Five Lessons from Microsoft on Cloud Security

The software titan reviewed its security approach to cloud computing and developed new strategies. Here's what one Microsoft cloud expert says he's learned.

By Robert Lemos
Tue, August 25, 2009

CIO — While Google, Amazon and Salesforce have gotten the most attention as cloud service providers, Microsoft—with its 300 products and services delivered from its data centers—has a large cloud bank all its own.

In May, the company released a paper on its approach to cloud services and how the company plans to secure those services. The paper—penned by Microsoft's Global Foundation Services, the group responsible for overseeing the company's software-as-a-service infrastructure—spells out the current dangers for online services, including a growing interdependence between customers and the companies that serve them and more sophisticated attacks on Internet services.

Microsoft argues that its approach to security, which it carved out with its Trustworthy Computing Initiative in 2002, works as well for online services, with some modification.

"If I take the traditional security principles, that hasn't changed in terms of discipline and approach," said Charlie McNerney, general manager for business and risk management at Microsoft's GFS. "What has expanded is the amount of controls we have applied."

In recent interviews, McNerney and other cloud providers shared their thoughts on Microsoft's approach to securing cloud services and the data centers that power such services.

1. Discuss risk with customers

The security of cloud services worries many customers, and it should, said McNerney. Figuring out where the responsibilities lie with respect to a customer's data is an important conversation, he says.

"What are the defect scenarios and the responsibilities that parties have in that environment when it breaks," McNerney says. "That is the type of thing that large enterprise companies want to talk about the most."

But Microsoft has found that security is not just a worry for its biggest clients. Web sites and e-mail are central to the brand of any company and have to be protected, he says.

"I don't find anyone casual on trust," McNerney says. "The small guy operating on the Web with his commerce site is just as passionate about security as the big guys."

2. Pay attention to compliance

To assuage its clients' fears, Microsoft has invested a lot of time in organizing the controls necessary to meet various compliance standards.

The company reduced 26 different types of audits to a list of 200 necessary controls and mapped those controls across its data-center environments and services, McNerney says. Standardization means that Microsoft does not have to give every customer, or its auditor, access to the company's data centers.

"Larger enterprise customers want to understand the controls, but how many companies can I let into a data center?" he says. "If you think about what that could be, there is no way that I could let all those customers into our facilities."

Instead, Microsoft has an agreed-upon compliance framework that allows auditors to order off a menu of tests and get the results.

"Each company is going to want to understand the tests and results," he says. "Therein lies the opportunity and challenge."

3. Better standards needed

To serve customers better, the large cloud providers need to work together to standardize across their platforms, says McNerney.

"Amazon has a view; Yahoo has a view; Google has a view," McNerney says. "But all our approaches are still different. The next wave is that all of us will have to come together with a framework that we will have to use to make it super-productive on the Web."

For example, the companies need to agree on a way of handling universal IDs. The problems with federated identity on the Internet have not been solved in the standards, he says.

"Customers are going to expect that this (cloud services) is an interoperable environment for them," he says.

4. Privacy and security are not so different

As Microsoft applied cloud-computing models to its services and data centers, the difference between security and privacy nearly disappeared, says McNerney.

The result, which is somewhat surprising, he says, is that as the company developed its tools for managing security and privacy, it did not differentiate a lot between the two ideals.

"Most people approach security in one way and privacy in another," he says. "Those come together in a much more blended way in the cloud."

5. Don't generalize on cloud security

With the coming launch of its Windows Azure platform this fall, Microsoft will have a new set of considerations, says Jay Chaudhry, CEO of Web security-as-a-service provider ZScaler.

The security considerations for every cloud service are different, Chaudhry argues. While serving up office applications, e-mail services, and access to databases may scale well, other services—such as Exchange servers—require a lot of customization and are harder to secure, he says.

"Companies need to look at specific areas and address them properly," Chaudhry says. "There is not a single thing that can be done across the whole cloud-computing spectrum."

Database-as-a-service, storage-as-a-service and vulnerability-assessment-as-a-service all have different security considerations, he says. And the coming Azure platform-as-a-service will as well.
