Posted by: Bobby Jimenez, Chief Technology Officer, Sindicatum Sustainable Resources
A year ago my company, Sindicatum Sustainable Resources, decided to move to the cloud with Office 365. Having done two years’ worth of homework, including meeting various cloud vendors, I decided that Office 365 was the right solution.
Now, 18 months down the line, the aim of this article is to report back on my experience as a customer as it relates to the way Microsoft treats security and privacy with Office 365. One of the most common generalisations/assumptions about cloud technology is that cloud is less secure than traditional IT infrastructure setups and that your data isn't safe in the cloud.
I have written more than a few articles on this blog focused on why it is important to provide visibility into how cloud services are being operated by cloud providers, particularly where security controls are concerned. Security of cloud services is top of mind for customers looking to realize the benefits of cloud computing. When cloud providers offer their customers insight into the security controls used to manage their cloud services, customers are able to evaluate whether those services meet compliance requirements they are subject to, and standards and best practices that are important to their organization.
Microsoft’s Global Foundation Services (GFS) organization delivers the global infrastructure and network for over 200 consumer and enterprise cloud services. The security, privacy and reliability expectations of the customers served by these services must be met in order to develop the level of trust necessary to support a global shift to online and cloud computing. Each of Microsoft’s online and cloud services focuses on its own customer requirements, and GFS must meet the obligations that come from all of the more than 200 services, because they all reside in the GFS infrastructure. While many of the capabilities must be provided at the service layer, every service has at least some level of dependency on the cloud infrastructure built, managed, and secured by GFS.
This results in a broad set of requirements that must be met and represented by GFS. These requirements stem from regulatory and statutory sources (e.g., European Union Model Clauses; United States health care requirements, including HIPAA and HITECH; the United States Federal Information Security Management Act), industry sources (e.g., the Payment Card Industry Data Security Standard), self-selected standards (e.g., ISO 27001, SOC 1, SOC 2), as well as risk-based security expectations captured in our policy and business decisions.
I was at the Cloud Asia event in Singapore recently. One of the sessions was led by an exec from Changi Airport in which he likened internet security to airport security. Jetlag and the passing of time make me hazy on the finer points of what he said, but it was a good presentation.
It made me think that the airport analogy kind of works for Microsoft. As airport users, we are unaware of many of the security precautions in place. But a few – bag scans, pat downs, patrolling police officers etc. – are very obvious.
At Microsoft, many of the users of our products are unaware of much of what we do to secure our customers’ data and give them a secure and private online experience. Take the Security Development Lifecycle (SDL), a secure development process applied by product groups at Microsoft in an effort to reduce the number and severity of vulnerabilities. Most people do not know it exists, and yet it has been there in the background since 2004, helping to secure our products and services every day.
As you might expect, governments are at the vanguard of most things security related. Entrusted to act in the public’s name and for the public interest, governmental agencies need to be sure that the technology they use for essential functions is secure and trustworthy. As part of this, the U.S. government has FISMA, a certification validating that a given IT solution has federal agency approval for use based on its level of security.
If you have been following our Trustworthy Computing Cloud Fundamentals Video Series you have probably seen at least two videos where we discuss the importance of transparency in cloud security controls. In addition, we have shared how the Cloud Security Alliance’s (CSA) Security Trust and Assurance Registry (STAR) can help provide that transparency to cloud providers and cloud consumers. If you haven’t seen these videos or would like a refresher, you can watch them here:
- Evaluating Different Cloud Service Offerings by Comparing Security Controls
- Windows Azure & the CSA STAR
As you can see from these video interviews, both Office 365 and Windows Azure have self-assessments published in the CSA’s STAR. This was an important step in demonstrating our commitment to transparency for our cloud customers. As of late last week, we are pleased to share that Microsoft Dynamics CRM has also published a self-assessment in the CSA’s STAR.