The Microsoft approach to cloud transparency – Part IV – The benefits of standardized frameworks

This entry is part of a wonderful series, Microsoft Cloud Transparency.

As we mentioned last week, thank you for coming back for the exciting Part IV of The Microsoft approach to cloud transparency.

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)


Part IV – The benefits of standardized frameworks

Generally, core competencies of organizations that adopt cloud computing do not include the deployment and management of cloud computing technologies. Because of the potential common and cloud-specific risks, organizations frequently rely on outside consulting firms and cloud providers’ lengthy RFP responses to evaluate risk for their specific cloud deployment needs.

Those responses must be evaluated by experienced cloud professionals, in addition to internal risk experts, to ascertain the true risk to the organization. This risk assessment should include a determination of the risk that derives from adopting these technologies and how to best mitigate that risk.

The cloud deployment partner selection exercise frequently takes place in a climate of intense business pressure to reduce costs and to increase flexibility. In such a climate, a drawn-out risk management process may be seen as an inhibitor, rather than an enabler, of business goals.

Best practices

Some of the unease and complexity involved in selecting a cloud provider can be alleviated by using a common controls framework. Such a framework should consider not only best practices in information security, but also include a true understanding and evaluation of cloud-specific deployment considerations and risks. In addition, such a framework should address much of the cost involved in the evaluation of alternate solutions and help to significantly manage risk that must otherwise be considered.

In using a well thought-out controls framework, organizations can avoid most of the costs related to engaging outside expertise for selecting an appropriate cloud provider, and rely instead on combined efforts that represent years of expertise in the field.



A cloud-specific controls framework such as the Cloud Controls Matrix (CCM) reduces the risk of an organization failing to consider important factors when selecting a cloud provider. The risk is further mitigated by relying on the cumulative knowledge of industry experts who created the framework, and taking advantage of the efforts of many organizations, groups, and experts in a thoughtfully laid-out form. In addition, an effective industry framework will be regularly updated to take account of changes in maturing technologies, based on the experiences of experts who have reviewed many different approaches.


For organizations that do not have detailed knowledge about the different ways that cloud providers can develop or configure their offerings, reviewing a fully developed framework can provide insight into how to compare similar offerings and distinguish between providers. A framework can also help determine whether a specific service offering meets or exceeds compliance requirements and/or relevant standards.

Audit and knowledge base

Using an industry-accepted framework provides a means to review documentation about why and how decisions were made and to know which factors were given more weight and why. Understanding how a decision was made can provide a basis of knowledge for decision making in future efforts, especially when personnel changes cause the people who made the original decision to no longer be available.


Come back next week for Part V!


Unified Privacy Primer

Today we are in for a special treat.

Andreas Wuchner, the Global Information Security and Risk Officer for Novartis, has agreed to pen a guest blog on the issues of global privacy. Please enjoy it below:

It is not nice, but the European Commission, the U.S., Argentina, Japan and other countries have different privacy laws and regulations. There are significant discrepancies between all of them. The big number of different laws is one of the biggest challenges a Privacy and Risk Management professional/organization must face. Many countries have privacy regulations built on similar principles, which, in general, are to protect the privacy of their citizens. The differences exist in the varying degrees in which nations approach meeting regulatory compliance of such principles.


Comprehensive laws (European Union (EU)):

For historical reasons, many countries in the EU have placed a high value on personal privacy. Too many countries in Europe have experienced what a repressive Government or occupying force can do with their data for this subject to be of no concern. These values have been inherited by the EU where personal privacy is a fundamental human right (Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms). Many EU countries have had privacy laws for decades. This often includes an omnibus legislative approach, basically at least one dedicated piece of privacy legislation and sectoral related privacy regulations, such as seen in Drug Development laws.

Sectoral laws (US):

Freedom from unreasonable government intrusion into personal affairs is a fundamental Constitutional right (4th Amendment to the United States Constitution).

Relatively recent legislation started to focus on protecting individuals from private intrusions into personal affairs. Federal data privacy law in the US occurs down sectoral lines with health data and financial data being regulated by specific legislation. There is as of now no Federal privacy act for private companies, but both Federal and State laws regulate special circumstances like protection of driver license and credit card data. Akin in some ways to privacy law in its effect, the majority of US States have dedicated and different data breach notification legislation in place. Typically these laws make it necessary to tell State authorities and the people affected that a breach has happened, but the consequences, the how to do it and by when can differ widely.


Even with the fact that Europe has a much longer history and more mature processes around protection of personal rights, there are still significant differences in the Privacy approaches even within the EU member states. The EU Data Privacy Directive 95/46/EC is a guideline for EU nations; however, each one of these 27 EU member states has its own national law and each of them has its own agency who interprets this law.

This may seem quite daunting, yet as there are many differences, there are also similarities between the privacy laws. The collection of a data subject’s “unambiguous consent” is an example of this. The collection of consent is the backbone of any privacy legislation and the EU, US, Canadian, Australian, Japanese and many more countries share this requirement.

As there are so many possible pitfalls, it is highly recommended to familiarize yourself with the requirements of the different locations you are doing business in, as you could become very quickly responsible for not following local laws. On my blog I have published a series of privacy related articles over the last three weeks. Please feel free to have a look at http://ITRiskSpace.com for further information.


Privacy Law Links

Please also see here some links that lead to several countries’ laws:

The Swiss Law is at:

The German law is at:


Thank you,

Ariel Silverstone