In oddly fitting timing, Microsoft announced on Jan. 16 that its Windows Azure cloud platform has been validated to conform to Payment Card Industry Data Security Standards (PCI DSS 2.0), credit card industry policies and requirements that govern how merchant IT systems handle sensitive payment information.
“The PCI DSS is the global standard that any organization of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data,” wrote Windows Azure General Manager Steven Martin in a company blog post. He added that his company’s cloud “delivers a compliant framework” that enables customers to run their “own secure and compliant applications.”
Microsoft revealed that Azure had achieved the validation, performed by independent Qualified Security Assessor (QSA) Neohapsis, as the controversy surrounding Target’s massive credit card breach continues to rage. The retailer admitted on Dec. 19 that attackers had made off with information on roughly 40 million credit and debit card accounts, including names, debit/credit card numbers, expiration dates and the three-digit security code found on the backs of most cards.
The breach spanned the prime holiday shopping season, from Nov. 27 to Dec. 15. Gregg Steinhafel, Target chairman, president and CEO, said in a statement, “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.” On Jan. 10, the company revised its figures upward to 70 million customers affected, mirroring the TJX data breach in 2006 that saw its numbers rise to 96 million compromised accounts when the investigation concluded in 2007.
The culprit: memory-scraping malware on Target’s point-of-sale terminals. Barring a sophisticated effort to infiltrate Microsoft’s data centers, the software giant’s cloud is unlikely to meet the same fate.
Microsoft’s overview of Windows Azure’s security features, last updated in April 2013, notes that the platform employs filtering routers, firewalls, encrypted traffic (optional between end users and customer virtual machines) and network segmentation. In terms of physical security, its data centers employ “various measures to help protect operations from power failure, physical intrusion, and network outages.”
“Microsoft uses highly secured access mechanisms, limited to a small number of operations personnel, who must regularly change their administrator access passwords,” added the company.
In addition to PCI DSS 2.0 compliance, Azure “successfully completed its annual ISO audit,” said Martin. ISO certification (ISO/IEC 27001:2005) now includes “SQL Database, Active Directory, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, and HDInsight among others,” he informed. Previously, it only covered Azure’s Cloud Services, Storage, Virtual Machines and Virtual Networks offerings.
“This expanded certification reaffirms Microsoft’s commitment to implementing internationally recognized information security controls so that customers can comply with the laws and regulations applicable to their use scenarios,” stated Martin.