Breach, Data Security, Network Security, Patch/Configuration Management, Vulnerability Management

Companies have security to consider with in-the-cloud Office

Audit, compliance and identity management issues must be sorted out prior to deploying Microsoft's planned in-the-cloud offerings for Office, security experts said Wednesday.

“It doesn't make it more or less vulnerable, but it does raise the requirement for doing a computer security audit on an off-premise based storage solution,” Matthew Cain, vice president and lead email analyst at Gartner, told Wednesday.

Microsoft on Tuesday announced that it is now building the product, with a likely availability date sometime in  2010, Cain said.

“We [also] would have to look at compliance implications, discovery implications, records management,” Cain said.

In February 2007, Google announced its own hosted business application suite -- Google Apps -- as a competitor to Office. Five months later, the internet giant acquired Postini, partly to secure those offerings.

Jon Oltsik, senior analyst at Enterprise Strategy Group, told Wednesday that the biggest issue with on-demand products is that of identity. He posed the question — if employees are accessing their applications in the cloud, how does one verify it is the user and not a third-party malicious hacker?

Oltsik said using strong passwords or strong authentication could help.

He added that once companies allow their sensitive data to be stored in a third-party facility, they must consider the integrity of the provider.

“They can say they do background checks, but how do you know that's true?”  Oltsik said. “You have to have some sort of audit privilege.”

As for vulnerabilities, moving Office to the cloud would place the patching burden on Microsoft itself, Oltsik said. (Microsoft still plans to offer users the option of on-premise software).

A Microsoft spokesman told Wednesday that home users will get Office web applications as an advertising-supported service through Office Live Workspace, and businesses can get it through a hosted subscription or through existing volume licensing programs.

Office Live Workspace currently uses Windows Live ID and takes advantage of Microsoft Forefront Security for SharePoint for virus protection.

For businesses that decide to host the Office web applications themselves (i.e., behind a corporate firewall), they would have to take the same security measures as they do with their current applications, the spokesman said.  

Cain said the benefit of on-demand Office is that users will have the content available to them on any device or location, allowing for easier collaboration.

“With this development, people can benefit from Office as a service on their browser, as a downloadable application on their phone, and as software on their PCs,” Microsoft Senior Vice President Chris Capossela said in a statement.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.