Microsoft Bangs Drum For Cloud Trust


Microsoft says before cloud computing becomes the de facto IT delivery and consumption mechanism, the onus is on vendors, solution providers and partners to establish trust and prove that the cloud is secure.

"It's really as big a shift for IT as the shift from mainframes to computers," Adrienne Hall, general manager of Microsoft's Trustworthy Computing group, said in an interview.

And as cloud computing takes hold, it's up to vendors and cloud providers to offer a cloud ecosystem that is secure and to ensure the proper safeguards and checks and balances are in place.

"A key element is trust," Hall said, adding that cloud users have to determine what they are comfortable running in the cloud and that it is secure, private and reliable.

For Microsoft's part, its cloud trust initiative spans across products and groups and is a three-pronged approach that ensures secure deployment of cloud applications and environments, infrastructure and incident response.

Microsoft's push for trust in the cloud will leverage the Security Development Lifecycle (SDL) that Microsoft has leveraged since 2004 for its software offerings. SDL is a documented, auditable and traceable process for writing secure software through which all products pass a security review before they reach the market. For the cloud specifically, Hall said Microsoft has launched SDL Agile, a cloud-focused version of the SDL to secure cloud application development.

The cloud creates challenges in that the development lifecycle is shorter than with Microsoft's traditional software and packaged products. Being more fluid means closer attention has to be paid to secure processes throughout development.

In another bid for cloud trust, Hall said Microsoft will leverage Trustworthy Computing's transparency. Microsoft will ensure its infrastructure has the necessary certifications and accreditations and that regular audits are conducted by independent organizations. Additionally, Microsoft will lay out its data handling processes in hosted service agreements.

Hall added that its cloud customers' data will be stored on systems protected by both physical and technological security measures and protected with encryption. Infrastructure assets will also be subject to daily scanning.

"If there's some sort of new threat, by scanning daily we have systems that can alert us," Hall said.

 

Next: Incident Response Fosters Cloud Trust