Microsoft Online: Security Concerns

Ferris recently had a briefing from Microsoft on the security of its Business Process Online Services (BPOS) -- e.g., Exchange Online, SharePoint Online, etc. This presentation turned out to be of more interest to Ferris for its subtext than for the specifics it contained.

The subtext was that Microsoft was encountering concern (pushback?) from organizations about both the security of data held in Microsoft Online services, and the security of the services themselves. Stated another way, organizations appear to want to apply the same analysis to cloud-delivered services that they apply to on-premise-delivered services. We cannot believe that these concerns are unique to Microsoft; they are therefore an issue that will have to be addressed by all providers of cloud-based services and associated cloud-based data storage.

Based on the specifics of this briefing, it would appear that Microsoft is attempting to answer these concerns in a structured fashion, as opposed to responding to specific queries. Its approach is to adhere to a set of standards and conventions, and where appropriate, submit its data centers and services to third-party audit and/or certification of adherence.

Among the relevant standards and conventions are the following:

  • EU Data - Safe Harbor Framework. Compliance claimed by Microsoft.
  • ISO/IEC 27001:2005. Compliance certified by British Standards Institute (BSI) Management Systems America.
  • SAS 70 Type II. Third-party audits claimed by Microsoft.

What remains to be seen is whether this will be sufficient to satisfy organizations of the security of Microsoft's cloud-based offerings, and if it is, what other vendors in this space (Google, Amazon, IBM, etc.) will do to achieve a similar outcome.

... Nick Shelness

One Comment

  1. Posted July 9, 2009 at 2:17 PM

    These concerns definitely extend beyond the context of Microsoft. Google’s response is somewhat similar for Google Apps, in that they rely on a “set of standards and conventions”, namely SAS 70 Type II certification; however, they go a little further to help put the security question in context.

    Cloud-based services are inherently different than premise-based services, in that the goal is keeping the data online. With the data in a centralized location, it *tends* to be more secure. Statistically, there are fewer servers left in cabs than laptops. And if you ask most CIOs how many laptops were lost in an organization last year, it tends to expose a greater security hole. Nothing is perfect, but it will be interesting to see how the process plays out.
