Secure the Datacenter, Secure the Cloud
By Teresa Carlson, Vice President, Microsoft Federal
I’ve talked a lot about the essential role cloud computing can play in creating a more agile, efficient, and cost-effective federal government, but when deciding whether or not to embrace cloud technology, agencies’ biggest questions rightly focus on security and privacy. That’s why adhering to top-line standards in each of those areas is critically important.
Datacenters are the foundation of any organization’s approach to cloud computing, which is why Microsoft has built its datacenters to comply with the strictest international security and privacy standards, including International Organization for Standardization (ISO) 27001, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002, and SAS 70 Type I and Type II. The ISO 27001 global certification is particularly important, as the highest international standard for information security. Todd VanderVen, president of BSI Management Systems, discussed ISO 27001 in a recent research report, saying, "As the first major online service provider to earn ISO/IEC 27001:2005 certification, Microsoft is further demonstrating a commitment to making its company more secure and securing the information of its customers. By formalizing their documentation and processes and using ISO/IEC 27001:2005, Microsoft will be able to improve quality as well as security and continue to raise the bar for the industry, as they have done so well over the years."

Intersection of Security Standards
Part of the payoff for adopting the tougher ISO standard is increased transparency while still offering the highest levels of security. In a cloud environment, where vendors host government data, it is critical for customers to demand full transparency. ISO is the right standard and Microsoft continues to demonstrate a commitment to openness and transparency regarding our cloud. We’ve also recently entered into a partnership with the GSA to gain an Authority to Operate (ATO) Microsoft Business Productivity Online Suite for them through FISMA accreditation by the end of 2009. Because we build security and privacy features into cloud solutions from the start, we can satisfy government agencies’ security requirements such as FISMA as well as provide added measures like ensuring that domestic government data resides in the United States and a guaranteed 99.9% uptime.
As we help government customers maintain rigorous security and privacy requirements as they move mission-critical communications and collaboration solutions to the cloud, we are already seeing successes with cities like Carlsbad, California, which uses Microsoft Business Productivity Online Suite, and the University System of Ohio (the largest university system in the United States). By leveraging Microsoft’s hosted applications, these customers are lowering operating costs and freeing up vital IT resources and staff for more innovative and strategic projects. Customers also appreciate that they can continue to use familiar user interfaces (such as Office) after moving to the cloud, extending existing technology investments while accessing Microsoft’s round-the-clock support, backup, filtering, and compliance features during the transition.
Our approach to cloud computing has been developed through years of experience running not only massive-scale consumer cloud offerings like Hotmail®, Xbox Live, and Bing search but also Exchange Server for enterprises, which has a heritage of Common Criteria certification. As more customers ask the tough questions on cloud, Microsoft Federal is ready with some resources that can help. And for additional details on datacenter security, my colleagues at our datacenters have information that can point you in the right direction.
White Paper: Securing Microsoft’s Cloud Infrastructure
White Paper: Security in Microsoft’s Business Productivity Online Suite
Global Foundation Services Blog: Securing Microsoft’s Cloud Infrastructure