
Compliance, Security and Trust. Patrick Hynds, Microsoft Regional Director, CEO of DTS, Inc. Duane Laflotte, CTO of Criticalsites

Upload: alejandro-stoker

Post on 14-Dec-2015



TRANSCRIPT

Page 1: Compliance, Security and Trust. Patrick Hynds, Microsoft Regional Director, CEO of DTS, Inc. Duane Laflotte, CTO of Criticalsites

Compliance, Security and Trust

Patrick Hynds, Microsoft Regional Director, CEO of DTS, Inc.
Duane Laflotte, CTO of Criticalsites

Page 2:

Microsoft’s Commitment

Security

Privacy

Compliance

www.windowsazure.com/trustcenter/

Page 3:

Comprehensive compliance framework

Certifications and Attestations
• ISO/IEC 27001:2005 certification
• SOC 1 and SOC 2 attestations
• HIPAA Business Associate Agreement
• FISMA authorization
• And more

Predictable Audit Schedule
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize
• Examine root cause of non-compliance
• Track until fully remediated

Controls Framework
• Identify and integrate
• Regulatory requirements
• Customer requirements
• Assess and remediate
• Eliminate or mitigate gaps in control design

Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, GLBA, FFIEC, etc.

Page 4:

Datacenter infrastructure compliance

ISO / IEC 27001:2005 certification

SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestation

SOC 2 Type 2 and SOC 3 (AT 101) attestations

HIPAA / HITECH Act

PCI Data Security Standard validation

FISMA authorization

* Various state, federal, and international privacy laws

* 95/46/EC—aka EU Data Protection Directive; California SB1386; etc.

Page 5:

Windows Azure compliance programs

• ISO 27001

• SSAE 16 (SOC 1 Type 2)

• SOC 2 Type 2 (in process)

• CSA Cloud Control Matrix

• EU Model Clauses

• UK Government accreditation for IL 2 data

• HIPAA Business Associate Agreement (BAA)

• FISMA/FedRAMP authorization (in process)

Page 6:

Statement on Customer Privacy

On June 6, media outlets including the Washington Post and Guardian began reporting allegations that the United States National Security Agency (NSA) is collecting customer communications data from major technology companies, including Microsoft. Microsoft issued the following statement about the company’s alleged involvement in these activities:

REDMOND, Wash., June 6, 2013 - We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.

Page 7:

Privacy http://www.windowsazure.com/en-us/support/legal/privacy-statement/

Page 8:

Shades of Cloud – Risk Allocation

Who manages each layer, by service model (the slide's chart, rendered as a table):

Layer            On Premises   Infrastructure   Platform         Software
                               (as a Service)   (as a Service)   (as a Service)
Applications     Customer      Customer         Customer         Vendor
Data             Customer      Customer         Customer         Vendor
Runtime          Customer      Customer         Vendor           Vendor
Middleware       Customer      Customer         Vendor           Vendor
O/S              Customer      Customer         Vendor           Vendor
Virtualization   Customer      Vendor           Vendor           Vendor
Servers          Customer      Vendor           Vendor           Vendor
Storage          Customer      Vendor           Vendor           Vendor
Networking       Customer      Vendor           Vendor           Vendor

Managed by: Customer / Vendor

Page 9:

MS Datacenter Experience

Page 10:

Defense-in-depth

Layers: Physical, Network, Host Security, Identity and Access Management, Application, Data

10 Things to Know About Azure Security: http://technet.microsoft.com/en-us/cloud/gg663906.aspx

Page 11:

Data Center Security

Perimeter
• Cameras
• Security patrols
• Barriers
• Fencing

Building
• Cameras
• Security patrols
• Alarms
• Two-factor access control (biometric readers, card readers)

Computer room
• Cameras
• Security patrols
• Alarms
• Two-factor access control (biometric readers, card readers)

Security operations center

World-Class Security

Extensive Monitoring

Page 12:

Network

• Isolated from Microsoft corpnet

• VLANs and packet filters in routers

• Host boundary protection

• DDoS protection

• Penetration testing

• Monitoring and logging

• Security incidents and breach notification

Page 13:

Identity and access

Windows Azure customer support personnel
• Access control requirements established by Windows Azure Security Policy
• No access to customer data by default
• No user / administrator accounts on VMs
• Monitoring and logging when local accounts are created on VMs

Access to PaaS VMs is highly restricted
• Most common authorization is based on customer troubleshooting request
• Full incident monitoring and logging
• Temporary accounts for limited duration and 2FA enforced

Access to IaaS VMs is not possible
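The slide says local account creation on VMs is logged and that support accounts are temporary. The block below is an added example, not code from the slides or from Microsoft, of what a customer-side check over that telemetry looks like: it walks exported Windows Security log records, raises an alert for every local account created (event 4720) and every account added to the local Administrators group (event 4732 with the well-known BUILTIN\Administrators SID), and flags accounts that were not deleted (event 4726) within a lifetime limit. The eight-hour limit is an assumed policy, and the sample records are constructed for the example.

```python
"""Added example: audit the lifecycle of local accounts on a Windows VM from
exported Security log records. Real Windows Security event IDs are used:
  4720  a user account was created
  4732  a member was added to a security-enabled local group
  4726  a user account was deleted
The lifetime limit is an assumed policy; SAMPLE_EVENTS are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"        # well-known SID of BUILTIN\Administrators
MAX_TEMP_LIFETIME = timedelta(hours=8)   # assumed policy: one shift, then the account must be gone

# Constructed sample records shaped like the EventData of the events above,
# plus a logon (4624) and a benign group add that the audit must ignore.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2013-06-10T14:02:11", "SubjectUserName": "ops-oncall",
     "TargetUserName": "tmp-support-7731", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "TimeCreated": "2013-06-10T14:02:40", "SubjectUserName": "ops-oncall",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators",
     "TargetSid": LOCAL_ADMINS_SID},
    {"EventID": 4624, "TimeCreated": "2013-06-10T14:03:05", "SubjectUserName": "-",
     "TargetUserName": "tmp-support-7731", "LogonType": "10"},
    {"EventID": 4726, "TimeCreated": "2013-06-10T17:55:03", "SubjectUserName": "ops-oncall",
     "TargetUserName": "tmp-support-7731", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4720, "TimeCreated": "2013-06-11T09:15:00", "SubjectUserName": "ops-oncall",
     "TargetUserName": "svc-helper", "TargetSid": "S-1-5-21-1-2-3-1106"},
    {"EventID": 4732, "TimeCreated": "2013-06-11T09:15:30", "SubjectUserName": "ops-oncall",
     "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Administrators",
     "TargetSid": LOCAL_ADMINS_SID},
    {"EventID": 4732, "TimeCreated": "2013-06-11T09:16:00", "SubjectUserName": "ops-oncall",
     "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555"},   # BUILTIN\Remote Desktop Users: not privileged, no alert
]


@dataclass(frozen=True)
class Alert:
    kind: str      # account_created | local_admin_added | lifetime_exceeded | account_overdue
    account: str
    detail: str


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def audit_local_accounts(events, as_of, max_lifetime=MAX_TEMP_LIFETIME):
    """Return alerts for local-account creation, admin-group membership and overstays.

    `as_of` is the evaluation time: accounts still present and older than
    `max_lifetime` at that point are reported as overdue."""
    alerts = []
    live = {}   # TargetSid -> (account name, creation time) for accounts not yet deleted
    for ev in sorted(events, key=_ts):
        eid = ev["EventID"]
        if eid == 4720:
            live[ev["TargetSid"]] = (ev["TargetUserName"], _ts(ev))
            alerts.append(Alert("account_created", ev["TargetUserName"],
                                f"by {ev['SubjectUserName']} at {ev['TimeCreated']}"))
        elif eid == 4732 and ev["TargetSid"] == LOCAL_ADMINS_SID:
            # 4732 carries the member's SID, not its name; map it back if we saw the creation
            name = live.get(ev["MemberSid"], (ev["MemberSid"], None))[0]
            alerts.append(Alert("local_admin_added", name,
                                f"by {ev['SubjectUserName']} at {ev['TimeCreated']}"))
        elif eid == 4726:
            name, t0 = live.pop(ev["TargetSid"], (ev["TargetUserName"], None))
            if t0 is not None and _ts(ev) - t0 > max_lifetime:
                alerts.append(Alert("lifetime_exceeded", name, f"lived {_ts(ev) - t0}"))
    for name, t0 in live.values():
        if as_of - t0 > max_lifetime:
            alerts.append(Alert("account_overdue", name,
                                f"created {t0.isoformat()}, still present at {as_of.isoformat()}"))
    return alerts


def demo_alerts():
    """Run the audit over the constructed sample as of the evening of 2013-06-11."""
    return audit_local_accounts(SAMPLE_EVENTS, as_of=datetime.fromisoformat("2013-06-11T18:00:00"))


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"{a.kind:18} {a.account:18} {a.detail}")
```

On the sample, the first temporary account is created, made a local administrator and removed within four hours, so it produces only the two informational alerts; the second account is also made an administrator but is still present almost nine hours later and is reported as overdue. Real input would come from the Security log export of the VM (for example via Get-WinEvent) converted to the same field names.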

Page 14:

Host

Stripped-down version of Win 2012
• No drivers except approved ones, no graphics modules
• Network connectivity restricted using host firewall

Host boundaries enforced by the hypervisor
• All guest access to network and disk is mediated by the Root VM (via the hypervisor)

When VMs are provisioned, they are cloned from known configs
• PaaS images managed and updated by Microsoft
• With IaaS, customers can bring their own images (and manage them)

Patch management

Support lifecycle policy

[Diagram: four Guest VMs and the Root VM run on the Hypervisor, which sits on Network / Disk]

Page 15:

Application
• Security Best Practices for Developing Windows Azure Applications
• Windows Azure does not inspect, approve, or monitor customer applications
• Customer application and storage account logging and monitoring
• Anti-malware scanning for customer applications
• Protection against external attacks, including third-party options
• Disaster recovery and business continuity
• Forensic investigations

Page 16:

Data

Redundant storage
• Locally redundant storage
• Geo-replication

Storage accounts and keys

Data backup

Data deletion and destruction

Windows Azure data cleansing and leakage

Data encryption (in transit, at rest)

Page 17:

Geographic regions for customer data

Asia
• East (Hong Kong)
• Japan East and West
• Southeast (Singapore)

Europe
• North (Ireland)
• West (Netherlands)

United States
• North Central (Illinois)
• South Central (Texas)
• East (Virginia)
• West (California)

Page 18:

AtmanCo

Situation:
• Maker of personality tests for potential employees
• Needed to scale to handle 5K to 10K tests at a time to avoid turning down business
• Potential French customer needed servers hosted in Europe
• Management of servers under IaaS model burdensome

Solution:
• Azure VMs and Web Sites provided scale and flexibility

Page 19:

MYOB

Situation:
• Offers AccountRight, which streamlines and automates business processes for small businesses and accountants
• Needed mobile support and offline support

Solution:
• AccountRight Live launched as an Azure-hosted offering that synced with the existing desktop suite
• Provides an API that lets almost 600 external developers build a solid ecosystem

Page 20:

NTP Software

Situation:
• NTP Software Universal File Access provides mobile and web interfaces that allow enterprise clients to provide access to file data selectively and securely
• Needed to integrate with the client’s on-premises storage system while letting them preserve security

Solution:
• Integrates with the client’s Windows Azure account to leverage larger organization discounts for volume and minimize impact on primary storage systems

Page 21:

Sangkuriang Internasional

Situation:
• Built a secure instant messaging service (EMASS) and did not want to be in the service provider business
• Needed to adapt to the mobile-centric reality of Indonesian society to stay competitive
• Platform needed to support a wide range of technology

Solution:
• EMASS deployed as 15 cloud apps running on Azure-based virtual machines

Page 22:

Summit Data Corp

Situation:
• Wanted to tap into the growing fitness market
• Needed a platform that supported high scalability (hundreds of thousands of users)
• Required a platform that would keep innovating and not stagnate

Solution:
• Active Fitness leverages Windows Azure Mobile Services to support hundreds of thousands of users

Page 23:

Call To Action

The time is right for ISVs to break out of their normal confines by leveraging Azure and its many capabilities

Azure has matured to enable many, varied options

If you do not seize the opportunity someone else in your space will!