2012-11-20

Welcome to November’s Security Newsletter!

During my travels to various security and industry events over the past year, the cloud–and, more specifically, cloud security–continues to be a very important topic of conversation among both technical and business decision makers. Whether they have already adopted the cloud, or are just in the planning stages, companies want to ensure that they can take advantage of the scalability, flexibility, and potential for cost and time savings that the cloud can offer without sacrificing the security of their data, servers, and overall IT infrastructure. That is why this month’s edition is dedicated to the topic of cloud security.

To better understand the concerns, we conducted an international study (http://www.microsoft.com/en-us/news/Press/2012/May12/05-14SMBSecuritySurveyPR.aspx) to help identify the barriers to cloud adoption. The results revealed that 44 percent of security concerns were cited as one of the main barriers to adoption. 61 percent felt that industry standards for cloud security would give them greater confidence and 59 percent say more transparency about the standards is needed. What’s interesting about the study is that it also revealed those who use the cloud spend on average 57 percent less time managing security than businesses that don’t use the cloud. Companies that realize the security benefits of the cloud had more time and money to focus on their core business. What can be difficult for some organizations though is how to conduct a factual assessment of their current IT state and readiness to better understand how their IT state would change with the adoption of a cloud service.

Last month we released a free Cloud Security Readiness Tool (http://www.microsoft.com/trustedcloud), designed to help organizations better understand and improve their current IT states, identify relevant industry regulations based on selected industries, and evaluate whether cloud adoption will meet their business needs. The tool can help IT professionals cut through the complexity of evaluating cloud adoption. The interactive tool consists of 27 questions and takes approximately 10–15 minutes to complete. After completing the survey, users are provided with a custom non-commercial report that provides recommendations on their organization’s current IT state and information to help evaluate the benefits of cloud computing.

The tool builds on the Cloud Security Alliance’s (http://www.cloudsecurityalliance.org/) Cloud Controls Matrix, specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. According to Jim Reavis, executive director of the Cloud Security Alliance, "Organizations want to have a good understanding of how cloud adoption compares to their existing policies, procedures and compliance, and that can be a complex task. In the Cloud Security Alliance, industry leaders have collaborated to develop best practice security guidance and encourage vendor transparency. Microsoft’s Cloud Security Readiness Tool builds on these efforts, providing a tool and custom report enabling organizations to better understand their IT state and more easily evaluate cloud services against critical areas and compliance with common industry standards." The tool is available today and I encourage you to download it and use it as a resource when considering the cloud: http://www.microsoft.com/trustedcloud.

If you are interested in learning more about cloud computing as it relates to compliance, audit and certifications, evaluation standards, process transparency, service level agreements, risk management, incident response and more, then I encourage you to check out our Cloud Fundamentals Video Series (http://blogs.technet.com/b/trustworthycomputing/archive/2012/08/28/cloud-fundamentals-video-series-series-finale.aspx). The series includes interviews with some of Microsoft’s senior leaders responsible for managing Microsoft’s cloud service offerings that support more than 200 services, one billion customers, and 20 million businesses in more than 76 markets worldwide. The series also includes interviews with leading experts from across the industry.

Best regards,

Tim Rains, Director
Microsoft Trustworthy Computing

Top Stories

http://blogs.technet.com/b/security/archive/2012/11/12/blackhole-exploit-kit-activity-peaks-as-exploit-activity-on-the-internet-reaches-new-heights.aspx
"Blackhole" Exploit Kit Activity Peaks as Exploit Activity on the Internet Reaches New Heights

Blacole, a family of exploits used by the so–called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin. Learn more about this exploit, and steps you can take to evaluate the risks in your environment and mitigate them as soon as possible.

http://blogs.technet.com/b/trustworthycomputing/archive/2012/11/05/the-promise-of-differential-privacy.aspx
The Promise of Differential Privacy

Microsoft has some of the world’s top privacy researchers working on a wide variety of interesting challenges, and strives to translate this research into new privacy-enhancing technologies. Differential Privacy is a technology that enables researchers and analysts to extract useful answers from databases containing personal information and, at the same time, offers strong individual privacy protections. Explore how Differential Privacy works; download the new white paper entitled "Differential Privacy for Everyone" (http://www.microsoft.com/en-us/download/details.aspx?id=35409).

Security Guidance

http://technet.microsoft.com/security/jj863596.aspx
Security Tip of the Month: Kicking the Virtual Tires of a Cloud Provider

Evaluating a cloud provider needs to be done with care. Learn how to make the evaluation process simpler and easier to ensure that everyone can address the important factors of the cloud selection process.

http://technet.microsoft.com/magazine/gg607453.aspx
Understanding Security Account Management in Windows Azure

There are several recommended approaches to security management for applications and services hosted on Windows Azure. Explore these recommendations along with best practices for creating and managing administrative accounts, using certificates for authentication, and handling transitions when employees begin or terminate employment.

http://blogs.msdn.com/b/usisvde/archive/2012/03/15/windows-azure-security-best-practices-part-7-tips-tools-coding-best-practices.aspx
Windows Azure Security Best Practices for Developers

Explore this seven-part blog series for a discussion of the challenges involved in designing applications for the cloud and tips on what you can do in your software to ensure access for those who should have it and prevent access by those who should not.

- Part 1: The Challenges, Defense in Depth
  http://blogs.msdn.com/b/usisvde/archive/2012/03/07/windows-azure-security-best-practices-part-1-the-challenges-defense-in-depth.aspx
- Part 2: What Azure Provides Out-of-the-Box
  http://blogs.msdn.com/b/usisvde/archive/2012/03/08/windows-azure-security-best-practices-part-2-what-azure-provides-out-of-the-box.aspx
- Part 3: Identifying Your Security Frame
  http://blogs.msdn.com/b/usisvde/archive/2012/03/09/windows-azure-security-best-practices-part-3-identifying-your-security-frame.aspx
- Part 4: What Else You Need to Do
  http://blogs.msdn.com/b/usisvde/archive/2012/03/12/windows-azure-security-best-practices-part-4-what-else-you-need-to-do.aspx
- Part 5: Claims-Based Identity, Single Sign On
  http://blogs.msdn.com/b/usisvde/archive/2012/03/13/windows-azure-security-best-practices-part-5-claims-based-identity-single-sign-on.aspx
- Part 6: How Azure Services Extends Your App Security
  http://blogs.msdn.com/b/usisvde/archive/2012/03/14/windows-azure-security-best-practices-part-6-how-azure-services-extends-your-app-security.aspx
- Part 7: Tips, Tools, Coding Best Practices
  http://blogs.msdn.com/b/usisvde/archive/2012/03/15/windows-azure-security-best-practices-part-7-tips-tools-coding-best-practices.aspx

http://www.microsoft.com/download/details.aspx?id=18990
Security Guidelines for SQL Azure

SQL Azure Database is a cloud database service from Microsoft that provides Web–facing database functionality as a utility service. If you are planning to connect to SQL Azure Database, or if you build secure applications on SQL Azure, make sure to consult these security guidelines.

http://social.technet.microsoft.com/wiki/contents/articles/6642.a-solution-for-private-cloud-security-en-us.aspx
A Solution for Private Cloud Security

Find a comprehensive explanation of the process for designing and running security for a robust and comprehensive private or hybrid cloud environment.

http://technet.microsoft.com/security/hh144814.aspx
Five Security Tips for Windows Intune

Learn how to use the security features in Windows Intune, Microsoft’s cloud services solution for PC management and endpoint protection, to implement best practices that can help you better protect your PCs.

http://www.microsoft.com/download/details.aspx?id=26552
Security in Office 365

Get an overview on how Office 365 makes it easy for users and administrators to access and use data and services while following security best practices. For more detailed information on security in Office 365, download the "Office 365 Security and Service Continuity Service Description" (http://www.microsoft.com/download/details.aspx?id=13602), available from the Download Center.

Community Update

http://technet.microsoft.com/magazine/hh536219.aspx
Cloud Computing: Cloud Security Concerns

While maintaining appropriate data security continues to be a prevailing concern, a cloud computing infrastructure can actually increase your overall security. Learn the reasons for this, and how you can put them to your advantage.

http://social.technet.microsoft.com/wiki/contents/articles/3798.identity-and-access-management-in-the-cloud-en-us.aspx
Identity and Access Management in the Cloud

Identity and access management (IAM) refers to the processes, technologies, and policies for managing digital identities and controlling how identities can be used to access resources. Typically, IAM includes three separate processes:

- Identity provisioning and storage
- Authentication
- Authorization

Identity management in a cloud system requires a complex collection of technologies to manage authentication, authorization and access control across distributed environments. Use this TechNet Wiki article to see how these environments might include assets both on the internal cloud (private cloud) and services accessed on the public cloud, and how they can also cross security domains, as when two enterprise-level organizations collaborate and enable cross-domain access to users from the partner security domain.

Cloud Security Corner

http://technet.microsoft.com/solutionaccelerators/hh324976.aspx
Microsoft Assessment and Planning Toolkit for Microsoft Private Cloud Fast Track

Accelerate your private cloud planning with the Microsoft Assessment and Planning (MAP) Toolkit for Microsoft Private Cloud Fast Track. Get consolidated guidance and validated configurations for preconfigured Microsoft Private Cloud Fast Track infrastructures, including computing power, network, and storage architectures.

This Month's Security Bulletins

Microsoft Security Bulletin Summary for November 2012

Critical
- MS12-071: Cumulative Security Update for Internet Explorer (2761451)
  http://technet.microsoft.com/en-us/security/bulletin/ms12-071
- MS12-072: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528)
  https://technet.microsoft.com/en-us/security/bulletin/ms12-072
- MS12-074: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2745030)
  https://technet.microsoft.com/en-us/security/bulletin/ms12-074
- MS12-075: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)
  https://technet.microsoft.com/en-us/security/bulletin/ms12-075

Important
- MS12-076: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184)
  http://technet.microsoft.com/en-us/security/bulletin/MS12-076

Moderate
- MS12-073: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (2733829)
  http://technet.microsoft.com/en-us/security/bulletin/MS12-073

November 2012 Security Bulletin Resources:

- Microsoft Security Response Center (MSRC) Blog Post
  http://blogs.technet.com/b/msrc/archive/2012/11/13/november-2012-bulletin-release.aspx
- Security Bulletin Quick Overview (MP4)
  600k: http://content3.catalog.video.msn.com/e2/ds/89e228fd-3809-4f6a-9a42-0128acf56208.mp4
  400k: http://content3.catalog.video.msn.com/e2/ds/3bc71079-6ac8-4c71-9663-a8c14bbffe1b.mp4
- Security Bulletin Webcast (MP4)
  3000k: http://content5.catalog.video.msn.com/e2/ds/75b64ba1-ac0f-4261-bcde-361fc02bd750.mp4
  600k: http://content1.catalog.video.msn.com/e2/ds/dff17edc-d1ae-471f-9002-8fdcfcd98be0.mp4
  400k: http://content2.catalog.video.msn.com/e2/ds/00282f38-e8bf-45be-b632-12fc27686c85.mp4
- Security Bulletin Webcast Q&A
  http://blogs.technet.com/b/msrc/p/november-2012-security-bulletin-q-a.aspx

Security Events and Training

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032522564
TechNet Webcast: Information About the December 2012 Security Bulletin Release

Join this webcast for a brief overview of the technical details of December’s Microsoft security bulletins. As the goal is to address your concerns, Microsoft security experts devote most of the webcast to answering the questions that you ask.

http://www.microsoftvirtualacademy.com/tracks/windows-azure-security-overview
Microsoft Virtual Academy: Windows Azure Security Overview

Learn the essentials of Windows Azure Security by exploring the security and protection included at every layer. This track covers the security mechanisms included with Windows Azure at the physical, network, host, application, and data layers. Furthermore, you’ll get a basic understanding of some of the identity options you have to authenticate to Windows Azure.

http://www.microsoftvirtualacademy.com/tracks/enable-the-consumerization-of-it
Microsoft Virtual Academy: Enable the Consumerization of IT

Learn how Microsoft can help you responsibly enable your users to work and communicate anywhere, anytime, on the device they choose, while properly securing and managing devices and data. This Microsoft Virtual Academy Track covers end–to–end security and access, mobile device management, information protection, and cloud management and security with Windows Intune.

– November 2012 –

Essential Tools

http://technet.microsoft.com/security/bulletin
Microsoft Security Bulletins

http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
Microsoft Security Compliance Manager

http://www.microsoft.com/download/en/details.aspx?id=1677
Enhanced Mitigation Experience Toolkit

http://technet.microsoft.com/library/cc162838.aspx
Malware Response Guide
