Five lessons from Microsoft on cloud security

The software titan reviewed its security approach to cloud computing and developed new strategies. Here's what one Microsoft cloud expert says he's learned.

While Google, Amazon and Salesforce have gotten the most attention as cloud service providers, Microsoft-with its 300 products and services delivered from its data centers-has a large cloud bank all its own.

In May, the company released a paper on its approach to cloud services and how the company plans to secure those services. The paper-penned by Microsoft's Global Foundation Services, the group responsible for overseeing the company's software-as-a-service infrastructure-spells out the current dangers for online services, including a growing interdependence between customers and the companies that serve them and more sophisticated attacks on Internet services.

Microsoft argues that its approach to security, which it carved out with its Trustworthy Computing Initiative in 2002, works as well for online services, with some modification.

"If I take the traditional security principles, that hasn't changed in terms of discipline and approach," said Charlie McNerney, general manager for business and risk management at Microsoft's GFS. "What has expanded is the amount of controls we have applied."

In recent interviews, McNerney and other cloud providers shared their thoughts on Microsoft's approach to securing cloud services and the data centers that power such services.

1. Discuss risk with customers The security of cloud services worries many customers, and it should, said McNerney. Figuring out where the responsibilities lie with respect to a customer's data is an important conversation, he says.

"What are the defect scenarios and the responsibilities that parties have in that environment when it breaks," McNerney says. "That is the type of thing that large enterprise companies want to talk about the most."

But Microsoft has found that security is not just a worry for their biggest clients. Web sites and e-mail are central to the brand of any company and have to be protected, he says.

"I don't find anyone casual on trust," McNerney says. "The small guy operating on the Web with his commerce site is just as passionate about security as the big guys."

2. Pay attention to compliance To assuage its clients fears, Microsoft has invested a lot of time in organizing the controls necessary to meet various compliance standards.

The company reduced 26 different types of audits to a list of 200 necessary controls and mapped those controls across its data-center environments and services, McNerney says. Standardization means that Microsoft does not have to give every customer, or its auditor, access to the company's data centers.

"Larger enterprise customers want to understand the controls, but how many companies can I let into a data center?" he says. "If you think about what that could be, there is no way that I could let all those customers into our facilities."

Instead, Microsoft has an agreed-upon compliance framework that allows auditors to order off a menu of tests and get the results.

"Each company is going to want to understand the tests and results," he says. "Therein lies the opportunity and challenge."

3. Better standards needed To serve customers better, the large cloud providers need to work together to standardize across their platforms, says McNerney.

"Amazon has a view; Yahoo has a view; Google has a view," McNerney says. "But all our approaches are still different. The next wave is that all of us will have to come together with a framework that we will have to use to make it super-productive on the Web."

For example, the companies need to agree on a way of handling universal IDs. The problems with federated identity on the Internet have not been solved in the standards, he says.

"Customers are going to expect that this (cloud services) is an interoperable environment for them," he says.

4. Privacy and security are not so different As Microsoft applied cloud-computing models to its services and data centers, the difference between security and privacy nearly disappeared, says McNerney.

The result, which is somewhat surprising, he says, is that as the company developed its tools for managing security and privacy, it did not differentiate a lot between the two ideals.

"Most people approach security in one way and privacy in another," he says. "Those come together in a much more blended way in the cloud."

5. Don't generalize on cloud security With the coming launch of its Windows Azure platform this fall, Microsoft will have a new set of considerations, says Jay Chaudhry, CEO of Web security-as-a-service provider ZScaler.

The security considerations for every cloud service are different, Chaudhry argues. While serving up office applications, e-mail services, and access to databases may scale well, other services-such as Exchange servers-require a lot of customization and are harder to secure, he says.

"Companies need to look at specific areas and address them properly," Chaudhry says. "There is not a single thing that can be done across the whole cloud-computing spectrum."

Database-as-a-service, storage-as-a-service and vulnerability-assessment-as-a-service all have different security considerations, he says. And the coming Azure platform-as-a-service will as well.

Do you Tweet? Follow everything from on Twitter @CIOonline.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftCloudsecurity

More about Amazon Web ServicesGoogleMicrosoftYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert Lemos

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place