Cloud: Our platform is security ready says Microsoft

BANGALORE, INDIA: Cloud computing has the potential to offer governments, enterprises and individuals greater choice and flexibility, at the same time spurring significant gains in efficiency, lower IT costs, as well as creating online platforms and incentives for innovation. However, migration to the cloud is not on the expected track, due to the fear caused by the series of security breaches in the recent past.

Software giant Microsoft has been a player in the cloud environment for over 15 years now, offering cloud solutions that span businesses, governments and general consumers. Sanjay Bahl, chief security officer of Microsoft India in an interview with CIOL, talked about various security measures set up by Microsoft in the cloud environment.

Excerpts:

CIOL:  How open are Indian enterprises in moving applications to the cloud?

Sanjay Bahl: I feel that in India, many enterprises are still hesitant to move their applications to the cloud. One of the possible reasons may be security perception. As interdependency among public and private sector entities grows, the issue of security and loss of control tends to be a concern.

Also read: Sony data breach raises questions about cloud security

There is a certain level of comfort in knowing you can take some action if there is a problem, and losing that control and ability to take action is understandably hard. However, these concerns can be addressed, as there are certain applications that could be sourced from the cloud and certain things that could be run on specific, more secure applications. At Microsoft, the model we propose gives customers the best of both worlds; which is the cloud and specific solutions for specific needs.

Also read: '70 per cent of web applications not secure' 

CIOL: What categories of apps are being moved to the cloud at this stage?

Sanjay Bahl:The Morgan Stanley report of May 2010 wherein it surveyed 50 CIO’s mentions that email, CRM and human resources applications will be the first to move to a cloud environment. Email will come out on top with a three times increase in hosted email usage over the next year.

Until now, on the BPOS platform we have about 1400 customers and over 700 partners. On the Windows Azure front we have 600 enterprise customers with over 8,500 applications developed from India. So it’s evident from the numbers the kind of commitment and expertise that Microsoft is currently offering vis-à-vis cloud computing.

CIOL: What is Microsoft doing on the security front?

Sanjay Bahl: Microsoft has designed the Azure platform with security in mind, ensuring a number of different security features have been built in and not bolted on. An important aspect of securing data is verifying the identities of those who request to access it. Microsoft has .NET Access Control Service, which works with web services and web applications to provide a way to integrate common identities.” Microsoft uses a need-to-know and least-privilege model to manage access to assets.

Highly sensitive assets require multi factor authentication, including such measures as password, hardware tokens, smart cards, or biometrics. Microsoft's compliance framework is designed to address the security challenge. The security for Microsoft's cloud infrastructure is managed by the Online Services Security and Compliance team, which maintains the security control framework and develops policies and programs for ensuring compliance and managing security risks.

We ensure that the Microsoft Cloud undergoes annual audits for compliance, as well as internal assessments throughout the year, managing cloud complexity with threat modeling.

CIOL: In the USA, law requires cloud security service providers to announce any data breach. Do you see a need for a similar law in India to clear the doubts about data security in the cloud environment?

Sanjay Bahl: Yes, a similar law here in India would definitely help clear the doubts or hesitance people and organizations have regarding data security in the cloud environment. Breaches of security on the web are numerous. If you read the fine print of cloud computing applications or service's privacy policy, terms of service, or use, you will see no guarantees of privacy, confidentiality or security. They do not and often cannot give guarantee as no cloud computing application is 100 per cent secure, safe, or reliable, and that is primarily because the web is not 100 per cent secure, safe or reliable.  The web is a target for miscreants and criminals.

Microsoft is committed to assuage the fears of concerned users by assuring them that their information is safe and secure. When we think about security for Microsoft Online, we do so in the context of the Microsoft Online Risk Management Program. This includes the intertwined disciplines of security, privacy, continuity, and compliance.

CIOL: What are your suggestions for enterprises that are looking at migrating to the cloud?

Sanjay Bahl: Here are a few pointers organisations should consider when embracing the cloud:

• Well-functioning risk and compliance programs are a must
• Data classification is the base
• Choose the right deployment model (private, community, or public)
• Strong, cloud trained, internal team still needed
• Process transparency, compliance controls, and auditability by the provider
• Implement a secure development life cycle and evaluate the provider and their vendors as well
• Stronger federated identity and access controls
• Information life cycle controls
• Access controls to operate across organisational boundaries without surrendering identity ownership