Trust in the Cloud – Cybersecurity

By Richard Saunders, International Public Relations Reactive Security Communications

Trust me, I’m a cloud vendor.

I visited my sister and her family a while ago and somehow ended up playing a game with my seven-year-old niece. I forget what it was called now, but the objective was to describe colours without being able to relate them to an object. In other words, describe the colour blue without referring to the sea, or the sky.

Try it. It’s tough. Though apparently not for seven-year-olds.

Don’t ask me how, because I really don’t know, but on the drive home the game got me thinking about the concept of trust and how it relates to the cloud and cloud services. Just how do you explain something as ethereal as trust and yet come across as genuine and, well, trustworthy?

In today’s environment, winning and retaining their customers’ trust is every cloud provider’s ambition. But how do you earn the right to be trusted? What do you say? Somehow starting a conversation with the words ‘trust me’ seems to have the opposite effect.

Here’s another phrase: actions speak louder than words. And that is what we have tried to do at Microsoft – set out the things we do to make our cloud services more secure, private and reliable. With 200 online and cloud services serving a billion customers and 20 million businesses in more than 76 countries and 90 markets and regions, we know that organizations won’t use technology they don’t trust.


Security and privacy have been ingrained into our culture for more than a decade. It’s part of our DNA. To help our customers decide whether they can trust our cloud we invite them to consider our efforts in four main categories: cybersecurity, data privacy, compliance and transparency.

There’s a lot to cover in each of these categories, but, as I learned playing the colour game with my niece, there’s a benefit in brevity. Over the next few weeks I’ll cover each of these in a bit more detail, starting with cybersecurity.


Cybersecurity is engineered into Microsoft products and services from the initial design stage using the Security Development Lifecycle (SDL) – a holistic and comprehensive software development process for writing more secure and privacy-enhanced code, and enabling more reliable products and services. We invented the SDL and today it is broadly regarded as the industry standard for writing more secure software. Many of its key elements have been adopted by organizations including the Government of India as well as commercial entities, including Itron, MidAmerican Energy, Adobe and Cisco as the basis for their secure development regimen. Our SDL was also recognized as a case study on how to do software security development in the ISO standard 27034-1.

To protect against Internet-based security threats and continuously assess and enhance the security of our services, we utilize Operational Security Assurance (OSA). OSA combines the knowledge from our security development and security response programs, with the experience of running hundreds of thousands of servers in data centres around the world.


…by decreasing the amount of time needed to prevent, detect, and respond to real and potential Internet-based security threats, thereby increasing the security for our customers.

For many years, we have incorporated encryption into our products and services to help protect customers from online criminals and hackers. However, since June of 2013, public concern about the methods governments use to collect data has led many organizations to be concerned about the privacy of their information. We not only understand the concerns our customers have, we share them. While we have no direct evidence that customer data has been breached by unlawful and unauthorized government access, we are addressing this concern head on by…


Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we are committed to moving quickly. Many services already benefit from strong encryption in all or part of the lifecycle. For example, is protected by best in class security such as Transport Layer Security (TLS) and Perfect Forward Secrecy (PFS) encryption for both outbound and inbound email. We are also expanding encryption across all our services to provide best in class encryption solutions for data in transit between a user and the service, data in transit between data centers, data at rest, and end-to-end communications between users. And for customers looking for another layer of protection, we have also invested in giving customers the ability to use their own encryption mechanisms to encrypt their data.

Please look in on the Cyber Trust Blog next week when I’ll talk further about what we are doing specifically in the area of data privacy.

Oh. You’re this color when you’re sad and yet when you look up on a sunny day it makes you happy. That’s how a seven-year-old girl explains blue.


