Security in Microsoft Business Productivity Online Suite (BPOS)
Why Online Services?
Key applications such as messaging, worker and group collaboration tools, and online conferencing services provide the foundation for businesses of all sizes and in all markets. Though necessary to the day-to-day operation of your business, these applications can be expensive to purchase and operate. These important communication tools require staff with specialist skills outside the key requirements for your business, can represent a significant overhead, and must be regularly maintained and monitored to ensure that they are securely and reliably operated.
Immediate benefits to using Web-based or online services include lower total cost of ownership: you have no specialized staff to hire, no equipment to house, no server software to maintain and operate. Services scale readily to match your business requirements; you’re never under-provisioned or over-provisioned and your online "virtual" IT department grows and responds to your changing needs.
Is it Secure?
Along with reliability, continuity, and data privacy, the security of their online environment is high on the list of customer requirements.
The foundation of Microsoft Online Services is Trustworthy Computing (read: The Microsoft Trustworthy Computing Privacy Overview) . A White Paper, Security in Microsoft Business Productivity Online Suite, released last month describes how security has been a central principle designed into all aspects of the Business Productivity Online Suite. It describes the capabilities, technologies, and processes that build trust in the Business Productivity Online Standard Suite, providing world-class online services for your business.
This paper describes how Microsoft:
- Manages security, privacy, and continuity of the Online Services through a robust and mature compliance management program.
- Aligns with industry standards for security and reliability.
- Periodically obtains independent validation and testing through accredited third-party organizations.
I have pasted some interesting bits from the white paper below:
The Security Development Lifecycle (SDL)
The Microsoft Security Development Lifecycle, the industry-leading Microsoft software security assurance process, is applied to Microsoft Online Services development, deployment, and maintenance. Like the Trustworthy Computing Initiative, the SDL is a Microsoft-wide initiative and has been a mandatory policy since 2004. The SDL has played a critical role in embedding security and privacy into Microsoft software and culture, introducing security and privacy early and throughout the development process. All Microsoft software and services used in the Online Services are built according to the SDL process.
Availability and Continuity
99.9-Percent Reliability - Microsoft Online Services have a measured 99.9-percent reliability. N+1 redundancy means that critical components throughout the service—at the network, data storage, and applications server levels—are duplicated to protect against failures. Details such as dual power supplies and network interfaces further increase uptime for key components. In addition, configurations are replicated offsite among data centers so that the data centers themselves are protected.
Avoiding Resource Constraints Through Scalability - Excess capacity is built into the Business Productivity Online Standard Suite. All users are pre-allocated the resources that they need, and additional capacity can be brought online proactively, in advance of current resources becoming constrained. The result is that you can add users, storage, or services at any time and get immediate results.
Independent Certification
In addition to internal assessment as described above, the Microsoft Online Services organization undergoes various independent third-party compliance audits to provide a greater level of guarantee to our customers. Such independent, objective audits may also help satisfy customers’ legal, regulatory, and compliance obligations.
Demonstrating Compliance
Microsoft develops compliance strategies based on the nature of the service offering. In the current service line, a service may have one or more of the following:
- Statement of Auditing Standard (SAS) 70 Type II
- ISO 27001 certification
- Verizon Security Management Program – Service Provider Certification (formerly Cybertrust)