Microsoft Gains Cloud Security Certification … Six Months After Google

Microsoft has received FISMA certification for its cloud computing data centers, a key step toward gaining customers in the federal government market that has been infiltrated by rival Google. However, Microsoft’s hosted Exchange and Online services have not yet been awarded FISMA approval.

Just this week, Google scored a major win when the U.S. General Services Administration announced plans to become the first federal agency to move all of its e-mail and collaboration tools to a cloud-based service, specifically Google Apps.  

Also read: Microsoft’s cloud-based Exchange, SharePoint still stuck in 2007

Microsoft said it was “disappointed” in the GSA’s decision, and accused Google of “adding random functionality” without meeting real business requirements.

However, it was Google that gained approval under the Federal Information Security Management Act (FISMA) in July, well before Microsoft.

While the GSA announced its move to Google on Wednesday, Microsoft announced its own compliance with FISMA on Thursday in a blog post written by risk and compliance director Mark Estberg.

“Meeting the requirements of FISMA is an important security requirement for U.S. federal agencies,” Estberg wrote. The certification, called an “authorization to operate,” was issued specifically to Microsoft’s Global Foundation Services organization.

The GFS “provides a trustworthy foundation for the company’s cloud services, including Exchange Online and SharePoint Online,” Microsoft said. However, Exchange and SharePoint themselves are still “currently in the FISMA certification and accreditation process.”

A Microsoft spokesperson confirmed that “Exchange and SharePoint Online have not yet received FISMA approval but are in the process of doing so. Microsoft’s cloud infrastructure (data centers) is what received FISMA approval.”

GFS’s Online Services Security & Compliance team has previously obtained ISO 27001 certification and SAS 70 Type II attestation.

“We have also gone beyond the ISO standard, which includes some 150 security controls and developed over 300 security controls to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved,” Estberg writes. “The additional rigorous testing and continuous monitoring required by FISMA have already been incorporated into our overall information security program.”

Estburg also said Microsoft’s cloud features “highly-focused testing and monitoring, automated patch delivery, cost-saving economies of scale, and ongoing security improvements.”

Microsoft has recently rebranded its cloud services under the name “Office 365,” which is now in beta and includes Microsoft Office, SharePoint, Exchange, Lync Online and other services. The upgraded service will reach general availability in the first half of 2011.

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin

Read more about data center in Network World’s Data Center section.