Trustworthy Computing | December 2013
Microsoft Security Newsletter

Welcome to December’s Security Newsletter!

This month our newsletter focuses on security considerations for cloud adoption. When choosing a cloud provider, you want a provider you can trust with your organization’s data and information. As a cloud provider to over a billion customers in 76+ markets worldwide, Microsoft understands the importance of building trust. There are three key areas Microsoft focuses on in building trust with our customers:
Development – We know that you want products and services built with security, privacy and reliability in mind. In 2004, Microsoft made secure development a mandatory process for all products by implementing the Microsoft Security Development Lifecycle (SDL). The Microsoft SDL is a holistic and comprehensive approach for writing security, privacy and reliability-enhanced code.
Operations – To provide secure operations for our customers, Microsoft has invested billions of dollars in designing our datacenters to internationally recognized standards that comply with regional laws, as well as our own stringent security and privacy policies. Our datacenters are designed with a detailed set of security controls across multiple layers so that should one layer of defense fail, there are multiple other compensatory layers. More recently, at RSA Europe in October, General Manager for Trustworthy Computing at Microsoft Mike Reavey delivered a keynote that discussed Microsoft’s methodology for Operational Security Assurance (OSA) as it relates to online services. A secure operations methodology is part of Microsoft’s ongoing commitment to enable trustworthy computing in all aspects of our online services and OSA represents the next evolution of these efforts.
Incident Response – No matter how secure and reliable services are, unexpected situations may occur – from natural disasters to emerging security, privacy or reliability threats. That’s why it’s critical that a cloud provider has a comprehensive incident response process in place. If an issue emerges at Microsoft that threatens the cloud services provided to our customers, our incident response teams such as the Microsoft Security Response Center (MSRC) mobilize resources around the world to investigate and address reports. Our incident response teams operate 24X7 across multiple locations around the world with failover capabilities in the event of a disaster. They create timely updates, provide customer guidance and workarounds to remediate and restore service for customers around the globe.
How a cloud provider handles development, operations and incident response are important security considerations when choosing a cloud provider. You should look for a cloud provider that will demonstrate a commitment to these areas through transparency and compliance. If you are ready for the cloud, assess your readiness by taking Microsoft’s free Cloud Security Readiness Tool today! To help you better understand how to adopt and deploy secure cloud solutions for your organization, we've assembled a variety of resources and tools in this month’s newsletter. I hope you find this information helpful and wish you all a happy and safe holiday season.

Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing

Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.

Top Stories

Enterprise Threat Encounters: Scenarios and Recommendations – Part 1
Read the first installment in a multi-part series that will detail common security incidents faced by organizations today and provide recommended mitigations based on guidance from Microsoft’s Security Support team. Topics covered in this post include entry points, gaining administrator control, establishing roots, credential theft, and data theft.

Be a Real Security Pro – Keep Your Private Keys Private
One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. In the past month or so, the use of stolen certificates has become more common. Learn about this trend and the steps you can take to better secure your code-signing keys.

Security Professionals: Top Cyber Threat Predictions for 2014
Get a quick recap of recent security events, the state of the industry today, and a glimpse into the future with how Microsoft anticipates the threat landscape to evolve in 2014.

Security Guidance

Cloud Basics: Security in the Cloud
While designed for the government industry, this quick guide provides a high-level overview of the basic pros and cons of adopting cloud computing as well as a quick checklist on what to consider when looking for a cloud provider.

Security Issues in Cloud Deployment Models
Explore common security issues for the three basic models of cloud-based computing: public cloud (software, infrastructure, or platforms offered as a service by third parties over the Internet), private cloud (cloud technologies where you control the entire stack, from hardware to software, and can be located on-premises, or at a hosting provider that manages the servers dedicated to your private cloud solution), and hybrid cloud (the combination of public and private cloud).

Common Cloud Vulnerabilities
The manner in which you architect your cloud computing infrastructure can have a direct impact on its resistance to failure. Public and private clouds can be affected by both malicious attacks and infrastructure failures such as power outages. This article outlines a few common challenges (and possible solutions) involved with implementing a secure and reliable cloud infrastructure for your organization.

A Solution for Private Cloud Security
Access a comprehensive explanation of the process for designing and running security for a private cloud environment including planning considerations, step-by-step design guidance, and guidance on how to facilitate ongoing, effective operations. Not sure how the private cloud differs from other mechanisms for delivering cloud services? Read the Overview of Private Cloud Architecture.

Security Considerations for Infrastructure as a Service (IaaS)
In terms of security requirements, IaaS must implement security effectively at the level of the host, virtual machine, compute, memory, network and storage. Explore these considerations in detail to help you better determine whether IaaS is right for your organization and, if it is right, to select an appropriate IaaS provider.

Security Guidelines for SQL Azure
SQL Azure Database is a cloud database service from Microsoft. SQL Azure provides web-facing database functionality as a utility service. This document provides an overview of security guidelines for customers who connect to SQL Azure Database, and who build secure applications on SQL Azure.

Identity and Authentication in the Cloud: Office 2013 and Office 365
This downloadable technical poster illustrates and explains the new world of identity and authentication in Office 2013 and Office 365 including how identities are provisioned and how those identities are authenticated completely in the Microsoft cloud or in a hybrid (on-premises and Microsoft cloud) topology. Looking for more information on how Office 365 delivers enterprise-grade security? Download the Security in Office 365 white paper and visit the Office 365 Trust Center.

Operational Security for Online Services Overview
Download an overview of how Microsoft makes its networks more resilient to attack and increases the security of its cloud-based services by extending the foundation of Microsoft cloud-based services to protect against Internet-based security threats and by incorporating best practices and methodology to continuously update services to improve security and resolve incidents as quickly as possible.

This Month's Security Bulletins

December 2013 Security Bulletins

December 2013 Security Bulletin Resources:

Security Events and Training

Microsoft Webcast: Information about the January 2014 Security Bulletin Release
Wednesday, January 15, 2014
Join this webcast for a brief overview of the technical details of January’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

Modernizing and Mobilizing your Clinical Desktop
Wednesday, January 22, 2014
If you are running Windows XP or Windows 7, are concerned about the use of iPads in your environment and want to give your users an alternative, and want to address secure and HIPAA compliant mobile workflows, this webcast is for you. Learn about non-compliance with the HIPAA Security rule for Windows XP users beyond April 8, 2014 including how threats and vulnerabilities and risks to Protected Health Information will make the Windows XP platform the target of cyber-attacks and open to malware and virus intrusion.

Microsoft Webcast: Information about the February 2014 Security Bulletin Release
Wednesday, February 12, 2014
Join this webcast for a brief overview of the technical details of February’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

TechEd North America 2014
May 12-15, 2014 – Houston, Texas
In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interact with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more. Register by December 31, 2013 to get early-bird pricing on the conference as well as pre-conference seminars, which include a special workshop on "Hacking and Hardening Windows Infrastructure."

This is a monthly newsletter for IT professionals and developers – bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.