Microsoft Talks Federal Government Cloud Computing Security

Microsoft executive Teresa Carlson suggests that security for the cloud, particularly in the context of the federal government, starts with imposing strict security and privacy standards on the operation of data centers. Recent surveys indicate that security remains a top concern for IT administrators in both government and private enterprise.

Cloud computing may be increasingly vital to cost-efficient government IT, but concerns over security remain as prevalent in federal agencies' considerations for adopting the cloud as they are in the enterprise or SMBs. A Microsoft executive, meanwhile, is claiming in a recent blog post that security in the cloud, notably in the context of the federal government, rests on the ability to protect the security and privacy of data centers and the information they hold.

"Data centers are the foundation of any organization's approach to cloud computing, which is why Microsoft has built its data centers to comply with the strictest international security and privacy standards," Teresa Carlson, vice president of Microsoft Federal, wrote in an Oct. 14 posting on FutureFed, the Microsoft federal blog.

Those security and privacy standards include International Organization for Standardization (ISO) 27001, Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act of 2002, and SAS 70 Type I and Type II, according to Carlson.

The ISO 27001 standard, first published in October 2005 by ISO and the International Electrotechnical Commission (IEC), specifies a system that brings information security under strict management control.

"Part of the payoff for adopting the tougher ISO standard is increased transparency while still offering the highest levels of security," Carlson wrote. "In a cloud environment, where vendors host government data, it is critical for customers to demand full transparency."

Microsoft has recently entered into a partnership with the U.S. General Services Administration (GSA), Carlson added, to "gain an Authority to Operate (ATO) Microsoft Business Productivity Online Suite for them" by the end of 2009, dependent on Federal Information Security Management Act (FISMA) accreditation.

Cloud platforms for the federal government must satisfy security requirements such as those set out under FISMA. Microsoft has stated that it intends all cloud-hosted federal government data to reside in the United States and to have 99.9 percent uptime.

Security remains a prime concern for cloud implementers in the government and private enterprise alike.

A September survey by Unisys found that, of 312 IT professionals surveyed, some 51 percent cited security and data privacy as their top concern with regard to cloud computing. Other issues cited included integrating cloud-based applications with existing systems, regulatory and compliance concerns, and the ability to bring a system back within the corporate firewall should the need arise.

"These poll results confirm what we continue to hear from our clients as well as industry analysts," Sam Gross, Unisys' vice president of global IT outsourcing solutions, said in a statement. "Until they are convinced that there is 'industrial-strength' security in the cloud, CIOs will remain reluctant to move more than development and test systems into that environment."

Another survey of 500 IT professionals by IT consultancy Avanade found that respondents overwhelmingly trusted their in-house systems to provide better security and control than cloud-based offerings. That followed on the heels of F5 Networks' August survey showing that, although 99 percent of the 250 IT professionals surveyed were considering some sort of public or private cloud implementation, the majority said that access control and security were keys for adoption.