Cloud Basics, Chapter 3: Security in the Cloud
http://www.microsoft.com/govcloud
Keeping the bad guys off of your cloud
02-002
Cloud computing may seem risky because you cannot secure its perimeter: where are a cloud's boundaries? In addition, many government agencies must comply with regulatory statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), and the Federal Information Security Management Act (FISMA).
Yet your organization can move forward with cloud computing, even while security standards are being defined. The National Institute of Standards and Technology likens the adoption of cloud computing to that of wireless technology. Agencies learned how to protect their wireless data, and they will do the same with cloud computing.i
It comes down to this: Federal, state, and local agencies vary in their security and regulatory compliance needs, and you know your needs best. You must look carefully at how well cloud providers protect key functions and sensitive data.
Your own private cloud
Several situations may rule out a public cloud:
A regulatory or security issue prevents you from hosting even encrypted data in a public cloud.
An application requires greater reliability or speed than what's available through the Internet.
You want control over your assets, including physical possession of the hardware your data resides on.
However, a private cloud offers one solution if you still want to take advantage of cloud benefits.
Security checklist
Integration. Look for integration points with security and identity management technologies you already have, such as Active Directory, and controls for role-based access and entity-level applications.
Identity and access. When you place your resources in a shared cloud infrastructure, the provider must have a means of preventing inadvertent access. Find out how identities can be federated across different services and from your internal environment to the cloud, and how the databases are protected for access.
Compliance. Verify vendor certification and compliance with industry and government standards that affect your agency. It's also important to find out ahead of time how dispute resolution and liability issues are handled, what the metrics are for cloud service monitoring, how e-discovery and criminal compliance requests are handled, and what processes will be used to move your agency to and from the cloud.
Service integrity. Find out how your vendors protect software from corruption (malicious or accidental) and how they ensure the security of the written code. You should also look into their threat modeling, the hiring process for the personnel doing administrative operations, and what levels of access those employees have.
Jurisdiction. The location of a cloud provider's operations can affect the privacy laws that apply to the data it hosts. Does your data need to reside within your legal jurisdiction? Federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
Information protection. Discuss encryption with your vendor and find out who has access to encryption keys. Other things to consider include who owns the data, where the backup is located, whether you'll have an on-premise backup, and how that backup is purged. Also, be sure to discuss your requirements with regard to the physical location of your data.
Privacy. Make sure a cloud service includes data encryption, effective data anonymization, and mobile location privacy. In federal agencies, your contract with the service provider should include provisions for complying with the Privacy Act of 1974.iv
Microsoft in the cloud
As one of the largest hosted services providers in the world, Microsoft offers a solid track record as an online solution provider. Long established in the cloud, Microsoft continues to invest heavily in research and development to help drive the technology further.
Compliance
Microsoft has invested more than U.S.$2 billion in new data centers around the world. These online services and data centers adhere to stringent HIPAA, SOX, ISO, and FISMA requirements. The data centers are also Statement on Auditing Standards (SAS) 70 and International Organization for Standardization (ISO) 27001 certified, and they are audited by independent, third-party security organizations.
In December 2010, Microsoft's cloud infrastructure received its FISMA Authority to Operate (ATO) as a Moderate-Impact System. The ATO was issued to Microsoft's Global Foundation Services organization. It covers Microsoft's cloud infrastructure that provides a trustworthy foundation for the company's cloud services, including Exchange Online and SharePoint Online, which are currently in the FISMA certification and accreditation process.
Uptime
Microsoft guarantees 99.9 percent uptime at its data centers, which are outfitted to operate during power outages and after natural disasters. Microsoft replicates data from its primary data centers to secondary data centers for redundancy, without storing any data off-site.
Data with or without borders
If your data needs to stay within the U.S. borders, Microsoft can guarantee that it will, with multiple data centers across the United States that provide reliability and failover for government customers. In addition, our data centers preserve the chain of custody for documents. When moving documents between on-premise and cloud services, they retain the format and fidelity needed to create a reasonable facsimile for investigations or Freedom of Information Act (FOIA) requests.
How green is our cloud?
Microsoft data centers are designed to reduce total energy consumption by 25 to 40 percent compared to traditional facilities.
Get a customized estimate of the potential cost savings your organization might achieve by building on the Windows Azure platform. Try our total cost of ownership calculator at http://www.microsoft.com/windowsazure/tco/.
Learn more
Articles
GCN: Cloud security: Feds on the cusp of change
http://gcn.com/articles/2010/05/05/securing-risks-in-the-cloud---fed-on-the-cusp-of-change.aspx?sc_lang=en
Federal Computer Week: NIST creates cloud-computing team
http://fcw.com/Articles/2009/02/25/NIST-cloud-computing.aspx
Microsoft security material
Cloud computing security considerations
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3269a73d-9a74-4cbf-aa6c-11fbafdb8257
Cloud basics series
Footnotes
Towns, Steve. "State CIOs Offer Government Cloud Option." Government Technology, January 24, 2010. http://www.govtech.com/gt/articles/734128
This document is provided as is. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal reference purposes.
2011 Microsoft Corporation. All rights reserved.