
CLOUD COMPUTING FOR U.S. Government PROFESSIONALS

CLOUD BASICS, CHAPTER 3: Security in the CLOUD

http://www.microsoft.com/govcloud

MICROSOFT U.S. Government

CLOUD BASICS: CHAPTER THREE

Keeping the bad guys off of your cloud

02-002

Cloud computing may seem risky because you cannot secure its perimeter: where are a cloud's boundaries? In addition, many government agencies must
comply with regulatory statutes, such as the Health Insurance Portability and
Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), and the
Federal Information Security Management Act (FISMA).

Yet your organization can move forward with cloud computing, even while
security standards are being defined. The National Institute of Standards and
Technology likens the adoption of cloud computing to that of wireless technology.
Agencies learned how to protect their wireless data, and they will do the same
with cloud computing.[i]

It comes down to this: Federal, state, and local agencies vary in their security and
regulatory compliance needs, and you know your needs best. You must look carefully at how well cloud providers protect key functions and sensitive data.


Your own private cloud

Agencies with sensitive information and workloads would probably never
want all of their data in a public cloud. Private clouds offer the scalability and
shared resources of cloud computing on your terms, and on your turf, if you
can afford it. To achieve true cloud scalability in a private cloud, you must
forecast demand to support the requisite degree of excess capacity and then
invest accordingly.
Some agencies have the need and the budget to do so. Within the U.S.
Department of Defense (DOD), for example, groups can obtain access to
the private cloud created by the Defense Information Service Agency. Called
Rapid Access Computing Environment (RACE), it enables DOD users to quickly
set up operating environments within a secured cloud. The Department of
Homeland Security is also building a cloud platform to serve up enterprise
email and other services to its employees.[ii] Michigan and Utah have plans to
turn their IT departments into private clouds so that they can provide more
resources to local governments, schools, and agencies.[iii]

When the cloud might not be the right fit:

• A regulatory or security issue prevents you from hosting even encrypted data in
  a public cloud.
• An application requires greater reliability or speed than what's available through
  the Internet.
• You want control over your assets, including physical possession of the hardware
  your data resides on. However, a private cloud offers one solution if you still
  want to take advantage of cloud benefits.


Security checklist

Integration. Look for integration points with security and identity management technologies
you already have, such as Active Directory, and controls for role-based access and entity-level
applications.

Identity and access. When you place your resources in a shared cloud infrastructure, the
provider must have a means of preventing inadvertent access. Find out how identities can be
federated across different services and from your internal environment to the cloud, and how the
databases are protected for access.

Compliance. Verify vendor certification and compliance with industry and government
standards that affect your agency. It's also important to find out ahead of time how dispute
resolution and liability issues are handled, what the metrics are for cloud service monitoring, how
e-discovery and criminal compliance requests are handled, and what processes will be used to
move your agency to and from the cloud.

Service integrity. Find out how your vendors protect software from corruption (malicious
or accidental) and how they ensure the security of the written code. You should also look into
their threat modeling, the hiring process for the personnel doing administrative operations, and
what levels of access those employees have.

Jurisdiction. The location of a cloud provider's operations can affect the privacy laws that
apply to the data it hosts. Does your data need to reside within your legal jurisdiction? Federal
records management and disposal laws may limit the ability of agencies to store official records
in the cloud.

Information protection. Discuss encryption with your vendor and find out who has
access to encryption keys. Other things to consider include who owns the data, where the backup
is located, whether you'll have an on-premise backup, and how that backup is purged. Also, be
sure to discuss your requirements with regard to the physical location of your data.


Privacy. Make sure a cloud service includes data encryption, effective data anonymization, and
mobile location privacy. In federal agencies, your contract with the service provider should include
provisions for complying with the Privacy Act of 1974.[iv]


Microsoft in the cloud

As one of the largest hosted services providers in the world, Microsoft offers a solid track record as an online
solution provider. Long established in the cloud, Microsoft continues to invest heavily in research and development
to help drive the technology further.


Compliance

Microsoft has invested more than U.S.$2 billion in new data centers around the world. These online services and
data centers adhere to stringent HIPAA, SOX, ISO, and FISMA requirements. The data centers are also Statement on
Auditing Standards (SAS) 70 and International Organization for Standardization (ISO) 27001 certified, and they are
audited by independent, third-party security organizations.

In December 2010, Microsoft's cloud infrastructure received its FISMA Authority to Operate (ATO) as a Moderate-Impact System. The ATO was issued to Microsoft's Global Foundation Services organization. It covers Microsoft's
cloud infrastructure that provides a trustworthy foundation for the company's cloud services, including Exchange
Online and SharePoint Online, which are currently in the FISMA certification and accreditation process.

Uptime

Microsoft guarantees 99.9 percent uptime at its data centers, which are outfitted to operate during power outages and after natural disasters. Microsoft replicates data from its primary data centers to secondary data centers
for redundancy, without storing any data off-site.

Data with or without borders

If your data needs to stay within the U.S. borders, Microsoft can guarantee that it will, with multiple
data centers across the United States that provide reliability and failover for government customers.
In addition, our data centers preserve the chain of custody for documents. When moving documents
between on-premise and cloud services, they retain the format and fidelity needed to create a
reasonable facsimile for investigations or Freedom of Information Act (FOIA) requests.

How green is our cloud?

Microsoft data centers are designed to reduce total energy consumption by 25-40 percent compared
to traditional facilities.


Who's in our cloud?

Millions use Microsoft-hosted services, including:

The United States Department of Agriculture
http://blogs.msdn.com/b/uspublicsector/archive/2010/12/08/usda-moves-to-the-cloud-with-microsoft.aspx
The State of Minnesota
http://www.govtech.com/enterprise-technology/Minnesota-Microsoft-Cloud-Collaboration.html
The City of New York
http://www.nytimes.com/2010/10/21/technology/21soft.html?_r=1
The City of Carlsbad, California
http://www.microsoft.com/casestudies/Microsoft-Business-Productivity-Online-Standard-Suite/City-of-Carlsbad/City-Government-Uses-Online-Services-for-Messaging-Saves-40-Percent-Annually/4000004251
Klamath County, Oregon
http://www.microsoft.com/casestudies/Software-Services/Klamath-County-Oregon/Klamath-County-Oregon-Streamlines-IT-Operations-by-Migrating-to-Hosted-Messaging/4000005954
The City of Miami, Florida
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006568
The Vernon Hills, Illinois, Police Department
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000007072
FreedomSpeaks
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000007618

Calculate cloud cost savings

Get a customized estimate of the potential cost savings your organization might achieve
by building on the Windows Azure platform. Try our total cost of ownership calculator at
http://www.microsoft.com/windowsazure/tco/.


Learn more
Articles
GCN: Cloud security: Feds on the cusp of change
http://gcn.com/articles/2010/05/05/securing-risks-in-the-cloud---fed-on-the-cusp-of-change.aspx?sc_lang=en
Federal Computer Week: NIST creates cloud-computing team
http://fcw.com/Articles/2009/02/25/NIST-cloud-computing.aspx
Computerworld: Report cites potential privacy gotchas in cloud computing
http://www.computerworld.com/s/article/9128636/Report_cites_potential_privacy_gotchas_in_cloud_computing
Microsoft government guides
Cloud computing
http://www.microsoft.com/govcloud
Security
http://www.microsoft.com/industry/government/guides/security/default.aspx

Microsoft security material
Cloud computing security considerations
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3269a73d-9a74-4cbf-aa6c-11fbafdb8257
Effective practices for cloud security (PDF, 187 KB)
http://download.microsoft.com/download/E/F/9/EF9F24B7-DB49-44D4-8F6A-A49D5020B8B8/Cloud
Security_Final.pdf
Security in cloud computing
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5e25adf4-507c-4e39-a09f-02fa72fe93b4
White paper: An introduction to cloud computing in government (PDF, 4.15 MB)
http://download.microsoft.com/download/2/0/1/201E54BE-31A8-4B9B-8069-849DCE50C04F/GovernmentCloudComputing.pdf
Microsoft Security Cooperation Program
http://www.microsoft.com/industry/publicsector/government/programs/SCP.mspx


Cloud basics series

Entering the cloud
http://www.microsoft.com/industry/government/guides/cloud_computing/1-entering.aspx
Government benefits in the cloud
http://www.microsoft.com/industry/government/guides/cloud_computing/2-benefits.aspx
Security in the cloud
http://www.microsoft.com/industry/government/guides/cloud_computing/3-security.aspx
SaaS
http://www.microsoft.com/industry/government/guides/cloud_computing/4-SaaS.aspx
PaaS
http://www.microsoft.com/industry/government/guides/cloud_computing/5-PaaS.aspx
IaaS
http://www.microsoft.com/industry/government/guides/cloud_computing/6-IaaS.aspx
Cloud First
http://www.microsoft.com/cloudfirst

Footnotes

[i] Beizer, Doug. "NIST creates cloud-computing team." Federal Computer Week, February 25, 2009. http://www.fcw.com/Articles/2009/02/25/NIST-cloud-computing.aspx

[ii] Hoover, J. Nicholas. "DHS Plots Its Cloud Computing Strategy." InformationWeek, December 18, 2009. http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=222002709&cid=RSSfeed_IWK_All

[iii] Towns, Steve. "State CIOs Offer Government Cloud Option." Government Technology, January 24, 2010. http://www.govtech.com/gt/articles/734128

[iv] Vijayan, Jaikumar. "Report Cites Potential Privacy Gotchas in Cloud Computing." Computerworld, February 25, 2009. http://www.computerworld.com/s/article/9128636/Report_cites_potential_privacy_gotchas_in_cloud_computing

http://www.microsoft.com/govcloud

This document is provided "as is." Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal reference purposes.
© 2011 Microsoft Corporation. All rights reserved.
