Harmonizing Cloud Security Requirements to Enable Cloud Adoption

Posted by Mark Estberg, Senior Director, Online Services Security and Compliance, on the Trustworthy Computing Blog:

Microsoft’s Global Foundation Services (GFS) organization delivers the global infrastructure and network for over 200 consumer and enterprise cloud services. The security, privacy and reliability expectations of the customers served by these services must be met in order to develop the level of trust necessary to support a global shift to online and cloud computing. Each of Microsoft’s online and cloud services focuses on its respective customer requirements, and GFS must meet the obligations that come from all of the more than 200 services because they all reside in the GFS infrastructure. While many of the capabilities must be provided at the service layer, all services have at least some level of dependency on the cloud infrastructure built, managed, and secured by GFS.

This results in a broad set of requirements that must be met and represented by GFS. These requirements stem from regulatory and statutory sources (e.g., European Union Model Clauses, United States health care requirements including HIPAA and HITECH, the United States Federal Information Security Management Act, etc.), industry sources (e.g., the Payment Card Industry Data Security Standard, etc.), self-selected standards (e.g., ISO 27001, SOC 1, SOC 2, etc.), as well as risk-based security expectations captured in our policy and business decisions.

In GFS, we maintain an extensive compliance program and corresponding control framework. This approach allows us to have a clear understanding of the control activities that GFS must operate, the reason behind each control activity (i.e., the specific clause from an audit such as SOC 2 or the specific element of security policy that drives the need to perform the control activity) as well as a number of other metadata mappings that allow us to effectively and efficiently manage our program. Our compliance program also includes both self-reviews performed by Microsoft teams and third-party reviews of our overall Information Security Management System and performance against our control framework. The third parties that conduct the regular audits of our GFS environment provide a scalable mechanism for Microsoft to communicate the capabilities of our online and cloud infrastructure to our customers and partners. 

This model is extended to our online services, allowing for trusted third parties to examine relevant service elements and provide in-depth reviews of targeted services such as Office 365 and Windows Azure. The independent assessments are logically stacked upon one another to reflect dependencies and are shared with our customers and partners. This allows our customers and partners to examine, in detail, the capabilities relevant to their services from the data center all the way to the service they use.

The approach Microsoft takes to managing our compliance program and control framework is necessary to meet the complex and changing requirements associated with operating online and cloud services. It also provides visibility into the overlapping and sometimes antiquated and conflicting requirements that must be met to operate and use a cloud service. Overlapping, antiquated and conflicting requirements are driving a level of inefficiency and confusion that must be addressed in order for the cloud to meet its potential and become a driver of the global economy and growth. Earlier in June, I participated in a forum of European Union policy makers that acknowledged this challenge and the need to solve it as one way to help with economic recovery. Similar groups are coming together around the globe. I believe these types of forums that include public and private sector representatives are in the best position to build and put solutions in place that remove unnecessary roadblocks to cloud computing while maintaining a strong basis for verifying trust in the cloud ecosystem.

For more information on our cloud infrastructure security, privacy, and compliance strategies, please visit our web site at www.globalfoundationservices.com. There you will find a number of videos, white papers, and strategy briefs covering these topics.