Microsoft Outlines Cloud Compliance Framework update from October 2009

We've written previously about the challenges of regulatory compliance in a cloud computing environment. While this has been a concern for prospective cloud customers, compliance audits can keep data center providers busy as well. This week Microsoft Global Foundation Services (GFS), which builds and operates the company's huge data centers, has published a white paper outlining Microsoft's Compliance Framework for Online Services (PDF).  

The 47-page paper document provides some details on Microsoft's processes in organizing its compliance efforts, but also discusses the impact of compliance audits on staffing. "Our service delivery and operations teams found themselves spending increasing amounts of time responding to a variety of audits that often asked for the same types of information repeatedly over the course of a year," writes Mark Estberg, the Senior Director of Risk and Compliance, on the GFS blog. "In addition, compliance obligations are increasing and becoming more complex as Microsoft moves into new markets and businesses and also as regulations and industry standards change."

Microsoft's compliance requirements include adhering to the Payment Card Industry Data Security Standard, Sarbanes-Oxley requirements and obligations imposed by the Health Insurance Portability and Accountability Act. The company developed a controls framework that "maps our obligations to a single set of controls rather than independent requirements." Estberg writes. Microsoft also sought to develop a predictable audit schedule to minimize disruptions to its data center teams and reduce the number and impact of audits.

"A standard does not exist for cloud security and this is a challenge for all online service providers and customers," Estberg notes."We are sharing our approach to contribute to an industry dialogue. Our hope is that by sharing best practices with industry counterparts we can improve together and customers can benefit."