EXCLUSIVE: How Microsoft is building Kiwi trust in the era of cloud computing

"Cloud is not about security, it's about trust."

Perhaps the most intuitive principle of learning, traceable to ancient Greece and Aristotle; “it is frequent repetition that produces a natural tendency.”

But has the art of hammering home, in the modern world of desensitisation, inadvertently replaced emphasis with exaggeration when debating the dangers of cyber security?

“Absolutely not,” says Pierre Noel, Chief Security Officer, Microsoft Asia, with a wry smile and a head shake, when speaking exclusively to Computerworld New Zealand.

“As a business in New Zealand, if you have information that is of value to somebody else, then I say welcome to the team.”

The team being the 500,000 plus businesses up and down the country currently battling to keep their virtual perimeters secure, some taking cyber security seriously, others with a pinch of Kiwi salt.

But in all fairness they paid attention the first time, remember.

Heck, they even glanced up from their desktops when a breach of Sony Pictures Entertainment revealed Angelina Jolie to be a “minimally talented spoiled brat”, when Target agreed to pay hack victims US$10 million damages and even when JP Morgan reported that 76 million households and seven million small businesses were exposed across America.

Yet in 2015, for many businesses it no longer feels like ‘news’ when the hacking of another giant corporation is reported, with the industry severely fatigued on the topic of cyber security.

“For those questioning the rise of cyber crime, they should speak to Interpol,” says Noel, drawing on 25 years of international experience in Information Security and Enterprise Risk Management.

“Businesses must realise that when it comes to the organised crime gangs of the world, the mafia and the drug lords realised four or five years ago that they could make more money through cyber crime than by selling drugs.

“During the past five years we’ve seen a creation of a complete ecosystem as part of the organised crime community, with criminals now tasked with weaponising malware to make a lot of money.”

Alluding to the widely held belief of ‘it won’t happen to me’, or even the commonly used ‘ignorance is bliss’ approach in business, Noel referred back to December 2014, to the story of a German steel factory being brought to its knees by an online security breach.

The gist? “It’s a steel factory, you wouldn’t think it would be a target but it was subject to blackmail,” Noel explains.

According to media reports, hackers blackmailed the organisation with a message threatening to disrupt the factory’s systems unless a significant ransom was paid.

The factory, refused to pay.

Two weeks later, the factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, crippling operations as reported in the German government’s annual IT security report.

"Businesses must be advised beforehand,” Noel adds. “They must be advised by all parties, including law enforcement agencies before such incidents happen so we can all agree on some basic principles of what needs to be done.

"To often, businesses are caught in such a situation without having thought their way through in the first place, so it is critical to be prepared.”

For Noel, in referring back to the hack, when the factory is in meltdown and panic has set in, “this does not want to be the first time you’re aware of the situation."

“Create a resilient plan so you know when to speak to police, when to ask the CEO to step in, when to call on law enforcement," he explains.

The same advice applies to the many large enterprise organisations in New Zealand, through the mid-tier and down to the 460,000 small businesses operating nationwide, with Noel emphasising the ability to “reinvent yourself in the face of a crisis.”

While it may go without saying in the modern day, Noel believes all organisations should “assume breach”, forming an acceptance that a hack is inevitable but crucially, understanding how the company can “withstand the hit.”

“Enterprises must assume breach and work on the assumption that they will get hacked, in fact it may already be happening right now,” Noel adds.

But as the CSO, the executive in the corporation responsible for the security of personnel, physical assets and information in both physical and digital form, is such an acceptance an admission of helplessness? Or even incompetency?

“As a CSO, my job should not depend on preventing security attacks,” adds Noel, who in his previous life held the responsibility of IBM Security portfolio at a global scale. “If this is how I am incentivised and rewarded at the end of the year, I will resign immediately.

Page Break

“CSOs must be rewarded on ensuring that no incident will have a significant impact on the organisation. It's an ongoing battle and in terms of preventing attacks, one the CSO will never win.

“It’s important to change the perception and ask, what is the core responsibility of the CSO? It is not to be the company’s perimeter defence and ensure there is no incident, this is impossible.

“I prefer the term CRO, Chief Resilient Officer because this is where the key responsibility lies, ensuring that no security breach results in long-term damage to the organisation.”

Why New Zealand?

In 4Q14, 9.4 percent of computers in New Zealand encountered malware, compared to the 4Q14 worldwide encounter rate of 15.9 percent.

In addition, the annual Microsoft Security Intelligence Report detected and removed malware from 2.8 of every 1,000 unique computers scanned in New Zealand in 4Q14, a CCM score of 2.8, compared to the 4Q14 worldwide CCM of 5.9.

“Why New Zealand? What would hackers want with my data?” Noel asks. “The truth is that Kiwi SMBs are a key third party to larger enterprises but also, we are in an era of greater innovation and if you’re a small start-up hoping to create the next Twitter in your garage on five computers, you’re an attractive prospect to hackers.

“In New Zealand, and across the world, our findings show that most businesses have been breached for an average of 245 days before they actually realise and act. Hackers are simply sat waiting for value.

“If you think about persistent threats, it’s really about hackers burrowing their way into a network, staying for a long period of time, waiting, watching and looking for value.”

Speaking at Microsoft HQ in Auckland, Noel - alongside colleagues Paul Nicholas, Senior Director of Microsoft’s Trustworthy Computing, and Kevin Sullivan, Principal Security Strategist of Microsoft’s Global Security Strategy and Diplomacy Team - believes that New Zealand government agencies, local government and businesses are increasingly find themselves considering the implications of cybersecurity issues have on operations.

Given the nature of this issue, Noel believes the need for shared understanding and connected global approaches “grows ever more important.”

“We came to New Zealand to talk to our Government customers, as well as policy makers, who are thinking about the future of New Zealand in terms of cyber security, and to document their experiences and challenges,” adds Noel, who is currently helping several nations in Asia to build cyber security infrastructure and framework from the ground up.

While in New Zealand, Noel and his team focussed on informing discussions about the future design of New Zealand’s regulatory, policy and institutional arrangements for cybersecurity, sharing knowledge and lessons learned from cybersecurity engagements with other governments.

By engaging in dialogue regarding the cybersecurity issues facing Kiwi sectors such as finance, healthcare and both central and local government, Noel shared how organisations in New Zealand can increase resilience in the face of the growing array of rapidly evolving cyber threats.

“What attracted Microsoft to New Zealand in particular was the positive cyber security future of the country,” Noel explains. “If you look at the numbers and growth that is going to take place here, such as 100 percent growth in broadband, 82 percent in science, technology etc - this is exciting.

“The conversations we’ve been having centre around resilience. That’s the conversation as opposed to ‘here’s your checklist with 317 items’, as it is about creating a culture that allows businesses to withstand the hit and innovate.”


But in 2015, as vendors with vested interests in spouting the perils of lax security strategies up the ante, and with cloud adoption in New Zealand on the rise, who should Kiwi businesses trust?

“Cloud,” says Noel, pausing to answer, “is not about security, it is about trust.

“Trust is the reason why businesses may intellectually consider cloud but may be resistant to actually using it. They require confidence that security will be managed in a proper way.

“So much so that I am willing to bet that the way we implement both security and privacy in the Microsoft cloud is better than any other company in New Zealand.

“But does this mean businesses should follow blindly because Microsoft’s Chief Security Officer said so? Absolutely not, it’s a journey.”

In the eyes of Noel, in taking a simplistic approach to the situation, businesses won’t use technology they don’t trust.

And it’s trust that for Noel, in heading the regional division of a tech giant responsible for managing over 200 online services, serving over 20 million businesses and more than a billion customers, is a topic not taken lightly at Microsoft.

In a bid to develop and safeguard the trust it has with its customers and users, Microsoft has reinforced its commitment to data privacy of its customers as well as the best practices put in place to ensure that the data is secure.

Likewise, the importance of adopting transparency in the processes around data storage and access is another crucial topic for Noel and his regional team, as well as Microsoft’s efforts to ensure compliance to regulatory standards across countries.

“We are one of the most adept organisations in the world,” he adds. “I’m not saying we are perfect, but we know what we’re doing in the cloud.”

Page Break

During Noel’s visit to Kiwi shores, he also felt it imperative to discuss how Microsoft is trying to make itself more resilient, and therefore minimising the risk for businesses considering cloud.

In the context of it, Microsoft could argue that as a cloud service provider, the company has invested significantly more money and resourcing than rival firms to ensure its cloud data centre is locked tight and secure.

While trust doesn’t come cheap, is throwing money at a data centre the best way to ensure victory in the war of trust?

“Again, absolutely not,” reaffirms Noel, keen to look past the vendor hype and instead lay the foundations of long-term confidence in the cloud. “This shouldn’t mean businesses should follow Microsoft and put everything in the cloud, but there is another side to this.

“Microsoft has a presence in so many countries worldwide, and we adhere to so many obligations and of course, collect a lot of intelligence not only from our technology but around what is happening on a country by country basis.

“We can spot things and we can share this information with stakeholders, enterprise and Government. Contrary to what people assume, I’m not in New Zealand to sell, I’m here to establish a trusted relationship with the market with what we at Microsoft consider to be best practice.”

In recognising that trust is necessary for organisations and individuals to fully embrace and benefit from cloud services, Microsoft’s Trustworthy Cloud initiatives are built around many years of experience, forging a commitment to security, privacy, and transparency principles, and on leading industry practices.

Although the cloud can be abstract, Noel insists that the Microsoft approach to delivering a trustworthy cloud is not.

“This is our DNA,” Noel adds. “This is what we stand for and essentially the main reasons why any organisation should trust Microsoft as a cloud service provider.

“Some standards are not worth the paper they are written on but some, such as this, are best practice which helps to paint a picture of how to approach security in the cloud.”

At present, the local branch of Microsoft in New Zealand has an agreement with the Kiwi Government, as well as other Governments on the planet, around the topic of transparency.

“This provides access to our source code and access to the people who have written security access codes to Windows, Azure etc,” Noel adds. “It’s designed to provide transparency and offer assurances because it allows third-party auditors to examine our code, make sure there are no back doors and ensure that the correct controls are implemented.

“We adopted a similar approach in Australia, we exposed everything and after an independent assessment they said; ‘Yes, you’re compliant’.”

For Noel, the issue of trust is as equally important to the notion of privacy as well as security, insisting that “we stand by strong principles and take privacy to our heart.”

“It’s crucial for us to show the way we handle data, make customers understand that it isn’t our data and that we don’t touch it,” he adds.

NZ Cloud

In October 2013, the Kiwi Cabinet agreed on a cloud computing risk and assurance framework for government agencies, to sit within the wider ICT Assurance Framework as a key marker for organisations moving to the cloud.

The agreed approach is based on case-by-case consideration by agency chief executives with Government Chief Information Officer (GCIO) oversight, of all cloud computing decisions, whether hosted onshore or offshore, that balances the risk and benefits appropriately.

In the All-of-Government Cloud Computing Report, released in April 2014, further cloud principles included the view that agency Chief Executives are ultimately responsible for decisions to use cloud services and that no data above restricted should be held in a public cloud, whether it is hosted onshore or offshore.

Delving deeper on the topic of security, Cabinet agreed that if the system is likely to be a cloud service, Public and non-Public Service departments must use the guidelines in the report to ensure appropriate and consistent consideration of cloud computing issues, which includes privacy and security which are set out in the 105-question New Zealand Government framework.

As reported first by Computerworld New Zealand last month, Microsoft New Zealand demonstrated Microsoft Azure’s ability to provide secure cloud computing by meeting such standards in May of this year.

"This is a great step forward for us in being able to show both public and private sector customers how Microsoft addresses important security, privacy and sovereignty issues," said Russell Craig, National Technology Office, Microsoft New Zealand, to Computerworld New Zealand following the report.

“None of our competitors have done anything like this. If you represent a New Zealand government organisation that is considering adopting Azure, this information will assist your analysis.”

What Microsoft is seeing on both a local and global scale is that companies are moving to the cloud fast than anticipated, creating a greater emphasis on the need for secure cloud practices across the board.

In December 2014, Redmond revealed that New Zealand small-medium businesses were leading the world when it comes to Office 365 adoption, with 15 percent of the market now moving to the cloud with Microsoft.

"Backing up on global trends, what we’re seeing in New Zealand in terms of Office 365 adoption is perhaps more advanced than other markets,” said [[xref: |Paul Muckleston, Managing Director, Microsoft New Zealand, to Computerworld New Zealand at the time.]]

Page Break

Generally speaking, cloud computing, whether that it public, hybrid or private, continues to grows in popularity in New Zealand, with adoption rates on the rise.

For Noel, in representing the entire Asia-Pacific region, some companies have decided to utilise Microsoft because “as a cloud provider we have more people focused on security, response and privacy controls that some businesses have in their entire organisation, so maybe it’s better for us to take care of it.”

As the industry knows, the dialogue has changed from not if, but when businesses move to the cloud, with organisations gradually building the blocks of trust when it comes to moving important enterprise assets to the skies.

“The least they are looking for is a baseline assurance that it is secure,” Noel adds. “But also, forward-thinking businesses are looking for ways to innovate within the cloud, and possess better ways of managing and leveraging big data, analytics etc.”

The law of Privacy

While Microsoft will not build major data centres in every country in the world, New Zealand included, it doesn’t detract away from the overriding message which is for Noel, that the future of more ubiquitous mobility and cloud deployment will boil down to trust.

“We don’t touch your data, we stay away from it,” adds Noel, adding that Microsoft receives legal demands for customer data from law enforcement agencies around the world.

But while it may appear overkill, security and privacy in the cloud has been a hot topic following revelations about the US government’s access to data stored with large providers and has provoked some concern about data sovereignty issues for New Zealand organisations.

A common question now being asked is just where is my data held and under what legal and privacy frameworks?

As a result, in March 2013, the company began publishing details of the number of demands it receives each year in its Law Enforcement Requests Report, providing a clear documentation of established practices in responding to government legal demands for customer data.

Across New Zealand, Microsoft has received a total of 52 requests for information, 38.5 percent of which have been rejected, as highlighted in the graphic below.

On a global scale however, beginning late last year when a US court ordered the company to turn over customer email data stored in a Dublin data centre, Microsoft's fight to preserve the stored data continues to gain support from across the world.

Despite the best efforts of US law enforcement to force Microsoft’s hand, coupled with Redmond appealing and losing its case, the tech giant has now took the fight public in the hope of having the ruling reversed.

With the escalation of events prompting an open-editorial in the The Wall Street Journal, Microsoft General Counsel Brad Smith wrote that "Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail.

“This means, in our view, that the US government can obtain emails only subject to the full legal protections of the Constitution's Fourth Amendment.

“It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores.”

For Smith, and Noel, it all comes down to playing the game openly and above board, in line with already established rules and regulations and with the privacy of the customer again at its core.

“We will win,” Noel adds confidently, referring to an instance when Microsoft dutifully obliged with the law, following the terrorist attacks on French satirical magazine Charlie Hedbo in January of this year.

“If you take the Charlie Hebdo example, Microsoft was able, with the correct approach from law enforcement, to respond within 45 minutes to a request from the French Police regarding data hosted on Microsoft servers.

“French Police realised that some of the information from the terrorists were hosted by Microsoft so they went through the correct, legal channels and requested we supply the data, which we did immediately. It simply has to be within the realms of the law.”

As internet connections get faster and more reliable in New Zealand, and the convenience of having masses of data available on all devices becomes ever more attractive, the issue of data privacy takes centre stage.

Market feedback suggests that cloud computing is slowly winning the trust war in enterprise but for the Kiwi IT decision makers who remain sceptical, Noel accepts it’s the job of Microsoft, through its cloud expertise, to persuade them otherwise.