2/28/2012
09:25 PM
Dark Reading
Products and Releases

Microsoft Outlines Evolved Security, Privacy And Reliability Strategies For Cloud And Big Data

Trustworthy Computing Next advocates for continued focus amid new computing inflection points

SAN FRANCISCO, Feb. 28, 2012 /PRNewswire/ -- Today at the RSA Conference 2012, Scott Charney, corporate vice president of Microsoft Trustworthy Computing, shared his vision for the road ahead as society and computing intersect in an increasingly interconnected world. In a new paper, "Trustworthy Computing (TwC) Next," Charney encouraged industry and governments to develop more effective privacy principles focused on use and accountability, improve end-to-end reliability of cloud services through increased fault modeling and standards efforts, and adopt more holistic security strategies including improved hygiene and greater attention to detection and containment.

Ten years ago, the computing ecosystem was at a crossroads when Bill Gates introduced TwC and called for industry collaboration. Today, technology and society are more interconnected than ever. Big data's strain on privacy protection, the shifting relationship between government and the Internet, and the evolving threat model all raise new challenges for industry and governments globally.

"We are at another inflection point, with expectations for better security, privacy and reliability growing at an exponential rate," Charney said. "Now is the time for industry and governments to develop and adopt strategies and policies that balance business and societal needs with individuals' choices."

The Cloud and Big Data

The proliferation of devices and cloud services has resulted in a massive aggregation of global data, also known as big data. While offering many potential societal benefits, this collection of data poses unique challenges. From a security perspective, big data represents a valuable target for attackers. As the cloud and devices become more integrated with society, people also become increasingly dependent on the reliability and availability of data and services to function. Finally, the massive increase in the amount and types of data available for collection, analysis and dissemination has strained traditional rules to protect privacy.

One solution for the privacy challenge is for government, industry, academia and consumer groups to collaborate in updating current privacy principles to address the world of big data. These revised principles should place a greater focus on appropriate uses of data. They should also include an "accountability" principle to help ensure organizations use and protect data in ways consistent with individual and societal expectations. Together, these principles can help reduce the burden on the consumer and shift greater responsibility to the data collector.

"Microsoft has long been a contributor to the global debate and discussion on the future of privacy," said Malcolm Crompton, managing director of Information Integrity Solutions Pty Ltd. "The global framework proposed by Scott Charney tackles head-on many of the difficult realities of today's environment. It's a great contribution to the dialogue."

The Role of Government

The advent of big data has also been challenging for governments. Any transformative technological change that recasts the way people live will engender deeper government engagement. This is because governments' relationship with the Internet is a complex one. In the TwC Next white paper, Charney said governments globally are simultaneously users of the Internet, protectors of individual users as well as the Internet itself, and exploiters that capitalize on the power of technology for a variety of purposes.

In times of need, governments may use online services to keep citizens informed, and first responders can react more effectively than those not using cloud-based services because they have GPS devices, mapping capabilities, street views, videoconferencing and other cloud-based services. Such benefits only materialize, however, if these systems meet reasonable expectations of overall service reliability.

Recognizing this fact, governments may play an increasingly active role in many aspects of the Internet. Some nations are looking at legislatively mandating the adoption of information risk-management plans for those managing information and computing systems.

The Evolving Threat Landscape

While the quality of code has improved and infection rates have declined for products developed under Microsoft's Security Development Lifecycle, the threat landscape continues to evolve. Opportunistic threats have been supplemented by attacks that are more persistent and, in many cases, far more worrisome. While some of these attacks have been called "Advanced Persistent Threats," that term is often a misnomer. Some are advanced, but many are not; attack vectors are often traditional and unsophisticated. What marks these attacks is that the adversary is willing to persist over time and is firmly resolved to penetrate a particular victim.

"The new security challenges today are to some extent the same as the old security challenges. They've just been magnified," said Alan Levine, chief information security officer at Alcoa Inc. "An organization may be targeted by a determined adversary who has the time, skills and tenacity to prevail."

Companies must improve their basic hygiene approach to counter the opportunistic threats and make even persistent and determined adversaries work harder. This can be accomplished by designing systems not just to prevent attacks and recover from them, but also to detect successful attackers quickly and contain them so that their unauthorized access or disruption is limited. This new paradigm of protect, detect, contain and recover can serve as a practical foundation for managing risk in the age of persistent and determined adversaries.

More information about Microsoft's vision for TwC Next is at http://www.microsoft.com/presspass/presskits/security.

Founded in 1975, Microsoft (Nasdaq "MSFT") is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
