The Microsoft Marketing Machine is in overdrive touting the security of Microsoft Business Productivity Online Suite (BPOS), Exchange Online, and their other online services. Much of the hype is in response to Google’s recent announcement that Google Apps Premier Edition has received FISMA Certification along with both SAS 70 Type I and II certifications.
As of August 26, 2010, Microsoft’s own FAQs for their online services acknowledges the lack of security certifications.
“The Standard version of the Business Productivity Online Standard Suite will be seeking a SAS 70 Type II audit attesting to the effectiveness of Microsoft’s internal controls. While our U.S. datacenters maintain a SAS 70 Type II for the physical controls of each facility, the Services (Live Meeting, EHS, Exchange Online, SharePoint Online and Office Communications Online) themselves do not. Live Meeting maintains both the CyberTrust Service Provider Certification and the CyberTrust Application Certification, which surpasses the control requirements for SOX. The Business Productivity Online Standard Suite Standard implementation is scheduled to undergo the CyberTrust certification within the next couple of months.“