SAN FRANCISCO. When it comes to the cloud, transparency and control are the keys to security. That's the message coming from Scott Charney, Corporate Vice-President of Microsoft's Trustworthy Computing, during a keynote at the RSA security conference here.
"As people move to the cloud, how much transparency do they get into what is going on?" Charney remarked during his keynote.
Charney said that in 2004 Microsoft started to implement its security software development lifecycle. The basic ideas was to have security in design, security by default and security in deployment. Charney said that Microsoft changed the way it updated systems and went to a regular patching cycle that aimed to help improve things.
One of the things that has changed since 2004 is that cyber attacks have become increasingly destructive. Charney said that in the past when data was stolen it didn't always have an immediate impact.
"Destructive attacks like Sony are now happening and changing the conversation," Charney said.
Charney noted that destructive attacks stop users from doing their daily business and he said that recent destructive cyber-attacks have changed the conversation in executive boardrooms.
Looking at the cloud, Charney said that there is a different type of risk with the cloud.
"As a cloud builder you love your customers, but some of your customers may be up to no good," Charney said. "Organized crime and other bad actors can subscribe to a cloud service, so how do you protect the fabric from malicious VMs."
Charney noted that it's a complex challenge where organizations want to use cloud, but still be protected from the cloud since the good guys and bad guys all share the same cloud. Fundamentally, Charney said that the challenge is about risk mitigation, not risk elimination.
From a product perspective, Charney noted that Windows 10 will have the Windows Hello and Passport capabilities, which bring new biometric authentication capabilities to the desktop and secure user credentials. Microsoft is also introducing Device Guard, which is a technology to make sure only trusted apps run on a system.
"None of this is a panacea, we just want to narrow the attack surface, so you can be more intelligent about what you look for," Charney said.
Specifically in the cloud, Microsoft Azure Key Vault will provide a cloud hosted hardware security module, and the customer lockbox for Office 365 provides enhanced customer approvals to protect user credentials. Additionally Microsoft is implementing best policies for Just in Time Administration so authorized individuals only get administrative access in a time-bounded way when needed, and will only get the access they need.
Charney said that destructive attacks have woken the market up.
"The cloud is the key, but there must be technically enforced trust boundaries with appropriate customer control and transparency," Charney said.
Microsoft's Scott Charney (Photo credit: Sean Michael Kerner)
Sean Michael Kerner is a senior editor at Datamation and InternetNews.com. Follow him on Twitter @TechJournalist
Graphic courtesy of Shutterstock.