Mark Estberg, Senior Director
Online Services Security & Compliance
Compliance is a popular and often debated cloud services topic. I see this firsthand in my role as a senior director in Microsoft's Global Foundation Services (GFS) Online Services Security and Compliance organization. GFS manages Microsoft's cloud infrastructure. The Online Services Security and Compliance team provides infrastructure security, compliance and reliability capabilities to Microsoft's 200+ cloud and online services. My responsibilities include compliance with regulations and industry standards, audit management, infrastructure security and business continuity management. My team works directly with Microsoft product teams, auditors, standards bodies and, most importantly, the companies and organizations that rely on Microsoft's cloud services to meet their security and compliance needs. This blog post describes some of the challenges of cloud services compliance, how Microsoft is meeting today's compliance needs, and how we are participating in efforts to address these challenges.
The topic of cloud compliance is complex. Regulations, expectations and methods have struggled to keep pace with technology and business model innovations. One particular challenge is that the industry must meet the compliance expectations of cloud services with methods that were not designed for the cloud. For example, prior to June 2011, Statement on Auditing Standards No. 70 (SAS 70) reports were issued for cloud service providers. These reports were originally designed by the American Institute of Certified Public Accountants (AICPA) for auditors to report on a service organization's controls as they relate to its customers' financial statements, not on security. While imperfect, it was one of the best mechanisms available at the time for cloud providers to communicate security capabilities. In 2011 the AICPA replaced the SAS 70 model with Service Organization Control (SOC) reports, which are designed to better accommodate cloud services.
Compliance frameworks also struggle to keep up with technology innovations. Virtual systems that are the cornerstone of the cloud are a challenge for compliance frameworks that were developed in a world of relatively static environments, single-image servers and hardware-based firewalls. Compliance frameworks must allow for innovation and account for new security techniques that are released faster than today's frameworks can be revised.
Cloud customers, cloud service providers and regulators must work together to determine the solutions that best meet the needs of stakeholders:
- Enterprise and public sector cloud customers must be able to achieve their compliance obligations while using cloud services
- Individuals using the cloud have an expectation that their personal information will be protected and used appropriately
- Cloud service providers must have clear mechanisms to evaluate and communicate capabilities
- Regulators and industry governing bodies need to have confidence that their requirements are met and verified
Microsoft's cloud infrastructure team, GFS, is in a unique position to participate in the discussion because of our experience operating the infrastructure for Microsoft's 200+ cloud and online services. GFS must meet the wide variety of security and compliance needs of these services at an enormous scale. Examples of services with compliance requirements include HealthVault, which is subject to healthcare laws; Microsoft's credit card processing systems, which are subject to industry standards; and Office 365 and Windows Azure, which are subject to security standards set by government agencies as well as the expectations of the world's top enterprises. Each of these services has dependencies on the infrastructure provided by GFS. Many years of meeting these requirements has given us a detailed understanding of the strengths and challenges of the different compliance frameworks and models.
The GFS compliance program represents the overall security capabilities provided by Microsoft's cloud infrastructure, which are described in this recent blog entry. The GFS compliance program maintains the audit and attestation capabilities that best meet the needs of our customers. We select comprehensive standards such as ISO/IEC 27001:2005 and NIST Special Publication 800-53 Revision 3, which provide broad and thorough coverage. Our compliance framework and audit program are based on an approach that maps a wide variety of obligations to a single set of control activities, so that one control, operated and audited once, satisfies several obligations at the same time. This combination allows us to effectively meet rigorous standards and provides coverage that often extends to other compliance needs. GFS certifications, attestations and compliance capabilities include the following:
- ISO/IEC 27001:2005 Certification - Microsoft's cloud infrastructure information security management system follows the ISO/IEC 27001:2005 standard. This risk-based information security management program follows a plan-do-check-act process and is viewed by many as an industry standard for information security programs. GFS first received ISO/IEC 27001:2005 certification in 2008.
- SOC 1 (SSAE 16/ISAE 3402) and SOC 2 and 3 (AT 101) - GFS first received a SAS 70 report (the predecessor to SOC reports) in 2008 and was an early adopter of SOC 1, SOC 2 and SOC 3 reports in 2011. In 2012, Microsoft became one of the first in the industry to successfully complete a SOC 2 Type II and SOC 3 audit. SOC 2 is a new attestation report for service organizations that evaluates controls against rigorous criteria for security, availability, processing integrity, confidentiality and privacy. GFS also obtained a SOC 3 report (found here), which summarizes the SOC 2 audit.
- HIPAA/HITECH - The U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act include provisions to protect patients' private health information. While there is no widely accepted certification for these requirements, Microsoft's cloud infrastructure maintains a program to ensure we meet our obligations.
- PCI Data Security Standard Certification - Microsoft's cloud infrastructure is used by the online services at Microsoft that process credit card information. We have certified our infrastructure as a PCI DSS Level 1 Service Provider since 2008.
- FISMA Certification and Accreditation - The Federal Information Security Management Act of 2002 (FISMA) describes the security requirements that US federal agencies expect to be in place for the protection of information and information systems. GFS operates a General Support System in accordance with NIST Special Publication 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations." Our first Authorization to Operate (ATO) was granted in 2010.
- Various state, federal and international privacy laws (Directive 95/46/EC, also known as the EU Data Protection Directive; California SB 1386; etc.) - By developing and maintaining a comprehensive compliance program that is audited by third parties, GFS is able to map a variety of other obligations to existing capabilities. For example, we have mapped the European Union Article 29 Working Party Model Clauses to our program. This allows us to clearly understand the set of capabilities we have in place to meet these requirements and to efficiently operate the necessary controls.
Microsoft is able to rely on these certifications, attestations and compliance capabilities to communicate our security capabilities to our customers and partners. In practice, the evaluation methods and communication mechanisms remain imperfect and inefficient for cloud service providers, cloud service customers and regulators. Evaluation methods have not kept pace with cloud business models, technology and regulations. Additionally, the methods used to communicate the results of audits and attestations often lack sufficient detail and do not allow cloud customers to rely on them directly for their own compliance obligations. Microsoft believes that the best solutions will come from active participation by all stakeholders, and we participate in a variety of forums that bring these stakeholders together. These include formal working groups developing revisions of existing standards, industry associations that facilitate interactions between stakeholders, and many detailed conversations with our customers.
I am optimistic about our collective ability to meet the demands of all stakeholders to build and implement solutions that remove unnecessary roadblocks to cloud computing while maintaining a strong basis to verify trust in the cloud ecosystem. I encourage those who want to learn more about cloud compliance to take part in the dialogue that is occurring to shape the future of cloud compliance. In addition to becoming a member of one of the many industry groups, opportunities include participating in industry group working committees, providing feedback to standards and joining local chapters. Thank you to all those who have participated in these efforts. They are a great way to connect with an enthusiastic community and all stakeholders will benefit from more contributors.