Rightsizing Servers to Achieve Cost and Power Savings
16 December 09 11:18 AM | GFS | 0 Comments   

For Production Datacenters - White paper published  

 

This week our team published a new white paper on “Rightsizing Servers to Achieve Cost and Power Savings,” written by Dileep Bhandarkar and Kushagra Vaid, distinguished engineer and principal hardware architect in our Global Foundation Services (GFS) datacenter team. The paper offers best practices on how GFS is lowering its total cost of ownership (of its servers) and achieving power savings for the company’s production datacenters. The paper can be found on GFS’ web site at www.globalfoundationservices.com on the Infrastructure page here and is discussed in Dileep’s blog post under the same title. More information is posted on Microsoft’s Environmental Sustainability blog post.

 

Today more than ever, IT departments need to make sure that the servers they deploy are as efficient as possible in terms of acquisition cost and energy consumption. This paper describes how GFS, the team that manages and operates the company’s vast production datacenters, rightsizes its servers to achieve maximum efficiency. The paper details the processes used for collecting detailed performance data using representative workloads, and then analyzing that dataset to select balanced servers that are optimally sized for “production scenarios”.  By sharing these best practices, Microsoft hopes to help other industry IT departments stretch their purchasing budgets significantly to help achieve organizational goals even in times of constraint.

 

/gfs

Continuing to Share Best Practices on Security and Privacy for the Cloud
16 November 09 10:04 AM | GFS | 0 Comments   

 

By Mark Estberg, Senior Director of Risk and Compliance,

Global Foundation Services 

 

Microsoft has released several papers over the last couple of months on how we secure the cloud infrastructure, manage online service security, and how we developed and manage our compliance framework. Together, these papers describe some of the factors that are necessary to deliver a trustworthy cloud environment.  Recently, another paper was released describing how we address potential security vulnerabilities during the development of “client and cloud” applications by using a methodical Security Development Lifecycle (SDL) process.  This paper provides both insight into how Microsoft applies SDL to services that we offer in the cloud and guidance on how these same concepts can be applied by anyone developing their own cloud applications on platforms, including Windows Azure.  This paper, called “Security Considerations for Client and Cloud Applications,” is available at http://www.microsoft.com/sdl.

 

 Additionally, the paper illustrates how services at the Software as a Service (SaaS) and Platform as a Service (PaaS) cloud layers rely on capabilities at the Infrastructure as a Service layer (IaaS).  The two other papers, “Securing Microsoft's Cloud Infrastructure” and “Microsoft’s Compliance Framework for Online Services,” go into more detail about security at the IaaS layer and how this extends up the stack to SaaS and PaaS.  These papers are available at www.globalfoundationservices.com/security.

 

Microsoft will continue to release papers revealing our online, live and cloud security best practices in an effort to provide insight into the key learnings we are gaining from providing online services to customers 24x7x365 since 1994. We hope such sharing will help to advance an industry dialogue that will benefit the entire cloud ecosystem and our customers. 

Introducing the Microsoft Compliance Framework for Online Services
25 October 09 10:00 PM | GFS | (Comments Off)   

 

By Mark Estberg, Senior Director of Risk and Compliance,

Global Foundation Services 

 

Sometimes it can seem like half the battle of securing online services involves satisfying audits and otherwise demonstrating that you are complying with industry and government regulations.  Just like any online service provider, Microsoft is subject to a large number of regulations, statutes and industry requirements.  Our service delivery and operations teams found themselves spending increasing amounts of time responding to a variety of audits that often asked for the same types of information repeatedly over the course of a year.  In addition, compliance obligations are increasing and becoming more complex as Microsoft moves into new markets and businesses and also as regulations and industry standards change.

[Figure: Industry Standards and Regulations]

We are often asked how we have built and then operate our framework, so today we are releasing a white paper to share our approach.  The white paper includes our approach, processes, and reference tables.  

 

To put our approach to this problem in context, it’s important to have some background about Microsoft’s online environment. My group is part of the Global Foundation Services (GFS) division within Microsoft.  GFS provides the cloud infrastructure for over 200 Microsoft services ranging from familiar consumer-oriented services such as Windows Live Hotmail and Bing to business-oriented services such as Microsoft Dynamics CRM Online and Microsoft Business Productivity Online Standard Suite from Microsoft Online Services. This environment also includes the Windows Azure platform which is used to host online services built by third parties. 

 

We developed a compliance framework for online services to better manage our obligations in this large environment and to minimize the impact to our operations teams.  The compliance framework is a set of processes and documentation that we put together that are based on the ISO 27001 security standard.  We use this framework to manage a large variety of obligations which include the Payment Card Industry Data Security Standard, Sarbanes-Oxley requirements and obligations imposed by the Health Insurance Portability and Accountability Act.  These are in addition to our own business and customer driven security requirements. 

 

There are two major components of the framework.  The first is a control set (often referred to as a controls framework) that maps our obligations to a single set of controls rather than independent requirements.  The second component is the compliance process and predictable audit schedule that minimize disruptions to our teams and reduce the number and impact of audits.  This framework results in third party validation and certifications which allow us to clearly communicate our capabilities to our customers.  For example, Global Foundation Services is ISO 27001 certified and we also have Statement of Auditing Standard 70 Type I and Type II attestations.  This structure is represented in the following illustration:

 

[Illustration: Framework Methodology]

How we manage our processes is critical to the success of our compliance program.  We have based our compliance framework processes on the “Plan, Do, Check, Act” steps found in ISO 27001.  We execute this process on a regular rhythm and also when our environment changes. 

 

Microsoft’s compliance framework for online services provides confidence that we are meeting our obligations, minimizes audit disruption to our teams and allows us to communicate our capabilities through third party verification.  A standard does not exist for cloud security and this is a challenge for all online service providers and customers.  We are sharing our approach to contribute to an industry dialogue.  Our hope is that by sharing best practices with industry counterparts we can improve together and customers can benefit. 

 

This white paper is one of a series that introduces the OSSC team’s strategic approach to cloud security. For more about how OSSC manages security risks to the cloud infrastructure, read the Securing Microsoft’s Cloud Infrastructure white paper.

 

 

 

Microsoft Celebrates Chicago Data Center Grand Opening
30 September 09 06:59 AM | GFS | 0 Comments   
Microsoft’s cloud computing infrastructure takes another big step forward this week with the grand opening of our Chicago data center. At more than 700,000 square feet, this facility significantly expands our ability to meet the demand generated from our Live, Online, and Cloud Computing services offerings for our customers. To find out more read today's posting on our Microsoft Data Centers blog.
Dublin Data Center Celebrates Grand Opening
24 September 09 03:10 PM | GFS | 0 Comments   
This is a big week for Microsoft’s online, live, and cloud services as we celebrate the grand opening of our new data center in Dublin, Ireland. The Dublin facility delivers two key advances for Microsoft’s Software plus Services initiatives. One is expanded support for all our customers in the Europe, Middle East, and Africa region, thanks to Microsoft’s first mega data center built outside of the U.S.  The other is dramatically improved environmental sustainability, resulting from innovative technology that takes advantage of the naturally cool climate in Ireland. To find out more read today's posting on our Microsoft Data Centers blog.
Microsoft Brings Two More Mega Data Centers Online in July
29 June 09 09:22 AM | GFS | 0 Comments   

July marks the launch of our two newest mega data centers in Chicago and Dublin. Our Dublin facility will go live on July 1, followed by our Chicago facility on July 20 to support our growing Online, Live, and Cloud services. Together these Generation 3 facilities demonstrate Microsoft’s continuing commitment to improving data center efficiency with a focus on environmental sustainability. To find out more read today's posting on our Microsoft Data Centers blog.

Microsoft’s Infrastructure Services Team Welcomes Kevin Timmons
22 June 09 10:02 AM | GFS | 0 Comments   
Building an organization around exceptional leaders with the deepest industry expertise is core to how we evolve our organization. Read today's posting on our Microsoft Data Centers blog about Kevin Timmons joining Global Foundation Services to head up our Data Center Services organization. Kevin brings a wealth of knowledge and passion in this space, most recently serving as vice president of Operations at Yahoo!, where he led the build-out of their data centers and infrastructure.
Response to Question about SAS 70 Objectives
16 June 09 04:45 PM | GFS | 0 Comments   

By Pete Boden, GM, Online Services Security & Compliance, Global Foundation Services 

Following our posting further below we received a question about what the objectives were for our SAS 70 certification. Here's our response:

The Global Foundation Services (GFS)-managed online operating environment is required to meet a number of government-mandated and industry security requirements, many of which require a periodic review to validate that compliance is being maintained. These are in addition to our business requirements.  The GFS Online Services Security and Compliance team operates a comprehensive security program and control framework that is evaluated regularly by external parties.  The ISO standard is the foundation of our program. While the ISO/IEC 27001:2005 certification standard includes about 150 security controls for our scope, we have increased our security controls to 291 at this point. The reason we’ve done this is to account for the uniqueness of the cloud infrastructure and risk management. In addition, the security program and capabilities are subject to a SAS 70 Type II review.  The ISO certification and SAS 70 Type II attestation demonstrate Microsoft’s commitment to delivering a trustworthy cloud computing infrastructure.

Securing Microsoft’s Cloud Infrastructure: Part 2
08 June 09 09:10 AM | GFS | 0 Comments   

By Pete Boden, GM, Online Services Security & Compliance, Global Foundation Services 

 

The release last week of our white paper on Securing Microsoft’s Cloud Infrastructure has generated a lot of discussion in the industry, which was our intent. We wrote the paper in part to communicate our practices to customers concerned about security in the cloud environment and to generate a healthy dialogue within the industry in order to share best practices for creating more secure cloud-based services.

 

Many people who responded to last week’s release wanted to know more about Microsoft’s history in online services and security. Our background in these areas goes back further than many people might think. Microsoft built its first data center in 1989, four years before launching its first Web sites. Microsoft.com and MSN (Beta) went public in 1994, followed by the acquisition of Hotmail in 1997.

 

After successfully responding to a number of security issues at the time, in 2002 the company formed the Trustworthy Computing initiative, with Bill Gates committing Microsoft to fundamentally changing our security strategy in key areas. 

 

Microsoft understands that success in the online services business depends on its ability to safeguard customers’ data and to maintain the availability of its services.  Accordingly, Microsoft designs and tests applications and infrastructure to internationally recognized standards in order to demonstrate these capabilities and comply with laws and with internal security and privacy policies.  As a result, Microsoft’s customers benefit from highly focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.

 

“Ongoing” is a particularly important part of the equation, as the information technology industry faces the following evolving challenges related to online service delivery:

       Emerging cloud business models create a growing interdependence amongst public and private sector entities and the people they serve: Such organizations and their customers will become more interdependent on each other through use of the cloud.  With these new dependencies come mutual expectations that platform services and hosted applications need to be secure and available.  Microsoft provides a trustworthy infrastructure—a base upon which public and private sector entities and their partners can build a trustworthy experience for their users.  Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes.

       Acceleration of adoption of cloud services, including the continuing evolution of technologies and business models, creates a dynamic hosting environment, which is of itself a security challenge: Keeping pace with growth and anticipating future needs is essential to running an effective security program.  The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft’s Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software.  The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud.  Through the online services Information Security Program, Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur.

       Attempts to infiltrate or disrupt online service offerings grow increasingly sophisticated as more commerce and business occurs in this venue: While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information.  Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape. 

       Complex compliance requirements must be addressed as new and existing services are delivered globally: Regulatory, statutory, and industry compliance is a highly complex area because worldwide each country can and does pass its own laws that can govern the provision and use of online environments.  Microsoft must be able to comply with a myriad of regulatory obligations because it has data centers in a number of countries and offers online services to a global customer base.  In addition, many industries impose their own requirements.  Microsoft has implemented a compliance framework (described in our white paper) whereby it manages various compliance obligations under a single program.

 

To stay ahead of all these challenges, Microsoft focuses on three key areas to provide a trustworthy cloud:

       Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business

       Maintaining and updating a detailed set of security controls that mitigate risk

       Operating a compliance framework that ensures controls are designed appropriately and are operating effectively

 

Microsoft’s Information Security Program defines the compliance framework and how our security team operates.  The program has been independently certified by British Standards Institute (BSI) Management Systems America as being compliant with ISO/IEC 27001:2005.

 

The framework that enabled Microsoft to earn the ISO 27001:2005 accreditation and SAS Type I and Type II attestations for our cloud infrastructure also sets the stage for product and service delivery teams to more efficiently obtain additional certifications and attestations as appropriate. Microsoft’s independently certified programs help to demonstrate the continued relevance of these programs to the evolution of challenges and opportunities in the online services marketplace. 

 

If you’d like to know more, please read our security white paper.  We’re proud of the innovations we’ve made in the areas of security, privacy, reliability, and business practices.  And we’ll continue innovating as we respond to the evolving challenges of cloud computing.  While our advancements are competitive advantages to Microsoft’s online service offerings, we hope they will help others make the cloud a safer and more reliable place that public and private organizations and individual consumers can trust. 
Securing Microsoft’s Cloud Infrastructure
27 May 09 09:24 AM | GFS | 2 Comments   

By Charlie McNerney, GM, Business & Risk Management, Global Foundation Services

 

When we talk with business customers about what they expect from cloud computing, two main themes emerge. On the one hand, technology business decision makers are enticed by the idea that purchasing services from a cloud environment could allow them to save money and focus on their core business, especially in the current economic climate.  At the same time, certain themes have emerged as potential barriers to rapid adoption of cloud services.

 

At the top of the list are concerns about security, privacy, reliability, and operational control.  Microsoft recognizes that business decision makers have many questions about these issues and want to know how Microsoft is addressing them in our cloud computing environment.

 

The white paper we’re releasing today describes how our coordinated and strategic application of people, processes, technologies, and experience with consumer and enterprise security has resulted in continuous improvements to the security practices and policies of the Microsoft cloud infrastructure.  The Online Services Security and Compliance (OSSC) team within the Global Foundation Services division that supports Microsoft’s infrastructure for online services builds on the same security principles and processes the company has developed through years of experience managing security risks in traditional software development and operating environments. Independent, third-party validation of OSSC’s approach includes Microsoft’s cloud infrastructure achieving both SAS 70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. We are proud to be one of the first major online service providers to achieve ISO 27001 certification for our infrastructure. We have also gone beyond the ISO standard, which includes some 150 security controls. We have developed 291 security controls to date to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved.

 

The amount of time and money we put into managing these resources, and the innovations we’ve developed in the security space, are in one sense a competitive advantage.  But Microsoft feels that sharing security best practices is also important to help the industry improve together for the benefit of customers and to promote a safer and more secure environment for cloud services. Whether you’re a business decision maker evaluating various cloud options, a consumer, or a cloud provider, we invite you to read our white paper. We’re proud of the processes we’ve developed to add security, privacy, reliability, and operational control to the reasons companies choose Microsoft’s offerings, and we hope this information will help others make the cloud a safer and more reliable environment that companies can trust for their operations.

Here again is a link to our white paper: Securing Microsoft’s Cloud Infrastructure

Please also read this new white paper focused on Security in Microsoft's Business Productivity Online Suite

To read the second installment of this posting, addressing questions we've received since releasing our white paper, see the Securing Microsoft’s Cloud Infrastructure, Part 2 blog post.
