Since the release of Microsoft's Office 365 cloud-based service, the pros and cons of how it stacks up against its competitors in terms of cost and usability have been hotly debated, but it is Office 365's security credentials that really sets it apart, according to the company's Trustworthy Computing Group.
Microsoft, the group says, is the only cloud services provider that addresses security at every level in the stack, starting with the underlying infrastructure, which is certified as complying with the ISO 27001 information security management standard.
Microsoft has also used the related ISO 27002 standard on information security practices and techniques to build a control matrix that includes firewalls, anti-virus patching and other controls drawn from the payment card industry's data security standard.
"We ended up with around 800 preventive, detective and corrective controls that were physical, administrative and technical. Then we took the defence-in-depth approach and put the controls throughout the stack," said John Howie, a senior director of technical security services for the online services security and compliance team within global foundation services at Microsoft in Redmond.
Added privacy mechanisms and technologies
Office 365, like other Microsoft online services, sits on top of that foundation, then has its own security provisions enabled by the same technologies used for the infrastructure stack from global foundation services.
"Office 365 builds on the old Business Process Online Suite (BPOS), also known as Microsoft online services, in terms of end-to-end security and privacy capabilities," said Howie.
As part of Microsoft's security development lifecycle that is applied to all products and services, developers built additional privacy mechanisms and technologies into Office 365.
"This is, in part, due to the fact that the latest versions of our Office products, such as Exchange 2010 SP1, SharePoint 2010 and the new Lync Server, have additional security features over the 2007 versions," said Howie.
An example of one improvement over BPOS is that users of Exchange Online can now audit access to the mailbox, which enables the business to know who is logging in and conduct checks to ensure no administrators are abusing their access rights.
Rights management is also enabled in Office 365, which provides businesses with a way of rights-protecting e-mail messages in Exchange and documents in SharePoint in the Microsoft cloud, which was not available in the previous online service.
Security advantages for SMEs
Is there any specific security advantage to small and medium-sized enterprises (SMEs), at which Office 365 is mainly aimed?
"When you are running on premise in your own server room you are responsible for everything. So in addition to managing identities, maintaining active directory, installing server software and installing applications, you are responsible for securing them appropriately to your business needs as well as everything else, such as running antivirus and applying security patches," said Howie.
All this adds cost and pressure on limited human resources, he says, which in turn ties up talented operational staff with mundane tasks.
Moving to cloud computing is always going to be more cost effective, says Howie, as it means being able to hand over much of the costly and time-consuming security and maintenance processes to service providers, it means not having to worry about capital expenditure on hardware and depreciation, and it frees up talented operational staff to work on more strategic projects.
Microsoft, like its competitors, argues that with dedicated teams and resources, it can probably do a far better job than any mid-size business could do themselves, but also claims the additional benefit of experience as an online service provider, having introduced Hotmail as long ago as 1996.
"For a small and medium enterprise, it is a very easy discussion between on-premise and cloud, with the exception only of a few select industries with very specific statutory and regulatory compliance obligations that might make it difficult to go to the cloud, such as a lawyers' offices where, for the purposes of client confidentiality under certain jurisdictions, they may not be able to put all of their data in the cloud," said Howie.
But even in those cases, he says, there will always be data that can go into the cloud and other data that will have to remain on-premise under tight wraps. In these cases, Office 365 has been designed to make it easy for businesses to have on-premise and in-the-cloud positions and allow easy interoperability between the two.
Microsoft offers this while also maintaining end-to-end security and privacy, which Howie says it competitors do not offer. "If you look at other cloud-based offerings, there is no on-premise equivalent, nor is there the flexibility of being able to pull back the data and the applications to on-premise under the same licensing model and without additional charge," he said.
Complying with European data privacy regulations
To comply with European data privacy regulations, Office 365 uses a regional model to ensure that European customer data resides only in Microsoft's European datacentres in Dublin and Amsterdam.
"Between those two datacentres we can provide failover, so if one of them goes down, servers will switch to the other," said Howie.
While Microsoft says it will do everything possible to keep data in its European datacentres for those customers who require it, Office 365 customers can also failover to the US under some circumstances.
"We can do that while maintaining our customer's privacy through a number of mechanisms, including the US Department of Commerce's Safe Harbor framework for data privacy and information sharing between Europe and the US, as well as other legal derogations to the data privacy directive that allow us to move customer data out of Europe to the US at the customer's request," says Howie.
Cloud savings appeal to businesses of all sizes
The types of organisation most likely to be the first adopters of Office 365 are start-ups, according to Howie. "Why [as a start-up] would I want to buy servers and run Exchange, SharePoint and Lync, because that is going to take away from me making money," he said.
Although Office 365 is aimed mainly at SMEs, Howie believes it is appropriate for companies and organisations of all sizes, and first movers are likely to be those where physical servers or software products are approaching end-of-life.
"These situations provide a natural opportunity for organisations of any size to move to the cloud to save costs, but right now, the economic drivers for adopting cloud computing are so strong that everyone is looking at it. Reduced costs and increased business agility are both essential for an economic recovery today," he said.
"I am not saying a large multinational corporation is going to put everything in the cloud, because there will always be some data they want to keep on-premise or are obliged to through compliance obligations, but there is a wealth of data, transactions and applications that they would love to move off-premise into a public cloud. So even a multinational organisation will find there is a lot of stuff they can push into the cloud," he said.
Cloud computing is attractive not only to younger, more tech-savvy companies. Banks in Portugal, for example, see it as an opportunity to make savings, says Howie. They like the fact that using Windows Azure, they can move from identifying a business opportunity to being up and running with a service in around a week, as opposed to months using traditional IT.
"When you have such a conservative industry sector looking at cloud computing in such a fashion, you have to wonder who would not look at the cloud these days. Pharmaceutical companies, telecoms companies and the services industry are also looking at the cloud," he said.
Cloud security reaching maturity
Security concerns have been one of the biggest hurdles to organisations adopting cloud-based services from the start, but Microsoft claims that its experience in running online services, coupled with its trusted stack, distributed controls and security development lifecycle, has achieved a level of maturity in terms of security that makes the benefits of cloud computing practically accessible to all organisations.
Although SSL-encrypted connections are currently available only in the enterprise version of the product, for any organisation considering moving to the cloud, Office 365 seems a good place to start, with familiar applications that can be easily moved back on-premise under the same licensing model at no additional cost.