Roger Halbheer

Job title:
Chief security advisor, Microsoft

Areas of expertise:
Policy, architecture, law enforcement, cybersecurity, processes

Biography:
Roger Halbheer joined Microsoft as Chief Security Advisor of Microsoft Switzerland in 2001 and was promoted to the role of Chief Security Advisor for Microsoft Europe, the Middle East and Africa (EMEA) in February 2007. Roger leads a team of national Chief Security Advisors across EMEA who work with organizations in the commercial and public sectors - including national governments, law enforcement and intelligence agencies - on information technology issues and strategies. He is a trusted advisor to C-level executives, governments and law enforcement agencies and has established relationships with security communities and government agencies across the region. Roger is a regular speaker at industry events and has worked with national and international print and broadcast media both to represent Microsoft and to provide expert comment on broader security issues. A Swiss national, Roger holds a Master of Computer Science degree from the Federal Institute of Technology in Zurich and is a Certified Information System Security Professional (CISSP). Before joining Microsoft, he was responsible for e-Business Risk Management at PricewaterhouseCoopers in Switzerland. He lives in Zurich and is married with two sons.

Cloud Security Considerations – a different view

 

Yesterday, looking at my RSS feed, I saw the post in here called Cloud Security Considerations – and immediately wanted to read it, as we (a friend of mine and I) wrote a paper with exactly the same title. I was so thrilled that somebody else had taken this up to blog about – however, I was disappointed. Not by the content of the post per se – it just was not what I expected.
Let me give you a different view of the cloud. When I talk to our customers, the cloud is not necessarily a technical problem for them; it is completely an emotional problem. The purchasing decision, however, should be driven by risks, risk assessment and risk appetite of the company. Another point is that customers are often still looking at it as an “all or nothing” approach. I am more than ever convinced that the cloud for most customers will be a hybrid approach. Some data/business processes will remain on premise, others might move to an externally hosted private cloud, and others again will move to the public cloud.
This therefore led us to the point where we decided to structure the discussion in a different way and try to give it a framework. We decided that there are five areas to be considered when you plan to move to the cloud, which help to decide what to move where:
  1. Compliance and Risk Management: Organisations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
  2. Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organisation and country borders.
  3. Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organisation’s security management.
  4. Endpoint Integrity: As cloud-based services originate--and are then consumed--on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
  5. Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.
We can debate the order, but our discussions with customers where we used this model are showing that it is very much on point. If you are interested in getting more (the paper is only 8 pages :-)), you can download it here: Cloud Computing Security Considerations.
From a Microsoft perspective, we did some additional work where we tried to apply the model to a partner-hosted private cloud and to Office 365. The private cloud paper is fairly product agnostic (not completely), and even the Office 365 paper can give you some good insight into how to think about it when you look into the private cloud.
The interesting thing to me is that there are a lot of different levels at which to look at the cloud, and this keeps the debate interesting (and confusing for the customers) :-)
Roger

 

Posted 16/11/2011 by Roger Halbheer

Tagged under: Cloud

RE: Cloud Security Considerations – a different view
Posted 16/11/2011 by cindy valladares
Another consideration for cloud security is that of accountability. I've recently read a blog by Dwayne Melancon on this topic at other areas of why security is even harder in the cloud http://www.tripwire.com/blog/security-controls/cloud-security-where-is-the-danger/.
