As more and more businesses and organizations contemplate the role of cloud computing in their information technology strategy, trust issues inevitably become integral. Security, privacy, and reliability are important considerations that often influence if, and how, an organization can take advantage of cloud services. When evaluating potential vendors of cloud computing services, there are several key questions you should consider. For example, with regard to privacy: • | What is the cloud service provider's policy on information privacy? How does it align with your organization's policy? Does it show that the provider understands the challenges of data privacy in the cloud? | • | Does the provider have an Information Security Management System? | • | What happens if your customer data is breached? What process does the provider use to notify you so that you can comply with breach notification laws? | • | Is the provider experienced in meeting the data privacy requirements in your industry and geography? | • | Is the provider allowed to move your data to another provider if storage becomes a concern, and would you be informed? How would you move your data to another cloud provider that provides specific services, such as additional computing power for handling large databases? | It is a good idea to organize more detailed questions into categories that map to your organization's specific privacy-related processes, needs, and concerns. There are several ways to do this. Microsoft uses a framework built on ISO 27001:2005 that is described in a paper called Microsoft Compliance Framework for Online Services. Another method is to group high-level questions by topics such as secure infrastructure, identity and access control, information protection, and auditing and reporting. For important questions to consider when choosing a cloud computing services provider, download our quick reference poster. I hope that you find these questions useful in informing your future IT strategy where cloud services are concerned. If you want to learn more about Microsoft cloud services, and how we help protect customer data and business operations in the cloud, visit our Global Foundation Services Web site and check out the Online Security page. To find out how to develop and deploy more secure applications and services—for the client, the cloud, and the Web—check out the resources in this month's Security Guidance section. Best regards, Tim Rains, Group Product Manager, Microsoft Trustworthy Computing Top Stories | Windows Identity Foundation helps simplify user access for developers by externalizing user access from applications via claims and reducing development effort with prebuilt security logic and integrated .NET tools. Users can benefit through single sign-on and seamless collaboration across organizational boundaries. | | Efficiently deploy and manage new applications by reducing custom implementation work, helping establish a consistent security model, and facilitating seamless collaboration between organizations with automated federation tools. Active Directory Federation Services 2.0 includes built-in interoperability via open industry standards and claims, and it implements the industry Identity Metasystem vision for open and interoperable identity. | | With this release, federate existing SharePoint deployments, including Windows SharePoint Services 3.0 and Microsoft Office SharePoint Services 2007. Using this package, enterprise SharePoint administrators can configure their deployments to trust any WS-Federation security token service (STS), such as Active Directory Federation Services 2.0, so that an enterprise can take advantage of claims and offer their services to federation partners. | | Windows CardSpace 2.0 is the end-user component of the Microsoft user access platform for developers and IT professionals that helps simplify access to applications and other systems with an open claims-based model. The Beta 2 release has been refreshed with a variety of fixes and improvements for working seamlessly with Active Directory Federation Services 2.0. We've also improved interoperability and added a feature for automatic logon to the STS. | | Check out the Community Technical Preview releases of three new tools for Web developers. Use CAT.NET 2.0 as a command-line, single-pass data flow engine and configuration rules engine. The Web Application Configuration Analyzer 1.0 scans your development environment against best practices for .NET security configuration, IIS settings, and Microsoft SQL Server security. And with the Web Protection Library, you can easily access libraries and runtime modules including Anti-XSS that provide coverage for issues such as SQL injection and cross-site request forgery. | Security Guidance | A new function in Internet Explorer 8, XDomainRequest introduces a new security model of "origin" headers, pre-flight checks, and limited HTTP request functionality. Learn more about XDomainRequest and its effect on scripting security in this article from SANS trainers Johannes Ulrich and Jason Lam. | | Many early adopters of the Windows Azure platform still have a lot of questions about platform security and its support of cryptography. This article introduces the basic concepts of cryptography and related security within Windows Azure, and then it delves into some of the cryptography services and providers in the platform | | Get familiar with the basics behind encryption algorithms and practices used to create cryptographic schemes. Learn more about symmetric and asymmetric encryption algorithms, the SHA256 hash encryption algorithms, and how to implement them in a simple application. | | Learn how to use Microsoft Internet Security and Acceleration (ISA) Server 2006 to secure your Microsoft application infrastructure by protecting your corporate applications, services, and data across all network layers with stateful packet inspection, application-layer filtering, and comprehensive publishing tools. | | This step-by-step article describes important considerations for securing applications that are built on the Microsoft .NET Framework, from adjusting .NET Framework security on a zone-by-zone basis to limiting the Web services protocols that a server permits. | | Quickly access content, labs, and training to help you establish a standardized approach to rolling out the Microsoft SDL in your organization -- and enrich your existing development practices. This kit includes 14 content modules (with speaker notes, presenter guides, and sample comprehension questions) plus eight MSDN Virtual Labs with lab manuals -- all to help you build a customized SDL training program for your development teams. | | Explore how the Windows Live Team applied the Security Development Lifecycle to the development of new Windows Live services with ASP.NET Model View Controller. | | Take advantage of recommended security tools and practices to help make successful attacks on your applications less likely. | | Get an overview of basic secure coding techniques, and then move on to guidance for securing state data, method access, wrapper code, and other elements. | | Writing a secure ADO.NET application involves more than avoiding common coding pitfalls such as not validating user input. Explore recommendations for designing secure ADO.NET applications, working with data from a secured data source, encryption, and more. | | Get started with tools, training, downloads, and guidance to help you develop more secure applications with proven customer authentication, user access, and identity models | | Have a question about developing secure applications for the Windows platform? Check the forum for the latest best practices and tips from Microsoft and community subject matter experts. | This Month's Security Bulletins Critical: Security Bulletin Overview for January 2010 Microsoft Product Lifecycle Information Find information about your particular products on the Microsoft Product Lifecycle Web site. Microsoft provides free software updates for security and nonsecurity issues for all supported service packs. You can see a list of supported packs here. Security Events and Training | March 1 - 5 | San Francisco, California Join Microsoft Malware Protection Center General Manager Vinny Gullotto and other Microsoft security experts at this year's RSA Conference as they discuss everything from the current threat landscape to secure development, protection and access principles, virtualization security, and much more. | Upcoming Security Webcasts | Thursday, January 14, 11:00 AM Pacific Time | | Thursday, January 14, 1:00 PM Pacific Time | | Friday, January 15, 11:00 AM Pacific Time | | Thursday, January 21, 11:00 AM Pacific Time | | Upcoming security webcasts in a dynamic, interactive format. | For IT Professionals For Developers Now On Demand • | | • | MSDN Webcast: geekSpeak: Access Control Service with Michele Leroux Bustamante (Level 200) Part of the Azure Services Platform under .NET Services, the Access Control Service makes it possible for applications to delegate authentication with built-in support for a variety of credential types, and it supplies claims-transformation for dependent applications. It is a scalable on-demand solution that removes the need to provide dedicated development and IT resources for an on-site STS that can scale. This webcast will show developers how to build federated security scenarios by using the Access Control Service, your STS hosted in the cloud. | | | | Volume 7, No. 1 January 2010 | Additional Security Resources | | | © 2010 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Azure, Forefront, MSDN, SharePoint, SQL Server, Visual Basic, Windows, Windows CardSpace, Windows Live, Windows Server, and Zune are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site. Legal Information. This newsletter was sent by the Microsoft Corporation One Microsoft Way Redmond, Washington, USA 98052 | | | |