Managing security risk in the cloud

Article

March 2016

Download

Article, 467KB, Microsoft Word file

Sample workbook 156KB, Microsoft Excel file


When considering cloud hosting, data security is an essential part of your decision making process. Making an informed decision is very challenging, especially when data center operations and other key elements of the service provider are not visible. Establishing a partnership with your cloud provider is important to understanding data security within third-party solutions. With transparency into the service, you can establish a clearer picture of the risk management responsibilities and build a relationship of trust.

Risk assessment guidance

As the service provider for one of the largest hosted-solutions enterprises, Microsoft IT struggles to assess data security for Microsoft Software-as-a-Service (SaaS) products, as well as third-party SaaS solutions. Microsoft IT works to assess risk and understand what security controls are available to manage risk. In Figure 1, you can see how Microsoft thinks about managing security risk. In the SaaS model, the service provider carries most of the responsibility for risk management.

Title: Levels of risk responsibility for customer and provider - Description: The customer has all responsibility for risk management with on-premises. As you move along the continuum from IaaS to PaaS to SaaS, risk management responsibility shifts to the provider. In the SaaS model, the customer is fully responsible for data classification and accountability and for client and end-point protection, and partially responsible for identity and access management; the provider is fully responsible for application-level controls, network controls, host security, and physical security.

Figure 1. Risk responsibility in cloud solutions

Given the lack of an assessment framework for cloud services in diverse environments, Microsoft IT created guidelines. These guidelines, in the form of a workbook, provide a common view of security across all services. The guidelines are agnostic about the solution, which makes them very useful when deciding whether to build a custom solution or buy one from a third party. You can use this workbook to assess your security management.

Guidance workbook

The workbook is an Excel spreadsheet that is structured to provide a consistent process for a SaaS assessment. It’s designed to be customized by you for your organization. The first part, Information gathering, identifies the solution, provider, key artifacts, and contacts.

The second part, Questions for the provider and customer, is structured around control areas that correspond to 15 security domains (described at the end of this section). Within each control area, a series of questions and considerations help you to better understand how the solution responds to the security control. The questions may be for the customer or the provider—or both—when the control falls within the area of shared responsibility. Each question also has a policy relation. Most of the questions can help you understand whether security controls will satisfy your standards, but you need to relate the questions to your specific enterprise policies.

In the next section, Standards assessment, you use the answers to the questions to evaluate whether the solution meets a specific standard, and you assign a score (pass/fail/partial). This section includes examples so you can decide if this structure is useful for your organization.

In the last section, Results, you use the standards assessment score to determine areas that may need remediation or activity to mitigate risk. This helps drive the risk conversation to make sure you are making good decisions about the solutions you plan to implement. This section in the workbook includes examples only. Replace the examples with your own policies and create the relationship between the questions and policies.

Three tiers of responsibility

Microsoft IT looks at the SaaS cloud model as having three tiers of responsibility: what the platform enables, what the provider creates, and what the customer configures. As a customer, it’s important to ensure that you are using all the available security controls and that these controls are implemented properly. Examples of improper implementation include not choosing the right roles or not using all available security controls. When Microsoft IT assesses risk, they evaluate 15 different security domains—each with different components—as shown here.

Title: The 15 security domains - Description: Identity, auditing, application security, business continuity/disaster recovery, anomaly detection/monitoring, authentication, segmentation, health management, incident response & communication, physical security, authorization, data protection, compliance assessment, key management, and policy, laws and operations.

Figure 2. Security domains used by Microsoft IT to assess risk

These security domains help to define what components are necessary when evaluating whether a SaaS solution meets Microsoft IT standards. If the solution is from a third party and the team does not have access to data center operations, Microsoft IT looks at a variety of artifacts, including reports and independent evaluations, that illustrate what the provider is doing to manage the service.
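To make the workbook's structure concrete, here is an added Python model (not code from the article or from the workbook itself) of the flow described in the Guidance workbook section: each question is tagged with one of the 15 security domains from Figure 2 and with the party responsible for answering it, the Standards assessment step records a pass/partial/fail score per question, and a Results view lists the domains that need remediation and the enterprise policies left unmet. The domain names are the article's; the question texts, policy identifiers such as POL-AUTH-02, and the scores are constructed sample data, and treating an unanswered question as a failure is a design choice made here, not a rule taken from the workbook.

```python
"""Model of the SaaS assessment workbook: questions grouped by security
domain, per-question pass/partial/fail scores, and a results view.
Domain names are from the article; questions, policy ids and scores are
constructed sample data (hypothetical), not content of the real workbook."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum

# The 15 security domains Microsoft IT assesses (Figure 2 of the article).
DOMAINS = frozenset([
    "Identity", "Auditing", "Application security",
    "Business continuity/disaster recovery", "Anomaly detection/monitoring",
    "Authentication", "Segmentation", "Health management",
    "Incident response & communication", "Physical security",
    "Authorization", "Data protection", "Compliance assessment",
    "Key management", "Policy, laws and operations",
])


class Score(Enum):
    """Standards-assessment score; higher value = worse outcome."""
    PASS = 0
    PARTIAL = 1
    FAIL = 2


class Party(Enum):
    """Who answers the question (shared = both customer and provider)."""
    CUSTOMER = "customer"
    PROVIDER = "provider"
    SHARED = "shared"


@dataclass(frozen=True)
class Question:
    qid: str
    domain: str
    text: str
    party: Party
    policy: str  # the enterprise policy this question relates to

    def __post_init__(self):
        # Reject questions that do not map to one of the 15 domains.
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown security domain: {self.domain!r}")


def summarize(questions, scores):
    """Results per domain: worst score plus counts of failed/partial answers.
    Design choice here: a question with no recorded score counts as FAIL,
    because an unverified control cannot be relied on."""
    by_domain = defaultdict(list)
    for q in questions:
        by_domain[q.domain].append(scores.get(q.qid, Score.FAIL))
    return {
        domain: {
            "worst": max(ss, key=lambda s: s.value),
            "failed": sum(s is Score.FAIL for s in ss),
            "partial": sum(s is Score.PARTIAL for s in ss),
            "total": len(ss),
        }
        for domain, ss in by_domain.items()
    }


def remediation_list(results):
    """Domains whose worst score is not PASS, worst first, then by name."""
    ordered = sorted(results.items(),
                     key=lambda kv: (-kv[1]["worst"].value, kv[0]))
    return [d for d, r in ordered if r["worst"] is not Score.PASS]


def unmet_policies(questions, scores):
    """Enterprise policies with at least one non-passing related question."""
    return sorted({q.policy for q in questions
                   if scores.get(q.qid, Score.FAIL) is not Score.PASS})


# Constructed sample assessment (hypothetical questions and policy ids).
SAMPLE_QUESTIONS = [
    Question("Q1", "Identity", "Does the service federate with the customer's identity provider?", Party.SHARED, "POL-IDENTITY-01"),
    Question("Q2", "Authentication", "Is multi-factor authentication enforced for administrators?", Party.CUSTOMER, "POL-AUTH-02"),
    Question("Q3", "Data protection", "Is customer data encrypted at rest?", Party.PROVIDER, "POL-DATA-03"),
    Question("Q4", "Key management", "Can the customer manage its own encryption keys?", Party.SHARED, "POL-DATA-03"),
    Question("Q5", "Auditing", "Are administrative actions logged and exportable?", Party.PROVIDER, "POL-AUDIT-04"),
    Question("Q6", "Physical security", "Are independent audit reports for the data centers available?", Party.PROVIDER, "POL-PHYS-05"),
]
# Q6 is deliberately left unanswered to show how an unverified control is treated.
SAMPLE_SCORES = {"Q1": Score.PASS, "Q2": Score.PARTIAL, "Q3": Score.PASS,
                 "Q4": Score.FAIL, "Q5": Score.PASS}

if __name__ == "__main__":
    results = summarize(SAMPLE_QUESTIONS, SAMPLE_SCORES)
    for domain in remediation_list(results):
        r = results[domain]
        print(f"{domain}: worst={r['worst'].name} failed={r['failed']} partial={r['partial']} of {r['total']}")
    print("unmet policies:", unmet_policies(SAMPLE_QUESTIONS, SAMPLE_SCORES))
```

Two points the sample is built to show: Q3 and Q4 relate to the same policy, so a passing encryption-at-rest answer does not clear POL-DATA-03 while the key-management question fails, which is the kind of policy relation the second part of the workbook captures; and the unanswered Physical security question surfaces in the results exactly as a failed one would, mirroring the article's point that a customer without data center access must fall back on reports and independent evaluations rather than leave the control unassessed.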

A work in progress

We are all on a journey together, to better understand our needs and to build trust through transparency as we move from an on-premises model to the cloud. Microsoft IT is offering this workbook as a process to aid your learning and growth. We hope the workbook will give you a better understanding, possible questions to ask, and a methodology for evaluating the answers so that your organization can continue its journey to the cloud.

For more information

Microsoft IT Showcase

microsoft.com/ITShowcase

© 2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.