Microsoft is committed to giving customers the information they
need to have confidence in us as a cloud provider. Today, we
continue to share our best practices and key learnings to be as
open and transparent as possible, and contribute to industry and
community efforts to increase trust in the cloud. While there is
complexity in the cloud and in some of the security techniques
necessary to protect cloud services, explanations should be clear.
To provide insight into some of those complexities, I am pleased to
announce the release of a new series of our Security and Compliance
videos, whitepapers, and a strategy brief that describe our
approaches to this customer priority.
Cloud Security Challenges
The growing interdependence of public
and private services; increasingly complex global regulations and
industry standards; a dynamic and expanding hosting environment
operating at massive scale; and continuous and growing
sophistication of threats require that cloud infrastructure
environments (data centers, networks and related operations
functions) employ robust policies, technologies, and processes to
protect sensitive information and meet compliance needs locally,
regionally, and globally. All cloud customers and providers face
these challenges, and Microsoft has been addressing them for more
than 24 years.
Confidence that the cloud is capable of reaching its potential
is building as more companies and organizations move to the cloud
every day. Some of the progress to make the cloud more secure and
trustworthy was discussed at this week's RSA Conference, and Scott
Charney, Microsoft's corporate vice president for Trustworthy
Computing, delivered a keynote on this topic called "The Case for Optimism."
The interdependencies of the internet reflect the need for the
online community to closely work together to deliver a trustworthy
ecosystem. A recent example from Microsoft is
an announcement we made on February 26, 2013 offering a service
to help country-code top-level domain (ccTLD) registry operators
find and fix security vulnerabilities before they are
exploited. The Microsoft Country-Code Top Level Domain (ccTLD)
Registry Security Assessment Service is based on what we have
learned operating and protecting our own online environment. It is
available to the ccTLD registry operator community at no
charge.
In addition to working with the global online community,
Microsoft operates a comprehensive security and compliance program
for
our own cloud-scale environment that delivers over 200 cloud
and online services for more than 1 billion customers, 20 million
businesses and 76 markets worldwide. At cloud-scale, the
complexities we face in managing security, privacy and compliance
issues are significant. We must develop and maintain a level of
trust that ensures our customers, partners and the online community
can depend on our security, privacy, and reliability
capabilities.
Microsoft's cloud services can be viewed through a traditional
service model lens, with offerings at the Infrastructure, Platform,
and Software as a Service layers. Global Foundation Services
(GFS) is the Microsoft organization that provides the
infrastructure upon which these services operate, which includes
data centers, networking, operations, and security and compliance
functions. The security and compliance aspects of GFS are managed
by our Online Services Security and Compliance team.
Microsoft's Information Security Management System
Although the cloud can be abstract, our security policies and
practices are not. They are based on industry best practices
and years of experience from across the company. We apply
that knowledge to our cloud security and compliance program.
The basis of that program is our Information Security Management
System. We use it to run a risk-based information security
program that takes into account business requirements as well as
industry standards and regulations, producing certifications and
attestations that are verified by independent assessors and
auditors.

The challenges of operating at cloud-scale also require us to
maintain a comprehensive defense-in-depth set of security controls.
Applying controls at multiple layers involves employing
protection mechanisms, developing risk mitigation strategies, and
responding effectively to attacks when they occur. Using a variety
of security measures, which are applied based on the sensitivity of
the protected asset, results in improved capacity to prevent
breaches or to lessen the impact of a security incident. We apply a
mix of hard-won experience and innovative approaches to our
program. This combination is what allows us to achieve
security and compliance capabilities at the infrastructure layer
which Microsoft's cloud and online services and, most importantly,
our customers can rely upon.
Microsoft's Infrastructure Compliance Capabilities
One of the challenges
posed by the cloud is the need of cloud consumers to rely on the
capabilities of cloud providers. The cloud and online
services that Microsoft offers are delivered around the
world. Those services are required to meet many government-
and industry-mandated security requirements as well as the
expectations of our customers. Microsoft operates a
comprehensive compliance program to demonstrate that we meet these
expectations. We also maintain a set of certifications,
attestations and compliance capabilities that are validated by
third-party auditors. The results of these third-party audits
are shared with our customers and are an important element in
establishing trust and reliance on Microsoft's cloud
services.
I am excited about the progress the industry and our team are
making to address the evolving challenges of operating and
protecting cloud services. The benefits and risks of moving to the
cloud are clear. Microsoft will continue to address these
risks and provide the information our customers need to manage them
and to have confidence in Microsoft as a cloud provider. More
information about our Online Services Security and Compliance
program, as well as suggestions of factors to
consider when moving to the cloud, is available on
our Security and
Compliance page on this web site.
We will continue to post more information throughout the year,
including updates to our cloud and online community involvement to
increase the dialogue and sharing of best practices within our
industry.
//me