14 April, 2015

Microsoft heightens measures to improve trust, security across ecosystems

As mobile computing becomes ever more integrated with the cloud, John Galligan, Regional Director, Government Relations, Microsoft Asia Pacific, said that the future of more ubiquitous mobility and cloud deployment will boil down to trust.

"Do you trust the technology to do what it's going to do? People are not going to use technology they don't trust," he said at the Microsoft Cyber Trust Experience 2015 event in Singapore, alluding to high-profile security breaches recently reported in the media.

Galligan also noted that responsibility for cyber security is now with the C-suite. "Security concerns are no longer the priority for the IT department when they have moved from the server room to a board room. This is going to be a board room discussion, continuously," he said, noting that vendors like Microsoft have to talk not only to IT but also to the CEOs to convey their commitment to security.

Trust is still a top-three barrier to cloud technology adoption for Asia Pacific CIOs, Galligan noted, sharing survey findings that put trust as the second-most cited challenge, named by 79% of respondents, behind budgets in no. 1 place (81%).

Microsoft addresses the distrust with a four-pronged strategy that begins with increasing transparency, Galligan said.
"This is an evolving area," he said. "We have to have a dialogue not just as a company but as an industry, to talk about transparency in a new way."

Microsoft's cloud service contracts have evolved to include clearer and more concise contract terms, specificity for where data will be located and where it will not, among other details. The level of granularity goes down to the subcontractor level, identifying third parties and notifying customers of changes.

The company invests in compliance with a wide range of national and international regulations, including ISO 27018, a standard designed for cloud services.

Microsoft made the commitment to comply with ISO 27018, a standard for cloud service providers, very early.

Thirdly, control of the data is with the customer, who can move cloud providers at any time. Lastly, the resilience and security of data is paramount, with access to data restricted to essential and qualified personnel only, and data encryption of customer data from user to user, when it is in transit, and also when it is 'at rest'.

As the cyberthreat space evolves, Microsoft has changed how it secures data, said Pierre Noel, Asia Chief Security Officer, Microsoft.

According to Noel, things changed about four or five years ago, when organised crime realised they could make more money from cybercrime than selling drugs. "We have mafia attacking people and attacking organisations for the sake of making money," he said. "Everyone is getting attacked."

In the past, criminals targeted banks, but individuals are worth enough money today to be worth targeting, Noel explained, sharing that each address in a personal address book is worth US$0.01, while credit information can be worth up to US$50. "Easy money," he commented.

It has also gone beyond mere 'crime' to espionage, warfare, and terror, Noel said. With our reliance on technology, it is entirely possible for criminals to switch off power in a hospital, or open floodgates for a dam when they should be closed, he warned.

The revolution in cyberthreats has extended to the industry's understanding of how they occur. Where in the past a strong perimeter was considered sufficient protection, it is inadequate today when a criminal could be working from within it. "We are protecting data on the assumption that the bad guy is already on the machine," said Noel.

Microsoft secures its ecosystem in many ways.

Microsoft works to make the ecosystem secure in several ways, Noel said. For example, Microsoft draws on anonymised aggregated telemetry data from 600 million computers around the world; follows secure development practices, including compliance with the ISO 27034-1 standard; and maintains industry practices, including a government security programme that shares source code with governments.

Customer information is secured through encryption, multi-factor authentication, unified access management, as well as data classification and rights management, Noel said. 

Elaborating on Galligan's point about restricting data access, Noel explained that Microsoft's cloud data centres are run by a skeleton crew, none of whom possess root or administrator passwords. "There is no way for them to look at information from our customers," he said. 

The company has implemented predictive analytics as well. "If today you log in from Singapore to access some data on the cloud and 2 hours later you log in from Russia, we will block that," he said, pointing out that it is impossible to fly between cities so quickly.
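The check Noel describes is commonly called impossible-travel detection. The sketch below is an added example, not Microsoft's implementation: it flags consecutive logins by the same user whose implied speed exceeds a ceiling. The speed ceiling, the distance floor, the function names and the sample events (including Moscow standing in for "Russia") are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0   # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumed floor; geo-IP is too coarse below this

# Constructed sample events: (user, ISO timestamp in UTC, latitude, longitude)
SAMPLE_LOGINS = [
    ("alice", "2015-04-14T08:00:00", 1.3521, 103.8198),  # Singapore
    ("bob",   "2015-04-14T08:05:00", 1.3521, 103.8198),  # Singapore
    ("alice", "2015-04-14T10:00:00", 55.7558, 37.6173),  # Moscow
    ("bob",   "2015-04-14T11:05:00", 3.1390, 101.6869),  # Kuala Lumpur
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, km, hours) for consecutive logins implying speed > max_speed."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # log records can arrive out of order
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km < min_km:
                continue  # nearby locations are within geo-IP error
            # hours == 0 means simultaneous logins from distant places
            if hours == 0 or km / hours > max_speed:
                alerts.append((user, round(km), hours))
    return alerts

if __name__ == "__main__":
    for user, km, hours in impossible_travel(SAMPLE_LOGINS):
        print(f"BLOCK {user}: {km} km in {hours:.1f} h")
```

In practice the locations come from IP geolocation, so VPN exits and corporate proxies produce false positives; such alerts usually trigger step-up authentication rather than a hard block.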

The upcoming Windows 10 will be more secure than current versions of the operating system, Noel added, making all enterprises more secure, including Microsoft. For one, Windows 10 does not have passwords. 

"The password is one of the weakest links in security. We have iris recognition, biometrics," he said, alluding to Windows Hello, biometric authentication technology that was introduced in this blog post in late March. 

Noel also said Windows 10 will not allow malware to install itself before the antivirus software starts, and can also differentiate between the personal world and the corporate world so that sensitive enterprise documents cannot be copied over to personal devices.
