Jean-Phillippe Courtois, the President of Microsoft International, has written a guest post about Cloud security on the Viewpoints blog. You should read it if you’re at all interested in the framework for security and compliance of Cloud services - it delves into the Microsoft Cloud offerings, and the security framework we have had to build over the last 17 years.
There were a couple of highlight points that I took away:
There is no global standard for security of cloud services
As there is no global standard for security of cloud services or security of cloud infrastructure, GFS’s approach is based on the widely used and understood ISO27001 and ISO27002 information security management standards. Microsoft added an additional 141 controls to the initial 150 in ISO27001. These arise from the unique challenges of cloud infrastructure and are based on our experience of mitigating the risks that arise in this environment.
My reaction: What? There is no global international standard for cloud security! We’ve had to add141 controls to the existing 150 in an ISO standard in order to get to something that’s secure enough. So perhaps there is no wonder that as well as national differences, we’re seeing differences emerging in the ways that Cloud services are being approached between each State government in Australia.
Our Cloud security commitments
Jean-Phillippe sets out a summary of the commitments detailed in our Online Services Trust Centre which details our Cloud security model - and critically how we secure your data in our Cloud datacentres:
My reaction: It’s the detail behind these five commitments that makes the interesting reading, and would be helpful in understanding the ways that different cloud services could collect and use information - and potentially help you to build your own list of acceptable Cloud practices within your organisations