How Microsoft Secures its Cloud-Scale Data Centers and Infrastructure

Mark Estberg, Senior Director, Online Services Security & Compliance

Microsoft is committed to giving customers the information they need to have confidence in us as a cloud provider. Today, we continue to share our best practices and key learnings to be as open and transparent as possible, and contribute to industry and community efforts to increase trust in the cloud. While there is complexity in the cloud and in some of the security techniques necessary to protect cloud services, explanations should be clear. To provide insight into some of those complexities, I am pleased to announce the release of a new series of our Security and Compliance videos, whitepapers, and a strategy brief that describe our approaches to this customer priority.

Cloud Security Challenges 

The growing interdependence of public and private services; increasingly complex global regulations and industry standards; a dynamic and expanding hosting environment operating at massive scale; and the continuous and growing sophistication of threats all require that cloud infrastructure environments (data centers, networks and related operations functions) employ robust policies, technologies, and processes to protect sensitive information and meet compliance needs locally, regionally, and globally. All cloud customers and providers face these challenges, and Microsoft has been addressing them for more than 24 years.

Confidence that the cloud is capable of reaching its potential is building as more companies and organizations move to the cloud every day. Some of the progress to make the cloud more secure and trustworthy was discussed at this week's RSA Conference, and Scott Charney, Microsoft's corporate vice president for Trustworthy Computing, delivered a keynote on this topic called "The Case for Optimism."

The interdependencies of the internet reflect the need for the online community to work closely together to deliver a trustworthy ecosystem. A recent example from Microsoft is an announcement we made on February 26, 2013 offering a service to help country-code top-level domain (ccTLD) registry operators find and fix security vulnerabilities before they are exploited. The Microsoft Country-Code Top Level Domain (ccTLD) Registry Security Assessment Service is based on what we have learned operating and protecting our own online environment. It is available to the ccTLD registry operator community at no charge.

In addition to working with the global online community, Microsoft operates a comprehensive security and compliance program for our own cloud-scale environment that delivers over 200 cloud and online services for more than 1 billion customers, 20 million businesses and 76 markets worldwide.  At cloud-scale, the complexities we face in managing security, privacy and compliance issues are significant. We must develop and maintain a level of trust that ensures our customers, partners and the online community can depend on our security, privacy, and reliability capabilities.

Microsoft's cloud services can be viewed through a traditional service model lens, with offerings at the Infrastructure, Platform, and Software as a Service layers.  Global Foundation Services (GFS) is the Microsoft organization that provides the infrastructure upon which these services operate, which includes data centers, networking, operations, and security and compliance functions. The security and compliance aspects of GFS are managed by our Online Services Security and Compliance team. 

Microsoft's Information Security Management System

Although the cloud can be abstract, our security policies and practices are not.  They are based on industry best practices and years of experience from across the company.  We apply that knowledge to our cloud security and compliance program.  The basis of that program is our Information Security Management System.  We use it to run a risk-based information security program that takes into account business requirements as well as industry standards and regulations, producing certifications and attestations that are verified by independent assessors and auditors.  


The challenges of operating at cloud-scale also require us to maintain a comprehensive defense-in-depth set of security controls.  Applying controls at multiple layers involves employing protection mechanisms, developing risk mitigation strategies, and responding effectively to attacks when they occur. Using a variety of security measures, which are applied based on the sensitivity of the protected asset, results in improved capacity to prevent breaches or to lessen the impact of a security incident. We apply a mix of hard-won experience and innovative approaches to our program.  This combination is what allows us to achieve security and compliance capabilities at the infrastructure layer which Microsoft's cloud and online services and, most importantly, our customers can rely upon.  

Microsoft's Infrastructure Compliance Capabilities 

One of the challenges posed by the cloud is the need of cloud consumers to rely on the capabilities of cloud providers. The cloud and online services that Microsoft offers are delivered around the world. Those services are required to meet many government- and industry-mandated security requirements as well as the expectations of our customers. Microsoft operates a comprehensive compliance program to demonstrate that we meet these expectations. We also maintain a set of certifications, attestations and compliance capabilities that are validated by third-party auditors. The results of these third-party audits are shared with our customers and are an important element in establishing trust and reliance on Microsoft's cloud services.

I am excited about the progress the industry and our team are making to address the evolving challenges of operating and protecting cloud services. The benefits and risks of moving to the cloud are clear.  Microsoft will continue to address these risks and provide the information our customers need to manage them and to have confidence in Microsoft as a cloud provider.  More information about our Online Services Security and Compliance program, as well as suggestions of factors to take into consideration when considering moving to the cloud, is available on our Security and Compliance page on this web site. 

We will continue to post more information throughout the year, including updates to our cloud and online community involvement to increase the dialogue and sharing of best practices within our industry. 
