On 24 February 2010, Microsoft said its Business Productivity Online Suite (BPOS) would be certified to meet ISO 27001, SAS-70 Type II, and the security requirements of the U.S. Federal Information Security Management Act (FISMA) and similar laws. In addition, the dedicated (as opposed to multitenant) version of BPOS will support Microsoft's Information Rights Management (IRM) using Federal Information Processing Standard 140-2 encryption and two-factor authentication. Microsoft will also offer a U.S.-only version of BPOS-Dedicated, which will support compliance with the U.S. International Traffic in Arms Regulations (ITAR) via government background checks and fingerprinting of operations center personnel, and isolated physical infrastructure with biometric access.
Some services are immediately available; others will ship by mid-2010. Most services will not cost extra, but some elements, such as ITAR compliance, will require an extra fee. Microsoft has not set final pricing.

These security initiatives not only react to enterprise needs but also leapfrog Google, which had previously completed a SAS-70 Type II audit. In September 2009, Google also announced Google Apps was undergoing certification and accreditation for FISMA requirements. Microsoft will now gain a temporary advantage over Google and other cloud suppliers, which will scramble to offer similar security assurances.
Increasingly, the capital costs required by enterprise-grade cloud security will make it difficult for all but the best-funded vendors to penetrate markets and geographies where regulations or industry requirements (such as FISMA, Payment Card Industry, North American Electric Reliability Corp. and European Data Protection) require strong protection of data. Microsoft's recent call for updating privacy regulations to apply to cloud services could also lead to legislation that would raise the barriers to entry into the cloud market.
Security certifications alone do not meet enterprise security needs for cloud services. Cloud service providers must also give enterprises the same visibility into security operations and status that they have in traditional hosting arrangements. Also, many of the security features (such as IRM) that Microsoft announced are tightly coupled to BPOS and are not general-purpose controls based on open industry standards.
