| | | | Trustworthy Computing | October 2014 |  | | Microsoft Security Newsletter | | | | | | | | | | Welcome to October’s Security Newsletter! | This month’s newsletter focuses on security controls in cloud services. Having a rich set of security controls and a defense in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to maintain security and privacy at all times. Security should be an ongoing effort that combines experienced and qualified personnel, software and hardware technologies, as well as robust processes to design, build, deploy, operate, and support a cloud service. Security must be vigilantly maintained, regularly enhanced, and routinely verified through testing.
When it comes to the cloud, your cloud provider is an important partner in helping to protect your data. This chart provides a good visual on the shared responsibility of security controls between the cloud customer and cloud provider when it comes to data protection whether you are using Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS).
| • | Cloud provider controls – Cloud provider controls include technical capabilities, operational procedures, and policies that are enabled for customers using the service. Examples include security best practices like penetration testing and defense-in-depth to help protect against cyber threats, as well as physical and data security with access control, encryption, and strong authentication to help prevent unauthorized access. | | • | Cloud customer controls – Cloud customer controls include features that enable customers to customize their environments based on the specific needs of their organizations. Examples include unique customer controls such as Rights Management Service and Data Loss Protection which can help empower customers to protect information. |
Of course, of these are just a few examples of security controls and how a cloud provider is an important partner in helping protect data. For more in-depth information on security controls for enterprises, I encourage you to check out the many great resources included in this month’s newsletter.
 | | Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing |
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas. | | |  | | Top Stories |  |  | | | | Trustworthy Cloud Series: Managing Secure Cloud Operations
When it comes to choosing a cloud provider, how do you decide who to trust with your most sensitive information? Learn how Microsoft utilizes the Operational Security Assurance (OSA) framework for its cloud services, which details the approach to security controls such as vulnerability scanning, patch management, encryption, and more.
Windows 10: Continuing to Raise the Security Bar for Cybercriminals
Check out some of the highlights from Jim Alkove’s post about the important changes that are coming in Windows with regard to identity protection and access control, information protection, and threat resistance.
Microsoft’s Perspective on the Cybersecurity Framework: Next Steps for Incentives and International Harmonization
The Cybersecurity Framework issued earlier this year by the U.S. National Institute for Standards and Technology (NIST) offers the opportunity for international collaboration because it is rooted in widely-recognized international and national standards and practices. Read about Microsoft’s recently filed comments in response to NIST's Request for Information (RFI) about our experience with the Cybersecurity Framework.
| | | | | Security Guidance | | | | Security Tip of the Month: Identity Management in the Age of Hybrid IT
Get detailed information on the four fundamental pillars of identity—administration, authentication, authorization, auditing—that can be useful in creating a strategic direction for an identity infrastructure in your organization.
Cloud Computing Security Architecture: The IT Pro Perspective
Get comprehensive guidance on planning for security as part of your cloud infrastructure. Start with an overview of cloud security then move on to:
A Solution for Private Cloud Security
Download a comprehensive explanation of the process for designing and running security for a private cloud environment. This solution includes a blueprint guide, design guide, and operations guide.
Private Cloud Reference Guide
Find an overview of private cloud architecture and information the principles, patterns, and concepts as well as planning guides for IaaS, service delivery, operations, and systems management.
Microsoft Azure Trust Center
Explore the security controls and capabilities delivered by Microsoft Azure, and find information on how to carry out authorized penetration testing for your applications hosted in Azure.
| | | | | Community Update | | | | You Asked, We Answered: #AskPtH Questions and Answers
Pass-the-Hash (PtH) refers to a technique that allows an attacker to capture account logon credentials on one compromised computer, and then use those captured credentials to authenticate to other computers across the network. Many organizations who want to protect their networks are particularly interested in this technique so we opened the conversation to @msftsecurity Twitter followers and asked what questions you had about PtH. Check out the first set of short video segments answering some of the questions we’ve received to date.
Vuln Hunt: Find the Security Vulnerability Challenge #3
This particular type of vulnerability is used to attack data-driven applications found across the web. It has been around for over a decade and is one of the top threats today. Do you know what it is?
| | | | | This Month's Security Bulletins | | | | | | October 2014 Security Bulletins
| | | October 2014 Security Bulletin Resources:
| | | | | Security Events and Training | | | | | | Microsoft Virtual Academy (MVA): Hybrid Cloud
Explore the advantages and flexibility of the hybrid cloud, where you can keep your critical data on-premises and get greater scale for your day-to-day operations. Learn how to optimize your organization’s IT infrastructure with Microsoft hybrid cloud technologies with best practices and detailed implementation guidance.
MVA: Private Cloud
Learn how to build, deploy, and maintain a private cloud. In these courses, you will learn about core Windows Server products, and how to use them to build and support the virtualized and physical resources that are part of your private cloud infrastructure. You will also hear about common cloud computing configuration and management practices, as well as technical details to help you be successful in building a private cloud for your business.
Dimension Data Series – The Hybrid Cloud: A Balancing Act Between Benefits and Security
Thursday, December 4, 2014 – 10:00 AM Pacific Time
Learn how to extend your datacenter to the cloud in a secure and automated way, how to secure your information in the cloud, how to manage security in a mix of private and public clouds, why a hosted private cloud can be the best solution for sensitive data and mission critical workloads.
Windows 10 for Enterprise
Thursday, November 20, 2014 – 9:00 AM Pacific Time
Be one of the first to take an early look at some of the features and functionality for business users in the next version of Windows including those that protect against modern security threats.
| | | | | | | | | | | | | | | | | microsoft.com/about/twc | Trustworthy Computing | | | | | | | | This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
© 2014 Microsoft Corporation Terms of Use | Trademarks
Microsoft respects your privacy. To learn more please read our online Privacy Statement.
If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies please click here. These settings will not affect any other newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services.
To set your contact preferences for other Microsoft communications click here.
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA | | | | | | | | |
