Skip to main content

Trustworthy Computing

Microsoft Security Newsletter

Stay up to date with security insights, resources, best practices, and events for IT professionals and developers. Browse past newsletters or subscribe to get the latest news delivered to your inbox.

Subscribe

 

 
 
Welcome to October’s Security Newsletter!

This month’s newsletter focuses on security controls in cloud services. Having a rich set of security controls and a defense in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to maintain security and privacy at all times. Security should be an ongoing effort that combines experienced and qualified personnel, software and hardware technologies, as well as robust processes to design, build, deploy, operate, and support a cloud service. Security must be vigilantly maintained, regularly enhanced, and routinely verified through testing.

When it comes to the cloud, your cloud provider is an important partner in helping to protect your data. This chart provides a good visual on the shared responsibility of security controls between the cloud customer and cloud provider when it comes to data protection whether you are using Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS).



Cloud provider controls – Cloud provider controls include technical capabilities, operational procedures, and policies that are enabled for customers using the service. Examples include security best practices like penetration testing and defense-in-depth to help protect against cyber threats, as well as physical and data security with access control, encryption, and strong authentication to help prevent unauthorized access.
Cloud customer controls – Cloud customer controls include features that enable customers to customize their environments based on the specific needs of their organizations. Examples include unique customer controls such as Rights Management Service and Data Loss Protection which can help empower customers to protect information.


Of course, of these are just a few examples of security controls and how a cloud provider is an important partner in helping protect data. For more in-depth information on security controls for enterprises, I encourage you to check out the many great resources included in this month’s newsletter.

Tim Rains Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing


Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.comand share your ideas.

 
Top Stories
 
Trustworthy Cloud Series: Managing Secure Cloud Operations
When it comes to choosing a cloud provider, how do you decide who to trust with your most sensitive information? Learn how Microsoft utilizes the Operational Security Assurance (OSA) framework for its cloud services, which details the approach to security controls such as vulnerability scanning, patch management, encryption, and more.

Windows 10: Continuing to Raise the Security Bar for Cybercriminals
Check out some of the highlights from Jim Alkove’s post about the important changes that are coming in Windows with regard to identity protection and access control, information protection, and threat resistance.

Microsoft’s Perspective on the Cybersecurity Framework: Next Steps for Incentives and International Harmonization
The Cybersecurity Framework issued earlier this year by the U.S. National Institute for Standards and Technology (NIST) offers the opportunity for international collaboration because it is rooted in widely-recognized international and national standards and practices. Read about Microsoft’s recently filed comments in response to NIST’s Request for Information (RFI) about our experience with the Cybersecurity Framework.

 
Security Guidance

Security Tip of the Month: Identity Management in the Age of Hybrid IT
Get detailed information on the four fundamental pillars of identity—administration, authentication, authorization, auditing—that can be useful in creating a strategic direction for an identity infrastructure in your organization.

Cloud Computing Security Architecture: The IT Pro Perspective
Get comprehensive guidance on planning for security as part of your cloud infrastructure. Start with an overview of cloud security then move on to:

Security Implications of Cloud Deployment Models
Security Considerations for Cloud Service Models
Identity and Access Management
Security Management and Monitoring
Compliance Issues in the Cloud


A Solution for Private Cloud Security
Download a comprehensive explanation of the process for designing and running security for a private cloud environment. This solution includes a blueprint guide, design guide, and operations guide.

Private Cloud Reference Guide
Find an overview of private cloud architecture and information the principles, patterns, and concepts as well as planning guides for IaaS, service delivery, operations, and systems management.

Microsoft Azure Trust Center
Explore the security controls and capabilities delivered by Microsoft Azure, and find information on how to carry out authorized penetration testing for your applications hosted in Azure.

 
Community Update
You Asked, We Answered: #AskPtH Questions and Answers
Pass-the-Hash (PtH) refers to a technique that allows an attacker to capture account logon credentials on one compromised computer, and then use those captured credentials to authenticate to other computers across the network. Many organizations who want to protect their networks are particularly interested in this technique so we opened the conversation to @msftsecurity Twitter followers and asked what questions you had about PtH. Check out the first set of short video segments answering some of the questions we’ve received to date.

Vuln Hunt: Find the Security Vulnerability Challenge #3
This particular type of vulnerability is used to attack data-driven applications found across the web. It has been around for over a decade and is one of the top threats today. Do you know what it is?

 
This Month's Security Bulletins
 

October 2014 Security Bulletins

Critical

 
MS14-056:2987107 Cumulative Security Update for Internet Explorer
 
MS14-057:3000414 Vulnerabilities in .NET Framework Could Allow Remote Code Execution
 
MS14-058:3000061 Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution


Important

 
MS14-059:2990942 Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass
 
MS14-060:3000869 Vulnerability in Windows OLE Could Allow Remote Code Execution
 
MS14-061:3000434 Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
 
MS14-062:2993254 Vulnerability in Message Queuing Service Could Allow Elevation of Privilege
 
MS14-063:2998579 Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege
 

October 2014 Security Bulletin Resources:

 
October 2014 Bulletin Release Blog Post "October 2014 Security Updates"
October 2014 Security Bulletin Webcast
Malicious Software Removal Tool: October 2014 Update


 
Security Events and Training
 
Microsoft Virtual Academy (MVA): Hybrid Cloud
Explore the advantages and flexibility of the hybrid cloud, where you can keep your critical data on-premises and get greater scale for your day-to-day operations. Learn how to optimize your organization’s IT infrastructure with Microsoft hybrid cloud technologies with best practices and detailed implementation guidance.

MVA: Private Cloud
Learn how to build, deploy, and maintain a private cloud. In these courses, you will learn about core Windows Server products, and how to use them to build and support the virtualized and physical resources that are part of your private cloud infrastructure. You will also hear about common cloud computing configuration and management practices, as well as technical details to help you be successful in building a private cloud for your business.

Dimension Data Series – The Hybrid Cloud: A Balancing Act Between Benefits and Security
Thursday, December 4, 2014 – 10:00 AM Pacific Time
Learn how to extend your datacenter to the cloud in a secure and automated way, how to secure your information in the cloud, how to manage security in a mix of private and public clouds, why a hosted private cloud can be the best solution for sensitive data and mission critical workloads.

Windows 10 for Enterprise
Thursday, November 20, 2014 – 9:00 AM Pacific Time
Be one of the first to take an early look at some of the features and functionality for business users in the next version of Windows including those that protect against modern security threats.

 
 

Essential Tools

 
Microsoft Security Bulletins
 
Microsoft Security Advisories
 
Security Compliance Manager
 
Microsoft Security Development Lifecycle Starter Kit
 
Enhanced Mitigation Experience Toolkit
 
Malicious Software Removal Tool
 
Microsoft Baseline Security Analyzer
 

Security Centers

 
Security TechCenter
 
Security Developer Center
 
Microsoft Security Response Center
 
Microsoft Malware Protection Center
 
Microsoft Privacy
 
Microsoft Security Product Solution Centers
 

Additional Resources

 
Trustworthy Computing Security and Privacy Blogs
 
Microsoft Security Intelligence Report
 
Microsoft Security Development Lifecycle
 
Malware Response Guide
 
Security Troubleshooting and Support Resources
 
Trustworthy Computing Careers
 
 
 
 
 microsoft.com/about/twcTrustworthy Computing 
 
 
 This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2014 Microsoft Corporation Terms of Use | Trademarks

Microsoft respects your privacy. To learn more please read our online Privacy Statement.
 
 
 
 
Microsoft is conducting an online survey to understand your opinion of the MSDN Web site. If you choose to participate, the online survey will be presented to you when you leave the MSDN Web site.

Would you like to participate?