Microsoft Document Outlines Its Cloud Security Infrastructure

Microsoft today announced a new white paper that explains the organizational and standards-based underpinnings of its cloud security efforts.

The paper, "Information Security Management System for Microsoft Cloud Infrastructure" (PDF), describes the standards Microsoft follows to address current and evolving cloud security threats. It also depicts the internal structures within Microsoft that handle broad cloud security and risk management issues.

This latest white paper is not a practical guide, but instead outlines some general principles. Its release follows two other Microsoft white paper publications designed to provide greater transparency about the company's cloud security efforts. Those earlier releases include "Securing Microsoft's Cloud Infrastructure" and "Microsoft Compliance Framework for Online Services."

The main notion from the newly released cloud infrastructure white paper is that Microsoft has a group within its Global Foundation Services organization that digs deep within standards, principally ISO/IEC 27001:2005. This ISO/IEC international standard describes security techniques and requirements for information security management systems. Microsoft uses ISO/IEC 27001:2005 as part of its Online Services Security and Compliance (OSSC) group's Information Security Management System (ISMS).

The OSSC's ISMS has three main programs, which cover information security management, risk management and information security policy. The group also coordinates various certifications, including SAS 70, Sarbanes-Oxley, the PCI Data Security Standard and the Federal Information Security Management Act. The OSSC's ISMS is validated by third parties, which aren't named in the white paper.

The new infrastructure white paper attempts to describe Microsoft's "recipe" for cloud computing, according to Mark Estberg, senior director of risk and compliance for Microsoft Global Foundation Services, in a blog post. Estberg is scheduled to speak with John Howie, senior director of Microsoft's Online Services security and compliance team, on Tuesday at the Cloud Security Alliance Congress in Orlando, Fla., where they will discuss Microsoft's best practices for the cloud.

The white paper admits that organizations may be stuck from adopting cloud computing based on privacy and security concerns. It also states that cloud business models and regulations are generally new and in flux. But it hopes that ISMS will become an overall strategy for both Microsoft's customers and partners to adopt.

Another attempt to explain approaches used for cloud security is the 76-page white paper from the Cloud Security Alliance, titled "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" (PDF). If that weren't enough, ThinkStrategies Inc., a consulting company focusing on the cloud computing and software-as-a-service industry, has issued a position paper today on why the U.S.A. PATRIOT Act, which prescribes limitations on privacy and civil liberty protections guaranteed by the U.S. Constitution, should not constrain companies from using U.S. cloud-based customer relationship management systems.

Assuring cloud security to organizations has been an uphill task. A March survey by the Information Systems Audit and Control Association found that half of 1,800 U.S. IT professionals polled felt that security concerns outweighed the potential benefits of cloud computing.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Pilot Begins of Microsoft Teams-Salesforce CRM Integration

    A new capability that lets Microsoft Teams users access information from the customer relationship management (CRM) platform debuted this week.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Microsoft's Azure Space Program Gets 'Modular' Datacenters

    Microsoft recently unveiled its new Azure Modular Datacenters, boxcar-like structures that can deliver compute and storage capabilities anywhere on earth.