Microsoft has rolled out a new Cloud Security Readiness Tool, which is designed to help companies with up to 500 employees assess the potential impact of adopting cloud-based security services.

Security has long been one of the biggest obstacles to cloud adoption, according to a wide variety of studies, and the new Microsoft initiative is aimed at helping companies navigate the complex issues surrounding the decision of whether to go towards the cloud or remain on-prem.

"When we talk to the companies who have not adopted cloud, 44 percent raised security concerns," said Jeff Jones, director of Microsoft's Trusted Computing Group. "We then asked what would help them to overcome those concerns, and they called for better use of industry-standards, plus they were looking for a high level of transparency, so they could better understand what they were getting."

[Related: Microsoft Patch Tuesday Issues Updates, Takes a Do-Over]

Jones added that the fundamental drivers towards the cloud focused on cost savings plus the convenience associated with outsourcing their security needs to a cloud provider. More than half of them expressed the opinion that they were getting improved security because the provider was dealing with patches and all the things necessary to keep their security posture up to date. This, he said, gave the customer more time and money to focus on their respective core businesses.

"So we are approaching this from the perspective of two high-level questions," he said. "They need to understand where they are today with respect to security and compliance. Second, if they adopt cloud security offerings, will I be better off?"

Through participation with groups such as the Cloud Security Alliance, Microsoft carved out a series of recommended standards and strategies. These best practices were coalesced into a tool comprised of 27 questions designed to assess the given organization's specific circumstances leading to recommendations pertaining either to the cloud or to how they can improve their existing security policies, technologies and procedures.

The Cloud Security Readiness Tool is available over the Internet free of charge," explained Jones. "It is designed to assist organizations and consultants, to determine where they are today with IT security and how they can improve."

NEXT: Customizable within Ten Areas

Customizable to various vertical markets and the standards most applicable to each one, the tool measures security maturity in 10 areas. These include architecture, HR security, facility security, information security, data governance, legal, risk management, release management, resiliency and operational management. For each area, the tool assesses the systematic approach ranging from "we just wing it," to "we have extensive audits on a regularly scheduled basis." This culminates in a report of approximately 60 pages that describes their current state and provides recommendations on what the customer can do next to improve their status in that particular area.

"So it provides recommended mitigation, and it also describes what benefits you would get from adopting cloud-based security," said Microsoft's Jones.

Jones says that the initiative is aimed at end users and also channel partners seeking a systematic approach to better understanding the needs and circumstances of the client or prospect. He claims that the cloud recommendation is offered on an agnostic basis, given that Microsoft serves customers both through the cloud and on-prem.

"If I were a partner, I would make up a sample for myself with made-up answers, and then show to my customer as an example of what I could deliver," he said. "Even if they don't adopt cloud, you can help them to develop next steps around formal reviews and similar strategies that can make their approach to security more mature."

PUBLISHED OCT. 10, 2012