Can we build a truly secure cloud? It’s a challenging goal, and the topic of a panel discussion on which I’ll be participating during GigaOM’s Structure:Europe conference in September. Security is an important consideration for organizations looking to tap the cloud’s cost savings, flexibility and scalability. People want to know if the cloud vendor they choose can keep their data secure and readily available, while effectively managing any unexpected events.
At Microsoft, we focus on three main areas to build customer trust in our cloud offerings:
Development: All our products and services are designed and built from the ground up using Microsoft’s Security Development Lifecycle (SDL), a comprehensive approach for writing code with enhanced security, privacy, and reliability.
All products must pass a final security review before they are released, whether it’s our Windows Azure cloud platform, server products like Hyper-V, or application suites like Office 365 and Microsoft Dynamics CRM.
Operations: We design and build our datacenters to meet internationally recognized standards, regional laws, and our own stringent security and privacy policies. This includes detailed security controls across multiple layers of defense.
Our datacenter infrastructure has achieved a range of certifications and attestations, including ISO 27001, SAS 70 Type 2, EU Model Clauses, U.S. HIPAA BAA and Federal Information Security Management Act (FISMA). [Update–I’ve edited this section to clarify: Microsoft ensures that all billing transactions meet the PCI Data Security Standard. Previously, I had stated that we have achieved PCI DSS certification, which is not accurate.]
Incident Response: No matter how secure or reliable we make our products, unexpected situations occur. When they do, Microsoft mobilizes significant global resources to respond quickly, comprehensively, and effectively to incidents.
All that said, it’s important to remember that organizations that choose the cloud are not handing off 100 percent of their security responsibilities. The cloud service provider will take on a great many security responsibilities, but not all of them. Customers will typically need to maintain “client security” at their own locations and among their workforce – ensuring up-to-date antivirus, for example, or educating employees on the importance of using strong passwords.
I’m looking forward to the panel and the conference. You can read a preview by GigaOM’s Jordan Novet, who’ll be moderating the discussion. And I’ll report back here with a recap after the conference, which takes place on September 18-19. If you’re there, I hope you’ll stop by and say hello.