Trustworthy Computing and Cloud Services

Malicious attempts to infiltrate computer infrastructure have become more frequent and more sophisticated. When these attacks succeed, the consequences for the victims can be serious. Confidential information and personal information are at risk.

In this environment, we hear that security is often the number one consideration for organisations when planning the future of their technology infrastructure. Security is a valid concern, and we encourage organisations to consider their options carefully.

A relatively new option that has come to the fore is cloud computing. Business and government organisations can save time and money with cloud services, which also give professionals, small businesses, schools and charities unprecedented access to leading-edge technology that would previously have required dedicated in-house resources that were simply beyond their means.

To help organisations realise these benefits, Microsoft has recently launched cloud services such as Office 365, which delivers familiar cloud-based productivity technology to organisations of all sizes.

However, there is no question that organisations must consider how their security, data protection, privacy, and data ownership needs will be met by the technology they use.

Microsoft takes these concerns seriously and has applied its experience with the Security Development Lifecycle to its cloud services.  Many organisations find that our cloud services can provide a higher standard of security at lower cost than they would be capable of maintaining with their own in-house systems.

Taking Office 365 as an example, our goal is to operate each layer of the services as securely as possible, and to give organisations accurate information about our security, so that organisations can make informed comparisons. Each year, Microsoft cloud datacentres undergo third-party audits to validate compliance with our policies and procedures for security, privacy, continuity and compliance.

Microsoft provides a coherent, robust, and transparent privacy policy emphasising that organisations maintain ownership of data we hold or process on their behalf.

To help decision makers compare their options, the company has certified to the ISO 27001 standard, signed the European Union Safe Harbour agreement, and provided detailed information and a public response to the Cloud Security Alliance’s Cloud Controls Matrix.

We recognise that a few organisations do have security requirements that go beyond what is offered in a distributed multitenant environment like Office 365.  Microsoft has designed Office 365 to provide flexibility for organisations to choose how they deploy technology. Organisations can deploy Microsoft solutions on their own premises or with a service provider, and because both solutions are built on the same technology, there is always the choice to move between running servers on their own premises.

Office 365 is designed to deliver security requirements that exceed what most organisations could deploy themselves, to enable them to use the cloud with confidence.

By Dr Mark Rees, National Technology Officer, Microsoft New Zealand Limited

Overview Videos

Security and the Cloud video (3 minutes) - with Microsoft Senior Vice President Chris Capossela

Microsoft Global Foundation Services Datacentre Tour (10 minutes) – An inside look at Microsoft Cloud Services

https://www.youtube.com/watch?v=hOxA1l1pQIw

Key security considerations for choosing a service provider

  1. Know the value of your data and processes and the security and compliance obligations you need to meet. How do you meet your obligations today, and what are your technology options?
  2. Consider the ability of service providers to accommodate changing security and compliance requirements. Require transparency in security policies and operations. 
  3. Has the provider attained third-party certifications such as ISO/IEC 27001:2005, what practices does the certification represent, and how are those practices audited?
  4. Ensure a clear understanding of security and compliance roles and responsibilities for each service. Where does responsibility lie for each layer of the service? Security considerations may differ significantly between services.
  5. Ensure data and services can be brought back in house if necessary.

Further resources