By Mark Estberg, Senior Director of Risk and Compliance,
Global Foundation Services
Microsoft has released several papers over the last couple of months on how we secure the cloud infrastructure, manage online service security, and how we developed and manage our compliance framework. Together, these papers describe some of the factors that are necessary to deliver a trustworthy cloud environment. Recently, another paper was released describing how we address potential security vulnerabilities during the development of “client and cloud” applications by using a methodical Security Development Lifecycle (SDL) process. This paper provides insight both in how Microsoft applies SDL to services that we offer in the cloud as well as guidance on how these same concepts can be applied by anyone developing their own cloud applications on platforms, including Windows Azure. This paper called “Security Considerations for Client and Cloud Applications” is available at http://www.microsoft.com/sdl.
Additionally, the paper illustrates how services at the Software as a Service (SaaS) and Platform as a Service (PaaS) cloud layers rely on capabilities at the Infrastructure as a Service layer (IaaS). The two other papers, “Securing Microsoft's Cloud Infrastructure” and “Microsoft’s Compliance Framework for Online Services,” go into more detail about security at the IaaS layer and how this extends up the stack to SaaS and PaaS. These papers are available at www.globalfoundationservices.com/security.
Microsoft will continue to release papers revealing our online, live and cloud security best practices in an effort to provide insight into the key learnings we are gaining from providing online services to customers 24x7x365 since 1994. We hope such sharing will help to advance an industry dialogue that will benefit the entire cloud ecosystem and our customers.