Microsoft Talks Up Cloud Security
Microsoft may be "all-in" the cloud. But if it can't convince the world that its services are secure, it could be all-out. That may explain why Microsoft is talking up cloud security these days.
Joel Sider, a senior product manager for identity and security for Microsoft's Forefront business, reiterated Microsoft's Trustworthy Computing initiatives in a blog posting this week. "We strive to be more transparent than anyone about how we help enable more secure cloud computing," Sider wrote.
Last week, Microsoft released a comprehensive update of its Security Development Lifecycle (SDL) best practices, particularly targeted at .NET developers building apps that will run in the cloud.
"We're putting renewed effort into communicating all of our efforts to help customers and partners think thru cloud security in the right way," Sider added in an e-mail. But as I reported this month, how do you really know what's behind the curtain of any provider's cloud services?
While many cloud providers comply with such standards as SAS 70, ISO 27001, PCI and COBIT, there is no common way for them to disseminate information to partners and customers. Hence, that visibility is lacking today.
There are efforts in the works to resolve this lack of clarity. Of particular note is CloudAudit, which seeks to develop standards for how cloud providers release information to prospective and existing enterprise clients that can satisfy specific compliances and internal governance requirements.
CloudAudit uses the recently released Cloud Security Alliance (CSA) Cloud Controls Matrix -- a framework that consists of 98 controls that specify how cloud providers should release detailed guidelines on how services are audited and risk is determined.
Among those participating are Amazon, Google, Microsoft, Unisys and Rackspace, though it remains to be seen if those and other players ultimately implement the CloudAudit specs. But it is an effort worth watching. If CloudAudit is widely adopted, it could remove one barrier to cloud computing.
What do you think? Drop me a line at [email protected].
Posted by Jeffrey Schwartz on June 23, 2010