The Microsoft approach to cloud transparency – Part II

This entry is part of the series Microsoft Cloud Transparency.

As we mentioned last week, please find here the continuation of the paper I authored for Microsoft about its approach to the security of its cloud offerings, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR).

Let me know what you think!


The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)


Part II – Cloud assurance challenges

Having a good grasp of risk management is important in today’s information security and privacy landscape.

When working with cloud computing providers such as Windows Azure and cloud-provided services such as Office 365 and Microsoft Dynamics CRM, it is important to understand that risk assessments need to consider the dynamic nature of cloud computing.

An organization needs to consider performing a full-scope risk assessment that looks at several criteria whenever a new initiative is underway. Cloud computing is no different. Some of the more prominent criteria that typically interest organizations that are considering cloud computing deployments are discussed in the following sections.


There are many security dimensions to consider in cloud computing scenarios.


When evaluating controls in cloud computing, it is important to consider the entire services stack of the cloud service provider. Many different organizations may be involved in providing infrastructure and application services, which increases the risk of misalignment. A disruption of any one layer in the cloud stack, or in the customer-defined last mile of connectivity, could compromise the delivery of the cloud service and have negative impacts. As a result, customers should evaluate how their service provider operates and understand the underlying infrastructure and platforms of the service as well as the actual applications.

Secure data destruction or erasure

Many organizations have policies that require data to be deleted when it is no longer needed, or after a fixed interval. At times, these policies mandate that data deletion be attested to, which may take the form of a statement that the data has been destroyed in a manner that prevents its reconstruction.

Many cloud providers cannot easily attest to such deletion, partially because of the way cloud data is rapidly replicated and relocated on many disk drives, servers, and data centers. Although the assumption may be that such data is overwritten in its “original” or prior location, the possibility frequently exists that a determined forensic process (or attack) could retrieve such data.

Data loss

Cloud computing in its current multi-tenant form is relatively new, and many deploying organizations are concerned with the maturity of the tools used by providers to host and manage their data.

Microsoft stands out from newer entrants to the market because of its experience in related technology platforms (such as Hotmail®, MSN®, and others), as many as twenty years in some cases.

Beyond the typical risk of data loss on disk drives, the existence of additional tools such as hypervisors, virtual machine managers, new operating and storage environments, and rapidly deployed applications introduces additional stability and redundancy factors that must be included in data loss considerations.


Thank you for reading this Part II of the Microsoft Approach to Cloud Transparency. Please join again next week for the continuation in Part III.

The Microsoft approach to cloud transparency – part I


Late last year (2012), ISSA Distinguished Fellow Frank Simorjay of Microsoft asked me to author a paper about Microsoft and its approach to the security of its cloud offerings, including using the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR). The resulting document starts below and will continue for a few weeks. Let me know what you think!


The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)


Executive summary

The shift to cloud computing represents a significant opportunity to change the way that businesses operate. Similar to the concept of outsourcing, the combination of the technologies and processes that comprise today’s definition of cloud computing represents a new way to view and use information technology and enhance the value of IT organizations.

This evolution of computing represents a tremendous opportunity for many organizations, because they can reduce or eliminate the need to manage the server-based technologies that underlie their business processes. In addition to changing processes and focus, this shift provides ways to reduce costs, to be more agile in adjusting to rapidly changing business needs, and to deploy and track resources in a more efficient manner.

This paper provides an overview of various risk, governance, and information security frameworks and standards. It also introduces the cloud-specific framework of the Cloud Security Alliance (CSA), known as the Security, Trust & Assurance Registry (STAR).

STAR is a good resource for organizations that seek an unbiased information source to help them evaluate cloud providers and maximize the benefits of cloud service. Microsoft’s commitment to transparency is apparent in its adoption of STAR controls for security, privacy, compliance, and risk management and also in its replies to STAR control requirement statements, some of which are included later in this paper.


Cloud computing is a way of treating computing as a utility service. That is, computer processing, storage, and bandwidth are managed as commodities by providers, similar to electricity or water. This approach represents a logical evolution of computing for many organizations; taking advantage of cloud computing means that they reduce or eliminate the need to manage the server-based technologies that underlie their business processes, and can focus on their core business activities.

In addition to providing organizations with the ability to focus on their core business objectives, cloud computing can help them reduce information technology and capital costs, which can provide better results to stakeholders. Also, cloud computing helps IT organizations support new business needs of their existing customer base by providing rapid deployment and resource utilization tracking. This capability directly contributes to business agility, the ability to adapt to new conditions and quickly bring new solutions to market.

Cloud computing provides an opportunity for organizations to take advantage of the rapid evolution of technology and benefit from related security, speed, scalability, and flexibility opportunities without being burdened by on-premises solutions. Today, organizations are frequently challenged to reduce their IT costs but are required to be agile and responsive to market needs. The cloud computing model allows them to pay only for the services they need. Capital outlay can be reduced significantly, which allows them to prioritize resources on business objectives.

The inherent agility in cloud computing also provides an additional benefit: scalability. As business needs grow and features or sets of data are added, cloud computing allows simple and fast scaling of the environment. Should the computing environment’s capacity need to be reduced, for example after a seasonal peak, it can be easily facilitated without the negative effects that typically accompany the sudden idling of a significant capital investment.

The opportunity offered by cloud computing requires balancing the benefits of moving data, processing, and capacities to the cloud with the implications of data security, privacy, reliability, and regulatory requirements. Since the launch of MSN® in 1994, Microsoft has been building and running online services. Microsoft enables organizations to adopt cloud computing rapidly via its cloud services such as Windows Azure™, Office 365, and Microsoft Dynamics® CRM and take a business-leading approach to security, privacy, and reliability.

Microsoft cloud services are hosted in Microsoft data centers around the world, and are designed to offer the performance, scalability, security, and service levels that business customers expect. Microsoft has applied state-of-the-art technology and processes to maintain consistent and reliable access, security, and privacy for every user. These Microsoft cloud solutions have capabilities that facilitate compliance with a wide range of global regulations and privacy mandates.

In this paper, Microsoft provides an overview of various risk, governance, and information security frameworks and introduces the cloud-specific framework developed by the Cloud Security Alliance (CSA), called the Security, Trust & Assurance Registry (STAR). The paper also discusses STAR’s roots and evolution, and examines how Microsoft cloud products fulfill the security, privacy, compliance, and risk management requirements that are defined in STAR.

This white paper provides information about how Microsoft services such as Windows Azure, Office 365, and Microsoft Dynamics CRM align with STAR guidelines for security, privacy, compliance, and risk management controls. When engaging customers, Microsoft provides documentation that specifies the responsibilities Microsoft shares with regard to applications and data that customers entrust to it; such documentation is essential for organizations that have regulatory and/or compliance obligations. As with any use of a third-party service, the customer that uses the service is ultimately accountable for determining whether the service meets their needs and obligations.

With regard to Windows Azure, this white paper addresses the Windows Azure core services: Cloud Services (Web and Worker roles, formerly under Compute), Storage (Tables, Blobs, Queues), and Networking (Traffic Manager and Windows Azure Connect). It does not provide detailed information about other Windows Azure features, such as Windows Azure SQL Database, Service Bus, Marketplace, and Caching. For more information about Windows Azure, see the “Additional reading” section later in this paper. Office 365 and Microsoft Dynamics CRM Online services run on a cloud infrastructure provided by Microsoft and are accessible from various client devices.

This white paper assumes that readers are familiar with basic Windows Azure concepts; therefore, they are not explained within the paper. Links to reading materials that describe these core concepts can be found at “White Papers on Windows Azure” on TechNet.


More on The Microsoft approach to cloud transparency next week 🙂