TRANSCRIPT
Compliance, Security and Trust
Patrick Hynds, Microsoft Regional Director, CEO of DTS, Inc.; Duane Laflotte, CTO of Criticalsites
Microsoft’s Commitment
Security
Privacy
Compliance
www.windowsazure.com/trustcenter/
Comprehensive compliance framework
Certifications and Attestations
• ISO/IEC 27001:2005 certification
• SOC 1 and SOC 2 attestations
• HIPAA Business Associate Agreement
• FISMA authorization
• And more
Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, GLBA, FFIEC, etc.
Controls Framework
• Identify and integrate: regulatory requirements, customer requirements
• Assess and remediate: eliminate or mitigate gaps in control design
Predictable Audit Schedule
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize
• Examine root cause of non-compliance
• Track until fully remediated
Datacenter infrastructure compliance
• ISO / IEC 27001:2005 certification
• SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestation
• SOC 2 Type 2 and SOC 3 (AT 101) attestations
• HIPAA / HITECH Act
• PCI Data Security Standard validation
• FISMA authorization
* Various state, federal, and international privacy laws
* 95/46/EC (aka the EU Data Protection Directive); California SB1386; etc.
Windows Azure compliance programs
• ISO 27001
• SSAE 16 (SOC 1 Type 2)
• SOC 2 Type 2 (in process)
• CSA Cloud Control Matrix
• EU Model Clauses
• UK Government accreditation for IL 2 data
• HIPAA Business Associate Agreement (BAA)
• FISMA/FedRAMP authorization (in process)
Statement on Customer Privacy
On June 6, media outlets including the Washington Post and Guardian began reporting allegations that the United States National Security Agency (NSA) is collecting customer communications data from major technology companies, including Microsoft. Microsoft issued the following statement about the company’s alleged involvement in these activities:
REDMOND, Wash., June 6, 2013 - We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.
Privacy: http://www.windowsazure.com/en-us/support/legal/privacy-statement/
Shades of Cloud – Risk Allocation
Who manages each layer in each delivery model (Customer or Vendor):

Layer           On Premises   Infrastructure   Platform       Software
                              (as a Service)   (as a Service) (as a Service)
Applications    Customer      Customer         Customer       Vendor
Data            Customer      Customer         Customer       Vendor
Runtime         Customer      Customer         Vendor         Vendor
Middleware      Customer      Customer         Vendor         Vendor
O/S             Customer      Customer         Vendor         Vendor
Virtualization  Customer      Vendor           Vendor         Vendor
Servers         Customer      Vendor           Vendor         Vendor
Storage         Customer      Vendor           Vendor         Vendor
Networking      Customer      Vendor           Vendor         Vendor

Managed by: Customer / Vendor
MS Datacenter Experience
Defense-in-depth layers:
• Physical
• Network
• Host Security
• Identity and Access Management
• Application
• Data
10 Things to Know About Azure Security
http://technet.microsoft.com/en-us/cloud/gg663906.aspx
Data Center Security
Perimeter
• Barriers
• Fencing
• Cameras
• Security patrols
Building
• Cameras
• Security patrols
• Alarms
• Two-factor access control (biometric readers, card readers)
• Security operations center
Computer room
• Cameras
• Security patrols
• Alarms
• Two-factor access control (biometric readers, card readers)
World-Class Security
Extensive Monitoring
Network
• Isolated from Microsoft corpnet
• VLANs and packet filters in routers
• Host boundary protection
• DDoS protection
• Penetration testing
• Monitoring and logging
• Security incidents and breach notification
Identity and access
Windows Azure customer support personnel
• Access control requirements established by Windows Azure Security Policy
• No access to customer data by default
• No user / administrator accounts on VMs
• Monitoring and logging when local accounts are created on VMs
Access to PaaS VMs is highly restricted
• Most common authorization is based on customer troubleshooting request
• Full incident monitoring and logging
• Temporary accounts for limited duration and 2FA enforced
Access to IaaS VMs is not possible
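The slide above lists monitoring and logging of local account creation on VMs as a platform-side control. As an added example that is not part of the presentation, the PowerShell below shows how a customer can pull the same signal from their own Windows VM: it reads Security event ID 4720 ("A user account was created") from the local event log and reports who created which account. It assumes an elevated session and that the "User Account Management" audit subcategory is enabled; the $Days parameter and the output fields are my own choices.

```powershell
# Added example, not from the presentation: report local account creations on a Windows VM.
# Reads Security event ID 4720 ("A user account was created") from the local event log.
# Assumes an elevated PowerShell session and that the "User Account Management" audit
# subcategory is enabled (check with: auditpol /get /subcategory:"User Account Management").
param(
    [int]$Days = 7   # look-back window; an arbitrary default chosen for this example
)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = $since }

# Get-WinEvent throws when nothing matches the filter, so treat "no events" as an empty result
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData carries the fields as <Data Name="..."> elements; collect them into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # One record per created account: when, on which machine, which account, and by whom
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Computer   = $e.MachineName
        NewAccount = $data['TargetUserName']
        CreatedBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}
```

Save it as a script and pass -Days to widen the window; piping the output to Export-Csv keeps a record that can be compared against the change tickets that should explain every new account.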
Host
• Stripped-down version of Win 2012
• No drivers except approved ones, no graphics modules
• Network connectivity restricted using host firewall
• Host boundaries enforced by the hypervisor
• All Guest access to network and disk is mediated by the Root VM (via the Hypervisor)
• When VMs are provisioned, they are cloned from known configs
• PaaS images managed and updated by Microsoft
• With IaaS, customers can bring their own images (and manage them)
• Patch management
• Support lifecycle policy
[Figure: Guest VMs and the Root VM running on the Hypervisor, which mediates all access to Network / Disk]
Application
• Security Best Practices for Developing Windows Azure Applications
• Windows Azure does not inspect, approve, or monitor customer applications
• Customer application and storage account logging and monitoring
• Anti-malware scanning for customer applications
• Protection against external attacks, including third-party options
• Disaster recovery and business continuity
• Forensic investigations
Data
Redundant storage
• Locally redundant storage
• Geo-replication
Storage accounts and keys
Data backup
Data deletion and destruction
Windows Azure data cleansing and leakage
Data encryption (in transit, at rest)
Geographic regions for customer data
Asia
• East (Hong Kong)
• Japan East and West
• Southeast (Singapore)
Europe
• North (Ireland)
• West (Netherlands)
United States
• North Central (Illinois)
• South Central (Texas)
• East (Virginia)
• West (California)
AtmanCo
Situation:
• Maker of personality tests for potential employees
• Needed to scale to handle 5K to 10K tests at a time to avoid turning down business
• Potential French customer needed servers hosted in Europe
• Management of servers under IaaS model burdensome
Solution:
• Azure VMs and Web Sites provided scale and flexibility
MYOB
Situation:
• Offers AccountRight, which streamlines and automates business processes for small businesses and accountants
• Needed mobile support and offline support
Solution:
• AccountRight Live launched as an Azure-hosted offering that synced with the existing desktop suite
• Provides an API that lets almost 600 external developers build a solid ecosystem
NTP Software
Situation:
• NTP Software Universal File Access provides mobile and web interfaces that allow enterprise clients to provide access to file data selectively and securely
• Needed to integrate with the client’s on-premises storage system while letting them preserve security
Solution:
• Integrates with the client’s Windows Azure account to leverage larger organization discounts for volume and minimize impact on primary storage systems
Sangkuriang Internasional
Situation:
• Built a secure instant messaging service (EMASS) and did not want to be in the service provider business
• Needed to adapt to the mobile-centric reality of Indonesian society to stay competitive
• Platform needed to support a wide range of technology
Solution:
• EMASS deployed as 15 cloud apps running on Azure-based virtual machines
Summit Data Corp
Situation:
• Wanted to tap into the growing fitness market
• Needed a platform that supported high scalability (hundreds of thousands of users)
• Required a platform that would keep innovating and not stagnate
Solution:
• Active Fitness leverages Windows Azure Mobile Services to support hundreds of thousands of users
Call To Action
• The time is right for ISVs to break out of their normal confines by leveraging Azure and its many capabilities
• Azure has matured to enable many, varied options
• If you do not seize the opportunity, someone else in your space will!