By Pete Boden, GM, Online Services Security & Compliance, Global Foundation Services
The release last week of our white paper on Securing Microsoft’s Cloud Infrastructure has generated a lot of discussion in the industry, which was our intent. We wrote the paper in part to communicate our practices to customers concerned about security in the cloud environment and to generate a healthy dialogue within the industry in order to share best practices for creating more secure cloud-based services.
Many people who responded to last week’s release wanted to know more about Microsoft’s history in online services and security. Our background in these areas goes back further than many people might think. Microsoft built its first data center in 1989, four years before launching its first Web sites. Microsoft.com and MSN (Beta) went public in 1994, followed by the acquisition of Hotmail in 1997.
After successfully responding to a number of security issues at the time, in 2002 the company formed the Trustworthy Computing initiative, with Bill Gates committing Microsoft to fundamentally changing our security strategy in key areas.
Microsoft understands that success in the online services business depends on its ability to safeguard customers’ data and to maintain the availability of its services. Accordingly, Microsoft designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and comply with laws and with internal security and privacy policies. As a result, Microsoft’s customers benefit from highly focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.
“Ongoing” is a particularly important part of the equation, as the information technology industry faces the following evolving challenges related to online service delivery:
• Emerging cloud business models create a growing interdependence amongst public and private sector entities and the people they serve: Such organizations and their customers will become more interdependent on each other through use of the cloud. With these new dependencies come mutual expectations that platform services and hosted applications need to be secure and available. Microsoft provides a trustworthy infrastructure—a base upon which public and private sector entities and their partners can build a trustworthy experience for their users. Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes.
• Acceleration of adoption of cloud services, including the continuing evolution of technologies and business models, creates a dynamic hosting environment, which is of itself a security challenge: Keeping pace with growth and anticipating future needs is essential to running an effective security program. The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft’s Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software. The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud. Through the online services Information Security Program, Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur.
• Attempts to infiltrate or disrupt online service offerings grow increasingly sophisticated as more commerce and business occurs in this venue: While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information. Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape.
• Complex compliance requirements must be addressed as new and existing services are delivered globally: Regulatory, statutory, and industry compliance is a highly complex area because worldwide each country can and does pass its own laws that can govern the provision and use of online environments. Microsoft must be able to comply with a myriad of regulatory obligations because it has data centers in a number of countries and offers online services to a global customer base. In addition, many industries impose their own requirements. Microsoft has implemented a compliance framework (described in our white paper) whereby it manages various compliance obligations under a single program.
To stay ahead of all these challenges, Microsoft focuses on three key areas to provide a trustworthy cloud:
• Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
• Maintaining and updating a detailed set of security controls that mitigate risk
• Operating a compliance framework that ensures controls are designed appropriately and are operating effectively
Microsoft’s Information Security Program defines the compliance framework and how our security team operates. The program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005.
The framework that enabled Microsoft to earn the ISO 27001:2005 accreditation and SAS Type I and Type II attestations for our cloud infrastructure also sets the stage for product and service delivery teams to more efficiently obtain additional certifications and attestations as appropriate. Microsoft’s independently certified programs help to demonstrate the continued relevance of these programs to the evolution of challenges and opportunities in the online services marketplace.