Cloud Security: New Challenges, Same Principles

By Adrienne Hall, General Manager, Trustworthy Computing

“There is no such thing as a secure cloud,” according to Greg Ferro, who moderated the panel discussion in which I participated at the GigaOM Structure: Europe conference. And so began a lively conversation with Greg and other industry pros.

During the panel I described three broad categories of ongoing work in relation to cloud offerings: 1) development – how we create the software behind the service, 2) data center security – how we protect the operational environment in which services are running, and 3) incident response – how we manage services if and when the unexpected occurs.

After the panel, I was asked a few follow-on questions about Microsoft’s Security Development Lifecycle (SDL), a security assurance process that introduces security and privacy into all phases of development. It has been a mandatory policy at Microsoft since 2004.

There’s no question in my mind that the wholesale adoption of this approach has helped reduce the number and severity of vulnerabilities. It also reduces costs by discovering and addressing potential security and data privacy issues early in the design phase, where changes can be made with less disruption to the overall project.

 
