Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

Transcription

1 Cloud Computing In a Post Snowden World Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

2 Guy Wiggins Director of Practice Management Kelley Drye & Warren LLP 325 Attorneys 6 Offices NY, Washington DC, CT, CH, NJ and LA August 18, 2014

3 Common Definitions From NIST (National Institute of Standard and Technology) Three basic types of Cloud Service Models Cloud Infrastructure as a service (IAAS) involves the provisioning of fundamental computer resources (e.g. processing, storage) Cloud Software as a Service (SaaS) involves access to a provider s software as a Service (e.g. G mail, SalesForce) Cloud Platform as a Service (Paas) involving the provision to users of the capability to deploy onto cloud infrastructure applications created by the user with provider supported programming languages and tools (e.g. Azure)

4 Common Definitions From NIST (National Institute of Standard and Technology) Four models for deployment of cloud infrastructure Private Cloud maintain all technology components, servers and software for a single organization. May be managed by a 3 rd party. Public Cloud available to anyone, from individuals to large organizations and is owned and controlled by the provider of the service. Offers the greatest potential flexibility and cost savings. E.g Salesforce Community Cloud cloud infrastructure shared by several organizations that supports a specific community with shared concerns. Hybrid Cloud involves a mix of two or more of these models

5 Cloud Value Proposition What makes moving to the Cloud compelling for a business? Pay just for what you need Cloud technologies make it easy to scale up and scale down depending on demand for storage, bandwidth, processing etc. Flexible Pricing pay just for what you use, and quickly increase or decrease usage with minimal involvement by the service provider. Agility Cloud technologies allow companies to move quickly. No long procurement cycles and new business ideas and services can be brought to market much more quickly. Improved Focus on business value instead of maintaining current systems, your IT Department can spend more time solving new business problems. Mobility being on the cloud means that that information is instantly available to all devices, from PC s to laptops to tablets and iphones. Most Cloud services are also browser and OS agnostic

6 Can the Cloud be Trusted? How to assess risk Key concerns Privacy Loss of control Regulatory Compliance Physical/logical security Need for Due Diligence Governance, Risk and Compliance Risk Assessments Business Impact of What If s Ensuring you use the right contractual terms to enable your strategy Security and Privacy Business Continuity 3 rd Party Litigation and e Discovery Regulation Compliance

7 Bankruptcy M &A (non prevailing product goes extinct) Contract Breach (Blown SLA s) Force Majeure Extended Outage Exit Strategy how can I get my data off once it s on? Can t Recover Your Data Due Diligence Questions Asking What If

8 Crafting a Plan think about working with a neutral 3 rd party vendor Define your Standards What are the Triggers that set contingency in motion? Is there a neutral Third Party that can execute the plan Is there a way to continue working while the contingency plan is being executed Test to verify that the plan works Make sure you have unambiguous contract terms if possible Contingency Planning If something goes wrong, what is the plan?

9 Clear articulation of fees for services and modifications Well defined performance metrics and remedies for service failures Security, privacy and audit commitments that will satisfy regulatory concerns and understanding where data resides Business continuity, disaster recovery and force majeure events Clear restrictions on use and ownership of customer data and IP Provision for termination of contract and moving to a different provider, including data recovery Addressing the impacts of disputes and bankruptcy (e.g. software escrow) E Discovery is there a reasonable process to put in a place a hold and preserve data? Contractual Issues Checklist Key areas to review

10 Alicia Lowery Rosenbaum Attorney Microsoft Legal & Corporate Affairs Thank you for being here today August 18, 2014

11 Trust considerations Is cloud computing secure? security Where is my data and do I have access? How do you support my compliance needs? compliance What does privacy mean? Is my data used for advertising? privacy - Forbes, 2013

12 Security Built in Capabilities Flexible Customer Controls Security best practices like penetration testing, Defense-in-depth to protect against cyberthreats Physical and data security with access control, encryption and strong authentication Unique customer controls with Rights Management Services to empower customers to protect information

13 Defense in depth Physical controls, video surveillance, access control Physical Security Network Host Application Admin Data Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption Independently verified to meet key standards ISO 27001, SSAE 16, FISMA

14 Physical Security Seismic bracing 24x7 onsite security staff Days of backup power Tens of thousands of servers

15 Customer data isolation Designed to support logical isolation of data that multiple customers store in same physical hardware. Customer A Customer B Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units 15

16 Administrators Background checks Screening Automatic account deletion Unique accounts Zero access privileges SDL Annual training

17 Lock Box Zero access privilege & role based access Request Approve Temporary access granted Grants least privilege required to complete task. Verify eligibility by checking if Request with reason Zero standing privileges 1. Background check completed 2. Fingerprinting completed 3. Security training completed

18 Encryption Data at Rest Disks encrypted with Bitlocker Encrypted shredded storage Data in-transit SSL/TLS Encryption Client to Server Server to Server Data center to Data center User

19 ncrypted shredded storage A B C D Content DB Key Store A B C E D

20 Privacy Privacy by design means that we do not use your information for anything other than providing you services No Advertising Transparency Privacy controls No advertising products out of Customer Data No scanning of or documents to build analytics or mine data Access to information about geographical location of data, who has access and when Notification to customers about changes in security, privacy and audit information Various customer controls at admin and user level to enable or regulate sharing If the customer decides to leave the service, they get to take to take their data and delete it in the service

21 Transparency Where is Data Stored? Clear Data Maps and Geographic boundary information provided Ship To address determines Data Center Location Who accesses and what is accessed? Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access is limited to key personnel on an exception basis only. Do I get notified? Microsoft notifies you of changes in data center locations.

22 On government snooping To be clear, here s what we do, and what we don t do: We don t provide any government with direct, unfettered access to your data. We don t assist any government s efforts to break our encryption or provide any government with encryption keys. We don t engineer back doors into our products and we take steps to ensure governments can independently verify this. If, as reports suggest, there is a bigger surveillance program, we are not involved

23 EU Data Protection Authorities validate Microsoft s approach to privacy Article 29 Working Party - collection of data protection authorities in Europe regulating world s toughest privacy laws Validation by EU Data Protection Authorities for Microsoft s commercial commitments for DPA/EU Model Clauses. (covering Office 365, Azure, CRM Online, and Intune) Microsoft is the only provider to have received this validation Standard part of contracts as of July 1st

24 Built in Capabilities Office 365 is built with a focus on privacy and security that allows us to obtain important industry certifications and enables customers to meet international laws and regulations 3rd party certification and audits. Customer controls for compliance Data Loss Prevention (DLP) Archiving and Legal Hold E-Discovery

25 archiving and retention Preserve Search In-Place Archive Governance Hold ediscovery Secondary mailbox with separate quota Managed through EAC or PowerShell Available on-premises, online, or through EOA Automated and timebased criteria Set policies at item or folder level Expiration date shown in message Capture deleted and edited messages Time-Based In-Place Hold Granular Query-Based In-Place Hold Optional notification Web-based ediscovery Center and multi-mailbox search Search primary, In-Place Archive, and recoverable items Delegate through roles-based administration De-duplication after discovery Auditing to ensure controls are met

26 Data Loss Prevention (DLP) Empower users to manage their compliance Contextual policy education Doesn t disrupt user workflow Works even when disconnected Configurable and customizable Admin customizable text and actions Built-in templates based on common regulations Import DLP policy templates from security partners or build your own

27 Questions We ll now open it up for questions

28 Thank You