News

Microsoft Document Outlines Its Cloud Security Infrastructure

Microsoft today announced a new white paper that explains the organizational and standards-based underpinnings of its cloud security efforts.

The paper, "Information Security Management System for Microsoft Cloud Infrastructure" (PDF), describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle broad cloud security and risk management issues.

This latest white paper is not a practical guide, but instead outlines some general principles. Its release follows two other Microsoft white paper publications designed to provide greater transparency about the company's cloud security efforts. Those earlier releases include "Securing Microsoft's Cloud Infrastructure" and "Microsoft Compliance Framework for Online Services."

The main notion from the newly released cloud infrastructure white paper is that Microsoft has a group within its Global Foundation Services organization that digs deep within standards, principally ISO/IEC 27001:2005. This ISO/IEC international standard describes security techniques and requirements for information security management systems. Microsoft uses ISO/IEC 27001:2005 as part of its Online Services Security and Compliance (OSSC) group's Information Security Management System (ISMS).

The OSSC's ISMS has three main programs, which cover information security management, risk management and information security policy. The group also coordinates various certifications, including SAS 70, Sarbanes-Oxley, the PCI Data Security Standard and the Federal Information Security Management Act. The OSSC's ISMS is validated by third parties, which aren't named in the white paper.

The new infrastructure white paper attempts to describe Microsoft's "recipe" for cloud computing, according to Mark Estberg, senior director of risk and compliance for Microsoft Global Foundation Services, in a blog post. Estberg is scheduled to speak with John Howie, senior director of Microsoft's Online Services security and compliance team, on Tuesday at the Cloud Security Alliance Congress in Orlando, Fla., where they will discuss Microsoft's best practices for the cloud.

The white paper admits that organizations may be stuck from adopting cloud computing based on privacy and security concerns. It also states that cloud business models and regulations are generally new and in flux. But it hopes that ISMS will become an overall strategy for both Microsoft's customers and partners to adopt.

Another attempt to explain approaches used for cloud security is the 76-page white paper from the Cloud Security Alliance, titled "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" (PDF). If that weren't enough, ThinkStrategies Inc., a consulting company focusing on the cloud computing and software-as-a-service industry, has issued a position paper today on why the U.S.A. PATRIOT Act, which prescribes limitations on privacy and civil liberty protections guaranteed by the U.S. Constitution, should not constrain companies from using U.S. cloud-based customer relationship management systems.

Assuring cloud security to organizations has been an uphill task. A March survey by the Information Systems Audit and Control Association found that half of 1,800 U.S. IT professionals polled felt that security concerns outweighed the potential benefits of cloud computing.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.

  • Microsoft Cuts Windows 11 Recovery Time with New Update

    Microsoft has introduced two key enhancements to Windows 11 aimed at minimizing downtime and streamlining error resolution.

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.