Securing Microsoft’s Cloud Infrastructure

By Charlie McNerney, GM, Business & Risk Management, Global Foundation Services

When we talk with business customers about what they expect from cloud computing, two main themes emerge. On the one hand, technology business decision makers are enticed by the idea that purchasing services from a cloud environment could allow them to save money and focus on their core business, especially in the current economic climate. At the same time, certain themes have emerged as potential barriers to rapid adoption of cloud services.

At the top the list are concerns about security, privacy, reliability, and operational control. Microsoft recognizes that business decision makers have many questions about these issues and want to know how Microsoft is addressing them in our cloud computing environment.

The white paper we’re releasing today describes how our coordinated and strategic application of people, processes, technologies, and experience with consumer and enterprise security has resulted in continuous improvements to the security practices and policies of the Microsoft cloud infrastructure. The Online Services Security and Compliance (OSSC) team within the Global Foundation Services division that supports Microsoft’s infrastructure for online services builds on the same security principles and processes the company has developed through years of experience managing security risks in traditional software development and operating environments. Independent, third-party validation of OSSC’s approach includes Microsoft’s cloud infrastructure achieving both SAS 70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. We are proud to be one of the first major online service providers to achieve ISO 27001 certification for our infrastructure. We have also gone beyond the ISO standard, which includes some 150 security controls. We have developed 291 security controls to date to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved.

The amount of time and money we put into managing these resources, and the innovations we’ve developed in the security space, are in one sense a competitive advantage. But Microsoft feels that sharing security best practices is also important to help the industry improve together for the benefit of customers and to promote a safer and more secure environment for cloud services.Whether you’re a business decision maker evaluating various cloud options, a consumer, or a cloud provider, we invite you to read our white paper. We’re proud of the processes we’ve developed to add security, privacy, reliability, and operational control to the reasons companies choose Microsoft’s offerings, and we hope this information will help others make the cloud a safer and more reliable environment that companies can trust for their operations.

Here again is a link to our white paper: Securing Microsoft’s Cloud Infrastructure

Please also read this new white paper focused on Security in Microsoft's Business Productivity Online Suite

To read the second installment of this posting addressing questions we've received since releasing our white paper, see the Securing Microsoft’s Cloud Infrastructure, Part 2 blog post