Microsoft Document Outlines Its Cloud Security Infrastructure

By Kurt Mackie
November 15, 2010

Microsoft today announced a new white paper that explains the organizational and standards-based underpinnings of its cloud security efforts.
The paper, "Information Security Management System for Microsoft Cloud Infrastructure" (PDF), describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle broad cloud security and risk management issues.
This latest white paper is not a practical guide, but instead outlines some general principles. Its release follows two other Microsoft white paper publications designed to provide greater transparency about the company's cloud security efforts. Those earlier releases include "Securing Microsoft's Cloud Infrastructure" and "Microsoft Compliance Framework for Online Services."
The main notion from the newly released cloud infrastructure white paper is that Microsoft has a group within its Global Foundation Services organization that digs deep within standards, principally ISO/IEC 27001:2005. This ISO/IEC international standard describes security techniques and requirements for information security management systems. Microsoft uses ISO/IEC 27001:2005 as part of its Online Services Security and Compliance (OSSC) group's Information Security Management System (ISMS).
The OSSC's ISMS has three main programs, which cover information security management, risk management and information security policy. The group also coordinates various certifications, including SAS 70, Sarbanes-Oxley, the PCI Data Security Standard and the Federal Information Security Management Act. The OSSC's ISMS is validated by third parties, which aren't named in the white paper.
The new infrastructure white paper attempts to describe Microsoft's "recipe" for cloud computing, according to Mark Estberg, senior director of risk and compliance for Microsoft Global Foundation Services, in a blog post. Estberg is scheduled to speak with John Howie, senior director of Microsoft's Online Services security and compliance team, on Tuesday at the Cloud Security Alliance Congress in Orlando, Fla., where they will discuss Microsoft's best practices for the cloud.
The white paper admits that organizations may be held back from adopting cloud computing by privacy and security concerns. It also states that cloud business models and regulations are generally new and in flux. But it expresses the hope that ISMS will become an overall strategy for both Microsoft's customers and partners to adopt.
Another attempt to explain approaches used for cloud security is the 76-page white paper from the Cloud Security Alliance, titled "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" (PDF). If that weren't enough, ThinkStrategies Inc., a consulting company focusing on the cloud computing and software-as-a-service industry, has issued a position paper today on why the U.S.A. PATRIOT Act, which prescribes limitations on privacy and civil liberty protections guaranteed by the U.S. Constitution, should not constrain companies from using U.S. cloud-based customer relationship management systems.
Assuring cloud security to organizations has been an uphill task. A March survey by the Information Systems Audit and Control Association found that half of 1,800 U.S. IT professionals polled felt that security concerns outweighed the potential benefits of cloud computing.

About the Author

                    Kurt Mackie is senior news producer for 1105 Media's Converge360 group.