How Does Microsoft Approach Cloud Security?

It boiled down to- Can you trust it and how does Microsoft do Cloud Security? Which raises the obvious question: How does Mimecast compare?

Doug Cavit, the Chief Security Strategist at Microsoft recently did a great video on Cloud Trust at 10,000 feet.

Doug is a really interesting guy- he was the CIO of McAfee for 8 years- protecting them from threats - an important job if you consider what happened to RSA. When he joined Microsoft he worked on the OneCare product team as Microsoft started to become more of a service provider in the security space, so he's definitely one of those people that's been on both sides of the table.

In the video he's answering one of the questions we get asked most: How can I trust my data is going to be safe in the Cloud? And it's a question we take more seriously than anything else.

The fundamental difference in Cloud vs On-Premise is control.

When your data is on your own equipment, you have ultimate visibility and control over the policies and processes that operate on that data, which means you can be the ultimate arbiter as to how it's treated. With the Cloud, you aren't. So how do you deal with that?

With Cloud, you need to trade control for transparency.

That's the only sustainable way to cede control over something so important- your business data, and in our case, your primary communication method, email.

So we take transparency extremely seriously here at Mimecast, to the point where we have a whole team of people here at dedicated to transparency- helping our customers receive the insight and information from us.

What makes a provider transparent and therefore trustworthy?

Policies are the jumping off point- ensuring these meet your requirements as a customer. Policies are fine, but how do you make sure they are followed into procedures? This has consistently been one of the hardest things for Cloud companies to prove because in an emerging sector like Cloud, standards always lag behind the technology. So we've had to forge best practices and procedures through collaboration with organisations like the Cloud Security Alliance, which is helping ISO update the Cloud security controls for ISO 27001. But we're getting there, and hopefully soon we'll have the most comprehensive ISO 27001 implementation of any Cloud provider to date.

What about reliability?

This is where the rubber meets the road. To take a phrase from the financial services industry- "Past performance is no guarantee of future results" couldn't be further from the truth- what has the service provider delivered to date? Are they open about it? What's their SLA to back it up? And we like to put our money where our mouth is too, with an industry leading 100% uptime SLA.

Thinking more broadly about putting your data in the Cloud- one of the most important things to think about is the actual data- how much risk does it represent? It sounds like a ridiculous question, but classifying the data is such an important part of GRC: you don't need to protect your marketing brochures the same way you protect your trade secrets. Doug has a great quote from the video "I can't protect something if I don't know what it is".

Thinking about the lifecycle of the data and your relationship with the Cloud provider is critically important-  I talk about Birth, Marriage and Divorce in my presentations. It's easy to think about the birth and marriage when going to Cloud, but vital to think about divorce, in case you need to get it out at the end. It's a tough question for structured data, like accounting or ERP but significantly easier for unstructured data like emails. Our customers can download their data at any time.

One thing he doesn't mention is data sovereignty... where your data is physically located, which is becoming more and more important because of legislative requirements and judicial concerns, like the Patriot Act. Having your data located in the right jurisdiction is critical.

So like Microsoft we take a two step approach to security.

  1. We reduce vulnerabilities as much as we possibly can in software
  2. And recognising that issues will happen- when they do, the key is how you deal with them. Triage, Identify, Learn and Integrate that learning into processes. We've been doing that for 9 years- that's a lot of experience built into our processes.

To top that off you can always reach a human being at Mimecast. Someone to help you resolve your issues and escalating them appropriately. I love that. When I got locked out of my Google Apps account the other day- it took a few days for them to respond to my email...

Having a deeper understanding of Cloud security will enable you to use the Cloud provider to do what they do well - abstracting your IT department away from the complexity of running the service.

So can you trust the Cloud? I think so. Like Doug says, just know what you're trying to accomplish and make sure the vendor offers you the right amount of transparency.