Thursday 31 December 2009

Microsoft's View on Security in the Cloud


By building on the same security principles used to manage risks to Microsoft software development and operating environments, Microsoft has created an online Information Security Program that results in continuous improvements to security for the Microsoft cloud computing environment. The coordinated and strategic application of people, processes, and technology allows Microsoft to adapt to the rapid changes happening within the cloud infrastructure and in the marketplace for online services while still maintaining a trustworthy computing experience for customers.

A defense-in-depth approach is a fundamental element in how Microsoft provides a trustworthy cloud infrastructure. Applying multiple security controls of varying strength, depending on the sensitivity of the protected asset, results in improved capacity to prevent breaches or to lessen the impact of a security incident. The advent of cloud computing does not change this principle (that the strength of the controls derives from the sensitivity of the asset) or how essential it is to managing security risks. Because most assets in a cloud computing environment can be virtualized, the analysis of risk shifts, and so does the way security controls are applied to the traditional defense-in-depth layers (physical, network, data, identity access, access authorization and authentication, and host).

Online services, including the infrastructure and platform services, take advantage of virtualization. As a result, customers using services hosted on the Microsoft cloud may have assets that can no longer be easily associated with a physical presence. Data may be stored virtually and distributed across many locations. This basic fact means that the way security controls are identified and combined into a layered approach to protecting assets must evolve.

Physical and network security measures must, of course, still be taken. However, the focal point of risk management shifts closer to the object level, closer to the elements in use in the cloud environment: for example, the static or dynamic data storage containers, the virtual machine objects, the run-time environments in which computations occur.

Host Security and Auditing and Reporting: Daily scanning of the infrastructure assets; penetration testing performed by internal and external parties.

Application Security: The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL). Many cloud and online service development projects have shorter release schedules or add new features and capabilities frequently. Agile development is a widely adopted methodology for software development and is well suited to these projects. Microsoft has evolved its SDL process to be effective in these accelerated development models and offers development teams the flexibility to adapt their secure code development practices to meet a project's specific goals and timeframe.

Identity and Access Management: Microsoft uses a need-to-know and least-privilege model to manage access to assets. Highly sensitive assets require multifactor authentication, including such measures as passwords, hardware tokens, smart cards, or biometrics.

Data Security: Microsoft applies security controls to assets based on asset classification. Controls include data encryption at rest and in transit.

Network Security: Microsoft applies many layers of security as appropriate to data center devices and network connections.

Physical Security: Microsoft ensures the establishment of outer and inner perimeters with increasing controls through each layer. The security system applies the combined use of technology solutions including cameras, biometrics, card readers, and alarms with traditional security measures such as locks and keys.

