In the move to the cloud, trust has shifted, and Microsoft Trustworthy Computing corporate vice president Scott Charney says that there are now two more pillars to add to the three main ones for information security. With the cloud, users want transparency and control in addition to security, privacy and reliability.
Charney highlighted the fundamental differences in security between the pre-cloud era and today. Historically, vendors created the technology for the customer, and it is up to the customer to secure the data on-premise. Attackers would gain access to the network using four attack methods - supply chain, vulnerabilities and insecure code, social engineering and poor configurations. In response, customers, vendors and the government would try to defend the attack.
However, with the cloud, the relationship is multifaceted with multiple players. With cloud and big data, customers surrender control to the vendor.
"So you have customers asking their provider, how do you protect the fabric?" Charney said of the move to the cloud. "And also, how do we protect our stuff from your fabric? They want to be protected from the cloud as much as they want to leverage it."
Additionally, our view of the government has changed in a post-Snowden world. No longer viewed as purely good, governments also have access to lots of data and can run espionage programs.
Cyber threats have also evolved from being opportunistic to advanced persistent threats. Charney says that the attacks are more destructive. One example of a destructive attack is the Sony hack, which propelled the IT-based conversation into the board room. Destructive attacks not only disrupt your day, but the effects can be felt for years to come.
To mitigate and prevent threats, Charney advocates moving away from the password approach to hardware-based authentication. Microsoft is rapidly moving in this direction with features like Device Guard and Passport in Windows Hello.
Because hardware is the root of trust, even if credentials get phished, they cannot be used in a different place.
In terms of transparency between a customer and a vendor, Charney says that different levels of administration may be the key. Rather than giving someone persistent access, Charney says that tokens can be issued based on when access is needed or for specific types of access. Charney calls these just-in-time or just-enough privileges.
For Office 365, these privileges will be implemented in a feature called Customer Lockbox. This allows customers to require Microsoft engineers to request approval for access to service the cloud. Customers will be able to see how Microsoft accessed the content in activity logs.
Similar to how per-file encryption is handled in SharePoint Online, Microsoft will also also bring content-level encryption to email. Additionally, Microsoft will allow customers to manage and generate their own encryption keys for Office 365 data . With customers able to generate their own keys, Microsoft is transferring control back to the customers. If a customer chooses to leave the service, they can revoke Microsoft's access.
Whitelisting applications and keeping software up to date are also useful in mitigating risks. Charney says that having a strategy is great, but " it only makes a difference if actually implemented and put in the hands of customers."
- Read our review of Windows 10