Can the cloud be secure? How Microsoft tackles the perpetual question

As consumers and organizations come to embrace the idea of cloud services, attention on the security of those services is growing. We hear about breaches in private, on-premise systems all the time. Can the cloud be secure? It’s an important consideration for all of us. “It’s a challenging goal,” said Adrienne Hall, general manager of Trustworthy Computing at Microsoft, but as she shares in a blog post, Microsoft is laser-focused on building and maintaining trust in its cloud offerings.

Hall says the focus is in three primary areas:

Development: Microsoft products and services are designed and built from the ground up using Microsoft’s Security Development Lifecycle (SDL), a comprehensive approach for writing security, privacy, and reliability-enhanced code. All products must pass a final security review before they are released, whether it’s the Windows Azure cloud platform, server products like Hyper-V, or application suites like Office 365 and Microsoft Dynamics CRM.

Operations: Microsoft designs and builds its datacenters to meet internationally recognized standards, regional laws, and Microsoft’s own stringent security and privacy policies. This includes detailed security controls across multiple layers of defense. Microsoft’s datacenter infrastructure has achieved a range of certifications and attestations, including ISO 27001, PCI Data Security Standard, SAS 70 Type 2, EU Model Clauses, U.S. HIPPAA BAA and Federal Information Security Management Act (FISMA).

Incident Response: No matter how secure or reliable Microsoft makes its products, unexpected situations occur. When they do, Microsoft mobilizes significant global resources to respond quickly, comprehensively, and effectively to incidents.

Hall adds that, while cloud service providers assume a lot of security responsibilities, it’s important to remember that in choosing the cloud, organizations do not fully absolve themselves of their responsibilities. Customers still need to maintain “client security” at their own locations and with their workforce – including measures such as up-to-date antivirus, and emphasizing the importance of strong passwords.

For more information, including best practice resources, head over to the Trustworthy Computing blog. And be sure to watch for Hall’s panel appearance at the GigaOM’s Structure: Europe conference in September.

You might also be interested in:


Deborah Pisano
Microsoft News Center