Microsoft Document Outlines Its Cloud Security Infrastructure

Microsoft today announced a new white paper that explains the organizational and standards-based underpinnings of its cloud security efforts.

The paper, "Information Security Management System for Microsoft Cloud Infrastructure" (PDF), describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle broad cloud security and risk management issues.

This latest white paper is not a practical guide, but instead outlines some general principles. Its release follows two other Microsoft white paper publications designed to provide greater transparency about the company's cloud security efforts. Those earlier releases include "Securing Microsoft's Cloud Infrastructure" and "Microsoft Compliance Framework for Online Services."

The main notion from the newly released cloud infrastructure white paper is that Microsoft has a group within its Global Foundation Services organization that digs deep within standards, principally ISO/IEC 27001:2005. This ISO/IEC international standard describes security techniques and requirements for information security management systems. Microsoft uses ISO/IEC 27001:2005 as part of its Online Services Security and Compliance (OSSC) group's Information Security Management System (ISMS).

The OSSC's ISMS has three main programs, which cover information security management, risk management and information security policy. The group also coordinates various certifications, including SAS 70, Sarbanes-Oxley, the PCI Data Security Standard and the Federal Information Security Management Act. The OSSC's ISMS is validated by third parties, which aren't named in the white paper.

The new infrastructure white paper attempts to describe Microsoft's "recipe" for cloud computing, according to Mark Estberg, senior director of risk and compliance for Microsoft Global Foundation Services, in a blog post. Estberg is scheduled to speak with John Howie, senior director of Microsoft's Online Services security and compliance team, on Tuesday at the Cloud Security Alliance Congress in Orlando, Fla., where they will discuss Microsoft's best practices for the cloud.

The white paper admits that organizations may be held back from adopting cloud computing by privacy and security concerns. It also states that cloud business models and regulations are generally new and in flux. But it hopes that ISMS will become an overall strategy for both Microsoft's customers and partners to adopt.

Another attempt to explain approaches used for cloud security is the 76-page white paper from the Cloud Security Alliance, titled "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" (PDF). If that weren't enough, ThinkStrategies Inc., a consulting company focusing on the cloud computing and software-as-a-service industry, has issued a position paper today on why the U.S.A. PATRIOT Act, which prescribes limitations on privacy and civil liberty protections guaranteed by the U.S. Constitution, should not constrain companies from using U.S. cloud-based customer relationship management systems.

Assuring cloud security to organizations has been an uphill task. A March survey by the Information Systems Audit and Control Association found that half of 1,800 U.S. IT professionals polled felt that security concerns outweighed the potential benefits of cloud computing.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

