Cloud Security with Windows Azure and Microsoft Global Foundation Services

With the RSA conference occurring this week and cloud computing being such a high interest topic, the two worlds of cloud and security are receiving increased visibility in the trade press. The Cloud Security Alliance, which Microsoft is part of, also held their Cloud Security Alliance Summit this week, with it being co-located with RSA. I included a brief mention of the Summit earlier in my blog post about Vivek Kundra’s (CIO for the Whitehouse) participation in it discussing the “Federal Cloud Computing Strategy” paper.

I wanted to take a few minutes to share some of the information and a video available from Microsoft that discusses securing cloud environments, whether that is the public Windows Azure cloud or the Microsoft Global Foundation Services cloud offerings which hosts SaaS applications like SharePoint Online and Exchange Online.

If your company or you are considering creating and deploying cloud applications on Windows Azure, I’d recommend reviewing the Windows Azure Security Overview at this location. It covers the identity and access management model, the physical security features, as well as information on Microsoft operations personnel. The paper is intended for Technical Decision Makers considering the Windows Azure platform, as well as for developers looking to create applications to run on the environment.

The other area I wanted to touch on is Microsoft Global Foundation Services (GFS) which host cloud SaaS applications such as SharePoint Online and Exchange Online. There was exciting news back in December when the Microsoft cloud infrastructure received its Federal Information Security Management Act of 2002 (FISMA) Authorization to Operate (ATO). In the blog announcing this it states:

Meeting the requirements of FISMA is an important security requirement for US Federal agencies. The ATO was issued to Microsoft’s Global Foundation Services organization. It covers Microsoft’s cloud infrastructure that provides a trustworthy foundation for the company’s cloud services, including Exchange Online and SharePoint Online, which are currently in the FISMA certification and accreditation process.

There’s a good whitepaper titled “Information Security Management System for Microsoft Cloud Infrastructure” located here which covers online security and compliance of the GPS cloud infrastructure. This paper covers three key programs:

- Information Security Management Forum – A structured series of management meetings in specific categories for managing the ongoing operations of securing the cloud infrastructure.

- Risk Management Program – A sequence of processes for identifying, assessing, and treating information security risks and for enabling informed risk management decisions.

- Information Security Policy Program – A structure process for reviewing information security policy and for making changes when deemed necessary.

Finally, I found this brief video with Pete Boden, GM Online Services Security & Compliance at Microsoft, which discusses cloud computing and security. He talks about the need to shift the way that threats and risks are analyzed, as well as using standards and third parties to evaluate Microsoft’s security in our cloud datacenters. Check out the video for more information on securing and protecting your cloud computing assets here, I’ve also embedded it here for easy viewing:

Security is a critical factor when considering any IT decision, especially one that moves data out of on-site datacenters. Customers want a trusted company with proven security procedures and processes in place - Microsoft is committed to delivering on these needs for customers.

I hope you find the information useful. If you have any questions or feedback, please let me know in the comments section. If you’re looking for more information on what Microsoft has to offer businesses, check out the Cloud Power site here.

Thanks for your time - larry