Global Foundation Services Blog

Offering Support to Help Victims of the Japanese Earthquake

GFS1 — Sat, 12 Mar 2011 01:43:48 GMT

By Charlie McNerney, GM, Business Management, GFS

On Friday, March 11th, 2011, a magnitude 8.9 earthquake hit Japan followed by a series of tsunamis, causing widespread damage. In response, Microsoft activated its Disaster Response protocol. We are currently accounting for all our employees and assessing all of our facilities for any impact.

We are saddened by the devastation caused by the earthquake in Japan. We are reaching out to our customers and partners to conduct impact assessments, and we are providing those impacted by the earthquake with free incident support to help get their operations back up and running. There has been no disruption to our cloud based and hosted services, and we continue to monitor the situation closely. Microsoft also has a cloud-based disaster response communications portal running on Windows Azure that is available to governments and nonprofits to use for communication between agencies and with citizens.

More information on Microsoft’s response to the disaster is on our Microsoft Corporate Citizenship website which will be updated with any new developments.
News and Resources:

• Search Bing for the latest quake information
• Get the latest news from MSNBC
• See updated images
• Watch related videos
• Get breaking news on Twitter

//cm

Shedding Light on Our New Cloud Farms

GFS1 — Tue, 04 Jan 2011 15:00:00 GMT

By Kevin Timmons,
General Manager of Datacenter Services

It’s an exciting time for Microsoft’s datacenter program. In addition to operating one of the largest global datacenter footprints in the industry, we have been super busy working on multiple next-generation, modular facilities that are in various phases of construction.

One of our most innovative new datacenters is set to open in Quincy, WA in early 2011 and incorporates key learnings from award-winning facilities that Microsoft opened last year in Chicago and Dublin. The Dublin facility uses server PODs and outside air economization to cool the servers, which significantly reduces cooling expense and infrastructure costs. We took a slightly different approach with our Chicago datacenter which utilizes water-side economization for cooling and improves scalability by using IT Pre-Assembled Components (ITPACs.) An ITPAC is a pre-manufactured, fully-assembled module that can be built with a focus on sustainable materials such as steel and aluminum and can house as little as 400 servers and as many as 2,000 servers, significantly increasing flexibility and scalability. You can learn more about our ITPACs by going to the ITPAC video.

View our Modular Datacenter slide deck

The expansion in Quincy takes these ideas a step further by extending the flexibility of PACs across the entire facility using modular “building blocks” for electrical, mechanical, server and security subsystems. This increase in flexibility enables us to even better support the needs of what can often be a very unpredictable online business and allows us to build datacenters incrementally as capacity grows. Our modular design enables us to build a facility in significantly less time while reducing capital costs by an average of 50 to 60 percent over the lifetime of the project.

When Phase 1 opens in Quincy it will be located adjacent to our existing 500,000-square-foot facility. However, the new datacenter is radically different. The building will actually resemble slightly more modern versions of the tractor sheds I spent so much time around during my childhood in rural Illinois.

Tractor shed in my home town of Mt. Pulaski, IL

The building’s utilitarian appearance belies its many hidden innovations. The structure is virtually transparent to ambient outdoor conditions, allowing us to essentially place our servers and storage outside in the cool air while still protecting it from the elements. The interior layout is specifically designed to allow us to further innovate in the ways that we deploy equipment in future phases of the project. And, like any good barn, the protective shell serves to keep out critters and tumbleweeds. Additional phases have been planned for the Quincy site and will be built based on demand. Those phases will incorporate even more cutting-edge methods to deploy servers and storage in ways that have never been seen before in the industry.

We will open other modular datacenters later in 2011 in Virginia and Iowa and I’ll be sharing more information about those facilities at that time. Our modular approach to design and construction with these facilities will allow us to substantially lower cost per megawatt to build and run our datacenters while significantly reducing time to market. This is the holy grail for most datacenter professionals…. fast, cheap and reliable – what more could you ask for?

We’ve been sharing our research and best practices around modularity with our partners and others in the industry for a number of years and I’m thrilled to see the industry begin moving in this direction. By sharing our learnings, we’ve helped others build more sustainable facilities and reduce our collective carbon footprint.
Stay tuned for more information about our future datacenter projects in 2011.

//Kev

Watt Matters in Energy Efficiency!

GFS1 — Mon, 13 Dec 2010 15:00:00 GMT

By Dileep Bhandarkar, Ph. D.
Distinguished Engineer
Global Foundation Services, Microsoft

I recently had the privilege to deliver a keynote speech titled “Watt Matters in Datacenters” at the Server Design Summit in Santa Clara, CA on December 1, 2010. My keynote focused on energy efficiency in datacenters and the need for holistic optimization of the server hardware and datacenter infrastructure. I have covered this topic in a previous blog but wanted to take this opportunity to discuss some of the work that we have been doing with our industry hardware partners to optimize server design for cloud computing.

As part of our commitment to driving efficiencies in our datacenters, we have been working actively with server OEMs, microprocessor manufacturers, disk drive vendors, memory suppliers and other component suppliers to increase the efficiency of server designs. We share our detailed requirements, develop concept designs, and work with our partners on optimized designs that are then shared out and available to the industry at large. We firmly believe that this strong partnership approach and sharing our best practices is the best way to advance the state of the datacenter industry and meet our cloud computing needs.

I also presented some opportunities that server designers should consider to further optimize for cloud computing including:

Better Alignment with Datacenter Technologies
480V 3 phase power supplies at rack level
In rack UPS instead of current central UPS
Rightsizing of platforms for major workloads
Low Power DIMMs and Processors
Tiny CPU cores – Atom? Bobcat? ARM?
System on a Chip for lower platform power
Dynamic Power Capping
Designs for higher temperature operation
Rack level power and cooling
Enhanced support of virtualization

After the holidays, I will discuss these topics in greater detail in an upcoming white paper. I witnessed a huge amount of interest in what I shared at the Server Design Summit and have made my presentation available here.

Wishing you and yours a very happy holiday season!

- Dileep

Find more information on our datacenter strategies on GFS’ web site at www.globalfoundationservices.com

Microsoft’s Cloud Infrastructure Receives FISMA Approval

GFS1 — Thu, 02 Dec 2010 18:00:00 GMT

By Mark Estberg, Senior Director of Risk and Compliance,
Global Foundation Services

Although cloud computing has emerged as a hot topic only in the past few years, Microsoft has been running some of the largest and most reliable online services in the world for over 16 years. Our cloud infrastructure supports more than 200 cloud services, 1 billion customers, and 20 million businesses in over 76 markets worldwide.

Today, I am pleased to announce that Microsoft’s cloud infrastructure has achieved another milestone in receiving its Federal Information Security Management Act of 2002 (FISMA) Authorization to Operate (ATO). Meeting the requirements of FISMA is an important security requirement for US Federal agencies. The ATO was issued to Microsoft’s Global Foundation Services organization. It covers Microsoft’s cloud infrastructure that provides a trustworthy foundation for the company’s cloud services, including Exchange Online and SharePoint Online, which are currently in the FISMA certification and accreditation process.

This ATO represents the government’s reliance on our security processes and covers Microsoft’s General Support System and follows NIST Special Publication 800-53 Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations.”

Government organizations require specialized compliance and regulatory processes. Operating under FISMA requires transparency and frequent security reporting to our US Federal customers. And we are applying these specialized processes across our infrastructure to even further enhance our Online Services Security & Compliance program. The company has been designing and testing our cloud applications and infrastructure for over a decade to continually address emerging, internationally-recognized standards. We are focused on excelling in demonstrating our capabilities and compliance with these laws and with our stringent internal security and privacy policies. As a result, all our customers can benefit from highly-focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

Microsoft’s Chicago datacenter (a FISMA-approved facility), provides over 17 football fields worth of cloud computing capacity.

The company opened its first datacenter in September 1989 and today its globally-distributed, high-availability datacenters are managed by our Global Foundation Services (GFS) group. GFS’s Online Services Security & Compliance team has built upon the company’s existing capabilities, including being one of the first major online service providers to achieve our ISO/IEC 27001:2005 certification and SAS 70 Type II attestation, which also met the FISMA requirements. We have also gone beyond the ISO standard, which includes some 150 security controls and developed over 300 security controls to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved. The additional rigorous testing and continuous monitoring required by FISMA have already been incorporated into our overall information security program, which is described in several white papers located our Global Foundation Services web site.

More information about FISMA is available at the National Institute of Standards and Technology web site.

Information Security Management System for Microsoft Cloud Infrastructure

GFS1 — Fri, 12 Nov 2010 18:10:00 GMT

By Mark Estberg, Senior Director of Risk and Compliance, Global Foundation Services

I often hear questions that are variations of “How does Microsoft secure its cloud?” and “How does Microsoft manage compliance in the cloud?” The answer is similar to how any enterprise operates a comprehensive security program and is based on our information security program described in a white paper titled “Securing Microsoft's Cloud Infrastructure.” The paper describes a framework that includes risk based decision making, defense in depth and a compliance framework.

How we operate that program is as important as the instructions in a recipe. Ingredients alone – such as 1 egg, ½ teaspoon salt, 1 cup of flour and 2 tablespoons of water – are not enough information to make pasta without additional instructions. For Microsoft’s cloud infrastructure, you can think of the control framework we describe in “Microsoft’s Compliance Framework for Online Services” and security controls that are part of our defense in depth capabilities as “ingredients.” How we operate the program – the Information Security Management System – can be thought of as the “recipe,” or instructions.

The Information Security Management System – the “recipe” – is described in a paper that we are releasing today called “Information Security Management System for Microsoft Cloud Infrastructure.” This paper is another step in our effort to share how Microsoft approaches cloud security and which, I believe will promote the continuation of an important industry discussion on cloud security.

Security Best Practices for Developing Windows Azure Applications

GFS1 — Fri, 11 Jun 2010 16:07:00 GMT

By Mark Estberg, Senior Director of Risk and Compliance, Global Foundation Services

Security challenges exist in the cloud and applications must take these challenges into account.

Our team recently collaborated with other security experts to publish a white paper which describes these challenges and recommend approaches to design and develop more secure applications for Microsoft’s Windows Azure platform. The Windows Azure provides Platform as a Service capabilities that give developers flexibility and access to highly scalable compute and storage.

I would like to thank Microsoft’s Security Engineering Center and Online Services Security and Compliance teams that worked to provide this paper which builds on the security principles that the company has developed through years of experience managing security risks in traditional development and our large scale operating environment.

We hope that by sharing our best practices that we can help others in the industry provide a more secure cloud computing experience and develop common standards for those practices to benefit customers globally.

The paper can be found via this link.

Rightsizing Servers to Achieve Cost and Power Savings

GFS1 — Wed, 16 Dec 2009 19:18:00 GMT

For Production Datacenters - White paper published

This week our team published a new white paper on “Rightsizing Servers to Achieve Cost and Power Savings,” written by Dileep Bhandarkar and Kushagra Vaid, distinguished engineer and principal hardware architect in our Global Foundation Services (GFS) datacenter team. The paper offers best practices on how GFS is lowering its total cost of ownership (of its servers) and achieving power savings for the company’s production datacenters. The paper can be found on GFS’ web site at www.globalfoundationservices.com on the Infrastructure page here and is discussed in Dileep’s blog post under the same title. More information is posted on Microsoft’s Environmental Sustainability blog post.

Today more than ever, IT departments need to make sure that the servers they deploy are as efficient as possible in terms of acquisition cost and energy consumption. This paper describes how GFS, the team that manages and operates the company’s vast production datacenters, rightsizes its servers to achieve maximum efficiency. The paper details the processes used for collecting detailed performance data using representative workloads, and then analyzing that dataset to select balanced servers that are optimally sized for “production scenarios”. By sharing these best practices, Microsoft hopes to help other industry IT departments stretch their purchasing budgets significantly to help achieve organizational goals even in times of constraint.

/gfs

Continuing to Share Best Practices on Security and Privacy for the Cloud

GFS1 — Mon, 16 Nov 2009 18:04:00 GMT

By Mark Estberg, Senior Director of Risk and Compliance,

Global Foundation Services

Microsoft has released several papers over the last couple of months on how we secure the cloud infrastructure, manage online service security, and how we developed and manage our compliance framework. Together, these papers describe some of the factors that are necessary to deliver a trustworthy cloud environment. Recently, another paper was released describing how we address potential security vulnerabilities during the development of “client and cloud” applications by using a methodical Security Development Lifecycle (SDL) process. This paper provides insight both in how Microsoft applies SDL to services that we offer in the cloud as well as guidance on how these same concepts can be applied by anyone developing their own cloud applications on platforms, including Windows Azure. This paper called “Security Considerations for Client and Cloud Applications” is available at http://www.microsoft.com/sdl.

Additionally, the paper illustrates how services at the Software as a Service (SaaS) and Platform as a Service (PaaS) cloud layers rely on capabilities at the Infrastructure as a Service layer (IaaS). The two other papers, “Securing Microsoft's Cloud Infrastructure” and “Microsoft’s Compliance Framework for Online Services,” go into more detail about security at the IaaS layer and how this extends up the stack to SaaS and PaaS. These papers are available at www.globalfoundationservices.com/security.

Microsoft will continue to release papers revealing our online, live and cloud security best practices in an effort to provide insight into the key learnings we are gaining from providing online services to customers 24x7x365 since 1994. We hope such sharing will help to advance an industry dialogue that will benefit the entire cloud ecosystem and our customers.

Introducing the Microsoft Compliance Framework for Online Services

GFS1 — Mon, 26 Oct 2009 05:00:00 GMT

By Mark Estberg, Senior Director of Risk and Compliance,

Global Foundation Services

Sometimes it can seem like half the battle of securing online services involves satisfying audits and otherwise demonstrating that you are complying with industry and government regulations. Just like any online service provider, Microsoft is subject to a large number of regulations, statutes and industry requirements. Our service delivery and operations teams found themselves spending increasing amounts of time responding to a variety of audits that often asked for the same types of information repeatedly over the course of a year. In addition, compliance obligations are increasing and becoming more complex as Microsoft moves into new markets and businesses and also as regulations and industry standards change.

We are often asked how we have built and then operate our framework, so today we are releasing a white paper to share our approach. The white paper includes our approach, processes, and reference tables.

To put our approach to this problem in context, it’s important to have some background about Microsoft’s online environment. My group is part of the Global Foundation Services (GFS) division within Microsoft. GFS provides the cloud infrastructure for over 200 Microsoft services ranging from familiar consumer-oriented services such as Windows Live Hotmail and Bing to business-oriented services such as Microsoft Dynamics CRM Online and Microsoft Business Productivity Online Standard Suite from Microsoft Online Services. This environment also includes the Windows Azure platform which is used to host online services built by third parties.

We developed a compliance framework for online services to better manage our obligations in this large environment and to minimize the impact to our operations teams. The compliance framework is a set of processes and documentation that we put together that are based on the ISO 27001 security standard. We use this framework to manage a large variety of obligations which include the Payment Card Industry Data Security Standard, Sarbanes-Oxley requirements and obligations imposed by the Health Insurance Portability and Accountability Act. These are in addition to our own business and customer driven security requirements.

There are two major components of the framework. The first is a control set (often referred to as a controls framework) that maps our obligations to a single set of controls rather than independent requirements. The second component is the compliance process and predictable audit schedule that minimize disruptions to our teams and reduce the number and impact of audits. This framework results in third party validation and certifications which allow us to clearly communicate our capabilities to our customers. For example, Global Foundation Services is ISO 27001 certified and we also have Statement of Auditing Standard 70 Type I and Type II attestations. This structure is represented in the following illustration:

How we manage our processes is critical to the success of our compliance program. We have based our compliance framework processes on the “Plan, Do, Check, Act” steps found in ISO 27001. We execute this process on a regular rhythm and also when our environment changes.

Microsoft’s compliance framework for online services provides confidence that we are meeting our obligations, minimizes audit disruption to our teams and allows us to communicate our capabilities through third party verification. A standard does not exist for cloud security and this is a challenge for all online service providers and customers. We are sharing our approach to contribute to an industry dialogue. Our hope is that by sharing best practices with industry counterparts we can improve together and customers can benefit.

This white paper is one of a series that introduces the OSSC team’s strategic approach to cloud security. For more about how OSSC manages security risks to the cloud infrastructure, read the Securing Microsoft’s Cloud Infrastructure white paper.

Microsoft Celebrates Chicago Data Center Grand Opening

GFS1 — Wed, 30 Sep 2009 16:59:00 GMT

Microsoft’s cloud computing infrastructure takes another big step forward this week with the grand opening of our Chicago data center. At more than 700,000 square feet, this facility significantly expands our ability to meet the demand generated from our Live, Online, and Cloud Computing services offerings for our customers. To find out more read today's posting on our Microsoft Data Centers blog.

Dublin Data Center Celebrates Grand Opening

GFS1 — Fri, 25 Sep 2009 01:10:00 GMT

This is a big week for Microsoft’s online, live, and cloud services as we celebrate the grand opening of our new data center in Dublin, Ireland. The Dublin facility delivers two key advances for Microsoft’s Software plus Services initiatives. One is expanded support for all our customers in the Europe, Middle East, and Africa region, thanks to Microsoft’s first mega data center built outside of the U.S. The other is dramatically improved environmental sustainability, resulting from innovative technology that takes advantage of the naturally cool climate in Ireland. To find out more read today's posting on our Microsoft Data Centers blog.

Microsoft Brings Two More Mega Data Centers Online in July

GFS1 — Mon, 29 Jun 2009 19:22:00 GMT

July marks the launch of our two newest mega data centers in Chicago and Dublin. Our Dublin facility will go live on July 1, followed by our Chicago facility on July 20 to support our growing Online, Live, and Cloud services. Together these Generation 3 facilities demonstrate Microsoft’s continuing commitment to improving data center efficiency with a focus on environmental sustainability. To find out more read today's posting on our Microsoft Data Centers blog.

Microsoft’s Infrastructure Services Team Welcomes Kevin Timmons

GFS1 — Mon, 22 Jun 2009 20:02:00 GMT

Building an organization around exceptional leaders with the deepest industry expertise is core to how we evolve our organization. Read today's posting on our Microsoft Data Centers blog about Kevin Timmons joining Global Foundation Services to head up our Data Center Services organization. Kevin brings a wealth of knowledge and passion in this space, most recently serving as vice president of Operations at Yahoo!, where he led the build-out of their data centers and infrastructure.

Response to Question about SAS 70 Objectives

GFS1 — Wed, 17 Jun 2009 02:45:00 GMT

By Pete Boden, GM, Online Services Security & Compliance, Global Foundation Services

Following our posting further below we received a question about what the objectives were for our SAS 70 certification. Here's our response:

The Global Foundation Services (GFS)-managed online operating environment is required to meet a number of government-mandated and industry security requirements, many of which require a periodic review to validate that compliance is being maintained. These are in addition to our business requirements. The GFS Online Services Security and Compliance team operates a comprehensive security program and control framework that is evaluated regularly by external parties. The ISO standard is the foundation of our program. While the ISO/IEC 27001:2005 certification standard includes about 150 security controls for our scope, we have increased our security controls to 291 at this point. The reason we’ve done this is to account for the uniqueness of the cloud infrastructure and risk management. In addition, the security program and capabilities are subject to a SAS 70 Type II review. The ISO certification and SAS 70 Type II attestation demonstrate Microsoft’s commitment to delivering a trustworthy cloud computing infrastructure.

Securing Microsoft’s Cloud Infrastructure: Part 2

GFS1 — Mon, 08 Jun 2009 19:10:00 GMT

By Pete Boden, GM, Online Services Security & Compliance, Global Foundation Services

The release last week of our white paper on Securing Microsoft’s Cloud Infrastructure has generated a lot of discussion in the industry, which was our intent. We wrote the paper in part to communicate our practices to customers concerned about security in the cloud environment and to generate a healthy dialogue within the industry in order to share best practices for creating more secure cloud-based services.

Many people who responded to last week’s release wanted to know more about Microsoft’s history in online services and security. Our background in these areas goes back further than many people might think. Microsoft built its first data center in 1989, four years before launching its first Web sites. Microsoft.com and MSN (Beta) went public in 1994, followed by the acquisition of Hotmail in 1997.

After successfully responding to a number of security issues at the time, in 2002 the company formed the Trustworthy Computing initiative, with Bill Gates committing Microsoft to fundamentally changing our security strategy in key areas.

Microsoft understands that success in the online services business depends on its ability to safeguard customers’ data and to maintain the availability of its services. Accordingly, Microsoft designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and comply with laws and with internal security and privacy policies. As a result, Microsoft’s customers benefit from highly focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

“Ongoing” is a particularly important part of the equation, as the information technology industry faces the following evolving challenges related to online service delivery:

• Emerging cloud business models create a growing interdependence amongst public and private sector entities and the people they serve: Such organizations and their customers will become more interdependent on each other through use of the cloud. With these new dependencies come mutual expectations that platform services and hosted applications need to be secure and available. Microsoft provides a trustworthy infrastructure—a base upon which public and private sector entities and their partners can build a trustworthy experience for their users. Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes.

• Acceleration of adoption of cloud services, including the continuing evolution of technologies and business models, creates a dynamic hosting environment, which is of itself a security challenge: Keeping pace with growth and anticipating future needs is essential to running an effective security program. The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft’s Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software. The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud. Through the online services Information Security Program, Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur.

• Attempts to infiltrate or disrupt online service offerings grow increasingly sophisticated as more commerce and business occurs in this venue: While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information. Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape.

• Complex compliance requirements must be addressed as new and existing services are delivered globally: Regulatory, statutory, and industry compliance is a highly complex area because worldwide each country can and does pass its own laws that can govern the provision and use of online environments. Microsoft must be able to comply with a myriad of regulatory obligations because it has data centers in a number of countries and offers online services to a global customer base. In addition, many industries impose their own requirements. Microsoft has implemented a compliance framework (described in our white paper) whereby it manages various compliance obligations under a single program.

To stay ahead of all these challenges, Microsoft focuses on three key areas to provide a trustworthy cloud:

• Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business

• Maintaining and updating a detailed set of security controls that mitigate risk

• Operating a compliance framework that ensures controls are designed appropriately and are operating effectively

Microsoft’s Information Security Program defines the compliance framework and how our security team operates. The program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005.

The framework that enabled Microsoft to earn the ISO 27001:2005 accreditation and SAS Type I and Type II attestations for our cloud infrastructure also sets the stage for product and service delivery teams to more efficiently obtain additional certifications and attestations as appropriate. Microsoft’s independently certified programs help to demonstrate the continued relevance of these programs to the evolution of challenges and opportunities in the online services marketplace.

If you’d like to know more, please read our security white paper. We’re proud of the innovations we’ve made in the areas of security, privacy, reliability, and business practices. And we’ll continue innovating as we respond to the evolving challenges of cloud computing. While our advancements are competitive advantages to Microsoft’s online service offerings, we hope they will help others make the cloud a safer and more reliable place that public and private organizations and individual consumers can trust.

Securing Microsoft’s Cloud Infrastructure

GFS1 — Wed, 27 May 2009 19:24:00 GMT

By Charlie McNerney, GM, Business & Risk Management, Global Foundation Services

When we talk with business customers about what they expect from cloud computing, two main themes emerge. On the one hand, technology business decision makers are enticed by the idea that purchasing services from a cloud environment could allow them to save money and focus on their core business, especially in the current economic climate. At the same time, certain themes have emerged as potential barriers to rapid adoption of cloud services.

At the top the list are concerns about security, privacy, reliability, and operational control. Microsoft recognizes that business decision makers have many questions about these issues and want to know how Microsoft is addressing them in our cloud computing environment.

The white paper we’re releasing today describes how our coordinated and strategic application of people, processes, technologies, and experience with consumer and enterprise security has resulted in continuous improvements to the security practices and policies of the Microsoft cloud infrastructure. The Online Services Security and Compliance (OSSC) team within the Global Foundation Services division that supports Microsoft’s infrastructure for online services builds on the same security principles and processes the company has developed through years of experience managing security risks in traditional software development and operating environments. Independent, third-party validation of OSSC’s approach includes Microsoft’s cloud infrastructure achieving both SAS 70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. We are proud to be one of the first major online service providers to achieve ISO 27001 certification for our infrastructure. We have also gone beyond the ISO standard, which includes some 150 security controls. We have developed 291 security controls to date to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved.

The amount of time and money we put into managing these resources, and the innovations we’ve developed in the security space, are in one sense a competitive advantage. But Microsoft feels that sharing security best practices is also important to help the industry improve together for the benefit of customers and to promote a safer and more secure environment for cloud services. Whether you’re a business decision maker evaluating various cloud options, a consumer, or a cloud provider, we invite you to read our white paper. We’re proud of the processes we’ve developed to add security, privacy, reliability, and operational control to the reasons companies choose Microsoft’s offerings, and we hope this information will help others make the cloud a safer and more reliable environment that companies can trust for their operations.

Here again is a link to our white paper: Securing Microsoft’s Cloud Infrastructure

Please also read this new white paper focused on Security in Microsoft's Business Productivity Online Suite

To read the second installment of this posting addressing questions we've received since releasing our white paper, see the Securing Microsoft’s Cloud Infrastructure, Part 2 blog post