<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Government</title>
	<atom:link href="http://www.halbheer.info/security/category/government/feed" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.info/security</link>
	<description>I am the Worldwide Chief Security Advisor for Microsoft and would like to discuss Information Security</description>
	<lastBuildDate>Thu, 09 Sep 2010 12:29:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>FTC Takes Action Against Employee Bloggers</title>
		<link>http://www.halbheer.info/security/2010/09/09/ftc-takes-action-against-employee-bloggers</link>
		<comments>http://www.halbheer.info/security/2010/09/09/ftc-takes-action-against-employee-bloggers#comments</comments>
		<pubDate>Thu, 09 Sep 2010 09:24:47 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Trust]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/09/ftc-takes-action-against-employee-bloggers</guid>
		<description><![CDATA[This is interesting information: FTC Takes Action Against Employee Bloggers. I am often asked about the rules and guidelines we have internally for bloggers. One is to be transparent. Whenever I blog, tweet or comment on a blog, I &#8230; <a href="http://www.halbheer.info/security/2010/09/09/ftc-takes-action-against-employee-bloggers">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/11/insider-threat-of-cloud-computing' rel='bookmark' title='Permanent Link: Insider Threat of Cloud Computing'>Insider Threat of Cloud Computing</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/24/what-teens-do-online' rel='bookmark' title='Permanent Link: What Teens Do Online'>What Teens Do Online</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>This is interesting information: <a href="http://www.seyfarth.com/index.cfm/fuseaction/publications.publications_detail/object_id/99b45f51-a7d9-4db5-bbb8-3675a67c6cd2/FTCTakesActionAgainstEmployeeBloggers.cfm" target="_blank">FTC Takes Action Against Employee Bloggers</a>.</p>
<p>I am often asked about the rules and guidelines we have internally for bloggers. One is to be transparent. Whenever I blog, tweet or comment on a blog, I am always transparent about the fact that I work for Microsoft – at least when I do this on something that is technology-related <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.info/security/wp-content/uploads/2010/09/wlEmoticon-smile1.png">. This is actually fairly obvious to me, as it has to do with my values.</p>
<p>Tonight I will stand in front of parents in the community where I live and talk about Internet safety for kids. One of the things I want them to understand is that you should not always believe what you read on the Internet. The article above is another good example of that.</p>
<p>Roger</p>



<p>Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/11/insider-threat-of-cloud-computing' rel='bookmark' title='Permanent Link: Insider Threat of Cloud Computing'>Insider Threat of Cloud Computing</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/24/what-teens-do-online' rel='bookmark' title='Permanent Link: What Teens Do Online'>What Teens Do Online</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/09/09/ftc-takes-action-against-employee-bloggers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Success against Cybercrime</title>
		<link>http://www.halbheer.info/security/2010/08/07/success-against-cybercrime</link>
		<comments>http://www.halbheer.info/security/2010/08/07/success-against-cybercrime#comments</comments>
		<pubDate>Sat, 07 Aug 2010 19:21:38 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/07/success-against-cybercrime</guid>
		<description><![CDATA[I just read this article E-crime unit arrests suspected phishing gang, which shows that we are making progress in fighting cybercrime. Very good news Roger Related posts:Council of Europe &#8211; Octopus Conference (Cooperation against Cybercrime) &#8211; Key Messages Council of &#8230; <a href="http://www.halbheer.info/security/2010/08/07/success-against-cybercrime">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) &ndash; Key Messages'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) &ndash; Key Messages</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention' rel='bookmark' title='Permanent Link: Council of Europe: We need ONE Cybercrime Convention'>Council of Europe: We need ONE Cybercrime Convention</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>I just read this article, <a href="http://www.zdnet.co.uk/news/security-threats/2010/08/05/e-crime-unit-arrests-suspected-phishing-gang-40089746/" target="_blank">E-crime unit arrests suspected phishing gang</a>, which shows that we are making progress in fighting cybercrime. Very good news.</p>
<p>Roger</p>



<p>Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) &ndash; Key Messages'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) &ndash; Key Messages</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention' rel='bookmark' title='Permanent Link: Council of Europe: We need ONE Cybercrime Convention'>Council of Europe: We need ONE Cybercrime Convention</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/08/07/success-against-cybercrime/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>US Cybersecurity Research!</title>
		<link>http://www.halbheer.info/security/2010/07/15/us-cybersecurity-research</link>
		<comments>http://www.halbheer.info/security/2010/07/15/us-cybersecurity-research#comments</comments>
		<pubDate>Thu, 15 Jul 2010 20:22:28 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/14/us-cybersecurity-research</guid>
		<description><![CDATA[The Department of Homeland Security published a report on A Roadmap for Cybersecurity Research, I was definitely impressed! All the themes, which are important to me are in their list : Scalable trustworthy systems (including system architectures and requisite development &#8230; <a href="http://www.halbheer.info/security/2010/07/15/us-cybersecurity-research">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2008/05/26/researcher-at-microsoft-research-wins-acm-award-for-privacy-protection' rel='bookmark' title='Permanent Link: Researcher at Microsoft Research wins ACM award for Privacy Protection'>Researcher at Microsoft Research wins ACM award for Privacy Protection</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/22/is-security-research-ethical' rel='bookmark' title='Permanent Link: Is Security Research Ethical?'>Is Security Research Ethical?</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/21/analysis-of-the-estonian-attacks' rel='bookmark' title='Permanent Link: Analysis of the Estonian Attacks'>Analysis of the Estonian Attacks</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>The Department of Homeland Security published a report, <a href="http://www.cyber.st.dhs.gov/docs/DHS-Cybersecurity-Roadmap.pdf" target="_blank">A Roadmap for Cybersecurity Research</a>, and I was definitely impressed!</p>
<p>All the themes that are important to me are on their list:</p>
<ol>
<li>Scalable trustworthy systems (including system architectures and requisite development methodology)</li>
<li>Enterprise-level metrics (including measures of overall system trustworthiness)</li>
<li>System evaluation life cycle (including approaches for sufficient assurance)</li>
<li>Combating insider threats</li>
<li>Combating malware and botnets</li>
<li>Global-scale identity management</li>
<li>Survivability of time-critical systems</li>
<li>Situational understanding and attack attribution</li>
<li>Provenance (relating to information, systems, and hardware)</li>
<li>Privacy-aware security</li>
<li>Usable security</li>
</ol>
<p>It is great to see that this goes in the right direction! The key will be when the research delivers results.</p>
<p>Roger</p>



<p>Related posts:<ol><li><a href='http://www.halbheer.info/security/2008/05/26/researcher-at-microsoft-research-wins-acm-award-for-privacy-protection' rel='bookmark' title='Permanent Link: Researcher at Microsoft Research wins ACM award for Privacy Protection'>Researcher at Microsoft Research wins ACM award for Privacy Protection</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/22/is-security-research-ethical' rel='bookmark' title='Permanent Link: Is Security Research Ethical?'>Is Security Research Ethical?</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/21/analysis-of-the-estonian-attacks' rel='bookmark' title='Permanent Link: Analysis of the Estonian Attacks'>Analysis of the Estonian Attacks</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/15/us-cybersecurity-research/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Computing: Benefits and Risks of Moving Federal IT into the Cloud</title>
		<link>http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud#comments</comments>
		<pubDate>Tue, 06 Jul 2010 13:14:28 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud</guid>
		<description><![CDATA[July 1st, Scott Charney, Corporate Vice President Trustworthy Computing was testifying at a hearing of the House Committee on Oversight and Government Reform. Basically the hearing was on the benefits and risk of Cloud adoption for the US government. If &#8230; <a href="http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud' rel='bookmark' title='Permanent Link: Customer Stories: Why it is not THAT easy to move to the Cloud'>Customer Stories: Why it is not THAT easy to move to the Cloud</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/11/insider-threat-of-cloud-computing' rel='bookmark' title='Permanent Link: Insider Threat of Cloud Computing'>Insider Threat of Cloud Computing</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration' rel='bookmark' title='Permanent Link: Why Google Won&rsquo;t Beat Microsoft on Cloud Collaboration'>Why Google Won&rsquo;t Beat Microsoft on Cloud Collaboration</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>On July 1st, Scott Charney, Corporate Vice President, Trustworthy Computing, testified at a hearing of the House Committee on Oversight and Government Reform. Basically, the hearing was on the benefits and risks of Cloud adoption for the US government. If you are interested in reading his full testimony, you will find it <a href="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-82-95/0724.MicrosoftStatement_2D00_ScottCharney_2D00_House_2D00_OGR.PDF" target="_blank">here</a>. Additionally, Scott posted a blog on <a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2010/07/01/creating-trust-for-the-government-cloud.aspx" target="_blank">Creating Trust for the Government Cloud</a>. Both articles are definitely worth reading if you have the time.</p>
<p>I tried to look at it from the angle of the generic framework we developed this January, when we released our <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Security Considerations Whitepaper</a>. I have used the content of the paper fairly often in the past few months, and it resonates very well because of its simplicity combined with the completeness of the considerations raised. Basically, we talk of five areas of consideration:</p>
<ol>
<li><strong>Compliance and Risk Management</strong>: <em>Compliance requirements can be fulfilled by a <strong>skilled internal team</strong> and a certain level of <strong>process transparency</strong> by the cloud provider(s). </em></li>
<li><strong>Identity and Access Management</strong>: <em>Any digital identity system for the cloud has to be <strong>interoperable</strong> across different organizations and cloud providers and based on strong processes.</em></li>
<li><strong>Service Integrity</strong>: <em>The provider should follow a <strong>clear, defined, and provable process</strong> to integrate security and privacy in the service from the beginning and for the whole lifecycle</em> and <em>The service delivery capabilities of the provider and the security management and auditing needs of the customer must be aligned</em>.</li>
<li><strong>End Point Integrity</strong>: <em>It is very important to <strong>include the end point</strong> in any security consideration for cloud-based services</em>.</li>
<li><strong>Information Protection</strong>: <em><strong>Implemented Data Classification</strong> helps to decide which data is ready for the cloud, under which circumstances, and with which controls</em>.</li>
</ol>
<p>As Scott was not addressing a general audience but the government, he took a different angle and talked about the key responsibilities of the Cloud providers, of the government, and about where the responsibilities are shared. Let me take some quotes from Scott’s note and frame them in the model above.</p>
<p><strong>1. Compliance and Risk Management</strong></p>
<p>The area where I struggle most is that there are too many customers out there (private and public sector) who think that they can outsource a problem and then they are done. “Let’s move part of our IT to the cloud and then the cloud provider ensures our compliance” – and the industry often supports this behavior by telling the customer that they should look at it like a bank: give us all your money and you do not have to care anymore – well, recent developments in the economy showed that not even this is true! This approach simply works in fairytales.</p>
<p>Scott said in that respect:</p>
<p><em>Of course, the fact that a customer has transferred these responsibilities to the cloud provider — and may even have transferred legal liability by contract — is not the end of the matter. For example, citizens ultimately may hold a government accountable if data is lost or stolen, or critical data is not available when needed, notwithstanding any cloud provider agreement. Thus, a government may remain “accountable” to its constituents when an incident occurs, notwithstanding any contractual apportionment of responsibility. That said, as the federal government becomes a customer of cloud services, it must be clear about its requirements — and cloud providers must be responsible for meeting those requirements.</em></p>
<p>I am personally convinced that the cloud provider needs to show a certain level of transparency in order to help the customer to be compliant. The level of transparency depends on different factors, like whether you are operating in a private or a public cloud, your requirements, etc. In Scott’s words:</p>
<p><em>Defining how responsibilities for security, privacy, and reliability are allocated — and creating sufficient transparency about this allocation — represent new challenges. Both customers and cloud providers must understand their respective roles and be able to communicate compliance requirements and controls across the spectrum of services available in the cloud.</em></p>
<p>The interesting challenge now is to clarify who takes what kind of responsibility in this. It is clearly the responsibility of the customer to have a team of people, as I mentioned above, to ensure compliance and proper risk management across all the systems they operate. However, this does not mean that the cloud provider does not carry any responsibility – the contrary is the case.</p>
<p><em>The importance of assuring the confidentiality, integrity, and availability of customer data and operations is not new, but cloud computing does have the effect of shifting the responsibility (in whole or in part) for these areas to cloud service providers. Providers must rise to this new reality and provide commensurate levels of assurance for their customers.</em></p>
<p>Usually this is the point where people start to ask what we do to help here. Instead of me summarizing this, I use Scott’s words again:</p>
<p><em>Microsoft addresses this challenge through our holistic approach for managing security, privacy, and reliability that is designed to meet or exceed customer requirements. Our approach includes three cross-cutting functions to manage physical, personnel, and IT security: (1) utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business; (2) maintaining and updating a detailed set of security controls that mitigate risk; and (3) operating a compliance framework that ensures controls are designed appropriately and are operating effectively. </em></p>
<p>In order to prove our processes, Microsoft Online Services is ISO 27001:2005 and SAS 70 Type I and Type II certified &#8211; Microsoft’s online Information Security Program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005. To be clear: I understand the limitations of these certifications; however, to my knowledge there is nothing in the market which does a better job. In my opinion we should start thinking about security metrics rather than a new standard to add to ISO 27001.</p>
<p>Another challenge is geo-location, which may play into regulatory compliance; here we provide the ability to geo-locate the customer’s data.</p>
<p>But on the other end, governments have their duty to look at the cloud from a risk-based approach. It is not about “we cannot do it because of…” nor is it about jumping into the cloud because it seems tempting &#8211; it is about sound risk management to bridge the gap between technology and the business:</p>
<p><em>For security, agencies must approach the cloud thoughtfully, with an unwavering commitment to evaluate threats, assess risks, and define security requirements in order to ensure risks are managed at acceptable levels.</em></p>
<p><strong>2. Identity and Access Management</strong></p>
<p>Since the publication of the <a href="http://www.microsoft.com/endtoendtrust" target="_blank">End to End Trust</a> paper, we have stated that running an interoperable and federated identity metasystem is key for the future. This is even more true in the cloud. However, when we talk about all these new concepts, we should not forget that most of our customers struggle with the basic processes &#8211; not necessarily with technology. When it comes to identity, Scott references it towards the end as one of the key areas to look into:</p>
<p><em>Today, there are over 1.8 billion Internet users in the world, or more than 26% of the population. Internet users continue to grow at over 19% year over year, yet the mechanisms to provide identity, authentication, and attribution in cyberspace do not yet meet the needs of citizens, enterprises, or governments in traditional computing environments or for the cloud. The lack of trust online stems in part from our inability to manage online identities effectively. The cloud only amplifies the need for more robust identity management to help solve some of the fundamental security and privacy problems inherent in current Internet systems.</em></p>
<p><em>Cyber attacks are facilitated by the anonymity and lack of traceability of the Internet; malicious actors in cyberspace must be convinced that either the cost of their actions is not worth the return on investment or that there is a real chance of attribution and punishment. Mandating robust authentication for some Internet uses — such as accessing critical infrastructures — while ensuring anonymity at other times (e.g., when citizens want to access public information) can help strike the right balance between security and privacy. Modern identity systems increasingly permit users to provide elements of their identity without having to provide more information than is required for a given transaction. Additionally, in appropriate cases, hardware, software and data should be authenticated as well.</em></p>
<p>To be very clear (even though Scott already is), let me reinforce our position: it is not about authenticating everybody as strongly as possible. We need the right balance between authentication and anonymity. A key role here is played by the option to use only selected attributes of my identity when I use the Internet (e.g. my age or my nationality). For a lot of services, this may well be good enough.</p>
<p><strong>3. Service Integrity</strong></p>
<p>If you are a customer, you have to understand how your services are engineered and operated. How can you otherwise assume the responsibility you have according to what we said above? Or even better: how can you trust a provider otherwise? Well, there is security and privacy in this, and Scott just gives a high-level overview of what we do there:</p>
<p><em>Any analysis of the cloud must start with the technology that powers it. Microsoft has long recognized the importance of building secure and reliable software, and we devote considerable resources to ensuring the quality of our software, including adherence to the Security Development Lifecycle (SDL). The SDL consists of continuously evolving processes and tools designed to reduce the number and severity of vulnerabilities in software products and ensure appropriate and agile response when necessary. Importantly, in the context of discussing providers’ responsibilities in the cloud, it should be noted that the SDL considers and accounts for risks related to the environment in which the application will run (e.g., client computers, on-premises services, or the cloud). Thus, the SDL ensures that Microsoft cloud services are developed using secure development practices.</em></p>
<p><em>Online service providers can use a variety of technologies and procedures to help protect personal information from unauthorized access, use, or disclosure. Microsoft’s software development teams apply the “PD3+C” principles, defined in the SDL, throughout the company’s development and operational practices </em>(PD3+C means Privacy by Default, Privacy by Design, Privacy in Deployment and Communication)</p>
<p>But it is not “only” about these processes, it is about constant learning as well:</p>
<p><em>The integrity of cloud providers — including their personnel — is increasingly important, because the scale and scope of their actions can be exponentially increased in the cloud. Microsoft engineers are required to complete state-of-the-art training on many technology topics, including security and privacy, to help them keep pace with an ever-changing industry.</em></p>
<p>This is all good. I just do not think that the industry will finally move to that level unless there is market pressure, as there is a need by governments and customers all across the globe:</p>
<p><em>The government also should require that providers from which it procures cloud computing services meet the government’s operational requirements for security, privacy and reliability. As threats continue to evolve, it remains critically important that cloud providers demonstrate secure development practices and transparent response processes for their applications. More broadly, the government should, wherever practicable, ensure that the technologies it procures, acquires, and uses are built and maintained in accordance with industry best practices for secure development.</em></p>
<p><strong>4. Endpoint Integrity</strong></p>
<p>As the testimony was about the cloud, he touched on that a tiny little bit but not deeply.</p>
<p><strong>5. Information Protection</strong></p>
<p>Our basic claim in our paper is that you should move to the cloud once you understand your data. You have to know your classified data and understand what can be moved where. Scott was fairly clear here:</p>
<p><em>Agencies’ current struggles to identify, manage, or account for security of data and systems are not immediately solved by integrating cloud services.</em></p>
<p>I guess, that this is not only true for the US…</p>
<p>So what does this mean in conclusion? Well, Scott put it this way: <em>The Information Age has arrived and the cloud is ready for the government, but in many respects, the government is not yet ready for cloud computing.</em> Again, this is about the US government, but my experience across EMEA shows that this is true for almost all governments. Key pieces of a sound security strategy are missing: implementation of data classification schemas, a clear understanding of an identity strategy, etc. I usually summarize it by saying that a Cybersecurity Agenda or Program is missing. Surprising to me was that governments often know about this and are open to accepting help – one of the reasons why we are again increasing the coverage of senior security people across the globe.</p>
<p>Additionally, it is really time to collaborate in a partnership between governments to start with, but also between governments and the private sector. These <em>collaborative efforts should focus on promoting transparency around cloud computing providers’ security, privacy, and reliability practices and, in turn, helping to ensure that users can make informed choices</em>.</p>
<p>If you think about the cloud keep this in mind:</p>
<p><em>The success of this transition depends on two factors: (1) the ability to adapt and advance information security programs and to communicate requirements to agencies’ cloud providers; and (2) the ability of cloud providers to meet customers’ requirements with sufficient transparency to ensure that requirements for security, privacy, and reliability are met appropriately.</em></p>
<p><em>The alignment and understanding of responsibility in the cloud requires greater transparency from both cloud providers and cloud customers (including enterprises and governments). The more precise and transparent we are, the greater the trust we will build, and the greater opportunity we create.</em></p>
<p>People in my community, called Chief Security Advisors, are present in almost 30 countries to help governments and customers address key challenges and questions in this security space. But to be clear upfront: we do not have all the answers, nor do we claim to have them (and honestly, I do not even think that we in the industry already know all the questions <img class="wlEmoticon wlEmoticon-smile" style="border-style: none;" src="http://www.halbheer.info/security/wp-content/uploads/2010/07/wlEmoticonsmile1.png" alt="Smile" />).</p>
<p>Roger</p>



<p>Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud' rel='bookmark' title='Permanent Link: Customer Stories: Why it is not THAT easy to move to the Cloud'>Customer Stories: Why it is not THAT easy to move to the Cloud</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/11/insider-threat-of-cloud-computing' rel='bookmark' title='Permanent Link: Insider Threat of Cloud Computing'>Insider Threat of Cloud Computing</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration' rel='bookmark' title='Permanent Link: Why Google Won&rsquo;t Beat Microsoft on Cloud Collaboration'>Why Google Won&rsquo;t Beat Microsoft on Cloud Collaboration</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Raid against Piracy</title>
		<link>http://www.halbheer.info/security/2010/06/22/raid-against-piracy</link>
		<comments>http://www.halbheer.info/security/2010/06/22/raid-against-piracy#comments</comments>
		<pubDate>Tue, 22 Jun 2010 19:59:35 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Piracy]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Legislation]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/06/22/raid-against-piracy</guid>
		<description><![CDATA[There seem to be policy organizations being serious about fighting piracy! Hungary, actually with 41% pirated software “not even that bad”, seems to be really serious. But before, let me just take those 41% up for a second: This means &#8230; <a href="http://www.halbheer.info/security/2010/06/22/raid-against-piracy">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/04/06/piracy-and-legal-consequences' rel='bookmark' title='Permanent Link: Piracy and Legal Consequences'>Piracy and Legal Consequences</a></li>
<li><a href='http://www.halbheer.info/security/2009/10/14/software-piracy-a-threat-to-security' rel='bookmark' title='Permanent Link: Software Piracy &#8211; A Threat to Security!'>Software Piracy &#8211; A Threat to Security!</a></li>
<li><a href='http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database' rel='bookmark' title='Permanent Link: A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?'>A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>There seem to be policy organizations that are serious about fighting piracy! Hungary, which with 41% pirated software is actually “not even that bad”, seems to be really serious. But first, let me take those 41% up for a second: this means that 41% of the work you do is stolen. I think that is a significant negative impact on the economy.</p>
<p>Anyway, the Hungarian police just tore a huge BitTorrent network apart: <a href="http://torrentfreak.com/police-raids-tear-apart-hungarian-bittorrent-scene-100618/" target="_blank">Police Raids Tear Apart Hungarian BitTorrent Scene</a>. As I understand it, this does not really target the software market but the entertainment industry; still, they seem to be fairly serious. Besides the servers they seized, this is to me a very strong signal to people using pirated copies that this is not just cool but a real criminal act.</p>
<p>Interesting to see how this will move on.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/22/raid-against-piracy/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of International Collaboration&#8211;Even in Exercises</title>
		<link>http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises</link>
		<comments>http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises#comments</comments>
		<pubDate>Wed, 16 Jun 2010 01:51:21 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises</guid>
		<description><![CDATA[One of the biggest challenges in Critical Infrastructure Protection or Incident Response is collaboration. Collaboration between the public and the private sector as the private sector is most often running the critical infrastructure; collaboration between different governments as well as &#8230; <a href="http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database' rel='bookmark' title='Permanent Link: A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?'>A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/23/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-1' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 1'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 1</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/21/analysis-of-the-estonian-attacks' rel='bookmark' title='Permanent Link: Analysis of the Estonian Attacks'>Analysis of the Estonian Attacks</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>One of the biggest challenges in Critical Infrastructure Protection or Incident Response is collaboration: collaboration between the public and the private sector, as the private sector is most often running the critical infrastructure; and collaboration between different governments, as incidents do not tend to stop at a country&#8217;s border.</p>
<p>Now, planning for such a collaboration is one thing, but actually trying out whether the collaboration really works is another. Just testing whether all the communication channels come up and can be established is hard by itself.</p>
<p>The US has already been running exercises called “Cyberstorm” to test collaboration and plans within the US. Now it seems that they are planning to extend that: <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1514918,00.html" target="_blank">Next Cyberstorm exercise to stress international cooperation on security</a>. This is a great development, and it will be interesting to see what the results will be.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Notebook searches at a country border</title>
		<link>http://www.halbheer.info/security/2010/06/14/notebook-searches-at-a-country-border</link>
		<comments>http://www.halbheer.info/security/2010/06/14/notebook-searches-at-a-country-border#comments</comments>
		<pubDate>Mon, 14 Jun 2010 11:08:24 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1555</guid>
		<description><![CDATA[I guess you still know the discussions a while ago where it was made public that notebooks can be searched without suspicion when you cross the border to the US. Actually the truth is, that this can happen everywhere as &#8230; <a href="http://www.halbheer.info/security/2010/06/14/notebook-searches-at-a-country-border">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2008/05/20/schneier-on-us-customs-notebook-searches-do-not-follow-the-rules' rel='bookmark' title='Permanent Link: Schneier on US Customs Notebook Searches: Do not follow the rules'>Schneier on US Customs Notebook Searches: Do not follow the rules</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud' rel='bookmark' title='Permanent Link: Legal Challenges of International Business and the Cloud'>Legal Challenges of International Business and the Cloud</a></li>
<li><a href='http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database' rel='bookmark' title='Permanent Link: A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?'>A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>I guess you still remember the discussions a while ago when it was made public that notebooks can be searched without suspicion when you cross the border into the US. Actually, the truth is that this can happen everywhere, as far as I understand. To be clear: I am not a lawyer, I am an engineer. However, when I discussed this with a lawyer, he explained to me that anything I carry with me when I cross a border can be searched – something we got used to, no? The notebook is just part of the “anything” in the statement above.</p>
<p>So, the nervousness is really about the customs officer keeping a notebook and getting access to the data. This is scary, but again, is this any different from carrying paper across the border? Except for the sheer volume, basically, if you carry confidential documents across any country’s border, the customs officer can search you and have a look at your papers.</p>
<p>So far so good, but it seems that some customs officers took their time when they actually wanted to search a notebook – a few months up to a year. They simply kept it. Now a court in the US has ruled that this is illegal: <a href="http://news.cnet.com/8301-13578_3-20007315-38.html" target="_blank">Judge limits DHS laptop border searches</a>.</p>
<p>So, while the search at entry is still acceptable due to the points I made above, the confiscation of a computer for a longer period of time seems to be illegal. It will be interesting to see how this develops.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/14/notebook-searches-at-a-country-border/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should the Government be able to enforce security updates?</title>
		<link>http://www.halbheer.info/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates</link>
		<comments>http://www.halbheer.info/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates#comments</comments>
		<pubDate>Sun, 13 Jun 2010 08:59:05 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[International]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1552</guid>
		<description><![CDATA[This is actually an interesting question. A lot of governments enforce rules and regulations on how you have to run your car, how often you have to check it, in which condition you have to keep your tires etc. The &#8230; <a href="http://www.halbheer.info/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database' rel='bookmark' title='Permanent Link: A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?'>A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises' rel='bookmark' title='Permanent Link: The Importance of International Collaboration&ndash;Even in Exercises'>The Importance of International Collaboration&ndash;Even in Exercises</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/21/analysis-of-the-estonian-attacks' rel='bookmark' title='Permanent Link: Analysis of the Estonian Attacks'>Analysis of the Estonian Attacks</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>This is actually an interesting question. A lot of governments enforce rules and regulations on how you have to run your car, how often you have to check it, the condition in which you have to keep your tires, etc. The same is true for a lot of other devices we are using.</p>
<p>Now, it seems that the US just passed <a href="http://www.nextgov.com/nextgov/ng_20100610_9392.php?oref=topstory" target="_blank">a bill to give the president the power to order companies to deploy security updates or block a certain type of traffic</a>. I understand where this is coming from: you need some level of authority if your critical infrastructure is under attack. Here, a lot of governments rely on the collaboration of the different players. The US seems to go one step further. Honestly, I am not completely sure whether I like it or not. It has a lot of pros and cons.</p>
<p>What is your view?</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Source and Hackers</title>
		<link>http://www.halbheer.info/security/2010/06/09/open-source-and-hackers</link>
		<comments>http://www.halbheer.info/security/2010/06/09/open-source-and-hackers#comments</comments>
		<pubDate>Wed, 09 Jun 2010 11:45:32 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[OpenSource]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1543</guid>
		<description><![CDATA[The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about &#8230; <a href="http://www.halbheer.info/security/2010/06/09/open-source-and-hackers">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2008/05/20/the-debate-on-security-metrics' rel='bookmark' title='Permanent Link: The Debate on Security Metrics'>The Debate on Security Metrics</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/08/1541' rel='bookmark' title='Permanent Link: We Need Solid and Strong Transparent Processes for the Cloud'>We Need Solid and Strong Transparent Processes for the Cloud</a></li>
<li><a href='http://www.halbheer.info/security/2010/08/24/the-importance-of-application-security' rel='bookmark' title='Permanent Link: The Importance of Application Security'>The Importance of Application Security</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>The debate is probably as old as the Open Source software development model: which one is more secure, Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to do, as I do not really believe in the value of such a debate.</p>
<p>However, it is always interesting to see who looks at this debate, and how. Does it help security if everyone can see the code, or does it help the attackers? We have a program which we call the <a href="http://www.microsoft.com/resources/sharedsource/gsp.mspx" target="_blank">Government Security Program</a>, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area of cyberwar or cyber espionage. Looking at that debate, Open Source would be even worse, as it means access for everybody.</p>
<p>Now, I just read this article: <a href="http://www.technologyreview.com/computing/25480/?a=f" target="_blank">Open-Source Could Mean an Open Door for Hackers</a>. It is about a paper looking at data from Intrusion Detection Systems, and its finding is that <em>flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software.</em> An interesting statement in light of the fact that we know there are more vulnerabilities in Open Source software than in shared source, and fairly often this is because of the lack of processes enforced to engineer security into the product from the beginning.</p>
<p>Another thing which is important to me is <em>&#8220;As defenders get out their patches, the attackers have more incentive to move on to a different exploit,&#8221; Ransbotham </em>[the author of the paper] <em>says.</em> In other words, having a strong incident response (besides the engineering process) is at least as important.</p>
<p>This should be something the industry adopts. We made our engineering process, called the <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a>, public, and I think our incident response is widely known as well as being a best practice. So, this is something people should finally come to adopt.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/09/open-source-and-hackers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do we Need Special Laws?</title>
		<link>http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws</link>
		<comments>http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws#comments</comments>
		<pubDate>Wed, 02 Jun 2010 09:26:18 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1539</guid>
		<description><![CDATA[Well, yes we need Cybersecurity Legislation without doubt but sometimes the legislator goes too far in my opinion. I read this article this morning: Use Google Street View Maps &#38; Serve More Time. I quote: The state legislature in the &#8230; <a href="http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database' rel='bookmark' title='Permanent Link: A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?'>A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) &ndash; Key Messages'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) &ndash; Key Messages</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud' rel='bookmark' title='Permanent Link: Legal Challenges of International Business and the Cloud'>Legal Challenges of International Business and the Cloud</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>Well, yes, we need Cybersecurity Legislation without doubt, but sometimes the legislator goes too far in my opinion. I read this article this morning: Use Google Street View Maps &amp; Serve More Time. I quote: <em>The state legislature in the U.S. state of Louisiana has passed a law adding extra time for committing a crime with an online map</em>. So, you get one more year if you use an online map in preparing your crime. So, what about using pictures you can find on the Internet? What about other uses of technology to prepare a crime? This simply gets too complex in my opinion.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
