On Monday, I led a session on how we build security in the Microsoft cloud at the Gartner Security and Risk Management Summit in London, as part of our ongoing efforts to engage with customers on our initiatives to build trust in the cloud, which will continue on September 29 at our first AzureCon event.
In my presentation, I described how security is built into Azure from the ground up, starting with the Secure Development Lifecycle, which embeds security requirements into every phase of the development process, and supported by the security guidelines laid out in the Operational Security Assurance (OSA) process. I then described how we assume breaches of our systems as a security strategy, and our global incident response team that works around the clock to mitigate the effects of any attacks against Azure security, subjects I also explored earlier this year in my joint session with the Office 365 team at the RSA Conference in San Francisco.
I also talked about the strong measures we take to protect customer data, both at rest and in transit. For data in transit, Azure uses industry-standard transport protocols between user devices and Microsoft datacenters, and within datacenters themselves. We also allow customers to enable encryption for traffic between their own virtual machines (VMs) and end users. For data at rest, Azure offers a wide range of encryption capabilities using AES-256 symmetric encryption, giving customers the flexibility to choose the solution that best meets their needs.
After the session ended, I stayed to answer questions from the audience. The attendees at the summit were mostly senior IT people and business leaders – Chief Information Security Officers (CISOs) and IT directors – in mid-sized European firms. Consistent themes that emerged were future advancements of encryption solutions, and tracking access to customer data. One attendee asked, “Will Microsoft be supporting BitLocker encryption of system volumes in Azure?” and I shared, “We always have important advancements occurring and I recommend you follow the Azure Security blog.”
Later that evening, I hosted a dinner with Jennifer Byrne, Chief Security Officer, Microsoft Worldwide Public Sector, and ten CISOs. At our dinner, our guests elaborated on many of these same concerns. A CISO from a financial services organization said, “Alignment and integration across services supplying end-to-end data protection is critical to moving to a multi-tenant public cloud environment.”
My conversations with IT security professionals in Europe this week strongly reinforced what we already knew – for customers to fully commit to the cloud, we must win their trust. A trust built not on marketing jargon but on real technologies and strongly enforced policies, which are enforced by contractual terms and independently verified by compliance auditors. I’m proud to be part of the Microsoft effort to make this vision a reality.