Managing security risk in the cloud
Article
March 2016
Downloads: Article (Microsoft Word file, 467 KB); Sample workbook (Microsoft Excel file, 156 KB).
When considering cloud hosting, data security is an essential part of your decision making process. Making an informed decision is very challenging, especially when data center operations and other key elements of the service provider are not visible. Establishing a partnership with your cloud provider is important to understanding data security within third-party solutions. With transparency into the service, you can establish a clearer picture of the risk management responsibilities and build a relationship of trust.
Risk assessment guidance
As the service provider for one of the largest hosted-solutions enterprises, Microsoft IT faces the challenge of assessing data security for Microsoft Software-as-a-Service (SaaS) products as well as for third-party SaaS solutions. Microsoft IT works to assess risk and to understand which security controls are available to manage that risk. Figure 1 shows how Microsoft thinks about managing security risk. In the SaaS model, the service provider carries most of the responsibility for risk management.
Figure 1. Risk responsibility in cloud solutions
Given the lack of an assessment framework for cloud services in diverse environments, Microsoft IT created guidelines. These guidelines, in the form of a workbook, provide a common view of security across all services. The guidelines are agnostic about the solution, which makes them very useful when deciding whether to build a custom solution or buy one from a third party. You can use this workbook to assess your security management.
Guidance workbook
The workbook is an Excel spreadsheet that is structured to provide a consistent process for a SaaS assessment. It’s designed to be customized by you for your organization. The first part, Information gathering, identifies the solution, provider, key artifacts, and contacts.
The second part, Questions for the provider and customer, is structured around control areas that correspond to 15 security domains (described at the end of this section). Within each control area, a series of questions and considerations help you to better understand how the solution responds to the security control. A question may be directed at the customer, at the provider, or at both when the control falls within the area of shared responsibility. Each question is also related to a policy: most of the questions help you understand whether the security controls will satisfy your standards, so you need to relate them to your specific enterprise policies.
In the next section, Standards assessment, you use the answers to the questions to evaluate whether the solution meets a specific standard, and you assign a score (pass/fail/partial). This section includes examples so you can decide if this structure is useful for your organization.
In the last section, Results, you use the standards assessment score to determine areas that may need remediation or activity to mitigate risk. This helps drive the risk conversation to make sure you are making good decisions about the solutions you plan to implement. This section in the workbook includes examples only. Replace the examples with your own policies and create the relationship between the questions and policies.
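The four parts of the workbook (information gathering, questions related to policies, a pass/fail/partial standards score, and a results list) can be expressed as a small data model. The following Python is an added example written for this article; it is not the Microsoft IT workbook itself. The domain names, question texts, policy identifiers and the scoring rule (a policy passes when every related question is answered "yes", fails when none is, and is partial otherwise; an unanswered question counts as "no") are all constructed assumptions, and the workbook's actual 15 domains are those in Figure 2, which is not reproduced here.

```python
"""Hypothetical model of a SaaS assessment workbook: questions mapped to
enterprise policies, a pass/partial/fail standards score, and a results
list of areas needing remediation. Added example, not the original workbook."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Owner(Enum):
    """Who answers the question: customer, provider, or both (shared control)."""
    CUSTOMER = "customer"
    PROVIDER = "provider"
    SHARED = "shared"


@dataclass
class Question:
    qid: str
    domain: str                 # security domain the control area belongs to
    owner: Owner
    text: str
    policies: List[str]         # enterprise policies this question relates to
    answer: Optional[bool] = None   # None = not yet answered


@dataclass
class PolicyResult:
    policy: str
    domain: str
    score: str                  # "pass", "partial" or "fail"
    open_questions: List[str] = field(default_factory=list)


def score_policy(policy: str, domain: str, questions: List[Question]) -> PolicyResult:
    """Assumed scoring rule: pass if every related question is answered yes,
    fail if none is, partial otherwise. Unanswered counts as not satisfied."""
    related = [q for q in questions if policy in q.policies]
    if not related:
        raise ValueError(f"policy {policy!r} is not related to any question")
    met = [q for q in related if q.answer is True]
    if len(met) == len(related):
        score = "pass"
    elif not met:
        score = "fail"
    else:
        score = "partial"
    open_qs = [q.qid for q in related if q.answer is not True]
    return PolicyResult(policy, domain, score, open_qs)


def assess(questions: List[Question], standards: Dict[str, str]) -> Dict[str, PolicyResult]:
    """Standards assessment: score every policy (policy id -> domain)."""
    return {p: score_policy(p, d, questions) for p, d in standards.items()}


def remediation_areas(results: Dict[str, PolicyResult]) -> List[Tuple[str, str, str, List[str]]]:
    """Results section: policies that did not pass, worst first, with the
    questions still open so the risk conversation has concrete items."""
    rank = {"fail": 0, "partial": 1}
    flagged = [r for r in results.values() if r.score in rank]
    flagged.sort(key=lambda r: (rank[r.score], r.domain, r.policy))
    return [(r.domain, r.policy, r.score, r.open_questions) for r in flagged]


def open_questions_for(questions: List[Question], owner: Owner) -> List[str]:
    """Questions still to be answered by one party (shared questions included)."""
    return [q.qid for q in questions
            if q.answer is None and q.owner in (owner, Owner.SHARED)]


# Constructed sample data: three domains, five questions, three policies.
SAMPLE_QUESTIONS = [
    Question("Q1", "Identity and access", Owner.CUSTOMER,
             "Are administrative roles assigned to a minimal set of accounts?",
             ["POL-IAM-01"], answer=True),
    Question("Q2", "Identity and access", Owner.SHARED,
             "Is multi-factor authentication enforced for administrators?",
             ["POL-IAM-01"], answer=False),
    Question("Q3", "Data protection", Owner.PROVIDER,
             "Is customer data encrypted at rest?", ["POL-DATA-01"], answer=True),
    Question("Q4", "Data protection", Owner.PROVIDER,
             "Are encryption keys rotated on a documented schedule?",
             ["POL-DATA-01"], answer=True),
    Question("Q5", "Incident response", Owner.PROVIDER,
             "Are customers notified of security incidents within an agreed time?",
             ["POL-IR-01"]),  # not yet answered by the provider
]
SAMPLE_STANDARDS = {
    "POL-IAM-01": "Identity and access",
    "POL-DATA-01": "Data protection",
    "POL-IR-01": "Incident response",
}

if __name__ == "__main__":
    results = assess(SAMPLE_QUESTIONS, SAMPLE_STANDARDS)
    for r in results.values():
        print(f"{r.domain:20} {r.policy:12} {r.score:8} open={r.open_questions}")
    print("Remediation areas:", remediation_areas(results))
    print("Still to ask the provider:", open_questions_for(SAMPLE_QUESTIONS, Owner.PROVIDER))
```

Keeping the policy mapping (`SAMPLE_STANDARDS`) separate from the questions mirrors the article's advice to replace the workbook's example policies with your own: the same question set can be rescored against a different policy catalogue without editing the questions.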
Three tiers of responsibility
Microsoft IT looks at the SaaS cloud model as having three tiers of responsibility: what the platform enables, what the provider creates, and what the customer configures. As a customer, it’s important to ensure that you are using all the available security controls and that these controls are implemented properly. Examples of improper implementation include not choosing the right roles or not using all available security controls. When Microsoft IT assesses risk, they evaluate 15 different security domains—each with different components—as shown here.
Figure 2. Security domains used by Microsoft IT to assess risk
These security domains help to define which components are necessary when evaluating whether a SaaS solution meets Microsoft IT standards. If the solution is from a third party and the team does not have access to data center operations, Microsoft IT looks at a variety of artifacts, including reports and independent evaluations, that illustrate what the provider is doing to manage the service.
A work in progress
We are all on a journey together, to better understand our needs and to build trust through transparency as we move from an on-premises model to the cloud. Microsoft IT is offering this workbook as a process to aid your learning and growth. We hope the workbook will give you a better understanding, possible questions to ask, and a methodology for evaluating the answers so that your organization can continue its journey to the cloud.
For more information
Microsoft IT Showcase
© 2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.