A Pragmatic Approach to Security in the Cloud

The pressure to do more with less is familiar to most, if not all, CIOs. Successful CIOs have to quickly master the skill of understanding and managing both change and the associated risks, with a degree of pragmatism to achieve progress and results.
But even for a profession that lives with constant change, cloud computing stands out as a once-in-a-generation opportunity, and there’s huge appetite for the agility, efficiency and savings that it promises to bring. There is also, quite rightly, a healthy realism about the associated risks, and an equally strong desire to understand how cloud changes the parameters of risk. As you might expect, this is an area that frequently comes up in my conversations with our customers across all sectors and geographies.
Bruce Schneier once said, “Security is a process, not a product.” I think that phrase captures the essence of the change in approach Microsoft took in early 2002 when we introduced the Trustworthy Computing initiative. The key to creating an effective security program is having a culture that is aware of and highly values security. As a core corporate value, Microsoft is committed to continually improving in four key areas: security, privacy, reliability, and business practices.
Bill Gates’ email to customers in July 2002 explained how always-on broadband connections to the Internet had changed the risk model for the PC, and how Microsoft had to respond by changing our software development processes, and retraining developers so that our software was “Secure by Default,” “Secure by Design” and “Secure in Deployment.” We referred to this as “SD3+C”, where the “C” was for communication, because we also recognized that open communication and transparency were crucial to building trust.
Microsoft has since built from that base, and Windows 7 and Office 2010 are the most secure versions we’ve ever released.
That same period has seen the incredible growth of the Web, and the associated growth in online services. Microsoft began offering online services 17 years ago with Microsoft.com in 1994 and MSN in 1995, so we have learned a great deal about what it takes to provide online services globally and at scale. The organization inside Microsoft that operates our global datacenters is called Global Foundation Services (GFS), and as you would expect, security is at the foundation of how they design, manage and operate our infrastructure. Microsoft provides a trustworthy cloud infrastructure through focus on three areas:
  1. Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
  2. Maintaining and updating a detailed set of security controls that mitigate risk
  3. Operating a compliance framework that ensures controls are designed appropriately and are operating effectively
GFS operates a comprehensive Control Framework and a predictable audit schedule. The Control Framework has three central elements: a business continuity program, a risk management program, and an audit program.
As there is no global standard for security of cloud services or security of cloud infrastructure, GFS’s approach is based on the widely used and understood ISO27001 and ISO27002 information security management standards. Microsoft added an additional 141 controls to the initial 150 in ISO27001. These arise from the unique challenges of cloud infrastructure and are based on our experience of mitigating the risks that arise in this environment.
All this gives Microsoft a high level of confidence that we are meeting our security obligations and will be able to do so in the future. Third-party verification and transparency help us to communicate that clearly to customers. GFS is accredited to the Statement on Auditing Standards No. 70 (SAS 70) Type I (report on controls placed in operation) and Type II (report on controls placed in operation and tests of operating effectiveness). These are widely recognized auditing standards, and a “SAS 70 Audit” represents that a service organization has been through an in-depth audit of its control objectives and control activities.
GFS also shares much of what it does to help foster an industry dialogue on cloud security, as well as on the sustainability and energy efficiency of cloud datacenters.
On June 28, 2011, Microsoft launched Office 365 in 20 languages and 40 countries. We also announced the Online Services Trust Center, where we detail a set of commitments and resources related to the security of our cloud services. I’ll list the commitments here because I think they go to the very heart of the issue on many CIOs’ minds.
  1. Data Use Limits: We use your data only to provide the services you want.
  2. Administrative Access: We enable you to find out whether someone has accessed your non-public data.
  3. Geographic Boundaries: We will share information about data location.
  4. Security, Audits, and Certifications: We obtain third party audits and certifications so you can trust our services are designed and operated with stringent safeguards.
  5. Regulatory Compliance: We are committed to transparency to help you comply with your regulatory needs.
I hope this illustrates three key points:
  1. Microsoft understands that success in the rapidly changing business of online services is dependent upon the security and privacy of customers’ data and the availability and resilience of the services we offer.
  2. Microsoft diligently designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and compliance with laws and with internal security and privacy policies.
  3. This means Microsoft’s customers benefit from more focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.
I’d like to leave you with one important request, which is to please get involved in the legal discussions that are happening in your country related to the cloud and data sovereignty. Your voice will help your government and standards bodies understand public and private sector organizations’ wants and needs when it comes to the cloud. Microsoft is engaged in this dialogue regularly in countries all over the world, but ours is only one voice. A strong alliance between business and government will help ensure that these discussions, and the decisions made as a result, improve the chances for everyone to benefit from the cloud.