Information Security Management System for Microsoft Cloud Infrastructure

By Mark Estberg, Senior Director of Risk and Compliance, Global Foundation Services


I often hear questions that are variations of “How does Microsoft secure its cloud?” and “How does Microsoft manage compliance in the cloud?”  The answer is similar to how any enterprise operates a comprehensive security program and is based on our information security program described in a white paper titled “Securing Microsoft's Cloud Infrastructure.”  The paper describes a framework that includes risk based decision making, defense in depth and a compliance framework.

How we operate that program is as important as the instructions in a recipe.  Ingredients alone – such as 1 egg, ½ teaspoon salt, 1 cup of flour and 2 tablespoons of water – are not enough information to make pasta without additional instructions.  For Microsoft’s cloud infrastructure, you can think of the control framework we describe in “Microsoft’s Compliance Framework for Online Services” and security controls that are part of our defense in depth capabilities as “ingredients.”  How we operate the program – the Information Security Management System – can be thought of as the “recipe,” or instructions. 

The Information Security Management System – the “recipe” – is described in a paper that we are releasing today called “Information Security Management System for Microsoft Cloud Infrastructure.”   This paper is another step in our effort to share how Microsoft approaches cloud security and which, I believe will promote the continuation of an important industry discussion on cloud security.

Comments (1)
  1. Darwin Larrison says:

    That document is a really good step in the right direction.  SOX is a big deal for us and companies worked hard to setup policies, processes, procedures (with documentation/evidence!) to get in line with all these new compliance requirements.  It took us about four to five years to get everying squared away and automated, auditable, so I will say this is a major consideration when looking at the cloud, thus, I really like these documents!  Good work.  (Now, I just have to re-read or study them further!)

Comments are closed.

Skip to main content