Added Security for Microsoft Hosted Services

As cloud services become all the rage, one of the main issues of concerns for customers is security – how secure are hosted or online services, and what are vendors or service providers doing to ensure privacy and security for customers? This is especially true for government organizations, where security takes on a whole new meaning.

Yesterday Microsoft announced a number of enhancements and certifications for its Business Productivity Online Suite (BPOS) to improve security, privacy and management for all Microsoft Online Services customers.  

Microsoft Online Services are enterprise class software delivered via subscription services, hosted by Microsoft and sold with partners. One of these offerings is Microsoft’s Business Productivity Online Suite, which bundles together Exchange Online, Office Communications Online, Office SharePoint Online, and Office Live Meeting, offered with shared or dedicated options. The shared multi-tenancy option serves multiple customers on one architecture, and provides self service for management and administration. It is aimed at customers that need rapid deployment, with prices ranging from $2 to $10 per user. The dedicated option supports a single customer per architecture, with a VPN connection directly to the data center. It is aimed at organizations with more than 5,000 users, and is priced on a per user subscription plus an infrastructure fee.

Focusing on security, Microsoft added new standards and compliance certifications for the BPOS shared and dedicated architectures. According to the press release, Microsoft is announcing:

New security, privacy and management capabilities to existing Microsoft Online Services including a variety of standards and certifications such as protections called for in the Statement on Auditing Standard (SAS) No. 70 Type II, Federal Information Processing Standard (FIPS) 140-2 compliance, and the International Organization for Standardization’s (ISO) 27001 standard – among others. Microsoft also announced a roadmap for two factor authentication, enhanced encryption and the expected attainment of the Federal Information Security Management Act (FISMA) certification, an important requirement for government information technology, in the next six months.

In addition to the enhancements to the Shared offering, Dedicated is receiving new features such as Master Administrator seat aggregation, so that sub entities with fewer than 5,000 seats could aggregate within a master entity with a single administrator, encryption at rest with IRM, Trusted Internet Connection with two factor authentication coming soon. Compliance Certifications for Dedicated include FERPA, HIPAA, FIPS 140-2 compliance and ISO 27001 and FISMA compliance coming soon.

Microsoft also introduced a new, dedicated government cloud offering as part of BPOS, optimized to meet the security and privacy needs of U.S. government agencies and contractors. The Business Productivity Online Suite Federal Offering is a dedicated private cloud for U.S. public sector customers, aimed at U.S. federal government agencies and defense contractors, and is optimized for the security, privacy and compliance needs of these federal government agencies. Despite the name, the product is for anyone who requires this level of security, such as the NYPD, which would require ITAR due to its integration with Department of Homeland Security.

The offering includes additional features above and beyond those in BPOS, such as secured, separate facilities and access only for a small number of U.S. citizens who have cleared rigorous background checks. In addition, the service is hosted in an isolated, physical environment with additional security controls including biometric access.  Microsoft notes that it is the first and only cloud provider to offer this level of protection and security for governments.

According to Ron Markezich, corporate vice president of Microsoft Online, there has been a lot of momentum for Microsoft Online services, with 48 out of 50 states and more than 500 state and local governments using Microsoft Online Services in the U.S. The new capabilities built into the service raise the bar for security and are things that all customers expect – whether a small “mom and pop shop” or a federal agency. As customers look to the cloud, companies like Microsoft have to address unique privacy security requirements for all customers – regardless of size or industry.

Markezick also noted that Microsoft wants customers to be able to tap into the company’s R&D services and let customers get benefits from these services and the investments Microsoft is making in these services. For cloud services, Microsoft introduces new releases every 90 days, so “the service customers get improves every 90 days.”

Security is one of the biggest “dings” against using hosted services, and Microsoft is taking steps to ensure security and privacy for its hosted customers – and its U.S. government customers. Expect to see other vendors and hosted providers follow suit.