TABLE RONDE LMI 1 er JUIN 2012

Transcription

1 TABLE RONDE LMI 1 er JUIN 2012

2 107 Countries

3 Consumerization of IT Distributed Workforce 50 percent of business devices are expected to be smartphones by percent of organizations have a remote workforce Infrastructure Utilization Infrastructure Complexity 85 percent of datacenter capacity is idle on average 70 percent of IT budgets is spent maintaining datacenter operations

4

5 The Microsoft Cloud Data Center Infrastructure August 27, 2010 Page 5

6 MSIT s Windows Azure Approach Move existing applications to Azure Develop segmentation methodology Find low-risk proof-of-concept applications Predictable Bursting Auction Tool Make Azure the default for new application development Growing Fast Identify candidates Capture results Social experience Platform Move BIG/Critical applications Develop Tier 1 apps on the Azure Platform We have Cloud Power Volume Licensing Microsoft

7

8

9 Compute Compute Compute Compute Inactivity Average Period Usage Average Usage Time Time Average Usage Time Average Usage Time

10 Existing APPS Remove for Risk Reduction Mission critical High regulatory exposure HBI High cross-premise High monitoring needs VLDB (>500 GB) Rejection Criteria Fail DISQUALIFIED APPS Select for Success Adds Business Value BVR Defined Solves MSIT Problems (Cost, Time, Quality, Security) Have High Success Rate (Less known Platform Gaps & Risks) Selection Criteria Fail Limited Potential APPS Prioritize for ROI Advances MS Cloud Platform Advances MSIT Cloud Readiness Showcases Concrete ROI Sequencing Criteria Fail Low Cloud Value Add APPS High Cloud Value APPS => Strong Canditate

11

12

13 Savings Savings SaaS TODAY FY13: Efficiency Integrated provisioning, feature parity, integrated monitoring and support escalation FY15: Effectiveness Fully cross-premise services mgmt FY11: Experience Manual provisioning, monitoring, support, and escalation PaaS 30+K users on Exchange Online 500 LBI sites on Sharepoint Online 40+ apps on Azure FY13: 15% apps in the Cloud FY15: 80% apps in the Cloud FY11: Less than 5% apps in the Cloud

14 Before Today Availability 99.1% % Showcase site costs $15,000 month $1,050 month 2-4 hours 0 hours Planned downtime Planned downtime per upgrade per upgrade Release Time HW Provisioning Time Bottom Line weeks VMs 5-6 weeks Physical Servers Paying full-price and underutilizing a 3 rd -party competitive product 30 minutes Server environment provisioning Microsoft.com on Windows Azure at enterprise scale Current Status as of Jan medium VM instances, up to updates without missing a single transaction 10,000,000 error-free transactions since December Processor utilization % often in single digits Average response under 10ms (SLA is 250ms) Fully integrated with SCOM (System Center Ops Mgr.)

15 Addressable Spend 55% of Overall MSIT Budget Potential Savings Support Hardware, Hosting & SW Licenses Application Development and Maintenance 32% 53% 20%

16

17

18

19 Source: Microsoft

20 Security & Standards in the Cloud Building trust through openness and interoperability in the Cloud Yale Li Principal Security Architect, Microsoft Corporation Research Director, Cloud Security Alliance (Seattle)

21 Cloud - Generational Shift Centralized compute & storage, thin clients Hard to attack and less demand for security controls High upfront costs for hardware and software PCs and servers for distributed compute, storage, etc. Easy to attack and more demand for security controls Perpetual license for OS and application software Large DCs, commodity HW, scale-out, devices More attacks from all angles and big security control gaps Pay as you go, and only for what you use

22 Policies, Standards, and Procedures Control Objectives Cloud Layers and Information Classification Control Activities Control Activities Data Control Activities Control Activities Control Activities Control Activities Control Activities Control Activities Cloud Applications Cloud Platform The control activities at each layer must, in total, be sufficient to meet the overall control objective as determined by the classification Control Activities Control Activities Control Activities Control Activities Cloud Data Center Infrastructure Control Activities Control Objectives Policies, Standards, and Procedures Information classification pertains to data Classify according to standards Classification is determined by the asset owner Classification determines the controls needed

23 Microsoft Cloud Data Center Infrastructure Purpose-built data centers to host containers at large scale Cost $500 million, 100,000 square foot facility (10 football fields) 40 foot shipping containers can house as many as 2,500 servers Density of 10 times amount of compute in equivalent space in traditional data center Deliver an average PUE of 1.22 Power Usage Effectiveness benchmark from The Green Grid consortium on energy efficiency

24 Microsoft Cloud Platforms SERVICES P L A T F O R M STANDARDIZED SERVICE LOWEST OPERATIONS COST UPDATED BY MICROSOFT SERVER P L A T F O R M CUSTOMIZABLE PRODUCT SUPPORTS ALL EXISTING APPS LOW OPERATIONS COST UPDATED BY CUSTOMER

25 Microsoft Cloud Services/Applications Over 303M Users 76 markets and 48 languages 25M Users 500M Active Live IDs 59 markets and 36 languages Proven track record meeting obligations associated with the delivery of over 200 cloud services Enormous scale efficiently spreads cost of robust security, reliability and privacy investments

26 Microsoft Cloud Security and Compliance ISO SAS70 Type II FISMA (US DCs only) SOX PCI DSS HIPAA ISO 27001: 2011H2 SSAE16: 2012H1 FISMA: Gap assessment underway ISO 27001: All SAS 70 (SSAE 16) Type I: BPOS-S & Office 365 (2011Q4) SAS 70 (SSAE 16) Type II: BPOS-D & Office 365 (2012H2) EU Safe Harbor: All FISMA: Office 365 (2012H1) HIPPA: Office 365 (2011Q4)

27 IDENTITY Lifecycle Management, IDP Authority AUTHENTICATION Multifactor, Password Management, machine & traffic source, account sharing AUTHORIZATION LPA, Admin Role Segmentation, limited admin access, LPA auto provisioning & enforcement AUDITING OS event logging, auto user AuthN/AuthZ Reporting, Audit of Regulatory data, audit of shared account usage SEGMENTATION physical server isolation, logical & physical network segmentation, content isolation, VM isolation, machine access blocking due to noncompliance DATA PROTECTION Data Classification & tagging, Persistent data classification, Lifecycle Management, Data at Rest, Data in Motion, Data in Use APPLICATION SECURITY application code reviews, penetration testing, product release management- SECURITY MACHINE HEALTH MANAGEMENT security updates/patches, auto health remediation for hosts & servers & mobile devices, auto Data Protection remediation, Anti-Malware secure machine baseline config, policy provisioning, configuration discovery, service release management, change management COMPLIANCE ASSESSMENT scanning & assessment of health state of hosts & servers, ensure DP controls in place, DLP data compliance discovery, DLP user Notification, DLP reporting of Compliance, reporting of server health,, user notification of host health, regulatory compliance BUSINESS CONTINUITY/DISASTER RECOVERY Planning, testing INCIDENT RESPONSE & COMMUNICATION Forensics, reporting, tracking KEY MANAGEMENT Key protection, crypto algorithm and implementation ANOMALY DETECTION/MONITORING Data leakage detection, network, host PHYSICAL SECURITY Controlled access to data centers and facilities, stolen & lost equipment containing valued data NON-TECHNICAL Risk management, policy, standards, procedures, HR, background checks, legal ediscovery, Roles & Responsibilities, Awareness, operational processes

28 Microsoft Security Development Lifecycle (SDL) Industry-leading software security assurance process coordinated by TwC since 2004 Online services must conform, just like packaged software Extends to deployment infrastructure Threat model reviews Validation of correct tool usage, documentation, patterns and practices

29 The World of Standards Cloud-Standards.org

30 Microsoft Cloud Standard Support Data Infrastructure Languages XML ATOM (ATOMPub, AtomRSS) ECMA-334 (C#) OData HTTP Java ODBC SOAP ECMA-262 (ECMA Script) TDS WS-Security WS-BPEL JSON WS-SecurityPolicy SQL XML Digital Signature WS-Federation WSDL XML Encryption WS-Trust WS-Policy REST HTML SAML OpenID OAuth-WRAP

31 Standards-Based Interoperability

32 Server 2 Server Rich Client Browser-based Access Control Services Identity Providers ACS Your Application SAML SWT WS-Federation ADFS2. WS-Federation SAML ADFS2. WS-Trust WS-Trust Service Identities SWT OAuth WRAP

33 Sources of Security Standards Law Varies by countries and location Industry-specific requirements Not quite law, but can be hard requirements Standard-setting organizations Voluntary, but often used as a baseline Internal governance Policy/preference of individual organizations

34 The Compliance Landscape ISO (broad international information security standard) SAS 70 / SSAE 16 (US accounting audit standard) FISMA (required by law for US federal agencies and looked on favorably by other government agencies) EU Data Privacy Directive (PII within the EU/EEA/Switzerland) PCI DSS (credit card information) HIPAA (protected health information in the US) SOX (US public company accountability) GLBA, FFIEC (US financial services) CFR Title 21 Part 11 (US FDA regulations) MPAA (Movies etc.) And many others

35 Cloud Security Resources DMTF Cloud Management ENISA Cloud Risk Assessment BOSS ITOS Presentation Application SRM (security & risk management) Information Standards Roadmap Reference Architecture CSA GRC Stack - Controls Matrix - Questionnaire - Cloud Audit Reference Architecture Infrastructure Trusted Cloud Initiative

36 Trusted Cloud Initiative - Reference Architecture

37 CloudTrust Protocol (CTP) Included Within CSA GRC Stack Government Specs Extensions Commercial Deliver continuous monitoring required by A&A methodologies??? Continuous monitoring with a purpose Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers??? Claims, offers, and the basis for auditing service delivery Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments FedRAMP DIACAP Other C&A standards Pre-audit checklists and questionnaires to inventory controls Industry-accepted ways to document what security controls exist NIST , HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST , SAS 70, The recommended foundations for controls Fundamental security principles in assessing the overall security risk of a cloud provider

38 Summary The Cloud era is now Security, Openness and Interoperability is the foundation We are eager to collaborate with government and partners to build a trusted Cloud ecosystem

39

40 The Microsoft Cloud ~100 Globally Distributed Data Centers Quincy, WA Chicago, IL San Antonio, TX Dublin, Ireland Generation 4 DCs

41 Server Container Deployment

42 Customer & Partner Momentum

43 PRIVATE CLOUD STRATEGY TEST & DEV, ADVANCED APPS Redmond Ridge Lab Scalable/Elastic Business Groups Add Computing Capacity Usage Based for: Compute Storage Network RightSizing Highly Virtualized and Shared Services Self-Service Provision and De-Provision Virtual Machines

44 PRIVATE CLOUD RESULTS BENEFITS Manage Costs Business Agility Improved Control DASHBOARD: CENTRALIZED TEST & DEVELOPMENT LAB CAPACITY UTILIZATION SUPPORT COSTS