By Jeff Jones, Principal Cybersecurity Strategist, Microsoft
On October 9, I delivered a keynote about trust in the cloud at the Cybersecurity Expo 2014 event in London. I’ve been thinking about how to tackle a topic like ‘trust’ and how it applies to cloud computing. I don’t know about you, but when someone you don’t know very well says ‘you can trust me,’ I kind of feel the opposite. I believe that actions speak louder than words.
With that in mind, I approached the topic by talking about four key areas that Microsoft believes are important for cloud service providers to demonstrate trustworthiness; areas that Microsoft delivers in the 200+ cloud services customers use today. As I did with the delegates today, I invite readers to consider cloud provider efforts in four main categories: cybersecurity, data privacy, compliance and transparency.
For Cybersecurity, Microsoft works to protect, detect and respond to threats against customers. We have invested in developing more secure products and services for more than a decade via the Security Development Lifecycle (SDL) – a holistic and comprehensive software development process that we created to help write more secure and privacy-enhanced code and enable more reliable products and services. Today the SDL is regarded as the industry standard for writing more secure software and is included as a case study in the ISO standard 27034-1.
Our online services adhere to a rigorous set of security and privacy controls that govern operations and support through a process called Operational Security Assurance (OSA). We have strong data encryption polices that help to protect our customers, partners and internal data within our networks. In support of this, in July we provided examples of how we are expanding encryption across our services to help protect customer data:
Office 365 – Provides message encryption, an email service that allows you to send encrypted mail to anyone.
Microsoft Azure – ExpressRoute, enables customers to access Azure services from their premises without having to traverse the Internet.
Outlook.com – Protection is provided by Transport Layer Security (TLS) encryption for both outbound and inbound email. Outlook.com has also enabled Perfect Forward Secrecy (PFS) encryption support for sending and receiving mail.
OneDrive has enabled Perfect Forward Secrecy (PFS) encryption.
Microsoft has a global, 24×7 incident response team that works to mitigate the effects of cyberattacks and malicious activity. The incident response team follows established procedures for incident management, communication, and recovery, and uses discoverable and predictable interfaces internally and to customers. We also proactively partner with law enforcement to combat cybercrime through our Digital Crimes Unit.
Our commitment to data privacy begins at the development stage and is part of the SDL as well as a set of internal guidelines, called the Microsoft Privacy Standard. As a result, our enterprise cloud services include world-class privacy features like Data Loss Prevention (DLP), Rights Management Services (RMS), and various controls that help customers manage risks to their data. As a result, we are currently the only cloud vendor whose commercial contracts meet the European Union Data Protection Authorities’ stringent standards for international transfers of data, a fact recognized by the “Article 29 Working Party”.
Third-party certifications help demonstrate compliance readiness to customers, auditors and regulators. Independent third-party companies, such as Deloitte and the British Standards Institution (BSI), regularly assess and verify our capabilities and adherence to a comprehensive set of requirements. Our structured approach to compliance is built on commitment to comply with a broad range of certifications, in many cases setting the pace for others to follow.
In March 2013, as part of our commitment to increased transparency, we began publishing details on the number of demands we receive each year in our Law Enforcement Requests Report and providing clear documentation of our established practices in responding to government legal demands for customer data.
It is important to recognize that the threat landscape will continue to evolve to keep pace with advances in security and data protection – that’s a given. Microsoft remains committed to protecting customer data through innovation and collaboration to help manage risk from cybercriminals.
For more information on our cloud services, check out www.microsoft.com/cloud.
Tags: ICT infrastructure