Microsoft Security Newsletter – December 2011

	NOTE FROM THE EDITOR Welcome to the last Security Newsletter of 2011! The theme of this month's newsletter is Cloud Computing. Last month I attended the second annual Cloud Security Alliance Congress in Orlando, Florida. The Cloud Security Alliance has emerged as a leading industry authority focused on promoting the use of best practices for providing security assurance within cloud computing, and providing education on the uses of cloud computing. I learned a lot about Cloud security at the event and share some of what I learned in this recent blog post on the Trustworthy Computing blog. We have released some new videos focused on topics related to Cloud security, privacy and reliability called the Cloud Fundamentals Video Series, hosted by yours truly. If you are interested in learning about topics like compliance, standards, service level agreements, and risk management, as they related to cloud computing, these short videos should be helpful. In addition to all the great cloud computing content in this month's newsletter, check out this site dedicated to private cloud architectural resources called the Private Cloud Solution Hub. Talk to you in 2012! Best regards, Tim Rains, Director, Product Management, Microsoft Trustworthy Computing December 2011 Edition IN THIS ISSUE • Top Stories • Security Guidance • Community/MVP Update • The Business of Security • Cloud Security Corner • This Month's Security Bulletins • Microsoft Product Lifecycle Information • Security Events and Training • Upcoming Security Webcasts

Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape. Microsoft Office 365 Cloud-Based Productivity Service Now Helps Customers Comply with HIPAA Privacy and Security Standards With reimbursements falling and medical loss ratio minimums rising, hospitals, physicians, and health plans are under unprecedented pressure to drive down operating costs while still improving the quality and safety of patient care. Explore how Microsoft is helping remove that barrier by embedding privacy and security capabilities in Office 365 so that Office 365 is now a cloud-based platform that complies with leading information privacy and security standards for customers operating in the United States and European Union. Patterns & Practices: Cloud Security Approach in a Nutshell See how Microsoft is building on experience to secure its own cloud developments and utilizing an approach that simplifies and improves security by chunking up security in a way that helps leverage proven practices, while sharing information around emerging practices. Cloud Computing: Cloud Security Concerns While maintaining appropriate data security continues to be a prevailing concern, a cloud computing infrastructure can actually increase your overall security. Learn how then explore specific concerns around virtual cloud security in the follow-up article. Cloud Security Overview Moving to a cloud-based platform requires a change in mindset for IT security professionals. Explore key security considerations for the cloud, the differences between the public and private cloud, and why the ideal solution is often an in-house private cloud solution that exists entirely behind the firewall and hybrid clouds, but which combines private cloud systems with Internet-based (public or private cloud) services. Cloud Security: Safely Sharing IT Solutions Find out how you can share IT solutions between the fixed cost of local resources and the variable cost of cloud resources without losing control of access to enterprise assets. Identity and Access Management in the Cloud Identity and access management (IAM) refers to the processes, technologies, and policies for managing digital identities and controlling how identities can be used to access resources. Explore why identity management in a cloud system requires a complex collection of technologies to manage authentication, authorization and access control across distributed environments. Security Considerations for Infrastructure as a Service (IaaS) Gain a better understanding of common concerns and scenarios around security for and public cloud and private cloud Infrastructure as a Service (IaaS) solutions. From network security to storage and data, this article provides a number of insights that can help you implement a better, more secure IaaS. Managing the Cloud with Windows Intune Learn how the cloud-based PC management solution Windows Intune can help you keep your organization's PCs secure, updated and manageable, no matter where they are located. This article provides detail on each workspace in Windows Intune and the benefits it provides as well as background information on the technical architecture. Want more technical information on Windows Intune? Visit the Windows Intune Resource Zone on TechNet for access to a free 30-day trial and guidance on how to pilot, deploy, and leverage Windows Intune in your organization. Watch short video demonstrations and tutorials on the endpoint protection, policy, and update management features in Windows Intune. Understanding Security Account Management in Windows Azure Find out why, although cloud computing relieves some of the security burden, you still have an active role in managing access, securing communications, and ensuring data protection. Crypto Services and Data Security in Windows Azure Get an introduction to some of the basic concepts of cryptography and related security considerations with Windows Azure including key storage and persistence, immutability, and message queues. MVP Article of the Month: Designing a Cloud-Based Mobile Application for Compliance By Dan Griffin, Microsoft MVP - Enterprise Security For rapid development and deployment of a mobile application using federated authentication, the cloud is often the fastest and most cost-effective option available. Using real-world scenarios, this article analyzes how a solution can be deployed securely and successfully to the cloud while still complying with industry security standards and requirements. Enhancing Your Business and Career with the Private Cloud This exciting track from Microsoft Virtual Academy focuses on how the private cloud can help your business and your career as an IT professional. Learn about cloud business drivers and business processes, get some business and technical fundamentals, learn how to extend your private cloud to the outside world so that your "hybrid" cloud can benefit both you and your business. This track currently comprises three distinct, 200-level modules: Achieving Success with Cloud Computing Building Your Career On The Private Cloud Extending Your Private Cloud to the Outside World Introduction to the Cloud: Fundamentals This introduction video is the first in a series of videos focused on sharing some of the things Microsoft is learning from its customers around cloud security, privacy and reliability. Get insights from some of Microsoft's senior leaders responsible for managing Microsoft's cloud service offerings. TechNet Wiki Spotlight: How to Create and Configure a Private Cloud in System Center Virtual Machine Manager 2012 - Part 1 Learn how to use System Center Virtual Machine Manager 2012 to create, configure, and manage a private cloud infrastructure then move on to delegate control in part two of this TechNet Wiki article. Critical: MS11-087: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) MS11-090: Cumulative Security Update of ActiveX Kill Bits (2618451) MS11-092: Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) Important: MS11-088: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016) MS11-089: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) MS11-091: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) MS11-093: Vulnerability in OLE Could Allow Remote Code Execution (2624667) MS11-094: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) MS11-095: Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) MS11-096: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) MS11-097: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) MS11-098: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) MS11-099: Cumulative Security Update for Internet Explorer (2618444) Security Bulletin Overview for December 2011 Microsoft Security Response Center (MSRC) Blog Post Monthly Security Bulletin Webcast Q&A Windows Media Video (WMV) iPod Video (MP4) SECURITY PROGRAM GUIDE • Microsoft SDL - Developer Starter Kit • Security Awareness Materials • Learn Security On the Job SECURITY BLOGS • Trustworthy Computing Security/Privacy Blogs • Microsoft Security Blog • MSRC Blog • ACE Team • Windows Security • Forefront Team • Solution Accelerators - Security & Compliance • Security Vulnerability Research & Defense • Security Development Lifecycle (SDL) UPCOMING CHATS • View a listing of upcoming technical chats COMMUNITY WEBSITES • IT Pro Security Community ADDITIONAL SECURITY RESOURCES • Security Help and Support for IT Professionals • TechNet Troubleshooting and Support Page • Microsoft Security Glossary • TechNet Security Center • MSDN Security Developer Center • Sign-Up for the Microsoft Security Notification Service • Security Bulletin Search Page • Microsoft Security Center • Home Users: Protect Your PC • MCSE/MCSA: Security Certifications • Subscribe to TechNet • Register for TechNet Flash IT Newsletter

Windows XP End of Support: April 8, 2014 On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available. This means that, after this date, PCs running Windows XP will be vulnerable to security threats. In addition, many third party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity, risk, and ultimately, added management cost for your IT department if you are still managing Windows XP environments. Explore your options with this blog post from the Springboard Series and download the Windows XP End Of Support Countdown Gadget to help remind you about this important milestone. Find information about your particular products on the Microsoft Product Lifecycle Web site. See a List of Supported Service Packs: Microsoft provides free software updates for security and non-security issues for all supported service packs. Microsoft Virtual Academy: Planning, Building and Managing a Private Cloud Learn to better understand, plan for, and manage Microsoft private cloud offerings. This track begins with an introduction of Microsoft's vision for private cloud computing then provides details on how to plan a successful private cloud project. The final module will focus on implementation using a hands-on view of how Microsoft System Center Management tools help manage a private cloud, plus an in-depth discussion on how to implement these tools. There will also be demonstrations of System Center Virtual Machine Manager (VMM), Opalis, and Avicode. Microsoft Virtual Academy: Windows Azure Security Overview Learn the essentials of Windows Azure Security by covering the security protection included at every layer. This track covers the security mechanisms included with Windows Azure at the physical, network, host, application, and data layers. Furthermore, you'll walk away with a basic understanding of some of the identity options you have to authenticate to Windows Azure. For IT Professionals TechNet Webcast: Live! IT Time: Private Cloud Chat (Episode 2) (Level 200) Wednesday, December 21, 2011 10:00 AM Pacific Time TechNet Webcast: Live! IT Time: Private Cloud Chat (Episode 3) (Level 200) Wednesday, January 11, 2012 10:00 AM Pacific Time TechNet Webcast: Information about Microsoft Security Bulletins for January (Level 200) Wednesday, January 11, 2012 11:00 AM Pacific Time TechNet Webcast: Career Progression: Getting Ready for the Cloud (Level 200) Wednesday, January 18, 2012 10:00 AM Pacific Time TechNet Webcast: IT Pro's Heaven: The Private Cloud (Level 200) Wednesday, January 25, 2012 10:00 AM Pacific Time For Decision Makers Transforming IT with Microsoft Private Cloud Tuesday, January 17, 2012 8:30 AM Pacific Time Identity and Authentication Management Options for Office 365 Thursday, January 19, 2012 11:00AM Pacific Time Now on Demand TechNet Webcast: A Tale of Two Clouds: The Microsoft Hybrid Cloud Solution (Level 200) Using a public cloud has too many security concerns for some companies; small companies may be too small for a private cloud. A hybrid cloud solution takes the best advantage of the cloud and still gives you control. This webcast discusses preparing for a hybrid cloud solution starting with server virtualization and always with security considerations in mind.

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2011 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft respects your privacy. To learn more please read our online Privacy Statement. If you would prefer to no longer receive this newsletter, please click here. To set your contact preferences for other Microsoft communications click here. Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA

2011 Microsoft Corporation Sign up for this newsletter | Update your profile | Terms of Use | Trademarks