Five Lessons from Microsoft on Cloud Security

The software titan reviewed its security approach to cloud computing and developed new strategies. Here's what one Microsoft cloud expert says he's learned.

By Robert Lemos

Tue, August 25, 2009 (CIO)

While Google, Amazon and Salesforce have gotten the most attention as cloud service providers, Microsoft—with its 300 products and services delivered from its data centers—has a large cloud bank all its own.

In May, the company released a paper on its approach to cloud services and how the company plans to secure those services. The paper—penned by Microsoft's Global Foundation Services, the group responsible for overseeing the company's software-as-a-service infrastructure—spells out the current dangers for online services, including a growing interdependence between customers and the companies that serve them and more sophisticated attacks on Internet services.


Microsoft argues that its approach to security, which it carved out with its Trustworthy Computing Initiative in 2002, works as well for online services, with some modification.

"If I take the traditional security principles, that hasn't changed in terms of discipline and approach," said Charlie McNerney, general manager for business and risk management at Microsoft's GFS. "What has expanded is the amount of controls we have applied."

In recent interviews, McNerney and other cloud providers shared their thoughts on Microsoft's approach to securing cloud services and the data centers that power such services.

1. Discuss risk with customers

The security of cloud services worries many customers, and it should, said McNerney. Figuring out where the responsibilities lie with respect to a customer's data is an important conversation, he says.

"What are the defect scenarios and the responsibilities that parties have in that environment when it breaks," McNerney says. "That is the type of thing that large enterprise companies want to talk about the most."

But Microsoft has found that security is not just a worry for its biggest clients. Web sites and e-mail are central to the brand of any company and have to be protected, he says.

"I don't find anyone casual on trust," McNerney says. "The small guy operating on the Web with his commerce site is just as passionate about security as the big guys."

2. Pay attention to compliance

To assuage its clients' fears, Microsoft has invested a lot of time in organizing the controls necessary to meet various compliance standards.

The company reduced 26 different types of audits to a list of 200 necessary controls and mapped those controls across its data-center environments and services, McNerney says. Standardization means that Microsoft does not have to give every customer, or its auditor, access to the company's data centers.

"Larger enterprise customers want to understand the controls, but how many companies can I let into a data center?" he says. "If you think about what that could be, there is no way that I could let all those customers into our facilities."

Instead, Microsoft has an agreed-upon compliance framework that allows auditors to order off a menu of tests and get the results.

"Each company is going to want to understand the tests and results," he says. "Therein lies the opportunity and challenge."

3. Better standards needed

To serve customers better, the large cloud providers need to work together to standardize across their platforms, says McNerney.

"Amazon has a view; Yahoo has a view; Google has a view," McNerney says. "But all our approaches are still different. The next wave is that all of us will have to come together with a framework that we will have to use to make it super-productive on the Web."

For example, the companies need to agree on a way of handling universal IDs. The problems with federated identity on the Internet have not been solved in the standards, he says.

"Customers are going to expect that this (cloud services) is an interoperable environment for them," he says.

4. Privacy and security are not so different

As Microsoft applied cloud-computing models to its services and data centers, the difference between security and privacy nearly disappeared, says McNerney.

The result, which is somewhat surprising, he says, is that as the company developed its tools for managing security and privacy, it did not differentiate a lot between the two ideals.

"Most people approach security in one way and privacy in another," he says. "Those come together in a much more blended way in the cloud."

5. Don't generalize on cloud security

With the coming launch of its Windows Azure platform this fall, Microsoft will have a new set of considerations, says Jay Chaudhry, CEO of Web security-as-a-service provider ZScaler.

The security considerations for every cloud service are different, Chaudhry argues. While serving up office applications, e-mail services, and access to databases may scale well, other services, such as Exchange servers, require a lot of customization and are harder to secure, he says.

"Companies need to look at specific areas and address them properly," Chaudhry says. "There is not a single thing that can be done across the whole cloud-computing spectrum."

Database-as-a-service, storage-as-a-service and vulnerability-assessment-as-a-service all have different security considerations, he says. And the coming Azure platform-as-a-service will as well.
