The Forgotten Part of Cloud Security – the Clients

Most of the conversations I have about cloud computing focus on the role of cloud providers to manage the security of the services they provide to their customers.  It seems like implementing security controls, providing visibility into those controls, and ensuring services meet or exceed standards and compliance requirements are themes that are top of mind for most of the customers I talk to. I think the reason for this is that some cloud computing architectures, like software as a service, offer customers the opportunity to offload many of the aforementioned security responsibilities to their cloud providers.  But I rarely hear anyone talk about the residual risk in this arrangement.  The obvious place to look for residual risk is the management of the clients used to access cloud services.  I have written about the consumerization of IT and Bring Your Own Devices (BYOD) in the past, and how many Chief Information Security Officers (CISOs) are being challenged to evolve their strategies for protecting their organizations’ assets. One great source of data to help CISOs, CSOs, security and IT professionals understand this risk is the Microsoft Security Intelligence Report (SIR).  This report is released twice per year and contains hundreds of pages of threat intelligence that help risk managers understand the strategies and tactics that attackers are using to try to compromise systems and steal confidential information.  Many organizations that I talk to around the world use the data and analysis in the report to inform their security efforts. Today we released the latest volume of the SIR, volume 12, containing data and analysis on:

  • Latest industry vulnerability disclosure trends and analysis
  • Latest data and analysis of global vulnerability exploit activity
  • Latest trends and analysis on global malware and potentially unwanted software
  • Latest analysis of threat trends in more than 100 countries/regions around the world
  • Latest data and insights on how attackers are using spam and other email threats
  • Latest global and regional data on malicious websites including phishing sites, malware hosting sites and drive-by download sites
  • “Advanced persistent threats” or APT – redefining this term and providing advice on a holistic security strategy to help manage the risk this category of threat poses, informed by Microsoft’s experience defending its assets against targeted attacks by determined adversaries.

Whether you have moved all of your IT operations to the cloud, manage everything on premise, or are somewhere between these two scenarios, don’t forget about the security of all the parts of your IT operations. I encourage you to download the new SIR and take full advantage of the new research it contains as well as the hundreds of pages of threat intelligence.  Please feel free to download the report and watch related videos at

About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more »