Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential.
This strategy brief discusses the challenges of providing a trustworthy environment for cloud services, reviews Microsoft’s risk-based
Cloud Security Challenges
Cloud computing offers both challenges and opportunities for IT organizations looking to harness the favorable economics and operational flexibility of an online services model. The growing interdependence of public and private services, complex global compliance requirements, and the sophistication of threats require that the hosting environment employ robust policies and processes to protect sensitive information and enable persistent regulatory compliance. For more than 15 years, Microsoft has been addressing the following online service delivery challenges:
Growing interdependence—Organizations and their customers will become more interdependent through use of the cloud. With these new dependencies come mutual expectations that platform services and hosted applications be secure and available. Microsoft provides a trustworthy infrastructure, a base upon which public and private sector entities and their partners can build a trustworthy experience for their users. Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes.
Complex global compliance requirements—Regulatory, statutory, and industry compliance is a highly complex area because each country worldwide maintains its own laws that can govern the provisioning and use of online environments. Microsoft must be able to comply with a myriad of regulatory
In addition, many industries impose their own unique requirements. Microsoft has implemented a compliance framework to efficiently manage its various compliance obligations without creating undue burden on the business.
More dynamic hosting environment—Keeping pace with growth and anticipating future needs is essential to running an effective security program. The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft’s Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software. The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud. Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur.
Growing sophistication of threats—While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated malicious attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information. Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape. Additionally, the Microsoft Security Development Lifecycle introduces security and privacy early and throughout the development process.
Risk Management Process
In addition to the information security management system we have in place, we follow an annual risk management process that looks at evolving risks in the environment and across the industry. We maintain a dedicated team that works through potential risks, calculates the potential disruption, and determines Microsoft’s exposure.
The risk management team evaluates the effectiveness of controls in place by:
• Identifying threats and vulnerabilities to the environment
• Calculating risk
• Reporting risks across the Microsoft cloud environment
• Addressing risks based on impact assessment and the associated business case
• Testing remediation effectiveness and residual risk
• Managing risks on an ongoing basis
This process allows us to focus our efforts on the high-value targets, and then apply appropriate protections to defend our customers and ourselves.
Defense in Depth
Defense in depth is a best practice across the industry, and it’s an approach we take across our online services and infrastructure. Applying controls at multiple layers involves employing protection mechanisms, developing risk mitigation strategies, and being capable of responding to attacks when they occur. Using multiple security measures of varying strength—depending on the sensitivity of the protected asset—results in improved capacity to prevent breaches or to lessen the impact of a security incident.
When we deploy a service to our datacenters, we assess and address every part of the software stack—from the physical controls to prevent unauthorized access to equipment, to encrypting data moving over the network, to locking down the host servers and keeping malware protection up-to-date, to ensuring applications themselves have appropriate safeguards in place. Maintaining a rich set of controls and defense in depth strategy ensures that if any one area should fail, there are compensating protections in other areas that retain security and privacy at all times.
Security at our Foundation
Application security is a key element in Microsoft’s approach to securing its cloud computing environment. The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL) in 2004. The SDL process is development methodology agnostic and is fully integrated with the application development lifecycle from design to response. Various phases of the SDL process emphasize education and training, and also mandate that specific activities and processes be applied as appropriate to each phase of software development. Starting with the requirements phase, the SDL process includes a number of specific activities that must be considered when developing applications to be hosted in the Microsoft cloud. One of the key steps is threat modeling and attack surface analysis, where we assess the potential threats that could come in and what aspects of the service are exposed—and proceed to minimize the attack surface by restricting services or eliminating functions that are unnecessary. The later stages then ensure that the controls are fully tested to mitigate the potential threats, so customers can have confidence in the final service release.
Security Incident Response
An important part of Microsoft’s security capabilities includes our support and response processes. The Security Incident Management (SIM) team responds to these issues when they occur, operating around the clock. The SIM processes are aligned with ISO/IEC 18044 and NIST SP800-61.
There are six phases to the SIM incident response process:
Preparation—SIM staff undergo ongoing training in order to be ready to respond when a security incident occurs.
Identification—Looking for the cause of an incident, whether intentional or not, often means tracking the issue through multiple layers of the Microsoft cloud computing environment. SIM collaborates with members from other internal Microsoft teams to diagnose the origin of a given security incident.
Containment—Once the cause of the incident has been found, SIM works with all necessary teams to contain the incident. How containment occurs depends on the business impact of the incident.
Mitigation—SIM coordinates with relevant product and service delivery teams to reduce risk of incident recurrence.
Recovery—Continuing to work with other groups as needed, SIM assists in the service recovery process.
[Figure: defense-in-depth layers: Physical, Network, Identity and Access Management, Host, Application, Data, Security]
Lessons learned—After resolution of the security incident, SIM convenes a joint meeting with all involved personnel to evaluate what happened and to record lessons learned during the incident response process.
A second area of response is interacting with law enforcement agencies. The Global Criminal Compliance (GCC) program is involved in setting policy and providing training on Microsoft’s response process. GCC also responds to valid legal requests for information. GCC has legal agents available in many countries to validate and, if necessary, translate the request. One reason that GCC is considered a “best response program” by many international authorities is that GCC provides a law enforcement portal that offers guidance in multiple languages to authenticated law enforcement personnel about how to submit a legal request to Microsoft.
Comprehensive Compliance Framework
The Microsoft online services environment must meet numerous government-mandated and industry-specific security requirements in addition to Microsoft’s own business-driven specifications. As Microsoft online businesses continue to grow and change and new online services are introduced into the Microsoft cloud, additional requirements are expected that could include regional and country-specific data security standards. The Operational Compliance team works across operation, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations. One of the successes of having implemented this program is that Microsoft’s cloud infrastructure has achieved SAS 70 Type I and Type II attestations, ISO/IEC 27001:2005 certification, and the FISMA NIST SP800-53 revision 3 standard. Figure 4 (on the last page) lists Microsoft’s cloud infrastructure key certifications and attestations as of December 2010.
The compliance framework includes a compliance process based on the ISO 27001 approach of plan-do-check-act. On a regular basis, Microsoft monitors the change in statutory and regulatory demands and adjusts our compliance framework and audit schedule accordingly. Though Microsoft’s infrastructure has received industry certifications and attestations, customers are ultimately responsible to ensure their own compliance with applicable policies, practices, and regulations. Microsoft does not claim to be responsible for providing these certifications or to comply/not comply with these certifications on behalf of the customer, but does provide guidance to assist customers in meeting their own compliance requirements.
FIGURE 2: MICROSOFT’S SECURITY DEVELOPMENT LIFECYCLE
[Figure: SDL phases: Training (Core Training), Requirements (Analyze security …), Design, Implementation, Verification, Release, Response]
Control Framework
Customers evaluating Microsoft’s cloud services often ask how our compliance framework is actually structured. We have a series of domains that are informed by the ISO/IEC 27001:2005 standard along with specific industry obligations, such as the Payment Card Industry Data Security Standard and the FISMA NIST SP800-53 revision 3 standard.
The control framework structure depends upon how we map those domains to the specific activities that go with them. For example, we take each of those domains, identify control activities and control owners of those activities, and provide specific evidence to demonstrate that we’re meeting those activities and control domain objectives.
This structure and process allows third-party auditors to follow a clean map from control domains down to activities and evidence. In addition, this framework allows us to take each requirement and communicate to customer and internal teams how we meet specific obligations. For example, we can take the control domain and control activity structure and focus on specific healthcare obligations for customers in that industry. Alternatively, we can take a specific control objective, such as training and awareness, and map it back to a specific need—an example here would be the requirement for training under ISO/IEC 27001:2005 and Sarbanes-Oxley.
Security and Privacy Considerations for Selecting Online Services Providers
Microsoft’s stringent security, privacy and compliance controls help ensure customers can have confidence and trust in the online services we provide. As customers evaluate options for online services, it is important that the ability of a service provider to ensure a protected, trusted environment be included in the selection criteria.
The following checklist can help in assessing the security, privacy and compliance capabilities of a potential service provider:
• Require that the provider has attained third-party certifications and audits, such as ISO/IEC 27001:2005
• Consider the ability of vendors to accommodate changing security and compliance requirements
• Understand the specific regional and industry compliance obligations that must be met
• Ensure a clear understanding of security and compliance roles and responsibilities for delivered services
• Ensure data and services can be brought back in-house if necessary
• Require transparency in security policies and operations
FIGURE 3: MICROSOFT DATACENTER CONTROL FRAMEWORK
DOMAINS
01. General information
02. Informational security
03. Organization of information security
04. Asset management
05. Human resources security
06. Physical and environmental security
07. Communications and operations management
08. Access control
09. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Risk management
13. Compliance
14. Privacy
STRUCTURE
• Domain
• Sub-domain
• Control objective
• Associated standard (external compliance requirement)
• Sample control activity
FIGURE 4: MICROSOFT DATACENTER CERTIFICATIONS AND ATTESTATIONS, DECEMBER 2010
ISO 27001
SAS 70 Type II
HIPAA/HITECH
Various State, Federal, and International Privacy Laws
(95/46/EC—aka EU Data Protection Directive; California SB1386; etc.)
PCI Data Security Standard