Cloud Computing – Cyber Trust Blog
In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance
Tue, 24 May 2016 16:21:04 +0000

Estonia leading the way in driving digital continuity for government services
Tue, 24 May 2016 16:19:02 +0000

We are at the threshold of unprecedented value creation for industry and society, driven by the accelerating pace of change enabled through digital technology. Whether it is about bringing together patient records so they can be shared quickly for better patient outcomes, or reimagining connectivity and predictive maintenance for cars to meet the expectations of road safety, digital transformation is changing how we work and live.

Called the Fourth Industrial Revolution, this significant disruption of traditional industries is fueled by speed, the falling cost of technology and how quickly companies are growing. There is broad agreement that the economic opportunity from digital transformation could be as high as $100 trillion across all industries over the next decade. But this impact is broader than economics alone. For instance, governments must also consider the unique role they play in communities – literally holding the keys to the city, powering the grids, administering the most critical public systems. And it’s not just about implementing this or that technology to improve services, but building digital resilience to minimize interruption. Estonia is a great example of a government reinventing its systems. Microsoft is a proud partner.

Long considered a member of the Public Sector “Digital Masters,” Estonia continuously demonstrates a transformative vision. From embracing incubation and innovation, to trying out new ideas in a thoughtful, bold and measured way, stuff happens first in Estonia.

After exploring the broad concept of a digital “data embassy” (the focus of a joint Phase I research project), Estonia and Microsoft were interested in advancing strategic Information and Communications Technology (ICT) principles around “digital continuity.” In the face of natural or man-made interference, could cloud capabilities enhance digital resilience of government services? The Estonian Chief Information Officer and Microsoft set the course to find out.

In the process of this joint research project, we chose to evaluate the technical and policy aspects of “failing over” a critical government service in Microsoft Azure in the event of a disruption – part of a core element of meeting the needs of an advanced digital society and innovative government. Microsoft and the Estonian Ministry of Economic Affairs and Communications assessed the Estonia Land Register, the official digital record of land ownership in Estonia. Could the records be migrated to, and hosted on, the Microsoft Azure cloud computing platform? What technical and policy questions needed to be considered? Today, we published a video and our Proof of Concept findings in a Summary Report.

The Summary Report concludes with six recommendations for any government considering cloud computing. We continue to evaluate some of the harder questions about the operational requirements needed to support effective migration to the public cloud, and about how to build trust in it.

Microsoft is delighted to participate in, learn from, and co-lead research projects such as this one, with the Estonia CIO and team. Public-private partnerships can advance digital transformation for governments, in turn, helping them better serve their citizens, empower their employees, optimize operations and transform their societies.

Microsoft Trust Center adds new cloud services and certifications
Tue, 19 Apr 2016 14:00:26 +0000

The Microsoft Trust Center is expanding, and today we’re adding more of our enterprise cloud services—Microsoft Commercial Support, Microsoft Dynamics AX, and Microsoft Power BI. These services join Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365 in the Trust Center.

Additionally, we are adding two new compliance attestations, ENS in Spain and FACT in the UK. These two new certifications, added to those announced in March—CS Mark in Japan and MPAA— bring our total to 37—the most comprehensive of any major cloud service provider in the world.

We launched the Trust Center in November 2015 to create a central point of reference for cloud trust resources and to detail our commitments to security, privacy and control, compliance, and transparency. It is here that we document our adherence to international and regional compliance certifications and attestations, and lay out the policies and processes that Microsoft uses to protect your privacy and your data. Here, too, you’ll find descriptions of the security features and functionality in our services as well as the policies that govern the location and transfer of the data you entrust to us.

The new Microsoft compliance certifications and attestations include:

  • ENS. The Esquema Nacional de Seguridad (National Security Framework) in Spain provides ICT security guidance to public administrations and service providers. Microsoft was the first cloud service provider to receive the ENS certification—for Azure and Office 365.
  • FACT. The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on physical and digital security to protect against the theft of intellectual property. Azure was the first multitenant public cloud to achieve FACT certification.
  • MPAA. Azure was the first hyperscale cloud provider to comply with the Motion Picture Association of America guidance and control framework for the security of digital film assets.
  • CS Mark. The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Azure for IaaS and PaaS, and Office 365 for SaaS.

The Trust Center website reflects the principles that underpin our products and services:

  • Security. Get an overview of how security is built into the Microsoft Cloud from the ground up, with protection at the physical, network, host, application, and data layers so that our online services are resilient to attack.
  • Privacy and control. Get visibility into our datacenter locations worldwide, data access policies, and data retention policies, backed with strong contractual commitments in the Microsoft Online Services Terms.
  • Compliance. Here you’ll find comprehensive information on Microsoft Cloud certifications and attestations such as EU Model Clauses, FedRAMP, HIPAA, ISO/IEC 27001 and 27018, PCI-DSS, and SOC 1 and SOC 2. Each compliance page provides background on the certification, a list of compliant services, and detailed information such as implementation guides and best practices.
  • Transparency. The Microsoft Cloud is built on the premise that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled. You’ll find a summary of the policies and procedures here.

Visit the Microsoft Trust Center.

Microsoft Trusted Cloud Security Summit
Wed, 13 Apr 2016 23:41:30 +0000

Earlier this month, Microsoft hosted its third Trusted Cloud Security Summit in Washington DC. The event brought together a wide range of security stakeholders from the different Microsoft cloud offerings and over 100 federal department and agency participants, particularly those looking to adopt the FedRAMP High baseline, such as the Department of Homeland Security, Federal Bureau of Investigation, Department of Justice, State Department, the Treasury and the Food and Drug Administration, amongst others. The interest in the event reflected the broader US government prioritization of cybersecurity, which was underlined by the announcement made by President Obama in February introducing the new Cybersecurity National Action Plan.

Ensuring the security of government agencies using cloud technologies follows a similar vein and has been central to the government since the introduction of the Cloud First policy in 2011. The Federal Risk and Authorization Management Program, better known as FedRAMP, was developed shortly thereafter and has for a number of years served as a process which provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud services. The original process supported migration of low and moderate impact workloads to the cloud and has helped many government agencies make that critical move. However, that has not been the case for some of the more critical services.

The FedRAMP High baseline aims to provide a higher categorization level for confidentiality, integrity and availability of cloud services; i.e. for those considered critical to government operations. While the High baseline addresses only 20% of government information and systems, it comprises over 50% of federal IT spend, reflecting a significant cost savings potential when migrating these workloads to the cloud. The pilot we participated in represented the last step in a year-long effort to develop the High baseline. The draft baseline has already been through two rounds of public comment and review from a Tiger Team from across multiple federal agencies.

Since FedRAMP was established, Microsoft has worked closely with the FedRAMP program management office to ensure our Federal cloud solutions meet or exceed public sector security, privacy and compliance standards. Our March Summit established that this has not changed: it confirmed Microsoft as one of only three cloud service providers included in the FedRAMP High Baseline pilot and, at that point, on track to achieve the appropriate level. Building on the FedRAMP authorization, Azure Government is also on track to achieve the DISA Level 4 authorization shortly, covering unclassified data that requires protection against unauthorized disclosure or other mission-critical data (i.e. controlled unclassified data).

The event itself examined the development process of the FedRAMP High Baseline, as well as its impact on federal cloud adoption. Matt Goodrich, Director for FedRAMP in GSA’s Office of Citizen Services and Innovative Technologies (OCSIT), talked about how the revision of the process will benefit both providers and the government, for example by limiting the certification time and providing more transparency, predictability and risk focus upfront through a focus on core capabilities instead of an exclusively controls-centric approach.

The Summit also served to examine some of Microsoft’s security capabilities that address other federal government cloud security priorities, including DOD’s FedRAMP+ and DHS’s Trusted Internet Connections programs. While both initiatives leverage the original FedRAMP process, they add unique requirements for providers to demonstrate additional levels of assurance and operational visibility, capabilities that Microsoft’s cloud offerings can meet today.

For more on the security announcement made by Azure on the day, take a look at Matt Rathbun’s (Cloud Security Director, Azure) blog here.

What’s The Art of War got to do with cybercrime? Quite a bit, actually.
Mon, 11 Apr 2016 17:37:12 +0000

Sun Tzu wrote that mastery in the art of war is about subduing one’s enemy without having to fight. As the modern world contends with increasingly sophisticated cyberattacks from both criminal and political adversaries, this 2500-year-old cliché is key to enterprise security strategy.

Today, the “bad guys” of the Internet are both professional in their business tactics and entrepreneurial in how they leverage opportunity. They’re well-organized and use a mature supply chain. They’re operating cloud-based services offering bots, exploit kits, and more. Cybercrime as a Service (CaaS) shares many of the features of legitimate enterprises, and cyber warfare has become as much about business as it is about malfeasance.

The variety and frequency of attacks can make defending against cybercrime feel like a Sisyphean effort, but understanding the motivations and socio-economic model of modern cybercrime provides practical insight to protect, detect, and respond to likely attacks.

Know the adversary

There are many sorts of criminals who use the Internet for chaos and profit. The lone “haxx0r” trying his “leet skillz” against the establishment is still a relevant trope, but most of today’s cybercriminals operate in increasingly sophisticated teams.

  • Non-professional hackers. Non-professional hackers tend to use cobbled-together kits and communicate in open forums. Success is often due to luck as much as skill, but it only takes one breach to cause hundreds of millions of dollars in damage to a vulnerable enterprise.
  • Black hat hackers. These are the industrial-grade hackers who combine business expertise with technical prowess to create and use CaaS services. Their customers are other black hats, non-professionals, state-sponsored groups, and some rogue ones. Black hat hackers underpin a multibillion-dollar Dark Web economy that crosses borders and trades in compromised and stolen data.

Motives of malicious hackers can range from theft for barter and profit to professional fame or even a vendetta. Understanding these motives is to your advantage. If you can increase the level of effort required to breach your network and reduce or eliminate the attacker’s potential ROI, then you decrease interest in your system as a target for cybercrime.

Survey the battlefront

The Dark Web is both marketplace and delivery system for cybercrime activities, though to be clear, not everyone using the Dark Web is engaged in commercial/criminal hacking. The appeal of not being tracked lures many to anonymity networks (such as Tor) where activities include peer-to-peer file sharing, black market trafficking, political organizing, and so on. Anonymity and untraceability make the Dark Web the environment of choice to run botnets and buy and sell CaaS services.

Black hat hacking methods might vary based on a region or culture, but globalization is as much a factor in production, labor, and monetization patterns of CaaS as it is for legitimate multinational enterprises.

Recon enemy tactics

From exploit kits to ransomware, the products and services of CaaS are numerous and evolving. Cybercriminals use attack methods that are elusive by default and designed to exploit their target’s specific vulnerabilities. For a deep dive on black hat methodology, read “Understanding Cybercrime,” a Microsoft white paper. Here are some common CaaS services:

  • Exploit kits. Black hats buy and sell kits that target software vulnerabilities to infect PCs and devices with malware.
  • Anti-AV. These are services that allow cybercriminals to distribute malware without fear of being detected by commercial anti-virus products.
  • Breaching services. Black hats buy and sell tools and hacking services for breaching websites and company systems.
  • Compromised account data. Black hats can sell any of the assets they steal, or trade in stolen data among second- and third-party cybercrime entities.

Craft a defensive strategy

Another warfare truism is that the attacker only needs to succeed once, while the defender must succeed every time. Therefore, the goal in cybersecurity is not about being able to fight attacks from all comers; instead, it’s about making your enterprise so difficult or costly to attack that cybercriminals prefer to look elsewhere.

  • Examine your company’s business model and infrastructure from an adversary’s point of view. What do you have that might appear valuable to an attacker? Profile the type of person or organization who might have the motive, means, and opportunity to attack your interests.
  • Think through what would happen in the event of a data breach. An “assume breach” strategy emphasizes breach detection, incident response, and effective recovery. “Wargame” potential scenarios to fine-tune your defenses, so you’re able to respond quickly to threats and minimize impact.
  • Remember that people are both your greatest asset and your biggest potential liability. Social engineering (i.e., exploiting human nature) is one common way that black hats attack businesses and individuals. Identify points of vulnerability in regular human processes, such as when people switch between work and personal activities on devices. Train your teams to be smart and empowered defenders.

By the way, you might want to check out a test that Microsoft developed to help identify stack defense against attacks in the wild. Find out where your company’s gaps are and where you’re overdefended.

Last but not least, cultivate alliances

Business leaders sometimes worry that moving business processes to the cloud will increase vulnerability to cybercrime threats, but the reverse is actually true. At the risk of stretching the military strategy analogy, businesses defending themselves against cybercrime are more effective when they share intelligence, work together to contain enemy resources, and coordinate countermeasures.

CISOs must consider pros and cons when it comes to outsourcing data defense strategy, but walling in the enterprise is seldom a viable solution. (Military history is full of examples showing how well walls work. Which is not very.) Stay on top of threat intelligence through information security groups such as the Information Sharing and Analysis Center (ISAC) specific to your industry.

And it’s good to have help. At Microsoft, our Trusted Cloud commitment to enterprise customers is founded in 30+ years of studying malicious hacking and developing technology to defend against it. We have end-to-end expertise deploying on-premises and cloud-based networking solutions, infrastructure, and formal processes.

The Microsoft Digital Crimes Unit (DCU), in partnership with international law enforcement and global cybersecurity experts, works to discern patterns across the cloud, across industries, and across borders for comprehensive threat modeling, which enables us to develop predictions about cybercriminal behavior. In addition to disrupting cybercrime, the DCU focuses on child protection and preserving intellectual property rights. Read how the Microsoft DCU fights cybercrime in “Digital Detectives.”

To paraphrase The Art of War, success in battle comes from knowing the enemy’s motivations, means, and methods as well as you know your own.

Microsoft Cloud App Security is generally available
Wed, 06 Apr 2016 15:00:16 +0000

Today, we are announcing that Microsoft Cloud App Security is now generally available as the latest addition to the secure platform we are building at Microsoft.

Cloud App Security, based on our Adallom acquisition, is a comprehensive cloud-delivered service built for IT and security teams to help combat one of the top security concerns today: “How can we gain deeper visibility, stronger controls and enhanced protection for cloud apps?”

The solution provides a set of capabilities to help companies design and enforce a process for securing cloud usage, from discovery and investigation capabilities to granular control and protection. It is easy to deploy, set up and use, provides out-of-the-box value immediately, and comes with rich tutorials for unlocking advanced capabilities.

Why do you need Cloud App Security?

Cloud applications are in use by most enterprises today, and we will soon reach the time when more corporate data is stored in the cloud than on-premises. Moreover, everyone is using the cloud, and even companies without official SaaS apps in use have substantial Shadow IT usage of cloud. We know from past customer surveys that over 80% of employees admitted to using unapproved SaaS apps for corporate usage.

Let me share some brand new data from Microsoft Cloud App Security that will help put into perspective the scope of the Shadow IT challenge that many organizations face:

  • On average, each employee uses 17 cloud apps, but many organizations don’t know what is in use, or whether these apps meet security, privacy and compliance requirements
  • In 91% of organizations, employees grant their personal accounts access to the organization’s cloud storage
  • 70% of the organizations allow cloud admin activity from non-corporate, unsecured networks
  • 75% of privileged cloud accounts are not in use. These accounts might be eating up the cost of a license, or worse, increasing the attack surface of the organization
  • On average, an organization shares 13% of its files externally, of which 25% are shared publicly

For security teams, it is important to have deep visibility, strong controls and threat protection for cloud apps. That is why we created Cloud App Security: to provide you with an easy and comprehensive solution so you can gain visibility into your cloud app usage and start controlling it via policy.

Why Microsoft?

As the need for visibility into and control over cloud apps has increased, the market for cloud app security, the Cloud Access Security Broker (CASB) market, has been one of the most active markets in the security space. Over several years, multiple companies have tried to provide an answer to this growing customer need; however, a comprehensive solution has yet to emerge. Today, customers often use only basic discovery capabilities without really leveraging cloud control capabilities. The crux of the matter is that cloud security is a paradigm shift from classic network-based security to something new, and the market is waiting for a solution that can solve the different security issues across identity, device, data and application.

What do you get with Cloud App Security?

  • App Discovery: Cloud App Security identifies all cloud applications in your network—from all devices—and provides risk scoring and ongoing risk assessment and analytics
  • Data Control: With special focus on sanctioned apps, you can set granular controls and policies for data sharing and loss prevention (DLP) leveraging API-based integration. You can use either out-of-the box policies or build and customize your own
  • Threat Protection: Cloud App Security provides threat protection for your cloud applications leveraging user behavioral analytics and anomaly detection

How does the product work?

So let’s get into the details. The product we are announcing today has two main components: discovery of cloud usage in the company using log-based traffic analysis, and granular control for sanctioned apps leveraging API-based integration. They can be deployed and configured within minutes, so easily that we can do it together in this blog:

Step 1: Upload network logs for analysis

As a first step, you grab network logs from any egress network device (see supported list here) and upload a sample log for immediate visibility. You can also configure an automatic collector at a later stage.

Step 2: Connect your sanctioned apps

Connecting an app is an easy one-click process. Simply click the “Connect an app” button and follow the relevant link (see list of supported apps for API integration here). Once you approve access, an OAuth token is created and Cloud App Security starts scanning the cloud app for users, data and activities.

That’s it! In two simple steps, Cloud App Security is connected and working. You can start handling out-of-the-box alerts or experiment with data control policies (more on this on upcoming blogs).
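The log-based discovery behind Step 1, as an added example that is not the page’s or the Cloud App Security product’s own code: it parses constructed proxy-style egress log lines, maps destination hosts to cloud apps through a small catalog, and reports per-app users, request counts and bytes uploaded, flagging every app outside the sanctioned set as Shadow IT. The log format, the app catalog, the risk scores and the sanctioned list are all assumptions made for the example.

```python
"""Log-based cloud app discovery (illustration of Step 1 above).

Added example, not the Cloud App Security parser. The log format is a
constructed, generic forward-proxy style with one request per line; real
egress devices use their own formats. Catalog, risk scores and sanctioned
list are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: "<ts> <user> <src_ip> <method> <url> <bytes_out> <status>"
SAMPLE_LOG = """\
2016-04-06T09:01:12Z alice 10.0.1.15 POST https://api.dropboxapi.com/2/files/upload 5242880 200
2016-04-06T09:02:40Z alice 10.0.1.15 GET https://outlook.office365.com/owa/ 1024 200
2016-04-06T09:05:03Z bob 10.0.1.22 POST https://www.dropbox.com/upload 10485760 200
2016-04-06T09:07:55Z carol 10.0.2.9 PUT https://drive.google.com/upload 2097152 200
2016-04-06T09:08:10Z bob 10.0.1.22 GET https://login.microsoftonline.com/common/oauth2/authorize 512 302
2016-04-06T09:09:31Z dave 10.0.3.4 POST https://filetransfer.example/put 73400320 200
truncated 10.0.9.9 GET
"""

# Constructed catalog: host suffix -> (app name, risk score 0-10, lower is safer)
CATALOG = {
    "dropboxapi.com": ("Dropbox", 6),
    "dropbox.com": ("Dropbox", 6),
    "office365.com": ("Office 365", 1),
    "microsoftonline.com": ("Office 365", 1),
    "drive.google.com": ("Google Drive", 5),
}
SANCTIONED = {"Office 365"}  # constructed: apps the organization has approved


@dataclass
class AppUsage:
    risk: Optional[int]          # None when the host is not in the catalog
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0


def classify_host(host, catalog=CATALOG):
    """Longest-suffix match of host against the catalog; None if unknown."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        hit = catalog.get(".".join(parts[i:]))
        if hit:
            return hit
    return None


def parse_line(line):
    """Return (user, host, bytes_out) or None for lines that don't fit the format."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _ts, user, _src, _method, url, size, _status = fields
    host = urlsplit(url).hostname
    if not host or not size.isdigit():
        return None
    return user, host, int(size)


def discover(log_text, catalog=CATALOG, sanctioned=SANCTIONED):
    """Aggregate usage per app; unknown hosts become their own 'unknown:<host>' app."""
    usage = {}
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed lines are counted, never silently dropped
            continue
        user, host, size = rec
        hit = classify_host(host, catalog)
        name, risk = hit if hit else ("unknown:" + host, None)
        entry = usage.setdefault(name, AppUsage(risk=risk))
        entry.users.add(user)
        entry.requests += 1
        entry.bytes_out += size
    shadow = sorted(n for n in usage if n not in sanctioned)
    return {"apps": usage, "shadow_it": shadow, "skipped_lines": skipped}


if __name__ == "__main__":
    result = discover(SAMPLE_LOG)
    print("Shadow IT apps, largest upload volume first:")
    for name in sorted(result["shadow_it"], key=lambda n: -result["apps"][n].bytes_out):
        a = result["apps"][name]
        risk = "unscored" if a.risk is None else "risk %d" % a.risk
        print("  %-28s %s  users=%d  bytes_out=%d" % (name, risk, len(a.users), a.bytes_out))
    print("skipped lines:", result["skipped_lines"])
```

Apps reported as "unknown:" have no catalog entry and are the first candidates for triage, since an uncatalogued destination receiving large uploads is exactly what a discovery step is meant to surface.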

Without further ado, you are all invited to check it out! Visit our product page at and request a trial. We have detailed technical documentation to help you through the journey!

And of course, we would love to hear any suggestions or feedback you have.

Best Regards,

The Cloud App Security team

IoT webinar covers security tips for expanding interconnections
Mon, 04 Apr 2016 16:24:33 +0000

Cloud computing. Big data. The Internet of Things (IoT). Today, the continuous connection of smart products is unmatched at improving customer connections and providing opportunities for businesses to differentiate their products and services. You can listen to social buzz, see how people are using products and services in real time, and enhance your customers’ experiences with rolling feature updates.

At the same time, the always-on interconnectedness opens up attractive attack vectors for cybercrime and zombie bots. Securing your network and protecting your customers in the IoT landscape presents new complexities, but the good news is that comprehensive and effective defense is not only possible, it’s actually not that hard to acquire. All you need is a new mindset.

We’ll cover that new mindset, along with practical security tips you can use right away, in our upcoming webinar: Are my robots going to attack me? Tips for a secure IoT strategy. Don’t miss it!

Reserve your webinar seat now.

Helping you stay ahead of threats is one of the ways Microsoft puts our Trusted Cloud principles to work for our customers. Because trust in technology is critical, particularly where zombie robots are concerned.

Visit the Trusted Cloud

Cloud Security Alliance Summit 2016: I Survived the Shark Tank
Mon, 21 Mar 2016 18:23:50 +0000

A few weeks back I had the opportunity to speak at the Cloud Security Alliance Summit 2016 held in San Francisco, California. Microsoft was a Platinum sponsor of the event. I participated in a panel discussion on cloud security that focused on lessons learned from a cloud services provider’s point of view. Google, Dropbox, and Rackspace also participated on the panel.

The panel was moderated by Robert Herjavec, CEO of the Herjavec Group and star of ABC’s Shark Tank. Robert was a gracious and fun moderator to work with and I managed to survive the panel without a shark bite!

Also from Microsoft, Bruce Cowper delivered a keynote titled “Trusted Cloud” in which Bruce discussed the gap between how much people trust their on-premises infrastructure and the enterprise cloud services they consume, and examined reasons for the difference.

Tim Rains
Director, Security

The Trusted Cloud: what do privacy and control really mean?
Mon, 21 Mar 2016 13:00:10 +0000

Data is today’s currency. Cloud computing and the Internet of Things are driving a business transformation that measures value in billions of petabytes. The cloud is a powerful game-changer for businesses all over the world, but with that power comes great responsibility. Managing the volume, variety, and disparate sources of data generated through mobile devices and other activities is a global challenge for enterprise.

Unsurprisingly, businesses have many questions about how customer and enterprise data is managed, used, and protected in the cloud. According to a recent Intralinks survey of over 300 IT decision makers, less than half of companies surveyed “monitor user activities and provide alerts to data policy violations,” while only 53 percent “classify information to align with access controls.” And here’s the kicker: a little under half of the surveyed companies have no policies or controls in place to govern access.

Data privacy and access control must be taken together because it’s impossible to meaningfully achieve the one without robustly addressing the other. An organization may set up its cloud with the world’s best security to keep data private, but then fail to use access control policies effectively to prevent data leaks or unauthorized access. From both a technological and a privacy perspective, CIOs and IT leaders must pay attention to how, when, where, and by whom their company’s petabytes may be legitimately accessed. Moreover, they need to manage access control to ensure compliance from legal, risk management, and regulatory standpoints.

The issue has become more urgent since the invalidation of the EU-US Safe Harbor Framework impelled nations as well as businesses and individual citizens to examine the meaning of privacy in data residency regulations around the globe. How government surveillance and law enforcement relate to the access control policies governing private data is a current, evolving concern for enterprise.

This is why we’ve put all of our engineering expertise as well as our industry leadership into the privacy and control commitment that underpins the Microsoft cloud. When you entrust your data to our cloud services, you retain control of the data as well as access to it. Learn how to use access control policies and get technical resources in the Microsoft Trust Center.

What privacy and control mean in the Trusted Cloud

Our Trusted Cloud principles drive our commitment to use customers’ data responsibly, be transparent about our privacy practices, and offer meaningful privacy and control choices to our customers.

You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.

Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.

We don’t use standing access. We’ve engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.

You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.

We protect data from government surveillance. Over several years, we’ve expanded encryption across all our services and reinforced legal protections for customer data. And we’ve enhanced transparency so that you can be assured that Microsoft does not build “back doors” into our products and services, nor do we provide any government with direct or unfettered access to customer data.

Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We’ll attempt to redirect third parties to request customer data directly from the data owner.

Headed to RSA? Here’s your event guide for trust in cloud services
Tue, 16 Feb 2016 19:14:37 +0000

RSA Conference 2016 is fast approaching. The conference agenda is packed to cover the rapidly evolving issues in information security, with trust in cloud computing at the forefront. We’ll be there to lead industry discussions about trust in keynotes, deep-dive sessions and the expo hall.

Since planning your itinerary is a must to get the most out of RSA, here’s a preview of where and when Microsoft Security and Trusted Cloud activities are happening.

Preconference at the CSA Summit

Monday, Feb. 29, 2 p.m.

Leap Day, leap event — if you’re attending the ancillary Cloud Security Alliance (CSA) Summit, check out Microsoft GM Doug Hauger’s Trusted Cloud keynote. He’ll share the results of a recent survey on the “trust gap” between on-premises and cloud services, and examine the factors that shape security leaders’ thinking when they make trust decisions.

Brad Smith’s keynote

Tuesday, March 1, 8:50 a.m.

Trust in the Cloud in Tumultuous Times

We are living in extraordinary times. While the evolution of cloud computing has transformed the way we work, recent geopolitical events have precipitated debates on the roles that governments and industry should play in defending and securing society, and the appropriate balance between security, privacy and the freedom of expression. Join Microsoft President and Chief Legal Officer Brad Smith as he puts modern events into context and discusses a path forward.

Trusted Cloud in North Expo, booth 3505  

Come chat with the Trusted Cloud team at the Microsoft booth in the North Expo. We’ll be there throughout the conference to discuss trust in cloud computing and answer your questions about security, privacy, compliance and transparency.

Microsoft and Trusted Cloud sessions at RSA 2016

Monday, Feb. 29

TCG: Securing the IoT With Trusted Computing 8:30 a.m.–12:30 p.m.

The root of security in the Internet of Things begins with trust, including trusted device identity and secure communications with protection of sensitive information. These foundational elements must come together to provide a more secure IoT solution. In this half-day RSA Conference session, you’ll hear from Microsoft Software Architect Paul England and industry leaders and see demonstrations of IoT security in action.

Tuesday, March 1

Hot Topics in Privacy: A Conversation with Adobe, Google and Microsoft 1:10–2 p.m.

The rapid expansion of social media, mobile devices, sharing culture and the Internet of Things has pushed privacy to the top of consumers’ minds. With the European Data Protection Regulation pending, consumers want control over their data and over breaches of it. There is no end to the privacy issues facing society. Join privacy leaders from Google, Adobe and Microsoft as they explore the hot topics facing the industry.

Bringing Cybersecurity to the Boardroom 3:30–4:20 p.m.

As cybersecurity becomes a more pressing issue to the enterprise, security leaders are finding themselves presenting cybersecurity risks and strategies to a new group: the board of directors. Microsoft CVP and CISO Bret Arsenault will share his learnings on working with boards to provide the right level of risk awareness and to drive informed investments for an enterprise-level cybersecurity program.

Wednesday, March 2

Machine Learning and the Cloud: Disrupting Threat Detection and Prevention 10:20–11:10 a.m.

Machine learning with large data sets gives unprecedented insights and anomaly detection capability. Mark Russinovich, chief technology officer for Microsoft Azure, will explain how Microsoft uses the agility and scale of the cloud to protect its infrastructure and customers. Learn about the application of data mining and machine learning algorithms and security domain learnings to the vast amounts of data and telemetry gathered by its many different systems and services.

SaaS Attacks Happen: How cloud scale changes the security game 10:20–11:10 a.m.

Gain insights into how cloud security engineering is evolving not only to meet the unique risks of SaaS, but to leverage the advantages that this scale and uniformity can offer. Take a behind-the-scenes look at how Office 365 applies these unique SaaS security principles to protect hosted users and organizations from breach.

Tracking Hackers on Your Network With Sysinternals Sysmon 11:30 a.m.–12:20 p.m.

Sysinternals Sysmon is an advanced system monitoring service that logs file manipulation, process and image loading, and other events that can be used to identify the presence of an attacker. Microsoft Azure CTO Mark Russinovich continues his RSA teaching tour with tips and tricks that will help you get the most out of this powerful hacker hunting tool.

Using Cloud-Scale Intelligence to Address Security Challenges 11:30 a.m.–12:20 p.m.

The rise of the cloud brings a new wave of evolution in security challenges. Microsoft CVP and CISO Bret Arsenault and Julia White, Cloud Platform general manager, will suggest new approaches that users and providers of cloud services can take to secure cloud platforms. They’ll examine Microsoft’s role in the world of cloud security, explain how to use cloud-scale security intelligence to improve protection, and discuss how to work with partners to enable additional security tools.  

Thursday, March 3

Managing Complex M&A Security Risks — A Detailed Case Study 9:10–10 a.m.

In this informative talk, Microsoft Director of Information Security & Risk Management Ahmad Mahdi will walk through the step-by-step approach one information security organization took to secure a massive acquisition with a global footprint. The acquisition included thousands of new employees and a myriad of technical, geopolitical and financial considerations.

Deconstructing Identity in Security 9:10–10 a.m.

Identity experts from across the industry — including Kim Cameron, Microsoft chief identity architect and distinguished engineer — will tackle tough questions and offer unique points of view on the role identity plays in security. They will deconstruct what identity means to security by sharing how their companies are building identity into the most popular cloud services in the world, and by showing what can be done to strengthen identity in a borderless world.

Data Classification—Reclaiming Infosec’s Redheaded Stepchild 9:10–10 a.m.

This session will explore the changing role data classification plays in data centric security and why security teams need to own the process.

Cloud Attacks Illustrated: Insights From the Cloud Provider 11:30 a.m.–12:20 p.m.

The past five years have seen remarkable growth in cloud services, and the trend is only growing stronger. As expected, attackers have been fast to respond and adapt their attacks to cloud computing trends. Microsoft’s Craig Nelson, Azure security response manager, and Tomer Teller, senior security research PM, will show you the latest attack surfaces, trends, statistics and vectors that Microsoft has gathered from its own public cloud infrastructure.

Cloud Attacks Illustrated: Insights From the Cloud Provider (Focus-On) 2:10–3 p.m.

Continue the Cloud Attacks Illustrated: Insights from the Cloud Provider topic in a smaller group discussion and Q&A with Craig and Tomer. Note that this discussion-based session is limited to 50 attendees and no new slides will be presented. Admission to this session is first come, first served, so make sure to check the RSA program for scheduling details.

Managing Complex M&A Security Risks — A Detailed Case Study (Focus-On) 2:10–3 p.m.

Continue the earlier Managing Complex M&A Security Risks conversation in a smaller group with Q&A with Ahmad Mahdi. As noted in the Focus-On session above, attendance is limited to 50 and no new slides will be presented. Check the RSA program for details about Focus-On sessions.

Managing Complex M&A Security Risks – A Detailed Case Study (Discussion Session) 2:10–3 p.m.

Continue the Managing Complex M&A Security Risks – A Detailed Case Study conversation in a smaller group discussion and Q&A with the presenter. This session will be discussion based—no new slides will be presented. This session is limited to 50 attendees. Adding a session to your Schedule does not guarantee you a seat. Admission to this session is on a first come, first served basis.

Cloud security controls series: Azure Security Center Fri, 11 Dec 2015 14:00:24 +0000

The “holy grail” of security capabilities that I’ve heard so many CISOs talk about enables them to manage the security of the systems in their organization using a policy-based approach: a single place to monitor which systems meet their security policies and which do not, and help remediating the issues on the non-compliant systems.

Take this policy-based approach a giant step further by augmenting it with cloud-scale security data analytics and credible threat intelligence feeds from Microsoft and trusted third parties, then tightly integrate all of these capabilities with your organization’s identity management strategy and on-premises Security Information and Event Management (SIEM), and the result looks a lot like the security nirvana that so many of the CISOs I know have been asking for.

This is essentially what the new Azure Security Center does; it provides integrated security monitoring and policy management for your Azure resources across your organization’s Azure subscriptions. This is a brand new capability in Microsoft Azure that is now in public preview.

The capabilities of the Azure Security Center have been conveniently categorized into prevention, detection, and response capabilities (I have circled these in red in the screen shot below). I describe this as convenient because it aligns well with the “protect, detect, and respond” security strategy that so many of the enterprise customers I talk to are actively using today.

Policy-based Monitoring
Azure Security Center enables organizations to monitor and manage Azure resources such as virtual machines, networking resources, SQL resources, and applications. Setting a security policy on your Azure subscription and enabling data collection (seen in the screenshot below) will define which security expert recommendations you want to see based on the data and analysis of the security configurations and events collected on your Azure resources.

When data collection is enabled, a data collection agent is automatically installed on each virtual machine in the Azure subscription that the policy applies to. This will enable Azure Security Center to provide a data-driven view of what is happening with all of these resources. You decide where (which Azure region) the data collected on your Azure resources resides in order to maintain any data residency policies your organization might have.

More information on security policies in the Azure Security Center is available in this article: Setting security policies in Azure Security Center.

Security Expert Recommendations
The Azure Security Center periodically analyzes the security state of your Azure resources; the data collected from the virtual machines in your Azure subscription enables Azure Security Center to monitor the state of your Azure resources against the policy and provide you with recommendations for the areas that you specified in the policy. When potential security vulnerabilities are identified, recommendations are created. The recommendations guide you through the process of configuring the security controls that mitigate the vulnerabilities that were identified. This capability will help countless organizations that don’t have full-time security experts on staff.

In the example screen shot below, issues are identified by resource (virtual machines, networking, SQL, applications) and by severity (high, medium, low). From the identified issues, numerous different recommendations are generated and listed.

Here’s a less complicated example. Once I enabled data collection and defined a security policy for my Azure subscription that included “Access Control Lists on endpoints”, a medium severity recommendation appeared in the list of recommendations.

This alerted me to the fact that my virtual machine in Azure had two unprotected endpoints (PowerShell and Remote Desktop) and recommended that Access Control Lists for these ports be implemented (seen in the screen shot below). Clicking on Remote Desktop in the list gave me the opportunity to configure the Access Control List.
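To make the policy-to-recommendation flow concrete, here is an added Python illustration (not Azure Security Center code, and not a description of how the service is implemented): a subscription-level policy selects which checks run, collected virtual machine configuration is evaluated against those checks, and the output is a severity-ranked recommendation list. The VM names, endpoint ports, policy keys, severities and the two extra checks beyond the endpoint-ACL case in the text are constructed for the example.

```python
"""Toy policy-based evaluation of collected resource configuration.

Added illustration, not Azure Security Center code: a policy enables a set of
checks, collected VM data is evaluated against them, and recommendations come
out ranked by severity. All names, ports and policy keys are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    port: int
    acl_rules: list = field(default_factory=list)  # empty list => reachable from any source


@dataclass
class VirtualMachine:
    name: str
    endpoints: list
    antimalware_installed: bool
    missing_updates: int


@dataclass
class Recommendation:
    resource: str
    check: str
    severity: str  # "high" | "medium" | "low"
    detail: str


def check_endpoint_acls(vm):
    """Medium-severity finding when any public endpoint has no ACL restricting its sources."""
    open_eps = [e for e in vm.endpoints if not e.acl_rules]
    if not open_eps:
        return []
    names = ", ".join(f"{e.name} ({e.port}/tcp)" for e in open_eps)
    return [Recommendation(vm.name, "Access Control Lists on endpoints", "medium",
                           f"Unprotected endpoints: {names}; restrict source ranges with an ACL")]


def check_antimalware(vm):
    """High-severity finding when no antimalware extension is present (constructed check)."""
    if vm.antimalware_installed:
        return []
    return [Recommendation(vm.name, "Antimalware", "high", "No antimalware extension is installed")]


def check_system_updates(vm):
    """High-severity finding when the collected inventory reports missing updates (constructed check)."""
    if vm.missing_updates == 0:
        return []
    return [Recommendation(vm.name, "System updates", "high",
                           f"{vm.missing_updates} security updates missing")]


# Policy keys map to the check that implements them.
CHECKS = {
    "Access Control Lists on endpoints": check_endpoint_acls,
    "Antimalware": check_antimalware,
    "System updates": check_system_updates,
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def evaluate(policy, vms):
    """Run only the checks the policy enables; return recommendations sorted by severity, then resource."""
    recs = []
    for check_name, enabled in policy.items():
        if not enabled:
            continue
        check = CHECKS[check_name]
        for vm in vms:
            recs.extend(check(vm))
    recs.sort(key=lambda r: (SEVERITY_RANK[r.severity], r.resource))
    return recs


# Constructed sample data mirroring the post's case: one VM whose PowerShell and
# Remote Desktop endpoints carry no ACL, and one VM that already restricts RDP.
SAMPLE_POLICY = {"Access Control Lists on endpoints": True, "Antimalware": True, "System updates": False}
SAMPLE_VMS = [
    VirtualMachine("web-vm-01", [Endpoint("PowerShell", 5986), Endpoint("Remote Desktop", 3389)], True, 3),
    VirtualMachine("db-vm-01", [Endpoint("Remote Desktop", 3389, acl_rules=["permit 203.0.113.0/24"])], False, 0),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_POLICY, SAMPLE_VMS):
        print(f"[{r.severity.upper():6}] {r.resource}: {r.check} - {r.detail}")
```

Because "System updates" is disabled in the sample policy, web-vm-01's missing updates produce no recommendation until that policy item is switched on; that is the point of the policy step: it controls which expert recommendations you see, not which data is collected.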


More information on security recommendations in the Azure Security Center is available in this article: Implementing security recommendations in Azure Security Center.

Automatically Identifies Threats and Enables Response
A big part of the Azure Security Center’s value proposition is its threat detection and response capabilities. It automatically collects and analyzes log data from Azure resources, network traffic, and partner solutions like firewalls and anti-malware software. It uses this data to detect threats and generate a list of prioritized alerts (seen in the screen shots below).

A closer look at the RDP activity detected in this example reveals the details in the screen shot below. Azure Security Center will make context-aware suggestions on what response actions can help with items in the list. In the case of the suspicious RDP activity this might include actions such as filtering the IP address that is connecting to the system’s RDP port by using a Network ACL or a Network Security Group rule.


Detecting meaningful security events through all the noise generated in a large IT environment is challenging, even in environments that have one or more SIEM systems deployed. Azure Security Center will help security teams cut through the noise to more easily detect threats and material security events that might otherwise appear to be noise or anomalies in logs that have not been aggregated and analyzed.

Azure Security Center can detect and help remediate many types of attacks. Examples include network-based attacks such as Remote Desktop Protocol (RDP) grinding/abuse (seen in the screen shot above) and compromised virtual machines, detected using the large-scale threat intelligence and machine learning capabilities built into Azure Security Center.
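As an added example of the kind of signal behind the suspicious RDP activity and the RDP grinding mentioned above (an illustration written for this page, not the detection logic Azure Security Center uses): the script below parses constructed Windows Security log lines, applies a sliding-window count of failed RemoteInteractive logons per source address to flag grinding, raises the severity when a successful logon from the same source follows the failures, and attaches a context-aware response suggestion of the Network Security Group kind described earlier. Event IDs 4625 and 4624 and logon type 10 are real Windows values; the one-line log format, host names, addresses, window and threshold are constructed.

```python
"""Detect RDP logon grinding in constructed Windows Security log lines.

Added illustration, not Azure Security Center's detection. 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP); these are real
Windows values. The simplified log format and all sample data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-line rendering of Security events (documentation addresses only).
SAMPLE_LOG = """\
2015-12-10T09:00:01 host=web-vm-01 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2015-12-10T09:00:04 host=web-vm-01 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.23
2015-12-10T09:00:07 host=web-vm-01 EventID=4625 LogonType=10 Account=root SourceIP=198.51.100.23
2015-12-10T09:00:09 host=web-vm-01 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2015-12-10T09:00:12 host=web-vm-01 EventID=4625 LogonType=10 Account=backup SourceIP=198.51.100.23
2015-12-10T09:00:15 host=web-vm-01 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2015-12-10T09:00:20 host=web-vm-01 EventID=4624 LogonType=10 Account=administrator SourceIP=198.51.100.23
2015-12-10T09:01:00 host=db-vm-01 EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.10
2015-12-10T09:01:10 host=db-vm-01 EventID=4624 LogonType=10 Account=jsmith SourceIP=203.0.113.10
2015-12-10T09:02:00 host=db-vm-01 EventID=4625 LogonType=3 Account=svc_backup SourceIP=192.0.2.55
this line is not a logon event and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into dicts; unrelated or malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "host": d["host"],
            "event": int(d["event"]),
            "ltype": int(d["ltype"]),
            "account": d["account"],
            "ip": d["ip"],
        })
    return events


def suggest_response(ip, hosts):
    """Context-aware response in the spirit of the post: filter the source at the network layer."""
    return (f"Add a Network Security Group rule denying TCP/3389 from {ip}/32 to {', '.join(hosts)}; "
            "review the accounts attempted and require strong credentials for RDP access")


def detect_rdp_grinding(events, threshold=5, window_seconds=120):
    """Alert on any source IP with >= threshold failed RDP logons inside a sliding window.

    Severity is medium for failures alone and high if a successful RDP logon from
    the same source occurs at or after the last failure in the burst.
    """
    window = timedelta(seconds=window_seconds)
    rdp = sorted((e for e in events if e["ltype"] == 10 and e["event"] in (4624, 4625)),
                 key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in rdp:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event"] == 4625]
        best_count, first, last, start = 0, None, None, 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside window_seconds.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, first, last = count, failures[start]["ts"], failures[end]["ts"]
        if best_count < threshold:
            continue
        hosts = sorted({e["host"] for e in failures})
        success_after = any(e["event"] == 4624 and e["ts"] >= last for e in evs)
        alerts.append({
            "severity": "high" if success_after else "medium",
            "source_ip": ip,
            "hosts": hosts,
            "failed_attempts": best_count,
            "accounts_tried": sorted({e["account"] for e in failures}),
            "first_seen": first,
            "last_seen": last,
            "success_after_failures": success_after,
            "suggested_response": suggest_response(ip, hosts),
        })
    # Prioritize: high severity first, then by volume of failures.
    alerts.sort(key=lambda a: (a["severity"] != "high", -a["failed_attempts"]))
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_grinding(parse(SAMPLE_LOG)):
        print(f"[{a['severity'].upper()}] {a['source_ip']} -> {a['hosts']}: "
              f"{a['failed_attempts']} failed RDP logons, accounts {a['accounts_tried']}")
        print("  response:", a["suggested_response"])
```

The single legitimate user who mistypes a password once (203.0.113.10) stays below the threshold, and the network logon failure (logon type 3) is excluded because it is not RDP; tuning the window and threshold against your own baseline is what keeps this kind of rule from contributing to the noise the text describes.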

More information on security alerts is available in this article: Managing and responding to security alerts in Azure Security Center.

For those organizations that want to export data from Azure, there’s an API available to help do this. I discussed the API and PowerShell script in a previous article on Azure Active Directory’s Access and Usage Reports.

I’m just scratching the surface of the capabilities in the brand new Azure Security Center. I am very excited about its set of capabilities because so many security experts and CISOs will benefit from them.

Here are some more resources for you to learn more about the Azure Security Center:

Azure Security Center now available
Getting started with Azure Security Center
New Azure Security Center helps you prevent, detect, and respond to threats (video)
Azure Security Center videos

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group