Adopting a Privacy Frame of Reference for Today’s Enterprise Cloud

John Weigelt, Chief Technology Officer, Microsoft Canada (@Thumbtackhead)


Post on 02-Jun-2020




Security and privacy should be a top leadership concern

Managing risk in an increasingly connected world

“This Nexus of Forces is impacting security in terms of new vulnerabilities.”
–Ruggero Contu, Christian Canales and Lawrence Pingree. Forecast Overview: Information Security, Worldwide, 2014 Update. Gartner, Inc. June 25, 2014.

Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth

Implications:

• Job security
• Customer loyalty
• Intellectual property
• Legal liability
• Brand reputation

$3.5M: average cost of a data breach to a company

15% increase YoY

243: median # of days attackers are present on a victim network before detection

Security is a CEO level issue


Photo credit: Peter Broster


Microsoft’s Data Center Evolution

• Generation 1 (1989-2005), Colocation: Server, Capacity, ~2 PUE, 20 year Technology
• Generation 2 (2007), Density: Rack, Density and Deployment, 1.4–1.6 PUE, Minimized Resource Impact
• Generation 3 (2008), Containment: Containers, PODs, Scalability & Sustainability, 1.2–1.5 PUE, Air & Water Economization, Differentiated SLAs
• Generation 4 (2011+), Modular: ITPACs, Reduced Carbon, Rightsized, 1.05–1.20 PUE, Faster Time to Market, Air Cooled


Hyper scale Infrastructure

27 Regions Worldwide, 22 ONLINE…huge capacity around the world…growing every year

100+ datacenters

Top 3 networks in the world

2.5x AWS, 7x Google DC Regions

G Series – Largest VM in World, 32 cores, 448GB Ram, SSD…

Map legend: Operational; Announced/Not Operational

Regions:

• Central US (Iowa)
• West US (California)
• East US (Virginia)
• US Gov (Virginia)
• North Central US (Illinois)
• US Gov (Iowa)
• South Central US (Texas)
• Brazil South (Sao Paulo State)
• West Europe (Netherlands)
• China North * (Beijing)
• China South * (Shanghai)
• Japan East (Tokyo, Saitama)
• Japan West (Osaka)
• India South (Chennai)
• East Asia (Hong Kong)
• SE Asia (Singapore)
• Australia South East (Victoria)
• Australia East (New South Wales)
• India Central (Pune)
• Canada East (Quebec City)
• Canada Central (Toronto)
• India West (Mumbai)
• Germany North East (Magdeburg)
• Germany Central (Frankfurt)
• United Kingdom Regions
• North Europe (Ireland)
• East US 2 (Virginia)

* Operated by 21Vianet


Data Handling


Operational


Transparency and control: running the service


Lockbox


Customer Lockbox

Customer controls authorization of Office 365 personnel access


Security


Encryption

• BitLocker encryption on all disks

• Encryption to, from and between data centres

• Bring your own keys to validated hardware security modules

• Key management on customer premises for some services

• Per-file encryption for Skype for Business

• Per-file encryption for SharePoint Online

• Per-file encryption for OneDrive for Business

• Advanced encryption for email announced

Customer managed security: S/MIME, RMS, O365 message encryption, message flow through


http://aka.ms/OSA


Cyber Defense Operations Center


Protecting your data privacy

What we’re doing about it:

• We allow you to keep the data you upload in the region you specify.

• We will not use your data for advertising or commercial purposes.

• We will not disclose your information outside of Microsoft except with your consent or when required by law.

• We provide a variety of tools to extract your data.

• Azure will fully delete your data within 180 days after expiration or termination.

You have a right to expect:

• Your content should only be accessed as permitted by you, and should not be shared with third parties unless permitted by you.

• You should always have access to your content, and should be able to delete it or take it with you if you leave.


ISO 27018


Maintaining transparency


Compliance


Master Controls Approach

CSA, UCF, SOC1, ISO 27001, NIST 800-53, SOC2

Engineering, Operations, HR, Security, MCIO, Legal, Procurement, Sales

AREAS OF REGULATORY CONCERN

COMMON CONTROLS FRAMEWORK

SLAM

Patching

IcM QE .. .. .. .. Cn

Malware Training Physical SDL Mgt Policy Assets


Getting Comfortable

• Review the current “as-is” environment

• Pilot the service

• Assess the compliance environment

• Select a service to be provided

• Conduct preliminary PIA & TRA

• Build out the business case

• Review the SLA

• Assess the risk delta

• Decide and manage the risk

• Consume the cloud service


John Weigelt

[email protected]

@Thumbtackhead