Microsoft has published security policies it applies to its cloud services, and sheds some light on what might ultimately develop as industry standards for securing these services.

Its paper called “Securing Microsoft’s Cloud Infrastructure” is a high-level overview of what steps the company takes to protect its infrastructure as well as its customers’ data and applications.

Broadly, it relies on risk assessment and defense-in-depth as well as a continuing cycle of re-evaluating risks and developing appropriate new countermeasures to stay abreast of developing threats. The company also monitors laws pertaining to data privacy and integrity with the goal of complying with them.

Microsoft says it submits its cloud infrastructure to annual reviews for compliance with Payment Card Industry (PCI) standards, Sarbanes-Oxley regulations, Health Insurance Portability Accountability Act (HIPAA) compliance and Media Ratings Council rules.

“Recognizing the significant opportunity to eliminate redundant efforts, streamline processes and proactively manage compliance expectations in a more comprehensive manner, OSSC developed a comprehensive compliance framework,” the paper says. It rolls up all the requirements of these individual reviews into a master list of requirements that it sets about meeting and maintaining.

In addition, Microsoft points to International Organization for Standardization (ISO) and Statement of Auditing Standard (SAS) 70 certifications as a measure the soundness of its cloud security.

These measures go along with what others looking at the problem of cloud security have suggested as a basis for security standards. After all, many cloud security challenges are shared by traditional computing environments for which tough security standards have already been established. It makes sense to use them as an extendable template for cloud security.

Tim Greene is senior editor at Network World.