Whenever I do a talk on “the cloud” or any of the products from Microsoft that involve (or revolve around) it, I always ask the folks in attendance, “What is your biggest concern about ‘the cloud’?” And without a single exception in the dozens of times I’ve done it, the first word I hear is “Security”. So today in part 9 of my “Cloudy April” series I thought I’d point out a few good resources from Microsoft and others around the aspects and aspirations of security in this new world of cloud computing.
“Can’t I just go to http://www.microsoft.com/security?”
Sure… that’s obvious. But that site really is geared more toward the end user (or “consumer” in Microsoft-speak).
“What about http://www.technet.com/security?”
Yeah… that’s better. The Security TechCenter on Microsoft TechNet is a great starting point for IT Professional and business information infrastructure topics relating to security. In fact, on any given day you’ll find more and more new resources and videos and screencasts, among which will undoubtedly be an increasing number of cloud-related topics.
Among those, I highly recommend the Security Talk Series. Graham Calladine has a multi-part Windows Azure Platform Security Essentials video series that looks really good.
Another good resource is the set of whitepapers that come out now and then regarding various aspects of security in the cloud as provided by Microsoft. A really good in-depth look at the security mechanisms built into Windows Azure is the Windows Azure Security Overview. And more recently, the Information Security Management System for Microsoft Cloud Infrastructure document discusses cloud security from the perspective of security certifications and compliance.
Here are more resources (also found at the end of the previous document):
- Microsoft Global Foundation Services, home page: http://www.globalfoundationservices.com
- Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc
- The Microsoft Security Development Lifecycle (SDL): http://www.microsoft.com/security/sdl/
- Microsoft Security Response Center: http://www.microsoft.com/security/msrc
- International Organization for Standardization: http://www.iso.org
- The ISO 27001:2005 certificate for the Global Foundation Services group at Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft
- The Microsoft SDL Threat Modeling Tool: http://msdn.microsoft.com/en-us/security/dd206731.aspx
- Microsoft Online Services: http://www.microsoft.com/online
And like many of you I’m a big fan of the RunAs Radio podcast. Not too long ago two episodes had some great information about Windows Azure and about Cloud Security in general.
And in RunAs show number 202, Steve Riley (former ‘softie, talented speaker, and overall network security guru currently with Riverbed Technology) discussed security topics, and had one particularly interesting take on how we should start thinking about Security in this new world of the cloud:
“…it’s all about changing the definition of control. If you used to define your control based on possession and location, you’re going to have to change that now and instead you define your control by relying on encryption, digital signatures, Service Level Agreements, and security standards. The world has already done this for pipes, right? Nobody owns the internet. Very few people deploy their own WAN links. We just buy connectivity from the Telcos and we use SSL on top of it. You can apply the same thinking to compute and storage as well. I believe you don’t have to own the infrastructure, you can let somebody else manage it but you can still own and control the data.”
I like that. It’s not about walls and locks on your datacenter. It’s more about encryption, SLAs, and security standards.
What do you think? Can we trust “the cloud” with our business data?
Tune in tomorrow for Part 10, when we talk about IE 9.