By Mark Estberg, Senior Director of Risk and Compliance, Global Foundation Services
Sometimes it can seem like half the battle of securing online services is satisfying audits and otherwise demonstrating that you comply with industry and government regulations. Like any online service provider, Microsoft is subject to a large number of regulations, statutes, and industry requirements. Our service delivery and operations teams found themselves spending increasing amounts of time responding to a variety of audits that often asked for the same types of information over and over during the course of a year. In addition, our compliance obligations are growing and becoming more complex as Microsoft moves into new markets and businesses, and as regulations and industry standards change.
We are often asked how we have built and then operate our framework, so today we are releasing a white paper to share our approach. The white paper includes our approach, processes, and reference tables.
To put our approach to this problem in context, it’s important to have some background about Microsoft’s online environment. My group is part of the Global Foundation Services (GFS) division within Microsoft. GFS provides the cloud infrastructure for over 200 Microsoft services ranging from familiar consumer-oriented services such as Windows Live Hotmail and Bing to business-oriented services such as Microsoft Dynamics CRM Online and Microsoft Business Productivity Online Standard Suite from Microsoft Online Services. This environment also includes the Windows Azure platform which is used to host online services built by third parties.
We developed a compliance framework for online services to better manage our obligations in this large environment and to minimize the impact on our operations teams. The compliance framework is a set of processes and documentation, based on the ISO 27001 security standard, that we use to manage a wide variety of obligations, including the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley requirements, and obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA). These are in addition to our own business- and customer-driven security requirements.
There are two major components of the framework. The first is a control set (often referred to as a controls framework) that maps our obligations onto a single set of controls rather than treating each requirement independently, so one control and its evidence can satisfy several obligations at once. The second component is the compliance process and predictable audit schedule, which minimize disruption to our teams and reduce the number and impact of audits. This framework results in third-party validation and certifications that allow us to clearly communicate our capabilities to our customers. For example, Global Foundation Services is ISO 27001 certified, and we also have Statement on Auditing Standards 70 (SAS 70) Type I and Type II attestations. This structure is represented in the following illustration:
How we manage our processes is critical to the success of our compliance program. We have based our compliance framework processes on the "Plan, Do, Check, Act" cycle found in ISO 27001. We execute this cycle on a regular cadence and also whenever our environment changes.
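The two ideas above, a single control set that many obligations map onto and a "Check" step that tests each control once and derives every obligation's status from that one round of evidence, can be shown with a small model. The following is an added example written for this page, not Microsoft's code or any part of the white paper; the obligation names follow the post, but the requirement identifiers, control identifiers and control descriptions are constructed placeholders, not real clauses of PCI DSS, SOX or HIPAA.

```python
"""Toy controls framework: many obligations, one shared control set.

Added illustration, not Microsoft GFS code. All requirement ids, control ids
and descriptions below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample: obligation -> requirement id -> unified control ids it maps onto.
OBLIGATIONS = {
    "PCI DSS":  {"PCI-REQ-A": ["AC-01", "LOG-01"], "PCI-REQ-B": ["CRYPTO-01"]},
    "SOX":      {"SOX-REQ-A": ["AC-01", "CHG-01"]},
    "HIPAA":    {"HIPAA-REQ-A": ["AC-01", "CRYPTO-01"], "HIPAA-REQ-B": ["LOG-01"]},
    "Internal": {"INT-REQ-A": ["CHG-01"], "INT-REQ-B": ["BCP-01"]},
}

# The single control set every obligation is expressed against (constructed).
CONTROLS = {
    "AC-01":     "Production access requires approved, periodically reviewed accounts",
    "LOG-01":    "Security-relevant events are logged and retained",
    "CRYPTO-01": "Sensitive data is encrypted in transit and at rest",
    "CHG-01":    "Production changes follow a reviewed change process",
    "BCP-01":    "Business continuity plan is exercised annually",
}


def obligations_per_control(obligations):
    """Invert the mapping: control id -> set of obligations that rely on it."""
    inverted = defaultdict(set)
    for obligation, requirements in obligations.items():
        for control_ids in requirements.values():
            for control_id in control_ids:
                inverted[control_id].add(obligation)
    return dict(inverted)


def shared_controls(obligations, minimum=2):
    """Controls relied on by at least `minimum` obligations.

    Testing one of these once yields evidence reusable across that many audits,
    which is the reuse the single control set is meant to deliver.
    """
    per_control = obligations_per_control(obligations)
    return sorted(c for c, obs in per_control.items() if len(obs) >= minimum)


def unknown_controls(obligations, controls):
    """Requirement mappings pointing at a control id the control set does not define.

    Each hit is an obligation that would be silently unassessed; this is the
    integrity check to run whenever the mapping or the control set changes.
    """
    missing = []
    for obligation, requirements in obligations.items():
        for req_id, control_ids in requirements.items():
            for control_id in control_ids:
                if control_id not in controls:
                    missing.append((obligation, req_id, control_id))
    return missing


def assess(obligations, results):
    """The "Check" step: one round of control tests -> status per obligation.

    `results` maps control id -> True if the control test passed. A control with
    no recorded result is treated as failing rather than assumed to pass.
    Returns obligation -> (compliant?, sorted list of failing control ids).
    """
    status = {}
    for obligation, requirements in obligations.items():
        failing = sorted({c for control_ids in requirements.values()
                          for c in control_ids if not results.get(c, False)})
        status[obligation] = (not failing, failing)
    return status


if __name__ == "__main__":
    # Constructed test results for one assessment cycle.
    results = {"AC-01": True, "LOG-01": True, "CRYPTO-01": False,
               "CHG-01": True, "BCP-01": True}
    print("Controls reused by 2+ obligations:", shared_controls(OBLIGATIONS))
    print("Unmapped control references:", unknown_controls(OBLIGATIONS, CONTROLS))
    for obligation, (ok, failing) in assess(OBLIGATIONS, results).items():
        print(f"{obligation:9} {'PASS' if ok else 'FAIL'} {failing}")
```

Note that a single failed control test ("CRYPTO-01" in the sample results) surfaces in every obligation that depends on it, which is exactly why one consolidated test cycle can answer several audits at once instead of each audit re-collecting the same evidence.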
Microsoft’s compliance framework for online services gives us confidence that we are meeting our obligations, minimizes audit disruption to our teams, and allows us to communicate our capabilities through third-party verification. No standard yet exists for cloud security, and this is a challenge for all online service providers and their customers. We are sharing our approach to contribute to an industry dialogue. Our hope is that by sharing best practices with industry counterparts we can improve together and customers can benefit.
This white paper is one of a series that introduces the OSSC team’s strategic approach to cloud security. For more about how OSSC manages security risks to the cloud infrastructure, read the Securing Microsoft’s Cloud Infrastructure white paper.