Security of Cloud Computing
Securing Microsoft’s Cloud Infrastructure

No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, and reliable in the cloud.

Microsoft Is a LEADER In The Cloud

• (1996) 450M+ active users
• (1997) 550M users/mth
• (1998) x100M users
• Largest non-TCP/IP cloud service
• (1999) 320M+ active users
• Windows Live Messenger
• (1999) 2 Billion queries/mth
• (2001) 20M+ active users
• (2003) 5 Billion conf mins/yr
• (2004) 2 Billion emails/day
• Web Applications
• (2010) 400M+ consumers at release

HIGHLY SECURED DATA CENTERS
Enterprise class reliability and security

…delivering highly secure, private, and reliable experiences based on sound business practices

Key Features
• Geo-redundant datacenters
• N+1 Architecture
• 9 Layer Data Security…
• CyberTrust Certified
• Secure access via SSL
• ITIL/MOF Operational Practices
• 24 x 7 x 365 Support
• 99.9% Uptime, Financially-backed SLA

9 Layer Data Security
• Filtering Routers
• Firewalls
• Intrusion Detection Systems
• System Level Security
• Application Authentication
• Application Level Counter-measures
• Virus Scanning
• Separate Data Networks
• Authentication to Data

Global Foundation Services
• Infrastructure Services
• Security and Compliance
• Global Delivery
• Environmental Awareness

• US data location guaranteed today across all enterprise services
• FISMA, SAS 70, ISO certification across all facilities and services
  – ISO 27001 (strategic)
  – SAS 70 (audit)
  – FISMA (tactical)

Microsoft’s Cloud Environment

• Cloud Infrastructure: physical infrastructure, logical infrastructure
• Cloud Platform Services: compute runtimes, identity and directory stores, and others
• Consumer and Small Business Services
• Enterprise Services
• Third-Party Hosted Services

A Commitment to Trustworthy Computing

Security
Build software and services to better help protect Microsoft customers and the industry; ensure information and data are safe and confidential.

Privacy
Develop online services with the privacy of customers in mind. No matter where our customers live or work, Microsoft strives to help them protect their privacy.

Reliability
Make dependable software and continue to improve the reliability of technologies, products, and support processes with a continuing focus on the customer’s experience.

Business Practices
Ensure integrity and transparency in all business practices, and maintain the highest standards in business conduct.

How Microsoft Responds to the Challenges

Response to Cloud Security Challenges
• Risk-based Information Security Program
• Maintaining a Deep Set of Security Controls
• Comprehensive Compliance Framework

Information Security Program

International Organization for Standardization / International Electrotechnical Commission 27001:2005 Certified

Risk Management Process
• Identify threats and vulnerabilities to the environment
• Calculate risk
• Report risks across the Microsoft cloud environment
• Address risks based on impact assessment and a business case
• Test remediation effectiveness and residual risk
• Manage risks on an ongoing basis

Business Continuity Management

Response Teams

Security Incident Response
• Responds to suspected security incidents 24 hours a day
• Response process: Preparation, Identification, Containment, Mitigation, Recovery, Lessons Learned

Global Criminal Compliance
• Supports worldwide investigations by law enforcement into criminal activity involving Microsoft online services, including emergency situations when appropriate
• Response process: begins with a validated legal request; is based on country of origin; includes guidance for law enforcement

Defense-in-Depth Layers
• Physical
• Network
• Host Security
• Identity and Access Management
• Data
• Application

Security Development Lifecycle (SDL)

SDL Process
• Product Team Coordination: OSSC uses questionnaires and other product development documentation to validate that SDL has been applied correctly
• Threat Models Review: OSSC analyzes the product teams’ threat models to verify that they are complete and current
• Security Bugs Review: All bugs relating to security and privacy of customers’ data are reviewed and addressed
• Tools Use Validation: OSSC ensures that product teams have correctly and appropriately made use of the tools, documented code, and patterns and practices available to them

SDL phases: Training, Requirements, Design, Implementation, Verification, Release, Response

Comprehensive Compliance Framework

Certification and Attestations
• ISO/IEC 27001:2005 certification
• Statement of Auditing Standard 70 Type I and Type II attestations

Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, etc.

Controls Framework
• Identify and integrate:
  – Regulatory requirements
  – Customer requirements
• Assess and remediate:
  – Eliminate or mitigate gaps in control design
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize:
  – Examine root cause of non-compliance
  – Track until fully remediated
• Predictable Audit Schedule

Microsoft Online Services Security

• Strategic Information Security Program: based on industry best practices to enable rapid adaptation to cloud infrastructure changes
• Certification Framework: streamlines the certification process for product and service delivery teams
• Trusted Brand: established through meeting business obligations along with legal and commercial expectations
• Confidence: born from years of experience managing security risks in traditional development and operating environments

This material is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

©2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Hotmail, Microsoft Dynamics, MSN, SharePoint, SQL Server, Windows, and Xbox LIVE are either trademarks or registered trademarks of the Microsoft group of companies.