TRANSCRIPT
Adopting a Privacy Frame of Reference for Today’s Enterprise Cloud
John Weigelt
Chief Technology Officer
Microsoft Canada
@Thumbtackhead
Security and privacy should be a top leadership concern
Managing risk in an increasingly connected world
“This Nexus of Forces is impacting security in terms of new vulnerabilities.”
– Ruggero Contu, Christian Canales and Lawrence Pingree. Forecast Overview: Information Security, Worldwide, 2014 Update. Gartner, Inc., June 25, 2014.
Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth.
Implications: job security, customer loyalty, intellectual property, legal liability, brand reputation.
$3.5M: average cost of a data breach to a company (15% increase YoY).
243: median number of days attackers are present on a victim network before detection.
Security is a CEO-level issue.
Photo credit: Peter Broster
Microsoft’s Data Center Evolution (PUE = power usage effectiveness)
Generation 1 (1989-2005): Colocation; Server Capacity; ~2 PUE; 20-year Technology
Generation 2 (2007): Rack Density and Deployment; 1.4–1.6 PUE; Minimized Resource Impact
Generation 3 (2008): Containers, PODs; Density Containment; Scalability & Sustainability; 1.2–1.5 PUE; Air & Water Economization; Differentiated SLAs
Generation 4 (2011+): ITPACs; Modular; Air Cooled; 1.05–1.20 PUE; Reduced Carbon, Rightsized; Faster Time to Market
Hyperscale Infrastructure: 27 regions worldwide, 22 online… huge capacity around the world… growing every year
• 100+ datacenters
• Top 3 networks in the world
• 2.5x AWS, 7x Google DC regions
• G Series – largest VM in the world: 32 cores, 448 GB RAM, SSD…
Map legend: Operational; Announced/Not Operational
Regions (location):
• Central US (Iowa)
• West US (California)
• East US (Virginia)
• US Gov (Virginia)
• North Central US (Illinois)
• US Gov (Iowa)
• South Central US (Texas)
• Brazil South (Sao Paulo State)
• West Europe (Netherlands)
• China North * (Beijing)
• China South * (Shanghai)
• Japan East (Tokyo, Saitama)
• Japan West (Osaka)
• India South (Chennai)
• East Asia (Hong Kong)
• SE Asia (Singapore)
• Australia South East (Victoria)
• Australia East (New South Wales)
• India Central (Pune)
• Canada East (Quebec City)
• Canada Central (Toronto)
• India West (Mumbai)
• Germany North East (Magdeburg)
• Germany Central (Frankfurt)
• United Kingdom Regions
• North Europe (Ireland)
• East US 2 (Virginia)
* Operated by 21Vianet
Data Handling
Operational transparency and control: running the service
Lockbox
Customer Lockbox: customer controls authorization of Office 365 personnel access
Security
Encryption
• BitLocker encryption on all disks
• Encryption to, from and between data centres
• Bring your own keys to validated hardware security modules
• Key management on customer premises for some services
• Per-file encryption for Skype for Business
• Per-file encryption for SharePoint Online
• Per-file encryption for OneDrive for Business
• Advanced encryption for email announced
Customer-managed security: S/MIME, RMS, O365 message encryption, message flow-through
http://aka.ms/OSA
Cyber Defense Operations Center
Protecting your data privacy
What we’re doing about it:
• We allow you to keep the data you upload in the region you specify.
• We will not use your data for advertising or commercial purposes.
• We will not disclose your information outside of Microsoft except with your consent or when required by law.
• We provide a variety of tools to extract your data.
• Azure will fully delete your data within 180 days after expiration or termination.
You have a right to expect:
• Your content should only be accessed as permitted by you, and should not be shared with third parties unless permitted by you.
• You should always have access to your content, and should be able to delete it or take it with you if you leave.
ISO 27018
Maintaining transparency
Compliance
Master Controls Approach
Areas of regulatory concern: CSA, UCF, SOC 1, ISO 27001, NIST 800-53, SOC 2
Common controls framework: SLAM, Patching, IcM, QE, … Cn; Malware, Training, Physical, SDL, Mgt Policy, Assets
Organization: Engineering, Operations, HR, Security, MCIO, Legal, Procurement, Sales
Getting Comfortable
• Review the current “as-is” environment
• Select a service to be provided
• Assess the compliance environment
• Conduct preliminary PIA & TRA (Privacy Impact Assessment and Threat and Risk Assessment)
• Build out the business case
• Pilot the service
• Review the SLA
• Assess the risk delta
• Decide and manage the risk
• Consume the cloud service