<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Cloud</title>
	<atom:link href="http://www.halbheer.info/security/tag/cloud/feed" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.info/security</link>
	<description>I am the Worldwide Chief Security Advisor for Microsoft and would like to discuss Information Security</description>
	<lastBuildDate>Thu, 09 Sep 2010 12:29:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>E-Mail&#8211;The Low Hanging Fruit for the Cloud?</title>
		<link>http://www.halbheer.info/security/2010/08/16/e-mailthe-low-hanging-fruit-for-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/08/16/e-mailthe-low-hanging-fruit-for-the-cloud#comments</comments>
		<pubDate>Mon, 16 Aug 2010 09:06:01 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cost]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/16/e-mailthe-low-hanging-fruit-for-the-cloud</guid>
		<description><![CDATA[I am convinced that there are workloads that can and should be moved to the Cloud, for security reasons as well as for economic reasons. E-Mail might well be the first one of them. There is a good post on &#8230; <a href="http://www.halbheer.info/security/2010/08/16/e-mailthe-low-hanging-fruit-for-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>I am convinced that there are workloads that can and should be moved to the Cloud, for security reasons as well as for economic reasons. E-Mail might well be the first one of them.</p>
<p>There is a good post on that: <a href="http://technet.microsoft.com/en-us/magazine/ff924918.aspx" target="_blank">Editor&#8217;s Note: Email, the Lowest-Hanging Fruit of the Cloud</a></p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/08/16/e-mailthe-low-hanging-fruit-for-the-cloud/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Doing the right thing on ID management isn&#8217;t enough&#8230;</title>
		<link>http://www.halbheer.info/security/2010/07/16/doing-the-right-thing-on-id-management-isnt-enough</link>
		<comments>http://www.halbheer.info/security/2010/07/16/doing-the-right-thing-on-id-management-isnt-enough#comments</comments>
		<pubDate>Fri, 16 Jul 2010 19:55:17 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Identity]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/16/doing-the-right-thing-on-id-management-isnt-enough</guid>
		<description><![CDATA[Even though it might be obvious, compliance is not only about protecting data but about protecting identities as well – and more. Jon Collins, Freeform Dynamics, whom I value highly, wrote a good article: Doing the right thing on ID management isn&#8217;t &#8230; <a href="http://www.halbheer.info/security/2010/07/16/doing-the-right-thing-on-id-management-isnt-enough">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>Even though it might be obvious, compliance is not only about protecting data but about protecting identities as well – and more. Jon Collins, Freeform Dynamics, whom I value highly, wrote a good article: <a href="http://www.theregister.co.uk/2010/07/16/id_management_compliance/" target="_blank">Doing the right thing on ID management isn&#8217;t enough&#8230;</a> – you should read it!</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/16/doing-the-right-thing-on-id-management-isnt-enough/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Computing: Benefits and Risks of Moving Federal IT into the Cloud</title>
		<link>http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud#comments</comments>
		<pubDate>Tue, 06 Jul 2010 13:14:28 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud</guid>
		<description><![CDATA[On July 1st, Scott Charney, Corporate Vice President Trustworthy Computing, testified at a hearing of the House Committee on Oversight and Government Reform. The hearing was on the benefits and risks of Cloud adoption for the US government. If &#8230; <a href="http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>On July 1st, Scott Charney, Corporate Vice President Trustworthy Computing, testified at a hearing of the House Committee on Oversight and Government Reform. The hearing was on the benefits and risks of Cloud adoption for the US government. If you are interested in reading his full testimony, you will find it <a href="http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-82-95/0724.MicrosoftStatement_2D00_ScottCharney_2D00_House_2D00_OGR.PDF" target="_blank">here</a>. Additionally, Scott published a blog post on <a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2010/07/01/creating-trust-for-the-government-cloud.aspx" target="_blank">Creating Trust for the Government Cloud</a>. Both articles are definitely worth reading if you have the time.</p>
<p>I tried to look at it from the angle of the generic framework we developed this January, when we released our <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Security Considerations Whitepaper</a>. I have used the content of the paper fairly often in the past few months, and it resonates very well because the considerations it raises are simple yet complete. Basically we talk of five areas of consideration:</p>
<ol>
<li><strong>Compliance and Risk Management</strong>: <em>Compliance requirements can be fulfilled by a <strong>skilled internal team</strong> and a certain level of <strong>process transparency</strong> by the cloud provider(s). </em></li>
<li><strong>Identity and Access Management</strong>: <em>Any digital identity system for the cloud has to be <strong>interoperable</strong> across different organizations and cloud providers and based on strong processes.</em></li>
<li><strong>Service Integrity</strong>: <em>The provider should follow a <strong>clear, defined, and provable process</strong> to integrate security and privacy in the service from the beginning and for the whole lifecycle</em> and <em>The service delivery capabilities of the provider and the security management and auditing needs of the customer must be aligned</em>.</li>
<li><strong>End Point Integrity</strong>: <em>It is very important to <strong>include the end point</strong> in any security consideration for cloud-based services</em>.</li>
<li><strong>Information Protection</strong>: <em><strong>Implemented Data Classification</strong> helps to decide which data is ready for the cloud, under which circumstances, and with which controls</em>.</li>
</ol>
<p>As Scott was not addressing a general audience but the government, he took a different angle and talked about the key responsibilities of the Cloud providers and the government, and where responsibilities are shared. Let me take some quotes from Scott’s note and frame them in the model above.</p>
<p><strong>1. Compliance and Risk Management</strong></p>
<p>The area where I struggle most is that too many customers out there (private and public sector) think that they can outsource a problem and then they are done. “Let’s move part of our IT to the cloud and then the cloud provider ensures our compliance” – and the industry often supports this behavior by telling the customer that they should look at it like a bank: Give us all your money and you do not have to care anymore – well, recent developments in the economy showed that not even this is true! This approach works only in fairytales.</p>
<p>Scott said in that respect:</p>
<p><em>Of course, the fact that a customer has transferred these responsibilities to the cloud provider — and may even have transferred legal liability by contract — is not the end of the matter. For example, citizens ultimately may hold a government accountable if data is lost or stolen, or critical data is not available when needed, notwithstanding any cloud provider agreement. Thus, a government may remain “accountable” to its constituents when an incident occurs, notwithstanding any contractual apportionment of responsibility. That said, as the federal government becomes a customer of cloud services, it must be clear about its requirements — and cloud providers must be responsible for meeting those requirements.</em></p>
<p>I am personally convinced that the cloud provider needs to show a certain level of transparency in order to help the customer be compliant. The level of transparency depends on different factors, such as whether you are operating in a private or a public cloud, your requirements etc. In Scott’s words:</p>
<p><em>Defining how responsibilities for security, privacy, and reliability are allocated — and creating sufficient transparency about this allocation — represent new challenges. Both customers and cloud providers must understand their respective roles and be able to communicate compliance requirements and controls across the spectrum of services available in the cloud.</em></p>
<p>The interesting challenge now is to clarify who takes what kind of responsibility in this. It is clearly the responsibility of the customer to have a team of people, as I mentioned above, to ensure compliance and proper risk management across all the systems they operate. However, this does not mean that the cloud provider does not carry any responsibility – the contrary is the case.</p>
<p><em>The importance of assuring the confidentiality, integrity, and availability of customer data and operations is not new, but cloud computing does have the effect of shifting the responsibility (in whole or in part) for these areas to cloud service providers. Providers must rise to this new reality and provide commensurate levels of assurance for their customers.</em></p>
<p>Usually this is the point where people start to ask what we do to help here. Instead of summarizing this myself, I will use Scott’s words again:</p>
<p><em>Microsoft addresses this challenge through our holistic approach for managing security, privacy, and reliability that is designed to meet or exceed customer requirements. Our approach includes three cross-cutting functions to manage physical, personnel, and IT security: (1) utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business; (2) maintaining and updating a detailed set of security controls that mitigate risk; and (3) operating a compliance framework that ensures controls are designed appropriately and are operating effectively. </em></p>
<p>In order to prove our processes, Microsoft Online Services is ISO 27001:2005 and SAS 70 Type I and Type II certified &#8211; Microsoft’s online Information Security Program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005. To be clear: I understand the limitations of these certifications; however, to my knowledge there is nothing in the market which does a better job. In my opinion we should start thinking about security metrics rather than a new standard to add to ISO 27001.</p>
<p>Another challenge is geo-location, which may play into regulatory compliance; here we provide the ability to geo-locate the customer’s data.</p>
<p>On the other hand, governments have a duty to look at the cloud with a risk-based approach. It is not about “we cannot do it because of…” nor is it about jumping into the cloud because it seems tempting &#8211; it is about sound risk management to bridge the gap between technology and the business:</p>
<p><em>For security, agencies must approach the cloud thoughtfully, with an unwavering commitment to evaluate threats, assess risks, and define security requirements in order to ensure risks are managed at acceptable levels.</em></p>
<p><strong>2. Identity and Access Management</strong></p>
<p>Since the publication of the <a href="http://www.microsoft.com/endtoendtrust" target="_blank">End to End Trust</a> paper, we have stated that running an interoperable and federated identity metasystem is key for the future. This is even more true in the cloud. However, when we talk about all these new concepts, we should not forget that most of our customers struggle with the basic processes &#8211; not necessarily with technology. When it comes to identity, Scott references it towards the end as one of the key areas to look into:</p>
<p><em>Today, there are over 1.8 billion Internet users in the world, or more than 26% of the population.  Internet users continue to grow at over 19% year over year, yet the mechanisms to provide identity, authentication, and attribution in cyberspace do not yet meet the needs of citizens, enterprises, or governments in traditional computing environments or for the cloud. The lack of trust online stems in part from our inability to manage online identities effectively. The cloud only amplifies the need for more robust identity management to help solve some of the fundamental security and privacy problems inherent in current Internet systems.</em></p>
<p><em>Cyber attacks are facilitated by the anonymity and lack of traceability of the Internet; malicious actors in cyberspace must be convinced that either the cost of their actions is not worth the return on investment or that there is a real chance of attribution and punishment. Mandating robust authentication for some Internet uses — such as accessing critical infrastructures — while ensuring anonymity at other times (e.g., when citizens want to access public information) can help strike the right balance between security and privacy. Modern identity systems increasingly permit users to provide elements of their identity without having to provide more information than is required for a given transaction. Additionally, in appropriate cases, hardware, software and data should be authenticated as well.</em></p>
<p>To be very clear (even though Scott already is), let me reinforce our position: It is not about authenticating everybody as strongly as possible. We need the right balance between authentication and anonymity. The option to use only attributes of my identity (e.g. my age or my nationality) when I use the Internet plays a key role in this. For a lot of services, this may well be good enough.</p>
<p><strong>3. Service Integrity</strong></p>
<p>If you are a customer, you have to understand how your services are engineered and operated. How can you otherwise assume the responsibility you have according to what we said above? Or even better: How can you trust a provider otherwise? Well, there is security and privacy in this, and Scott just gives a high-level overview of what we do there:</p>
<p><em>Any analysis of the cloud must start with the technology that powers it. Microsoft has long recognized the importance of building secure and reliable software, and we devote considerable resources to ensuring the quality of our software, including adherence to the Security Development Lifecycle (SDL). The SDL consists of continuously evolving processes and tools designed to reduce the number and severity of vulnerabilities in software products and ensure appropriate and agile response when necessary. Importantly, in the context of discussing providers’ responsibilities in the cloud, it should be noted that the SDL considers and accounts for risks related to the environment in which the application will run (e.g., client computers, on-premises services, or the cloud). Thus, the SDL ensures that Microsoft cloud services are developed using secure development practices.</em></p>
<p><em>Online service providers can use a variety of technologies and procedures to help protect personal information from unauthorized access, use, or disclosure. Microsoft’s software development teams apply the “PD3+C” principles, defined in the SDL, throughout the company’s development and operational practices </em>(PD3+C means Privacy by Default, Privacy by Design, Privacy in Deployment and Communication).</p>
<p>But it is not “only” about these processes, it is about constant learning as well:</p>
<p><em>The integrity of cloud providers — including their personnel — is increasingly important, because the scale and scope of their actions can be exponentially increased in the cloud. Microsoft engineers are required to complete state-of-the-art training on many technology topics, including security and privacy, to help them keep pace with an ever-changing industry.</em></p>
<p>This is all good. I just do not think that the industry will finally move to that level unless there is market pressure, as there is a need from governments and customers all across the globe:</p>
<p><em>The government also should require that providers from which it procures cloud computing services meet the government’s operational requirements for security, privacy and reliability. As threats continue to evolve, it remains critically important that cloud providers demonstrate secure development practices and transparent response processes for their applications. More broadly, the government should, wherever practicable, ensure that the technologies it procures, acquires, and uses are built and maintained in accordance with industry best practices for secure development.</em></p>
<p><strong>4. Endpoint Integrity</strong></p>
<p>As the testimony was about the cloud, he touched on that a tiny little bit but not deeply.</p>
<p><strong>5. Information Protection</strong></p>
<p>Our basic claim in our paper is that you should move to the cloud once you have understood your data. You have to know your classified data and understand what can be moved where. Scott was fairly clear here:</p>
<p><em>Agencies’ current struggles to identify, manage, or account for security of data and systems are not immediately solved by integrating cloud services.</em></p>
<p>I guess that this is not only true for the US…</p>
<p>What does this now mean as a conclusion? Well, Scott put it this way: <em>The Information Age has arrived and the cloud is ready for the government, but in many respects, the government is not yet ready for cloud computing.</em> Now again, this is for the US government, but my experience across EMEA shows that this is true for almost all governments. Key pieces of a sound security strategy are missing: implementation of data classification schemas, a clear understanding of an identity strategy, etc. I usually summarize it as a missing Cybersecurity Agenda or Program. What surprised me was that governments often know about this and are open to accepting help – one of the reasons why we are increasing the coverage of senior security people across the globe again.</p>
<p>Additionally, it is really time to collaborate in a partnership, between governments to start with, but also between governments and the private sector. These <em>collaborative efforts should focus on promoting transparency around cloud computing providers’ security, privacy, and reliability practices and, in turn, helping to ensure that users can make informed choices</em>.</p>
<p>If you think about the cloud, keep this in mind:</p>
<p><em>The success of this transition depends on two factors: (1) the ability to adapt and advance information security programs and to communicate requirements to agencies’ cloud providers; and (2) the ability of cloud providers to meet customers’ requirements with sufficient transparency to ensure that requirements for security, privacy, and reliability are met appropriately.</em></p>
<p><em>The alignment and understanding of responsibility in the cloud requires greater transparency from both cloud providers and cloud customers (including enterprises and governments). The more precise and transparent we are, the greater the trust we will build, and the greater opportunity we create.</em></p>
<p>People in my community, called Chief Security Advisors, are present in almost 30 countries to help governments and customers to address key challenges and questions in this security space. But to be clear upfront: We do not have all the answers nor do we claim to have them (and honestly, I do not even think that we in the industry already know all the questions <img class="wlEmoticon wlEmoticon-smile" style="border-style: none;" src="http://www.halbheer.info/security/wp-content/uploads/2010/07/wlEmoticonsmile1.png" alt="Smile" />)</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/06/cloud-computing-benefits-and-risks-of-moving-federal-it-into-the-cloud/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why Google Won&#8217;t Beat Microsoft on Cloud Collaboration</title>
		<link>http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration</link>
		<comments>http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration#comments</comments>
		<pubDate>Sun, 27 Jun 2010 13:49:00 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Competition]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration</guid>
		<description><![CDATA[Well, it is not me saying that, it is actually Clint Boulton, eWeek. He published an article on 10 Reasons Why Google Won&#8217;t Beat Microsoft in Cloud Collaboration and they are: Microsoft Is Big, Getting Bigger Local Still Preferable? Microsoft &#8230; <a href="http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>Well, it is not me saying that, it is actually <a href="http://www.eweek.com/cp/bio/Clint-Boulton/" target="_blank">Clint Boulton</a>, eWeek. He published an article on <a href="http://www.eweek.com/c/a/Cloud-Computing/10-Reasons-Why-Google-Wont-Beat-Microsoft-in-Cloud-Collaboration-823604/" target="_blank">10 Reasons Why Google Won&#8217;t Beat Microsoft in Cloud Collaboration</a> and they are:</p>
<ol>
<li><em>Microsoft Is Big, Getting Bigger</em> </li>
<li><em>Local Still Preferable?</em> </li>
<li><em>Microsoft Now Lives in the Cloud</em> </li>
<li><em>Bang for the Buck Lies with Microsoft</em> </li>
<li><em>Serena Said It and Did It</em> (Serena moved from Microsoft to Google Apps and then came back to our Cloud solution) </li>
<li><em>Limited Browser</em> </li>
<li><em>Customer Service</em> </li>
<li><em>Enterprise?</em> </li>
<li><em>Google Billboards?!</em> </li>
<li><em>Good Enough</em> </li>
</ol>
<p>I do not agree with all the points, but what is really interesting to me is that he does not really talk about security. I am convinced that there are a few areas where the solutions of the different cloud providers have to be compared, such as the security and transparency of the way the Cloud is run (e.g. we are ISO 27001 certified), the ability to federate identities from on-premise to the Cloud (ask your provider), monitoring and management from the client to the server on premise to the cloud…</p>
<p>I am convinced that this discussion will change fairly soon as well!</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lies, Damned Lies and the &#8220;Gone Google&#8221; Calculator</title>
		<link>http://www.halbheer.info/security/2010/06/16/lies-damned-lies-and-the-gone-google-calculator</link>
		<comments>http://www.halbheer.info/security/2010/06/16/lies-damned-lies-and-the-gone-google-calculator#comments</comments>
		<pubDate>Wed, 16 Jun 2010 13:56:19 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Competition]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/06/16/lies-damned-lies-and-the-gone-google-calculator</guid>
		<description><![CDATA[An interesting post (by a Microsoft employee) on the Google cost calculator. An interesting read on the way they compete…. Lies, Damned Lies and the “Gone Google” Calculator Roger Related posts:Why Google Won&#8217;t Beat Microsoft on Cloud Collaboration This is &#8230; <a href="http://www.halbheer.info/security/2010/06/16/lies-damned-lies-and-the-gone-google-calculator">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>An interesting post (by a Microsoft employee) on the Google cost calculator. An interesting read on the way they compete….</p>
<p><a href="http://blogs.technet.com/b/whymicrosoft/archive/2010/06/15/lies-damned-lies-and-the-gone-google-calculator.aspx" target="_blank">Lies, Damned Lies and the “Gone Google” Calculator</a></p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/16/lies-damned-lies-and-the-gone-google-calculator/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We Need Solid and Strong Transparent Processes for the Cloud</title>
		<link>http://www.halbheer.info/security/2010/06/08/1541</link>
		<comments>http://www.halbheer.info/security/2010/06/08/1541#comments</comments>
		<pubDate>Tue, 08 Jun 2010 11:17:25 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Engineering]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1541</guid>
		<description><![CDATA[This morning I was reading an article called Google seeks to assure customers on cloud security practices on ComputerWeekly. I had to read this – obviously . It references a paper written by the Google Security Officer called Security Whitepaper: &#8230; <a href="http://www.halbheer.info/security/2010/06/08/1541">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>This morning I was reading an article called <a href="http://www.computerweekly.com/Articles/2010/06/07/241467/Google-seeks-to-assure-customers-on-cloud-security-practices.htm" target="_blank">Google seeks to assure customers on cloud security practices</a> on ComputerWeekly. I had to read this – obviously :-). It references a paper written by the Google Security Officer called <a href="http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//a/help/intl/en/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf" target="_blank">Security Whitepaper: Google Apps Messaging and Collaboration Products</a>. So, I read through it and to me it reflects – unfortunately – the state a lot of Cloud providers are in. Google (and not only Google, to be fair) shows how good the physical security of their datacenter is, how they apply access control, monitoring, patch management etc. To me, these are the kind of standard security practices which I expect them to follow. It is just interesting that, to my knowledge, Google does not hold an ISO 27001 certification yet – but this is more of a side note.</p>
<p>What really struck me is that they do not talk about their engineering practices at all. They always talk about <em>Secure Programming</em> or <em>Implementation Level Security</em> – this is not the whole story, as we at Microsoft learned the hard way. It is not about the code as such, and if I had to choose between looking at the code and looking at the engineering practices, I would choose the latter. A good product is “just” the outcome of a good process, something we learned in engineering at the university when I was there. So, looking into the code is just the smaller part of the story.</p>
<p>Bearing that in mind, I actually searched for the engineering practices they have and actually found them: <em>Google’s Engineering organization does not require Product Development teams to follow a specific software development process; rather, teams choose and implement processes that fit the project’s needs. As such, a variety of software development processes are in use at Google, from Agile Software Development methodologies to more traditional, phased processes. </em>If I learned one thing during my whole security career, then it is that you need fairly strong processes to ensure security – be it on the network or in the design of applications.</p>
<p>That’s the reason we have our <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a> in place. Do not get me wrong, this will not lead to perfect security, as there is no such thing as perfect security. However, I am definitely convinced that looking at product security makes less sense than looking into the process by which the product was engineered. Knowing that it is a requirement for governments, Common Criteria targets the result and not the process.</p>
<p>Therefore, statements like: <em>Designed in-house from the ground up, Google’s production servers are based on a stripped and hardened version of Linux that has been customized to include only the components necessary to run Google applications, such as those services required to administer the system and serve user traffic. The system is designed for Google to be able to maintain control over the entire hardware and software stack and to help provide a secure application environment. </em>would not really make me feel any better in the light of what I wrote above.</p>
<p>We as an industry should definitely put more emphasis on the development lifecycle rather than on code security and the product as such &#8211; I am clear that secure programming as well as tools for static code analysis are important too and not to be forgotten.</p>
<p>Rather than re-invent the wheel, I would ask Google (and others) to join <a href="http://www.safecode.org/" target="_blank">SafeCode</a> which exactly targets the process/engineering approach.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/08/1541/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity in the Cloud</title>
		<link>http://www.halbheer.info/security/2010/05/25/identity-in-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/05/25/identity-in-the-cloud#comments</comments>
		<pubDate>Tue, 25 May 2010 19:38:10 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Architecture]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Identity]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1535</guid>
		<description><![CDATA[Kim Cameron, one of our key identity architects had an interesting presentation on identity in the cloud and a corresponding interview. Both are worth looking at if you are planning to move into the direction of the cloud. Especially as &#8230; <a href="http://www.halbheer.info/security/2010/05/25/identity-in-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>Kim Cameron, one of our key identity architects had an interesting presentation on identity in the cloud and a corresponding interview. Both are worth looking at if you are planning to move into the direction of the cloud. Especially as it is definitely one of the key challenges:</p>
<p>This is Kim&#8217;s presentation:</p>
<p>[Embedded video: Kim's presentation (Silverlight player)]</p>
<p>If you want his slides, <a href="http://download.microsoft.com/documents/uk/msdn/architecture/architectinsight/2010/KEY25_Beyond_The_Laws_London.ppt" target="_blank">here they are</a>.</p>
<p>And finally he was interviewed after the presentation. It gives you more insights into our thoughts around identity and identity federation:</p>
<p><a href="http://ecn.channel9.msdn.com/o9/ch9/6/5/8/5/4/5/TAKIMCAMERON_ch9.wmv" target="_blank">[Embedded video: interview with Kim Cameron (WMV)]</a></p>
<p>Remember, from my point of view, identity processes, management and federation are key ingredients for a successful cloud strategy.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/05/25/identity-in-the-cloud/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://ecn.channel9.msdn.com/o9/ch9/6/5/8/5/4/5/TAKIMCAMERON_ch9.wmv" length="213446461" type="video/x-ms-wmv" />
		</item>
		<item>
		<title>Customer Stories: Why it is not THAT easy to move to the Cloud</title>
		<link>http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud#comments</comments>
		<pubDate>Wed, 19 May 2010 09:30:19 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud</guid>
		<description><![CDATA[As you know from my postings on Cloud and security and the paper on the Cloud Security Considerations we wrote, I am convinced that there are five areas you should look at, when you try to migrate to the &#8230; <a href="http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>As you know from my postings on Cloud and security and the paper on the <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Security Considerations</a> we wrote, I am convinced that there are five areas you should look at when you try to migrate to the Cloud:</p>
<ol>
<li>Compliance and Risk Management </li>
<li>Identity and Access Management </li>
<li>Service Integrity </li>
<li>Endpoint Integrity </li>
<li>Information Protection </li>
</ol>
<p>The details on these five points are in the paper above. However, I was missing customer stories on that. I had a lot of discussions with customers and they all agreed on the model, but I did not have many customers who were ready to talk about these challenges publicly. </p>
<p>Recently we published some customer stories, which are worth looking at – even though they are “just” Microsoft case studies.</p>
<p>Let’s start with <a href="http://msexchangeteam.com/archive/2010/05/17/454897.aspx" target="_blank">Why Phaeton Automotive Chose Exchange 2010</a>: There were a few statements which struck me (those are customer quotes, not ours). The customer said that <em>We&#8217;d been using Google Apps to manage employee messaging and collaboration needs but wanted better security and privacy. Google Apps was inadequate in meeting business needs.</em> I do not want to challenge Google’s security. What I want to show here is that obviously the customer moved to the cloud “just trusting” that the provider will solve their security challenges – see Consideration #1 above. Even #2 was violated: <em>It didn&#8217;t allow single sign-on service, user migration and couldn&#8217;t help us centrally manage multiple domains.</em></p>
<p>When we move on to <a href="http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000006660" target="_blank">Rexel: Electrical Distributor Picks Proven Microsoft Messaging Technology over Google Apps</a>, we see consideration #3 kicking in: <em>With Exchange Online, we knew that we were not taking major risks. Google has less experience in the corporate world, and I don’t think it makes sense to take risks that you can avoid</em>. </p>
<p>Last but not least, Serena: <a href="http://blogs.technet.com/msonline/archive/2010/05/18/customer-story-why-serena-software-is-going-with-bpos.aspx">Customer Story: Why Serena Software is Going with BPOS</a>. It is again about the service delivery and service integrity: <em>They deliver trustworthy, enterprise-class solutions – with the performance, security, privacy, reliability and support we require. We know that Microsoft is a leader in the providing these kinds of solutions, and in our discussions with them, it became clear that they are 100% committed to Serena’s success and delivering solutions that drive the future of collaboration</em></p>
<p>So, it seems that these considerations are really important. We did not look at #5 – Information Protection which is the absolute base for any cloud implementation. You have to understand what you want to move to which implementation of the cloud and which cloud provider.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Virtual Keynotes &#8211; Do we always have to travel?</title>
		<link>http://www.halbheer.info/security/2010/05/04/virtual-keynotes-do-we-always-have-to-travel</link>
		<comments>http://www.halbheer.info/security/2010/05/04/virtual-keynotes-do-we-always-have-to-travel#comments</comments>
		<pubDate>Tue, 04 May 2010 08:20:00 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Green]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/05/04/virtual-keynotes-do-we-always-have-to-travel</guid>
		<description><![CDATA[The week before the last one, it happened to me – like it happened to thousand of other travelers all across the globe: I got stranded. Luckily for me I should have been flying out from home rather than flying &#8230; <a href="http://www.halbheer.info/security/2010/05/04/virtual-keynotes-do-we-always-have-to-travel">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>The week before the last one, it happened to me – like it happened to thousands of other travelers all across the globe: I got stranded. Luckily for me I should have been flying out from home rather than flying home, and being “stuck” at home is much easier to handle :-) </p>
<p>At least for me. I was actually to fly to Croatia to keynote a huge customer event and hold a session on Cloud Security in addition – and I was still at home. Therefore we decided to do something which we always talk about but rarely really implement: I did the keynote on LiveMeeting – we used the Cloud. </p>
<p>It was an interesting experience. In the past I only did LiveMeetings with customers, therefore more a 1:many meeting, only once before I did a large audience. What did I/we learn?</p>
<ul>
<li>For non-English literate people, it is harder to follow the presentation on slides and video compared to me being on stage. </li>
<li>I am not seeing the audience, so I am talking to the camera. Something the people working in TV probably are used to – I am not. The audience basically could have left the room without me noticing it… </li>
<li>In large audiences you need somebody running the event and moderating questions on site. </li>
<li>It worked really, really well and the customers were fairly impressed by this. </li>
</ul>
<p>To me, there is the question why we do not do that more often. Instead of flying in to a country in the afternoon of a given day, having a customer meeting in the morning and flying back home in the afternoon, I could have breakfast with the family in the morning, have the customer meeting in my home office and have lunch with the kids when they come from school. That saves a lot of money, a lot of energy and CO2…</p>
<p>Often it is just a matter of wanting to do it. As soon as we do not find a date where we can physically meet, we do it on LiveMeeting and realize – for a lot of cases, it just works.</p>
<p>Therefore let’s save money and energy and leverage technology much, much more!</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/05/04/virtual-keynotes-do-we-always-have-to-travel/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Detailed Analysis of an Attack &#8211; Do We Need an International Incident Sharing Database?</title>
		<link>http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database</link>
		<comments>http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database#comments</comments>
		<pubDate>Wed, 21 Apr 2010 12:46:34 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database</guid>
		<description><![CDATA[I recently came across a paper called Shadows in the Cloud, which is actually a follow-up report of Tracking GhostNet: Investigating a Cyber Espionage Network, an investigation of the attacks on the office of the Dalai Lama and some governmental &#8230; <a href="http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>I recently came across a paper called <a href="http://www.shadows-in-the-cloud.net" target="_blank">Shadows in the Cloud</a>, which is actually a follow-up report of <a href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network" target="_blank">Tracking GhostNet: Investigating a Cyber Espionage Network</a>, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the privilege to investigate those attacks: the Information Warfare Monitor and the Shadowserver Foundation.</p>
<p>Even though the report has been out for quite some weeks, I think it makes sense to dig into it here as there are a few fairly remarkable conclusions and statements in there. One of the key things we should think about globally is an <strong>International Incident Sharing Database</strong> (see the end of the post).</p>
<p><strong>Sharing and Collaboration</strong></p>
<p>If you are a regular reader of my blog posts, you know that I am a big supporter of international collaboration and I am clear about the need for a common set of rules to establish this collaboration. If you read through the paper, you see in different areas that they were challenged during the investigation. On page 8 they state that <em>On our side, we felt unsure about the protocol around information sharing, and were in an awkward position to be able to give information over to governments and affected parties directly without being entirely clear about whom would be responsible and whether or not our interlocutors were appropriate authorities. The notification problems around Ghostnet informed our approach to the Shadows in the Cloud investigation, including being more conscious from the outset of documenting our notification procedures.</em> Think about that for a second. You investigate a security incident e.g. in your company. During the investigation you realize that you are not the only victim but that there are others, be it companies or governments. What do you do with this information? Whom do you contact? How can you be sure that this information gets into the right hands? A fairly hard question to answer and finally, what kind of information are you allowed to pass on? Additionally, <em>Information sharing, generally speaking, is immature and underdeveloped, often hampered by proprietary concerns surrounding the commercial market for cyber security services (page 10)</em> and <em>Information sharing among victims of network intrusions and espionage is rare (page 10).</em> Well, what I see fairly often is that incidents do not happen as they are not supposed to happen. Rarely somebody talks openly about what happened to them.</p>
<p>In order to combat such attacks, the legal collaboration is key (again <img src='http://www.halbheer.info/security/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> ). As otherwise,<em> it points to the possibility of a perfect storm that may result from a lack of international consensus, ill-developed and implemented security practices, a paucity of notification mechanisms, and the growing confluence of cyber crime, traditional espionage, and the militarization of cyberspace (page 10).</em> This simply tells us that we will lose the fight without international legal collaboration and harmonization as well as the willingness of the public and the private sector to share information.</p>
<p><strong>Technology</strong></p>
<p>From a technical perspective, they started to use Internet-based services. For example, they used Twitter to control the botnet as well as free mail services like Gmail and free blog services like Baidu. This is to enhance the command and control infrastructure of a botnet, something I was never aware of but which is actually a logical enhancement of what we know already. The next point, when it comes to technology, is the software they seem to have exploited: <em>We observed the group using PDF, PPT, and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003 </em>– old software, software which was designed to cope with completely different threats than the ones existing today! And even if they decided to stay on the previous versions: <em>The Microsoft Word 2003 and PowerPoint 2003 files were mostly older exploits, which have been circulating in the underground hacker community for some time. </em>In other words: It is about patch management again… But to be fair, they fell victim to some vulnerabilities in PDF which were not patched at the time of the attack.</p>
<p><strong>Source</strong></p>
<p>Finally let’s think about the people behind the attacks. It is a joint understanding that the attacks originated from China. The Chinese government was accused of being the source behind it but they denied it and it has never been proven otherwise. Generally – not only in China – it can be expected that there is a close collaboration between governments and the hacking or as the report states: <em>The degrees of the reported relationship vary between “authorize” to “tacit consent” to “tolerate” (Henderson 2007b).</em></p>
<p><strong>Conclusions</strong></p>
<p>What can we learn from the report? Actually nothing new, it just reinforces my view of the world:</p>
<ul>
<li>We have to be better at <strong>sharing incident information</strong>. This has two sides: One is between victims. There has to be a way (and, honestly, I do not have a solution yet) to find the right contact within a government or an organization to help them understand that they were attacked. </li>
<li>We need smooth and fast <strong>international legal collaboration</strong>. This has to be based on a solid harmonized legislation. </li>
<li>There are two calls when it comes to your software maintenance: Make sure you are on the latest version of your software and make sure you are patched. <strong>Patch Management</strong> is one of your fundamental processes in your organization! </li>
</ul>
<p>And now to the final point I have been thinking of for quite a while. The airline industry suffered initially from quite some technical incidents. The way the industry finally dealt with it was to establish a sharing of incident information (as well as near misses) and a global body taking care of the airline safety (and the willingness of the governments to collaborate and share). The same actually started now in certain countries in the healthcare sector. </p>
<p>When it comes to Information Security we all deny incidents unless they become public – because we fear an impact on our reputation. We have to start thinking differently. We need a place where we are able to (anonymously?) file incidents which happened or ways somebody was attacked to be shared between security professionals. That’s the only way where we can learn collectively and increase the pace of the products becoming better at defending and security professionals improve their skills in protecting the critical information. The critical question is who can own such a database? It has to be an organization which is trusted internationally and therefore cannot be state-owned. It could be an international association or an inter-governmental organization. Ideas are very welcome as I am convinced that there is a huge need for an <strong><u>International Incident Sharing Database</u></strong>.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
