Security & privacy in the cloud; an easy road?

Transcription

1 Security & privacy in the cloud; an easy road? A journey to the trusted cloud Martin Vliem CISSP, CISA National Security Officer Microsoft The Netherlands [email protected]

2 THE SHIFT O L D W O R L D Information scarce Static hierarchies Compete to win Individual productivity Focus on planning ahead Efficiency of process N E W W O R L D Information abundant Dynamic networks Collaborate to win Collective value creation Experiment, learn and respond Effectiveness of outcomes

3 DATA

4 The evolution of attacks Future Internet of Things enables new forms of large-scale attacks. Militarization of Cyberspace continues. In the beginning Isolated cases of nation-state espionage and young hackers exploring networks Computing becomes pervasive Computers used as tools to facilitate traditional offenses; hacking cases increase with motives becoming more diverse (e.g., fraud, hactivisim) Today Massive data thefts across verticals; rampant economic and military espionage; advanced persistent threats, destructive attacks

5

6

7 Fundamental questions How secure is my data? A structured approach: 1. Data driven risk management 2. Cloud vendor assurances 3. Additional custom controls Can I control my data, is my data private? How can I stay compliant with law and regulations? What happens with my data?

8 SUPERVISORY RIGHTS Supervisor External Audit RISK ADJUSTMENTS Internal Audit Risk Management BUSINESS CASE Operations DATA processing CONCEPTUAL MODEL GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE. FROM INNOVATION TO OBLIGATION

9 Your DATA You own your data and identities and the responsibility for protecting them. You own the security of on-premises resources Your DATACENTER Your RESPONSIBILITY

10 Your DATA Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications. You own your data and identities and the responsibility for protecting them. You own the security of on-premises resources and cloud components you control (varies by service type) Cloud Security is a partnership

11 Opportunities versus risk Data driven risk management & defense You already had this responsibility Transfer operational & security controls to your cloud vendor Embrace cloud capabilities for enhancing security

12 Timeframe # of Enterprise customer data requests # of requests had data disclosed in response Jan Jun (3 rejected/redirected to customer) (1 pending a resolution) Jul Dec (2 rejected/redirected to customer) (1 customer instruction) Jan Jun (5 rejected/redirected to customer) Jul Dec Jan Jun Jan Dec Source: *2012 data combines all 12 months and excludes Skype

13 After all, people won t use technology they don t trust. We need to strike a better balance between privacy and national security to restore trust and uphold our fundamental liberties. In particular, a year on, there are five things the U.S. government still needs to do: End bulk collection Reform the FISA Court Brad Smith, President & Chief Legal Officer, Microsoft on the Issues Blog - June 4, 2014

14

15 Trusted cloud principles Assurances: descriptive independently verified contractual

16 Trusted cloud principles Assurances: descriptive independently verified contractual

17 ASSUME BREACH Protect First Host Compromised Domain Admin Compromised Detect Breach Discovered Respond CYBERTHREATS DATA LOSS (Attacker Undetected) months

18 Software as a Service Office SaaS Platform as a Service Azure - PaaS Infrastructure as a Service Azure - IaaS On Premises Security Dependencies 1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization 2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems 3. Data: Identify and protect your most important information assets 4. User identity and device security: Strengthen protection for accounts and devices 5. Application security: Ensure application code is resilient to attacks 6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior 7. Operating system and middleware: Protect integrity of hosts 8. Private or on-premises environments: Secure the foundation Control area s supported by cloud

19 SECURITY RELIABILITY PRIVACY & CONTROL COMPLIANCE TRANSPARENCY DATA ownership Your DATA CONTROLS ADDITIONAL CONTROLS RISKS MICROSOFT AS DATA PROCESSOR CUSTOMER AS DATA CONTROLLER CONTRACTING Microsoft Online Services Terms (OST), GOVERNANCE SECURITY INDEPENDENTLY VERIFIED ISO27001, 27002, 27018, Audit Report, RISK MANAGEMENT PRIVACY DESCRIPTIVE INFORMATION Microsoft Trustcenter whitepapers, COMPLIANCE QUALITY OF SERVICE + TRUST & FREEDOM OF CHOICE

20 Trustworthy Computing 2.0 Security services help customers protect, detect and respond to security events through technology and consulting services. Controllability of data and services ensures customers can meet their own internal compliance requirements. Security Development Lifecycle focuses on security as a core component in the software development process, reducing the risk of costly issues, improving the security and privacy of applications, and protecting enterprise data and reputations. Secure DEVELOPMENT Secure and Empower CUSTOMERS Secure OPERATIONS Security features in our products help safeguard data and protect access to systems. Transparency into our practices and access to governments to review our source code provides assurance to all customers. International certifications like ISO, SOX and HIPPA certify that our control activities operate in accordance with expectations and comply with regulatory obligations. Software Integrity Policies include mandatory engineering policies like code signing and checking for malware. Developing Cyber Norms working with governments to develop offensive, defensive and industry norms to promote cyber security Cybercrime Prevention combines top legal and technical talent, cutting-edge forensics, and business intelligence to fight digital crime. Secure ECOSYSTEM Operational Security Assurance (OSA) provides real-world effectiveness against today s threat models that goes well beyond our external (and necessary) certifications. Cybersecurity collaboration with security researchers and vendors, and between MSIT and customers, helps contribute to safer systems and experiences. 20

21 Cloud first; your choice! Your DATA

22

23 References SAFE Handbook: Cyberspace 2015: A Data driver security defense: Problem-in-2e58ac4a Enterprise Cloud strategy e-book: Microsoft Cloud IT Architecture resources: Microsoft Security Intelligence Report: Microsoft Cyber Trust Blog: Video: fprmwe&index=1 23