integrity: As cloud-based services originate, and are then consumed, on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
    • Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

    These five considerations have been very well received and seem to work well for customers to address some of the points above. The number 1 question I got, however, was: How can I apply this to the different scenarios?

    Therefore I am happy to announce that we just released a paper to the web called: Addressing Cloud Computing Security Considerations with a Partner Private Cloud.

    We show you how to split responsibilities between the partner and the customer and what the considerations mean for both sides – as always, your feedback is more than welcome!

    Finally, stay tuned: In a few days, we will do the same for the public Cloud, this time focused on Office365. As soon as we go live with Office365, we will publish it.

    Roger

  • Does the business really hate IT?

    Back in the days of outsourcing, there was real tension between IT and the business. Internal IT had the “comfortable” position of having a monopoly: the business used the internal IT and basically just had to pay the bill. Then came the time when the business was not satisfied anymore. That basically started with the era of the PC. IT was in kind of a losing position: if the decentralized IT worked, it was just what users expected; if it did not, users complained. Additionally, as IT was treated as an art rather than an engineering discipline (that is still the way it is run on a lot of occasions), cost just grew, without any real rationalization. IT is critical for all businesses, but its value is hard to measure (until you lose your mail server for a day).

    Then outsourcing came and everything got better – not really. A lot of companies outsourced a problem: they outsourced everything to the outsourcing provider, with the same people and the same attitude. But now they had a contract – and so did the outsourcer. I have been in numerous meetings (and still am) where the customer and the outsourcer were fighting over whether applying a patch is part of the contract or not, and whether patch management should be done more often than every six months. Finally, the customer had to learn to become a customer as well and to specify their needs.

    Why do I write this? Because I see similar discussions today with the Cloud. The business is not satisfied with how internal IT delivers: too slow, too expensive and too unreliable. Therefore the business is looking at the promises of the Cloud: fast, reliable, inexpensive. What does it really mean for the business? For IT?

    • To me, the business has to understand that if they move to the public cloud, there is a good chance that they will have to adapt their business processes. Remember the huge ERP projects? It is not that different. This might be good as it forces the organization to clean up – but it should be a conscious decision. Even for the part you are moving to the cloud, you still keep part of your responsibilities: you are still ultimately responsible for your compliance. You should keep your identity management in house, and risk management for your business cannot be outsourced. You have to have a data classification which is applied and lived – this is how we described it in our Cloud Computing Security Considerations. Last but not least: you are the customer of a standardized service. Make sure you understand this, as this will be a long-term partnership you are going for, with very, very limited flexibility of the final solution.
    • If you move to the private cloud, the situation is slightly different, as you might have more influence on what your solution looks like. But even the private cloud is not outsourcing as you knew it – e.g. most probably you will not be able to tell the cloud provider how they will run their datacenters. You will run on your own OS instances (which does not necessarily mean your own hardware, as the solution will most probably be virtualized), but even the question of the data location might have to be negotiated. And: it definitely costs more.
    • If you are an IT organization: become a Cloud provider. Become the partner for your business in the Cloud. Your business will want to have part of it in a private cloud – offer this in a way that lets you compete with third parties, as you will not be able to compete in the public cloud.

    This has to be a strategic decision and not a decision taken because the business does not like its own IT. For the internal IT it might be a threat (if you decide to sit and wait) or an opportunity (if you take the strategic decision and seize the opportunity).

    Now, the reason for this post was actually an article which was sent to me: Why businesses move to the cloud: They hate IT

    Roger

  • Windows Lifecycle and Support

    One of the things that often surprises me when talking to customers is that they do not know when certain (key) products run out of support – and therefore when security updates will no longer be shipped.

    You should include the following dates in your plans:

    • Windows XP Home: Mainstream support ended 4/14/2009
    • Windows XP Professional: Extended support ends 4/8/2014 (if you did not yet plan to migrate to Windows 7, you should probably start)
    • Windows Vista Ultimate and Windows Vista Home: Mainstream support ends 4/10/2012
    • Windows Vista Enterprise: Extended support ends 4/11/2017
    • Windows NT Server 4.0: Support ended 12/31/2004 (I guess you know that)
    • Windows Server 2003, Enterprise Edition: Extended support ends 7/14/2015
    • Windows Server 2003 R2 Enterprise Edition: Extended support ends 7/14/2015

    If you want to see the full lifecycle database, you will find it on our Lifecycle site.

    This is the general policy:

    Business and Developer products

    Microsoft will offer a minimum of 10 years of support for Business and Developer products. Mainstream Support for Business and Developer products will be provided for 5 years or for 2 years after the successor product (N+1) is released, whichever is longer. Microsoft will also provide Extended Support for the 5 years following Mainstream support or for 2 years after the second successor product (N+2) is released, whichever is longer. Finally, most Business and Developer products will receive at least 10 years of online self-help support.

    Consumer, Hardware, and Multimedia products

    Microsoft will offer Mainstream Support for either a minimum of 5 years from the date of a product’s general availability, or for 2 years after the successor product (N+1) is released, whichever is longer. Extended Support is not offered for Consumer, Hardware, and Multimedia products. Products that release new versions annually, such as Microsoft Money, Microsoft Encarta, Microsoft Picture It!, and Microsoft Streets & Trips, will receive a minimum of 3 years of Mainstream Support from the product's date of availability. Most products will also receive at least 8 years of online self-help support. Microsoft Xbox games are currently not included in the Support Lifecycle policy.
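    To make the policy and the date list above actionable, here is an added Python example (my own illustration for this post, not a Microsoft tool or part of the Lifecycle site). It does two things: it applies the Business and Developer rule quoted above (Mainstream ends at the later of GA + 5 years and N+1 release + 2 years; Extended at the later of Mainstream + 5 years and N+2 release + 2 years, with no Extended phase for Consumer products), and it goes one step beyond the text by checking a host inventory against the support dates listed in this post so you can see which machines will not receive security updates any more. The GA/successor dates and the inventory (hostnames, OS strings) are constructed sample values; the lifecycle table holds only the dates listed above.

```python
"""Support-lifecycle checks: an added example, not a Microsoft tool.

1. lifecycle_end_dates() applies the Business and Developer rule quoted in
   the post: Mainstream ends at the later of GA + 5 years and N+1 release
   + 2 years; Extended ends at the later of Mainstream + 5 years and N+2
   release + 2 years. Consumer products get no Extended phase.
2. flag_unsupported() compares a host inventory against the dates listed in
   the post and reports hosts that have passed the listed support date, i.e.
   hosts that will not receive security updates any more.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def lifecycle_end_dates(ga: date,
                        n1_release: Optional[date] = None,
                        n2_release: Optional[date] = None,
                        consumer: bool = False) -> Tuple[date, Optional[date]]:
    """Return (mainstream_end, extended_end) per the quoted policy.

    Successor dates may be None while that product has not shipped yet; the
    time-based term then decides alone. Extended is None for consumer products.
    """
    mainstream = add_years(ga, 5)
    if n1_release is not None:
        mainstream = max(mainstream, add_years(n1_release, 2))
    if consumer:
        return mainstream, None
    extended = add_years(mainstream, 5)
    if n2_release is not None:
        extended = max(extended, add_years(n2_release, 2))
    return mainstream, extended


# The dates the post lists (it writes them as m/d/yyyy). Where the post gives
# only the Mainstream end, that is the date recorded here.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP Home": date(2009, 4, 14),                            # Mainstream ended
    "Windows XP Professional": date(2014, 4, 8),                     # Extended ends
    "Windows Vista Ultimate": date(2012, 4, 10),                     # Mainstream ends
    "Windows Vista Home": date(2012, 4, 10),                         # Mainstream ends
    "Windows Vista Enterprise": date(2017, 4, 11),                   # Extended ends
    "Windows NT Server 4.0": date(2004, 12, 31),                     # support ended
    "Windows Server 2003, Enterprise Edition": date(2015, 7, 14),    # Extended ends
    "Windows Server 2003 R2 Enterprise Edition": date(2015, 7, 14),  # Extended ends
}

# Constructed sample inventory (hostname, OS as reported by the asset system).
INVENTORY: List[Tuple[str, str]] = [
    ("fileserver01", "Windows Server 2003 R2 Enterprise Edition"),
    ("hr-laptop-07", "Windows XP Professional"),
    ("reception-pc", "Windows XP Home"),
    ("kiosk-03", "Windows NT Server 4.0"),
    ("ws-frontdesk", "Windows 7"),   # not in the table above
]


def flag_unsupported(inventory: List[Tuple[str, str]], as_of: date):
    """Split the inventory into hosts past their listed support date and hosts
    whose OS is not in the table. Unknowns are returned, not dropped, so a
    typo in an OS name never makes a host look supported."""
    expired, unknown = [], []
    for host, os_name in inventory:
        end = END_OF_SUPPORT.get(os_name)
        if end is None:
            unknown.append((host, os_name))
        elif end < as_of:
            expired.append((host, os_name, end, (as_of - end).days))
    # Longest out of support first: those hosts have missed the most updates.
    expired.sort(key=lambda row: row[3], reverse=True)
    return expired, unknown


if __name__ == "__main__":
    today = date(2011, 6, 1)   # constructed "as of" date, not the real clock
    expired, unknown = flag_unsupported(INVENTORY, today)
    for host, os_name, end, days in expired:
        print(f"{host:14} {os_name:42} out of support since {end} ({days} days)")
    for host, os_name in unknown:
        print(f"{host:14} {os_name:42} not in lifecycle table - look it up")
    ms, ext = lifecycle_end_dates(date(2010, 1, 1), date(2014, 6, 1), date(2020, 1, 1))
    print("example policy dates:", ms, ext)
```

    Two design points: unknown OS strings are reported rather than ignored, because the dangerous outcome of an inventory check is a silently "supported" host; and the report is sorted by how long a host has been out of support, which is a rough proxy for how many security updates it has missed.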

    Roger

  • Ten Immutable Laws Of Security (Version 2.0)

    You might have known the 10 Immutable Laws Of Security for quite a while. They are kind of the “collected non-technical wisdom” of what we see in security response, be it in the Microsoft Security Response Center or in our Security Product Support.

    There is now a version 2, which is still as important as version 1 was. The 10 Laws are:

    Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
    Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
    Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
    Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
    Law #5: Weak passwords trump strong security.
    Law #6: A computer is only as secure as the administrator is trustworthy.
    Law #7: Encrypted data is only as secure as its decryption key.
    Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
    Law #9: Absolute anonymity isn't practically achievable, online or offline.
    Law #10: Technology is not a panacea.

    Just make sure that you keep them in mind – there is no “patch” for them. The whole set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

    Roger

  • Internet Personalization–and How I Never Looked at It…

    This is actually a great speech but very, very, very scary:

    And the scariest part is that I never looked at it that way, but he is right.

    Roger