Observations on “Securing Microsoft’s Cloud Infrastructure”
I was reading a blog post from Charlie McNerney, Microsoft’s GM, Business & Risk Management, Global Foundation Services on “Securing Microsoft’s Cloud Infrastructure.”
Intrigued, I read the white paper to first get a better understanding of the context for his blog post and to also grok what he meant by “Microsoft’s Cloud Infrastructure.” Was he referring to Azure?
The answer, per the whitepaper, is that Microsoft — along with everyone else in the industry — now classifies all of its online Internet-based services as “Cloud”:
Since the launch of MSN® in 1994, Microsoft has been building and running online services. The GFS division manages the cloud infrastructure and platform for Microsoft online services, including ensuring availability for hundreds of millions of customers around the world 24 hours a day, every day. More than 200 of the company’s online services and Web portals are hosted on this cloud infrastructure, including such familiar consumer-oriented services as Windows Live™ Hotmail® and Live Search, and business-oriented services such as Microsoft Dynamics® CRM Online and Microsoft Business Productivity Online Standard Suite from Microsoft Online Services.
Before I get to the part I found interesting, I think that the whitepaper (below) does a good job of providing a 30,000 foot view of how Microsoft applies lessons learned over its operational experience and the SDL to its “Cloud” offerings. It’s something designed to market the fact that Microsoft wants us to know they take security seriously. Okay.
Here’s what I found interesting in Charlie’s blog post; it appears in the last two sentences (boldfaced):
The white paper we’re releasing today describes how our coordinated and strategic application of people, processes, technologies, and experience with consumer and enterprise security has resulted in continuous improvements to the security practices and policies of the Microsoft cloud infrastructure. The Online Services Security and Compliance (OSSC) team within the Global Foundation Services division that supports Microsoft’s infrastructure for online services builds on the same security principles and processes the company has developed through years of experience managing security risks in traditional software development and operating environments. Independent, third-party validation of OSSC’s approach includes Microsoft’s cloud infrastructure achieving both SAS 70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. We are proud to be one of the first major online service providers to achieve ISO 27001 certification for our infrastructure. We have also gone beyond the ISO standard, which includes some 150 security controls. We have developed 291 security controls to date to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved.
I think it’s admirable that Microsoft is sharing its methodologies and ISMS objectives and it’s a good thing that they have adopted ISO standards and secured SAS70 as a baseline.
However, I would be interested in understanding what 291 security controls means to a security posture versus, say, 178. It sounds a little like Twitter follower counts.
I can’t really explain why those last two sentences stuck in my craw, but they did.
I’d love to know more about what Microsoft considers those “unique challenges of the cloud infrastructure” as well as the risk assessment framework(s) used to manage/mitigate them — I’m assuming they’ve made great STRIDEs in doing so. 😉
/Hoff
The more I think about this, the more an SLA makes sense to me.
ISO, SAS70, etc. are nice but can be played around with. How often are they audited, are they audited independently, etc.?
The risk will always lie with the customer. Knowing the above helps make more intelligent decisions but the risk never passes.
In terms of availability, even $5 web sites offer an SLA. Once this is in place then it doesn't matter to you whether the site is hosted in Uganda, powered by a horny toad spinning a wheel and with traffic communicated via African drums. As long as your site is up as per the SLA – fine. Else, pay me the penalties.
SAS70? Pah! I don't care. Just pay my costs if my information is leaked. Put your money where your mouth is. And if you are not prepared to take the risk on your network – why should I?