Information Security Management System for Microsoft Cloud Infrastructure

By Mark Estberg, Senior Director of Risk and Compliance, Global Foundation Services


I often hear questions that are variations of “How does Microsoft secure its cloud?” and “How does Microsoft manage compliance in the cloud?” The answer is similar to how any enterprise operates a comprehensive security program and is based on our information security program described in a white paper titled “Securing Microsoft's Cloud Infrastructure.” The paper describes a framework that includes risk based decision making, defense in depth and a compliance framework.

How we operate that program is as important as the instructions in a recipe. Ingredients alone – such as 1 egg, ½ teaspoon salt, 1 cup of flour and 2 tablespoons of water – are not enough information to make pasta without additional instructions. For Microsoft’s cloud infrastructure, you can think of the control framework we describe in “Microsoft’s Compliance Framework for Online Services” and security controls that are part of our defense in depth capabilities as “ingredients.” How we operate the program – the Information Security Management System – can be thought of as the “recipe,” or instructions.

The Information Security Management System – the “recipe” – is described in a paper that we are releasing today called “Information Security Management System for Microsoft Cloud Infrastructure.” This paper is another step in our effort to share how Microsoft approaches cloud security and which, I believe will promote the continuation of an important industry discussion on cloud security.