In the previous blog post- Microsoft Cloud Computing Environment, I covered what is the Microsoft’s Cloud Computing environment and which team manages it. This post expands the security aspect of the environment a bit further.

To address customer concerns on security, privacy, reliability, and operational controls, the Global Foundation Services (GFS) and BPOS teams have provided the following resources:

White Paper: Securing Microsoft’s Cloud Infrastructure

This white paper describes how Microsoft protects customer data and business operations through a comprehensive Information Security Program and a mature methodology for policy and compliance management, frequent internal and external evaluation of practices and capabilities, and robust security controls across all service layers.

These processes and mechanisms are how Microsoft complies with industry standards and sustains regulatory compliance with all applicable laws, directives, statutes, and regulations while delivering services online to a global customer base

As a result of the Information Security Program, Microsoft is able to obtain key certifications such as International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) and Statement of Auditing Standard (SAS) 70 Type I and Type II attestations, and to more efficiently pass regular audits from independent third parties.

It’s an interesting paper and I would recommend anyone who has or is planning to have some part of the operations/applications in Microsoft Cloud Computing environment to read it.

Online Services Security and Compliance (OSSC) Team

The OSSC team within GFS is responsible for the Microsoft cloud infrastructure Information Security Program, including policies and programs used to manage online security risks. The mission of OSSC is to enable trustworthy online services that create a competitive advantage for Microsoft and its customers. Placing this function at the cloud infrastructure layer allows all Microsoft cloud services to take advantage of economies of scale and reduced complexity through use of shared security solutions. Having this standard approach also enables each of the Microsoft service teams to focus on the unique security needs of their customers.

Information Security Program

Microsoft’s online Information Security Program defines how OSSC operates. The Information Security Program organizes security requirements into three top-level domains: Administrative, Technical, and Physical.

The criteria in these domains represent the basis from which risk is managed. Starting with the safeguards and controls identified in the domains and their subcategories, the Information Security Program follows the ISO/IEC27001:2005 framework of “Plan, Do, Check, Act.”