The second annual Cloud Security Alliance (CSA) EMEA Congress was held last month in Edinburgh, Scotland, where several hundred business leaders and security professionals participated in an interesting series of sessions and interactive demonstrations from 20+ cloud providers. The beautifully restored 18th Century Assembly Rooms in the heart of the city provided a charming old world backdrop for a Digital Age discussion about today’s cloud computing trends and topics.
I was invited to deliver a keynote presentation at the event, in which I shared the findings from a study Microsoft commissioned last June which looked at cloud trends and perceptions among small and mid-sized businesses. I also discussed Microsoft’s trust and transparency solutions, including our trust centers, CSA Security, Trust & Assurance Registry entry and attestation efforts, such as the most recent SOC2 + CCM attestation from the American Institute of Certified Public Accountants (AICPA).
With more and more organizations moving from evaluating the cloud to actual deployment, it is not surprising that trust, transparency and compliance came up during this event. Cloud providers should be prepared to address questions in these areas.
I outlined the investments Microsoft makes in three broad categories: 1) the development of secure cloud offerings; 2) datacenter security; and 3) incident response – communication to customers if and when the unexpected occurs.
When it comes to cloud development, we rely on the secure coding practices embodied in our Security Development Lifecycle, which has been part of Microsoft’s DNA for over a decade. Our SDL for Agile process includes adaptations that are particularly helpful for the more continuous, iterative update cycles used in developing for the cloud.
We also leverage security telemetry and information that comes in to the Microsoft Malware Protection Center, as well as the findings shared among a vast worldwide network of companies and security researchers, to continuously improve our understanding of the latest cybersecurity threats. We report on these findings twice a year in our Security Intelligence Report.
We also make datacenter security a priority. At the conference, I discussed Microsoft’s investments in physical security, along with the regular audits of our datacenters by Deloitte, using standards such as ISO27001 from the British Standards Institute. Microsoft’s datacenter security efforts are discussed more deeply in this whitepaper from our Global Foundation Services team.
When it comes to incident response, our Dynamics CRM, Office 365 and Microsoft Azure units all keep our customers up-to-date with information posted to the various trust centers, providing a dashboard where customers can check the status of their cloud service.
As cloud adoption continues to grow, organizations such as the CSA will play an increasingly valuable role in helping businesses of all sizes select the right cloud provider by offering tools and processes for evaluating cloud providers on trust issues. It was a pleasure to participate in the Edinburgh event and I’m already looking forward to the annual CSA Congress in Orlando, Florida, in December.