The Microsoft approach to cloud transparency – Part X

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

Thank you for coming back for the exciting Part X of The Microsoft approach to cloud transparency.


The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

 

Part X – Specific examples of Microsoft adoption of STAR controls, continued

 

DG-05 Data Governance – Secure Disposal

“How does the service provider comply with the need for ‘Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.’”

Microsoft’s reply:

“Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped, we use a destruction process that destroys them (such as shredding) and renders the recovery of information impossible (for example, disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained.

Microsoft Dynamics CRM Online uses approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

All Windows Azure services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

Microsoft Office 365 utilizes approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle.

“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.6 and 10.7.2. For more information, we suggest a review of the publicly available ISO standards for which we are certified.”


FS-03 Facility Security – Controlled Access Points

“Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.”

Microsoft’s reply:

“Data center buildings are nondescript and do not advertise that Microsoft Data Center hosting services are provided at the location. Access to the data center facilities is restricted. The main interior or reception areas have electronic card access control devices on the perimeter door(s), which restrict access to the interior facilities. Rooms within the Microsoft Data Center that contain critical systems (servers, generators, electrical panels, network equipment, etc.) are restricted through various security mechanisms such as electronic card access control, keyed lock, anti-tailgating and/or biometric devices.

Additional physical barriers, such as “locked cabinets” or locked cages erected internal to facility perimeters, may be in place as required for certain assets according to Policy and/or by business requirement.

“Physical security perimeter and environmental security” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9. For more information, a review of the publicly available ISO standards against which Microsoft is certified is suggested.”


Come back next week for Part XI!
