3rd Party Risk Management

Microsoft Echoes Public-Private Partnership Mantra

Cloud computing introduces many vulnerabilities, but one defense - in at least the minds of some - is to focus on securing the data. But the chief security officer of Microsoft Federal thinks that's a naïve approach.

"Security is a lot of different things," Bill Billings said. "The next tendency is to get to say, 'I can't control everything so I'm going to try to just do the data.' I agree in parts of that, but I also disagree that I wouldn't run a modern operating system or modern enterprise today, nor would I run the cloud without using firewalls, intrusion detection systems and load balancing, and all of that because our customers are protecting data with encryption. It takes all the ingredients to make the apple pie and we have to make sure we can do all that."

Billings, along with Microsoft Federal Chief Technology Officer Susie Adams, discussed a wide range of issues in an interview with GovInfoSecurity.com (transcript below), including:

  • Microsoft's involvement with the federal government on various IT security initiatives.
  • FedRAMP, the new Federal Risk and Authorization Management Program, and how it will help providers more easily deliver cloud computing services to government clients.
  • Transparency, a key ingredient vendors must offer to earning trust from their governmental clients.

Adams and Billings were interviewed by GovInfoSecurity.com's Eric Chabrow.

ERIC CHABROW: Susie and Bill, why don't you describe what is Microsoft Federal and your roles there?

SUSIE ADAMS: Microsoft Federal is responsible for sales to all the federal government worldwide, so not just in the U.S. I am more broad and cover a wide variety of technologies as a CTO.

BILL BILLINGS: I am ultimately responsible for, one, understanding what the government is doing from a security prospective, and driving what I have always referred to as those unique security climates coming out of the federal government, and driving those back into products as well as work with partners to fill those requirements. The second piece to that is also evangelizing, having discussions like is on where Microsoft is going and thinking when it comes to security.

CHABROW: What are the main areas in cybersecurity that Microsoft is involved with the federal government?

BILLINGS: We are involved in quite a few different things. Just earlier this morning, Susie and I were talking with the FedRAMP folks, which is the new initiative to how do you bring clouds into the government from a security prospective. Currently, we are using the FISMA certification addressing accreditation process, and we're working with the government on a new process known as FedRAMP. We are involved with processes, from Common Criteria (for Information Technology Security Evaluation) to FIPS (Federal Information Processing Standards) to SCAP (Security Content Automation Protocol). There are a lot of the processes that the government is involved with and working with industries as Microsoft is right there with them in the trenches working through those.

ADAMS: If you think about what Microsoft does as a company, obviously we are a software company that is now moving into the services arena with our cloud services. We take a very holistic approach to security in general from a defense and depth perceptive as well as things as things like, how do we protect our online services things like Bing (Microsoft's Internet search engine). How do we protect our consumer's desktops and the software that runs on those desktops? How do we do things like anti-virus and spam? It is really a very broad topic specifically of how we help our government customers with security.

CHABROW: Let me shift the grounds a little bit looking at both of you as experts who observe the government. How would you access the job the administration is doing with cybersecurity, and second, how has Microsoft's relationship with the federal government changed since President Obama took office in January 2009?

BILLINGS: Security is such a very broad topic and it can mean so much too so many different people, from software, you know FDCC, Federal Desktop Core Configuration, all the way through the supply change security, how do we do all that? The current administration is working that space. They have brought a lot of light to it. Taking things like the CNCI (Comprehensive National Cybersecurity Initiative) effort. (cybersecurity coordinator Howard) Schmidt when he took that out and unclassified much of that. In our perceptive, it's been doing a lot of good things to bring to light, and also to recognize just how hard it is. It is not as simple as saying deploy FDCC, do TIC (Trusted Internet Connection), do you know all these other things. There is a lot of moving parts here and I think the administration is doing good job of getting the rest of the government, as well as industry, to recognize there's a lot of moving parts here.

ADAMS: A really good example I guess, what we're doing with the new administration is around cloud computing. I think one of the challenges that industry and federal agencies face was, how do we make sure that the products and services that we're purchasing that are cloud base, whether they be multi-tenant or dedicated conform with federal C&A regulations. The processes that existed previously were really more tailored toward a premise software solutions and hardware solutions, and so this work that they are doing in conjunction to create a single authority basically inside a government that consists of representatives from Department of Homeland Security, Department of Defense and GSA (Government Services Administration) is really groundbreaking work and the new administration has done a great job like putting a big foot forward that we have something that has been very difficult for the government to do in the past. If you look at C&A requirements and certifications from Department of Defense to the civilian agencies, there is some new and some big differences between the two and getting everybody to agree has been a really tough thing to do in the past, and it looks like with the FedRAMP program that they are making great strides there. We applaud that and support it completely in partnership with them.

CHABROW: Have they been reaching out to companies like Microsoft?

ADAMS: Absolutely they have been.

CHABROW: And how so?

BILLINGS: Well even over the years, the Federal Desktop Core Configuration that Microsoft has been working very closely with the government on that, and a lot of discussions around possible changes to Common Criteria so the government reached out to Microsoft, as well as others, on how do we think about those processes. It wasn't just a government kind of proverbial taking requirements and throwing over the garden wall saying, 'what say you?' It was more of asking, how do we do our own process? How do we write secure code, how do we go through those processes so that they can tailor their requirements to how industry is doing things. It is almost a cliché unfortunately, but the private and public partnership has been in the infancy stages for many years now has been another good positive thing with this administration, is really bringing that to life as both industry and government have to work together to overcome these bigger problems like security.

CHABROW: You mentioned one program, FedRAMP, which if I understand it allows various agencies to piggyback on one another's certification of products out there. I was speaking a few weeks ago with Peter Mell of NIST, who is their cloud computing expert, and he seems to think that this will allow agencies to quickly adopt cloud computing solutions. Do you agree with that?

ADAMS: Absolutely. One of the challenges for a vendor like Microsoft, you look at the promise of cloud computing. ... It's not like a traditional hosted environment configured in a particular way for each customer. This is actually a commodity based service. To be able to go to a single unified organization to get a FedRAMP seal of approval really saves a lot of time and money on both the providers perceptive as well as on the agency. Without that seal of approval we would have to go each agency that purchased a cloud product and they would have to go through those independent third party audits that can be quite lengthy depending, and that would just be not in line with the commodity base nature of cloud computing in general. With cloud computing there is a good degree of risk for each agency to say that yes I feel comfortable with those C&A requirements, and by having a consortium of agencies on board with their key technical security officers as well as executives on board, they would be able to have more eyes on the FISMA and the C&A process and be able to make the changes as are warranted as we move and as agencies move into the cloud in the future.

CHABROW: You're suggesting something I heard at the RSA 2010 conference in March, where one of the keynoters said that the three most important topics being addressed in IT security today are cloud computing, cloud computing, and cloud computing. And despite programs we were discussing, there are still many skeptics out there in and out of government who question whether cloud computing providers can adequately secure government data. A lot of concern about that, and how would you respond to that?

BILLINGS: It is an important question to us no matter who our customer is, be it the federal government or be it our commercial customers in the clouds. We have to earn the trust of that customer to trust us with their data in our cloud. With that, we have to be as transparent as possible. ... That is the crux of the security discussion is helping folks understand, helping government customers understand, what is it that we do from a security prospective and be as transparent as we can. Be it FedRAMP, be it third party audits that we are currently doing is sharing that information a number of times in the current FISMA model, every government agency would have to do their own FISMA requirement and we've already done 90, 95 percent of the heavy lifting. Why couldn't that be re-processed or reused across multiple different agencies, and it is that 5 percent that each individual agency; well I'm unique, I have to look at it differently than another agency does. Then we can have those separate discussions and show those separate things, but all the heavy lifting has been done by the FedRAMP and doing other things like that.

CHABROW: In getting that trust, one of the things I keep hearing when people talk about cloud security is that the focus needs to be on securing the data, regardless of where it exists. Is that something that you agree with and is there something that Microsoft is doing to show his clients it can secure that data?

BILLINGS: Security is a lot of different things. The next tendency is to get to say, "I can't control everything so I'm going to try to just do the data." I agree in parts of that, but I also disagree that I wouldn't run a modern operating system or modern enterprise today, nor would I run the cloud without using firewalls, intrusion detection systems and load balancing, and all of that because our customers are protecting data with encryption. It takes all the ingredients to make the apple pie and we have to make sure we can do all that.

ADAMS: A lot of people think when they are moving to the cloud that it is this new technology that people have forgotten that you will have to do a tremendous amount of work that you've never had to do before. I think that there are absolutely nuances that are very different from how people run traditional on-premise software, the main one be multi-tenant, and accessed by the Internet. Microsoft is trying to do is take advantage of the best practices that we've learned over the last 25 years of being an enterprise software company and the best practices that our customers have helped us to develop and just to continue those as we move into the clouds.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.