Trust in the Cloud - Cyber Security Day
Transcript
Microsoft Azure
Trust in the Cloud
Ovidiu Pismac
MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront
Microsoft Romania
• 430B+ Microsoft Azure AD authentications
• 280% year-over-year database growth in Microsoft Azure
• 50% of Fortune 500 use Microsoft Azure
• Economics: $25,000 in the cloud would cost $100,000 on premises
• Scale: from 30,000 to 250,000 site visitors instantly
• Speed: 2 weeks to deliver new services vs. 6-12 months with a traditional solution
Technology trends: driving cloud adoption
Cloud trend: 70% of CIOs will embrace a cloud-first strategy in 2016 (IDC CIO Agenda webinar)

Benefits: Azure adoption
Pre-adoption concerns
• 60% cited concerns around data security as a barrier to adoption
• 45% were concerned that the cloud would result in a lack of data control
Benefits realized
• 94% experienced security benefits they didn't previously have on-premises
• 62% said privacy protection increased as a result of moving to the cloud
Cloud innovation: opportunity for security & compliance benefits
Security
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data
Privacy
Compliance
Trustworthy foundation: built on Microsoft experience and innovation
• 20+ Data Centers: operating Microsoft Azure in 11 data centers around the world, plus 2 in China
• Trustworthy Computing Initiative: created the SDL, which has become the industry standard for developing secure software
• Security Development Lifecycle
• Global Data Center Services
• 1st Microsoft Data Center
• Active Directory
• Windows Update / Microsoft Update
• Security Centers of Excellence (Malware Protection Center, Microsoft Security Response Center): protecting Microsoft customers by combatting evolving threats
• Digital Crimes Unit
• Compliance standards (SOC 1, SOC 2, CSA Cloud Controls Matrix, PCI DSS Level 1, FedRAMP/FISMA, UK G-Cloud Level 2, ISO/IEC 27001:2005, HIPAA/HITECH, E.U. Data Protection Directive): investing heavily in robust compliance processes, including ISO 27001, FedRAMP, and HIPAA
• Operations Security Assurance
Unified platform for modern business: automated, managed resources, elastic, usage based
Shared responsibility: reduce security costs + maintain flexibility, access, & control
(Chart: division of responsibility between Customer and Microsoft across On-Premises, IaaS, PaaS and SaaS)
Market endorsement
• Gartner Magic Quadrant for Cloud Infrastructure as a Service (IaaS)
• Gartner Magic Quadrant for Enterprise Application Platform as a Service (PaaS)
• Gartner Magic Quadrant for Public Cloud Storage Services
• Gartner Magic Quadrant for Virtualization
Transparency & independent verification: aid customers in meeting security & compliance obligations
Best practices and guidance; third-party verification:
• Cloud Security Alliance
• Security intelligence report
• Compliance packages
• Trust Center
• Access to audit reports
• Security Response Center progress report
Microsoft approach in action
• Design & operations: security embedded in planning, design, development, & deployment; Software Development Lifecycle (SDL)
• Operational security controls: rigorous controls to prevent, detect, contain, & respond to threats
• Assume breach: hardening cloud services through simulated real-world attacks
• Incident response: global, 24x7 incident response to mitigate effects of attacks
Security
"We chose Azure because all things being equal, it is the easiest cloud platform to work with. Security and patching is already taken care of, so it is less labour-intensive."
Infrastructure protection
• 24-hour monitored physical security
• Secure multi-tenant environment
• Firewalls
• Patch management
• System monitoring and logging
• Antivirus/antimalware protection
• Threat detection
• Forensics
Service security starts with the physical data center
(Layered controls across the perimeter, the building and the computer room)
• Cameras
• 24x7 security staff
• Barriers
• Fencing
• Alarms
• Two-factor access control: biometric readers & card readers
• Security operations center
• Days of backup power
• Seismic bracing
Architected for secure multi-tenancy
Azure:
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle-tested and enterprise-proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services
Customer:
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines
(Diagram: Customer Admin and End Users reach the platform through the Portal and SMAPI; the Fabric Controller manages the Host OS, Hypervisor and the Guest VMs of Customer 1 and Customer 2, alongside Azure Storage and SQL Database)
Microsoft and interoperability
"DHMC runs both Windows Server as guest operating systems under Hyper-V, as well as Linux. To date, DHMC has virtualized Web servers, sites on Microsoft Office SharePoint® Server, reporting servers, medical applications, domain controllers, file and print servers, Citrix servers, and more."
Dartmouth Hitchcock Medical Center Case Study
• Microsoft commitment to support Linux: Red Hat, SUSE, CentOS, openSUSE, Ubuntu, Oracle Linux, new FreeBSD 10 on Hyper-V
• System Center Configuration Manager 2012 SP1 supports administering non-Windows platforms: Linux, Unix (monitored by SCOM) and Mac OS X systems
• System Center Operations Manager 2012 SP1 supports monitoring of non-Windows systems, including Linux (Red Hat, SUSE, CentOS) and Unix (HP-UX, Sun Solaris and IBM AIX); from January 2013, new Linux distributions supported: Debian Linux, Oracle Linux, Ubuntu Linux Server
• System Center Virtual Machine Manager 2012 manages VMware ESX servers and Citrix XenServer
(Support matrix: Operations Manager, Configuration Manager, Endpoint Protection, Virtual Machine Manager, Hyper-V and Azure IaaS against Linux (Red Hat, SUSE, CentOS, Ubuntu, Debian, Oracle) and UNIX (AIX, HP-UX, Solaris); the individual cell values survive only as the labels "No Plans" and "Future". Debian 7.0 has Linux Integration Services.)
Network protection
• Network isolation: segregates network access between customers, management systems & the internet
• Virtual Networks: connects cloud services using private IP addresses and subnets
• Cloud to on-premises connections: site-to-site, point-to-site, and ExpressRoute help enable secure connections to Azure
Identity & access
• Microsoft employee access management
• Monitor & protect access to cloud apps
• Enterprise cloud identity: Azure AD
• Multi-Factor Authentication
Data protection
• Data encryption options: BitLocker, Azure RMS, AES 256/512
• Data segregation
• Data location and redundancy
• Data destruction
Data location and redundancy
Note: Microsoft Azure data centers, Australia – Q2 FY15
Azure:
• Creates three copies of data in each datacenter
• Offers geo-replication in a datacenter 400+ miles away
• Does not transfer Customer Data outside of a geo (e.g. from US to Europe or from Asia to US)
Customer:
• Chooses where data resides
• Configures data replication options
Data destruction
Disk handling
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed at the datacenter
Data deletion
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to
Privacy by design
• Privacy by design: privacy controls are built into Azure design and operations
• Restricted data access & use: customer data is only used to provide the service and is never used for advertising
• Contractual commitments: Data Processing Agreements, EU Model Clauses, HIPAA BAA
Contractual commitments
Broad contractual scope
• Microsoft makes strong contractual commitments to safeguard customer data covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
• Enterprise cloud-service-specific privacy protections benefit every industry & region
EU data privacy approval
• Microsoft meets a high bar for protecting the privacy of EU customer data
• Microsoft offers customers EU Model Clauses for transfer of personal data across international borders
• Microsoft's approach was approved by the Article 29 committee of EU data protection authorities – the first company & cloud vendor to obtain this
Privacy
"Our vision is to be the national leader in patient-centered e-healthcare. … Using Windows Azure as our delivery system provides us with a level of trust and reliability that makes this possible."
Simplified compliance: effective controls
Information security standards: ISO 27001, SOC 1 Type 2, SOC 2 Type 2
Government & industry certifications: FedRAMP/FISMA, PCI DSS Level 1, UK G-Cloud
Certifications & programs
• ISO/IEC 27001: The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard.
• SOC 1 (SSAE 16/ISAE 3402): Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls.
• SOC 2: Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality.
• FedRAMP/FISMA: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.
• PCI DSS Level 1: Azure has been validated for PCI DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).
• UK G-Cloud IL2: In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore.
• HIPAA BAA: To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).
Compliance
"Windows Azure was attractive because it has built-in capabilities for compliance with a wide range of regulations and privacy mandates."
Unified platform for modern business
Microsoft commitment
Trusted by leading companies
Talk to a Microsoft security expert
Explore additional resources:
• Trustworthy Computing Cloud Services: www.microsoft.com/trustedcloud
• Microsoft Trust Center for Microsoft Azure: http://www.windowsazure.com/en-us/support/trust-center
• Microsoft Security Intelligence Report: http://www.microsoft.com/sir