Addressing Cloud Computing Security Considerations
- Tobias Thomas
Addressing Cloud Computing Security Considerations with Microsoft Office 365
Protect more
Contents

Introduction
Key Security Considerations
Office 365 Service Stack
ISO Certifications for the Microsoft Online Services Stack
Compliance and Risk
Identity and Access
Service Integrity
Endpoint Integrity
Information Protection
Related Reading

Introduction

This document is based on a supplemental paper, Cloud Computing Security Considerations [1], which focuses on a high-level discussion of the fundamental challenges and benefits of cloud computing security. The original paper includes questions cloud service providers and organizations using cloud services should consider as they evaluate a new move or expansion of existing services to the cloud.

This document presumes the reader is familiar with the Cloud Computing Security Considerations paper, which offers high-level insight into how these considerations can be addressed using Office 365, a public cloud service. Office 365 combines the familiar Office desktop suite with cloud-based versions of next-generation communications and collaboration services, including Microsoft Office Professional, Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft Lync Online.

Cloud service providers and organizations using cloud services should consider these two primary areas regarding security and compliance:

- Geolocation: Due to the nature of the public cloud, a customer's data may be distributed in various geographies around the globe.
- Multi-Tenancy: Space on a server/infrastructure is shared among tenants.

[1] The Cloud Computing Security Considerations paper can be found here:
Key Security Considerations

Here is a short summary of the considerations raised in the original paper mentioned on the previous page.

What will you learn from this paper?

This paper discusses how to address cloud security considerations in an Office 365 environment. It also shows how to strike the appropriate balance between customer and Microsoft responsibilities. When not further specified, the information herein applies to both the Microsoft Global Foundation Services and Microsoft Online Services.

As with any other technological shift or change, security benefits and risks must be addressed in order to realize the full benefits of cloud computing. Considerations such as compliance and risk management, identity and access management, service integrity, endpoint integrity, and information protection should all be explored when evaluating, implementing, managing, and maintaining cloud computing solutions. These apply to the cloud provider as well as the cloud customer; both should carefully consider and evaluate these points:

- Compliance and Risk: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management. While some of the responsibility for execution may be transferred to the cloud provider, it is important to understand the overall compliance picture, as well as the roles and responsibilities within the provider organization.
- Identity and Access: Identities may come from different providers; providers must be able to federate from on-premises to the cloud and help enable collaboration across organization and country borders.
- Service Integrity: Cloud-based services should be engineered and operated with security in mind; operational processes should be integrated into the organization's security management.
- Endpoint Integrity: As cloud-based services originate and are then consumed on-premises, the security, compliance, and integrity of the endpoint must be part of any security consideration.
- Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

Responsibilities for the different considerations shift depending on the cloud service type consumed: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). Careful definition of the control ownership is imperative in such environments.
The illustration below is based on the National Institute of Standards and Technology's (NIST) definition of the different cloud models.

Office 365 Service Stack

Office 365 is a Software-as-a-Service offering from Microsoft. In this scenario, Microsoft provides consumers the capability to use the Office 365 applications (Microsoft Office Professional desktop suite of applications, Microsoft Exchange, Microsoft SharePoint, and Microsoft Lync) running on a cloud infrastructure and accessible from various client devices. Consumers do not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or the individual application capabilities apart from certain configuration capabilities.
When evaluating the control environment in a Software-as-a-Service model, it is important to consider the whole technology stack of the provider since different teams/services may be involved in providing the infrastructure and application service elements.

ISO Certifications for the Microsoft Online Services Stack

When evaluating Microsoft Online Services, it is helpful to understand that both Microsoft Online Services and Microsoft Global Foundation Services are International Standards Organization (ISO) based and certified frameworks.

Why is the ISO certification important?

While Microsoft may not be able to provide customers with our detailed internal policies and procedures for security purposes, customers can review and evaluate the standards and implementation guidance in which we are certified to ensure we meet or exceed industry best practices. ISO defines how to implement, monitor, maintain, and continually improve the Information Security System (ISMS).
Compliance and Risk

Risk, Risk Methodology, Compliance

Good risk management practices are essential for any cloud provider. Microsoft applies its own document risk management process:

- Identify threats and vulnerabilities to the environment.
- Calculate risk.
- Report risks across the Microsoft cloud environment.
- Address risks based on an impact assessment and a business case.
- Test remediation effectiveness and residual risk.
- Manage risks on an ongoing basis.

Microsoft Online Services are built to adhere to Microsoft Online Services Privacy Standards [2] and based on an ISO framework to continually assess and improve our services offerings. The processes to manage the risks in Microsoft's environment are based and certified on ISO. The services will be verified under SAS 70 Type II (to be replaced with industry standard SSAE16).

Microsoft holds several compliance certifications; these are publicly available and updated on a regular basis. Microsoft Trust Center [3] provides an up-to-date view on which certifications and practices are implemented by Microsoft. Current customers can also review the Global Foundation Services SAS 70 Type II report (to be replaced with industry SSAE16). A link to our Trust Center is provided in the Link section of this document.

It is important to consider the entire service stack as outlined in the Office 365 service stack picture. (See page 5.) Customers are responsible for making sure they have an overall enterprise risk management process in place and that cloud risks are included in the overall company risk.

Some of the responsibilities for handling risks connected to the workloads moved to Office 365 are transferred to Microsoft. Customers must understand, however, whether or not the stated certifications allow them to fulfill their regulatory requirements. By providing transparency around our program, Microsoft allows customers to evaluate our services against their requirements and make informed decisions.
Microsoft customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with applicable legal requirements elsewhere. As a provider of global cloud services, we run our services with common operational practices and features across multiple customers and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind. However, it is our customers' responsibility to evaluate our offerings against their own requirements so they can determine whether or not Microsoft services satisfy their regulatory needs.

[2] Privacy Guidelines for Developing Software Products and Services:
[3] Trust Center link:
Security, Termination of Service

Microsoft helps comprehensively secure Office 365 services by applying the Microsoft Security approach, which ensures that the security of Office 365 services is vigilantly maintained, regularly enhanced, and routinely verified through testing. This approach provides protection at multiple levels, including:

- Physical layers at data centers: physical controls, video surveillance, and access control.
- Logical layers: data isolation, hosted applications security, infrastructure services, network level, identity and access management, federated identity, and single sign on.

Our Security program is built on ISO principles and attested to through the compliance program.

At the termination of a customer's subscription or use of the service, the customer may always export its data. See the Product Use Rights [4] for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting the customer subscriber data pursuant to these terms. Microsoft provides multiple notices prior to deletion of customer subscription data so customers are informed and reminded of the impending deletion of their data should they fail to act within the stipulated time frame.

If a customer needs assistance fulfilling privacy requests as required by law, they may contact Microsoft Customer Support [5] for help accessing, changing, or removing their customer data. Requests that cannot be fulfilled via standard tools and processes may be subject to additional charge.

Customers will have to manage security within their premises (e.g., access to customer premises from which Office 365 is being accessed, or endpoint security). They must also ensure that the environment they connect to Office 365 is managed according to their requirements and security standards.
Upon expiration or termination of a customer's online service subscription, the customer must contact Microsoft and specify whether the customer account should be disabled and subscriber data deleted, or whether the subscriber data should be retained for a limited time so the customer can extract the data. Following the expiration of the retention period, Microsoft will disable the customer account, and then delete all subscriber data.

[4] Product Use Rights link:
[5] Microsoft Customer Support link:
Dispute

At the end of a customer's subscription or use of the service, the customer may always export its data. See the Product Use Rights for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting customer subscriber data pursuant to these terms.

Customers are responsible for understanding the dispute resolution process and ensuring constant and continuous access to the service in case of a dispute.

Identity and Access

Identity, Identity Processes

Microsoft applies strict controls over which user roles and users will be granted access to customer data. Users are required to complete a form along with a business justification to request access. This must be approved by the user's manager prior to gaining access. Controls related to identity and access management are formally audited annually through the SAS 70 Type II audit (to be replaced with industry standard SSAE16).

We recognize the importance of our customers' non-public data. If someone (Microsoft personnel, partners, or the customer's own administrators) accesses the user's non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed. To further limit the risk of unauthorized access, Microsoft does not use the same identity management platform for internal purposes as for managing the Office 365 environment.

All Microsoft personnel are accountable for their handling of customer data; access to Microsoft Online Services data is granted in a manner that is traceable to a unique user. In other words, accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing.
Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen accountability. User access to data is also limited by user role; for example, system administrators are not provided with database administrative access. Microsoft reviews its identity management and access controls on a regular basis for compliance to internal standards and procedures as well as external standards such as ISO. The access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.

It is important for customers to understand that Microsoft does not manage the customer's identities or create accounts. The customer must ensure that robust processes and procedures are in place to ensure an adequate level of access control to their own data.

Customers are responsible for the identity management processes for their identities. Any system for identity and access control, especially for higher value assets, should be based on an identity framework that uses in-person proofing, or a similarly strong process, and robust cryptographic credentials. This is the customer's responsibility and lays the foundation for any identity management process. Further, customers should have in place a process to ensure the effectiveness of their own identity and access management processes.

Interoperability, Ad Hoc Collaboration

An important attribute of cloud-based Office products is interoperability between applications; workers can move from desktop to web to mobile without transforming or modifying their files as they go. One critical element is identity federation; Microsoft Office 365 uses ADFS v2.0. Since ADFS v2.0 is based on several WS-* and SAML standards, it can federate with multiple identity providers. Microsoft Active Directory, Microsoft Lync [6], and other products support interoperability requirements. Microsoft works intensively with the standards bodies and implements these standards and protocols.

Customers should adhere to interoperability standards that can be leveraged across different cloud providers, both on and off premises.

Customers should ensure processes are in place to verify new partners with whom they want to collaborate on an ad hoc basis and who need to understand the technical requirements.

Service Integrity

Service integrity includes two components: 1) Service engineering and development; and 2) service delivery. Service engineering and development encompass the way in which the provider incorporates security and privacy at all phases of development. Service delivery covers how the service is operated to meet contractual levels of reliability and support.

Service Engineering and Development

Secure Development

Microsoft has formalized the rigorous security practices employed by its development teams into a process called the Security Development Lifecycle (SDL). The SDL process is development methodology agnostic.
It is fully integrated with the application development lifecycle, from design to response, and it does not replace software development methodologies such as Waterfall or Agile. Various phases of the SDL process emphasize education and training and mandate the application of specific activities and processes as appropriate to each phase of software development. Microsoft makes this process available to the development industry through papers and books [7], as well as via the SDL Pro Network [8], which supports organizations in implementing SDL within their processes.

Customers should understand the processes Microsoft uses to develop software and respond to security vulnerabilities. This process is repeatable and designed to build security from the ground up.

[6] Microsoft Lync link:
[7] More information on SDL can be found at:
[8] SDL Pro Network link:
Service Delivery

Security Practices, Auditing

Microsoft's security practices are multi-layered and contain:

- Physical security (includes but is not limited to): Microsoft enforces physical security controls as part of a broad set of carrier-class data center operations. Carrier-class means very high availability, allowing for minimal downtime per year. Physical security controls applied to our data centers include smart-cards, identification badges, delivery and loading area isolation, video surveillance, and on-premises security officers 24/7. Only authorized staff has access to the hardware on which Office 365 is run.
- Host security (includes but is not limited to): Infrastructure assets are scanned daily. Penetration testing by internal and external parties occurs regularly. Automation is used to deploy hardened instances of operating systems. Automated pattern analysis of network logs identifies suspicious network activity. Real-time health monitoring and alerting speeds investigation and mitigation.
- Network security (includes but is not limited to): Load balancers, firewalls, and intrusion-prevention devices aid in management of volume-based denial of service attacks.

Apart from ongoing internal auditing and monitoring activities, Microsoft provides our customers with evidence of third-party attestations to our best-in-class environment and has launched Trust Center as a portal for compliance, security, and privacy-related topics.

The customer is responsible for ensuring that the endpoint from which the service is consumed adheres to their policies.

Customers must verify that their compliance requirements are fulfilled by the certifications and audits Microsoft provides. One of the benefits of moving to an Office 365 environment is that Microsoft will keep the environment up to date and secure.
Forensics, Incident Response

For incident-related purposes, Microsoft performs forensic analysis on events that occurred. Should in-depth investigation be required, Microsoft collects content from the subject systems using best-of-breed forensic software and industry best practices. If someone (Microsoft personnel, partners, or the customer's own administrators) accesses the user's non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed and may be able to use the information for their forensic processes.

The Microsoft Online Security Incident Response process follows these phases:

- Identification: System and security alerts are harvested, correlated, and analyzed. Microsoft Online operational and security teams investigate events. If an event indicates a security issue, the incident is assigned a severity classification and appropriately escalated within Microsoft. The escalation team includes product, security, and engineering specialists.
- Containment: The escalation team evaluates the scope and impact of the incident. The escalation team's immediate priority is to ensure the incident is contained and data is safe. The team forms the response, performs appropriate testing, and implements changes. Should in-depth investigation be required, content is collected from the subject systems using forensic software and industry best practices.
- Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security breach and identifies the root cause of the security issue. If it determines vulnerability, the escalation team reports the issue to product engineering.
- Recovery: During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.
- Lessons Learned: Microsoft analyzes each security incident to ensure we apply the appropriate mitigations to protect against future reoccurrence.

Customers are responsible for understanding what information can be obtained from Microsoft and which processes they must follow to legally access corresponding operational data. This is the basis for integration into the customer's forensic processes.

Customers should incorporate the information they receive from Microsoft into their incident response processes and understand how they (the customer) can handle them.
Business Continuity

Office 365 offerings are delivered by extremely resilient systems that help ensure high levels of service. Office 365 leverages the Microsoft hosting experience, as well as close ties to Microsoft product groups and support services to create a cloud service that meets our customers' high standards.

Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity provisions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable).

Customers' data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to another data center. These measures are aligned with ISO requirements and provide a robust risk management process.

Business Continuity is much broader than simply moving a business workload to Office 365. It is Microsoft's duty to ensure availability to the contracted level. Customers must understand and decide whether or not additional requirements for their business processes must be met to ensure business continuity, whether the service level agreed upon corresponds with the acceptable risks, and whether they (the customer) need to take further actions.

Endpoint Integrity

Endpoint

Customer access to services provided over the Internet originates from users' Internet-enabled locations and ends at a Microsoft data center.
These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and the data center.

Customers should ensure that the devices through which their users access Office 365 fulfill their needs and requirements. This might include (but is not limited to):

- Hardware security considerations: If the device (desktop, laptop, or mobile) stores information, it should be hardware protected from unauthorized access (TPM, Microsoft BitLocker, and so on).
- Software security considerations: Both the OS and application should be developed using a security model (SDL). Security software must be included (firewall, antivirus, IDS, and so on). A robust security practice process should be in place (auto update, timely patch deployment, client health checks, policy enforcement, and so on).
Information Protection

Data Classification, Data Location, Encryption

Microsoft classifies all of its data along a common data classification scheme. Customer-relevant data is preclassified according to these guidelines and protection and security measures are pre-defined according to this classification.

Microsoft understands our customers need to know where their data is located. Data is located in the region corresponding to the customer's billing address, with some supporting access performed from a U.S. location to ensure and monitor the system's health and integrity. Detailed information is available on Trust Center.

Connections established over the Internet to the services are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The term data-at-rest refers to data as it exists on a physical storage medium. Microsoft does not encrypt data-at-rest, but customers may implement Active Directory Rights to provide a layer of control and security for their sensitive data.

Data classification is a key element when considering what should and can be put into a public cloud environment. The customer is responsible for assessing and classifying the data going into the cloud and taking appropriate measures to protect the data from unauthorized access (e.g., encryption).

Customers should evaluate whether or not the Office 365 offering meets their requirements regarding the geographic location of their data.

If customers require encryption, they must expect the loss of certain functionality, such as search. When a customer needs to encrypt data, responsibility for key management remains with the customer since the key must be separated from the data.
Related Reading

- Cloud Computing Security Considerations white paper:
- The Office 365 Security Service Description is publicly available on the Microsoft Download Center:
- Office 365 FAQ:
- Trust Center:
- Office 365 Standard Response to Request for Information: Coming soon on the Microsoft Download Center

Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Lync, and SharePoint are trademarks of the Microsoft group of companies.
More informationService Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability
Service Organization Controls 3 Report Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability for the period May 1, 2015 through October 31, 2015 Ernst &
More informationSecuring the Microsoft Cloud
Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed
More informationPROTECTING YOUR VOICE SYSTEM IN THE CLOUD
PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider
More informationCloud Contact Center. Security White Paper
Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may
More informationSecurity from a customer s perspective. Halogen s approach to security
September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationOracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
More informationCloud Contact Center. Security White Paper
Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may
More informationSecuring Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption
THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has
More informationCloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs
Cloud Computing In a Post Snowden World Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Guy Wiggins Director of Practice Management Kelley Drye & Warren
More informationTHE BLUENOSE SECURITY FRAMEWORK
THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program
More informationBMC s Security Strategy for ITSM in the SaaS Environment
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
More informationSecuring the Cloud Infrastructure
EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationService Definition Document
Service Definition Document QinetiQ Secure Cloud Protective Monitoring Service (AWARE) QinetiQ Secure Cloud Protective Monitoring Service (DETER) Secure Multi-Tenant Protective Monitoring Service (AWARE)
More informationAnypoint Platform Cloud Security and Compliance. Whitepaper
Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationClinical Trials in the Cloud: A New Paradigm?
Marc Desgrousilliers CTO at Clinovo Clinical Trials in the Cloud: A New Paradigm? Marc Desgrousilliers CTO at Clinovo What is a Cloud? (1 of 3) "Cloud computing is a model for enabling convenient, on-demand
More informationVistara Lifecycle Management
Vistara Lifecycle Management Solution Brief Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationHosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com
Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on
More informationMicrosoft Azure. White Paper Security, Privacy, and Compliance in
White Paper Security, Privacy, and Compliance in Security, Privacy, and Compliance in Executive Summary The adoption of cloud services worldwide continues to accelerate, yet many organizations are wary
More informationThings You Need to Know About Cloud Backup
Things You Need to Know About Cloud Backup Over the last decade, cloud backup, recovery and restore (BURR) options have emerged as a secure, cost-effective and reliable method of safeguarding the increasing
More informationStratusLIVE for Fundraisers Cloud Operations
6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationEXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources
EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust
More informationHow To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)
SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,
More informationWhite Paper: Librestream Security Overview
White Paper: Librestream Security Overview TABLE OF CONTENTS 1 SECURITY OVERVIEW... 3 2 USE OF SECURE DATA CENTERS... 3 3 SECURITY MONITORING, INTERNAL TESTING AND ASSESSMENTS... 4 3.1 Penetration Testing
More informationXerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk
Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just
More informationEnterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.
ENTERPRISE MONITORING & LIFECYCLE MANAGEMENT Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid
More informationTENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6. TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4
TENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6 TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4 Cloud services (Data Centre) and related Functional requirement Cloud services as a Control
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationHow does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1
How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management
More informationProjectManager.com Security White Paper
ProjectManager.com Security White Paper Standards & Practices www.projectmanager.com Introduction ProjectManager.com (PM) developed its Security Framework to continue to provide a level of security for
More informationTable of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.
FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationSecure and control how your business shares files using Hightail
HIGHTAIL FOR ENTERPRISE: SECURITY OVERVIEW Secure and control how your business shares files using Hightail Information the lifeblood of any business is potentially placed at risk every time digital files
More informationCollaborate on your projects in a secure environment. Physical security. World-class datacenters. Uptime over 99%
Security overview Collaborate on your projects in a secure environment Thousands of businesses, including Fortune 500 corporations, trust Wrike for managing their projects through collaboration in the
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationCLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
More informationSAS 70 Type II Audits
Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls
More informationCloud Assurance: Ensuring Security and Compliance for your IT Environment
Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware
More information<cloud> Secure Hosting Services
Global Resources... Local Knowledge Figtree offers the functionality of Figtree Systems Software without the upfront infrastructure investment. It is the preferred deployment solution for organisations
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationCloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas
Cloud e-mail services: Security, Compliance and Privacy Nasos Kladakis Solutions Specialist Microsoft Hellas Risk Management Program Overview Information Security Policy Security Privacy & Regulatory Service
More informationThe Education Fellowship Finance Centralisation IT Security Strategy
The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and
More informationEnsuring Enterprise Data Security with Secure Mobile File Sharing.
A c c e l l i o n S e c u r i t y O v e r v i e w Ensuring Enterprise Data Security with Secure Mobile File Sharing. Accellion, Inc. Tel +1 650 485-4300 1804 Embarcadero Road Fax +1 650 485-4308 Suite
More informationIBM Connections Cloud Security
IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application
More informationNorth American Electric Reliability Corporation (NERC) Cyber Security Standard
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationSecurity Overview Enterprise-Class Secure Mobile File Sharing
Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud
More informationInjazat s Managed Services Portfolio
Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.
More informationMicrosoft Visual Studio Online Data Protection
Microsoft Visual Studio Online Data Protection May 2015 Jeff Beehler, VSO Group Program Manager jeffbe@microsoft.com (c) 2015 Microsoft Corporation. All rights reserved Contents Overview... 1 Our commitment...
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationSecuring Microsoft s Cloud Infrastructure
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for
More informationBirst Security and Reliability
Birst Security and Reliability Birst is Dedicated to Safeguarding Your Information 2 Birst is Dedicated to Safeguarding Your Information To protect the privacy of its customers and the safety of their
More informationIBM 000-281 EXAM QUESTIONS & ANSWERS
IBM 000-281 EXAM QUESTIONS & ANSWERS Number: 000-281 Passing Score: 800 Time Limit: 120 min File Version: 58.8 http://www.gratisexam.com/ IBM 000-281 EXAM QUESTIONS & ANSWERS Exam Name: Foundations of
More informationWalk Then Run: 10 Essential Steps to Securing the Cloud
Walk Then Run: 10 Essential Steps to Securing the Cloud Security and Platform Insights from 15 CIOs Every Organization Needs a Security Plan Every business needs a strategic security plan that takes into
More informationSecuring Microsoft s Cloud Infrastructure
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for
More informationAdvanced Service Desk Security
Advanced Service Desk Security Robust end-to-end security measures have been built into the GoToAssist Service Desk architecture to ensure the privacy and integrity of all data. gotoassist.com Many service
More informationKeyLock Solutions Security and Privacy Protection Practices
KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More information1 Introduction 2. 2 Document Disclaimer 2
Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document
More informationLibrary Systems Security: On Premises & Off Premises
Library Systems Security: On Premises & Off Premises Guoying (Grace) Liu University of Windsor Leddy Library Huoxin (Michael) Zheng Castlebreck Inc. CLA 2015 Annual Conference, Ottawa, June 5, 2015 Information
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationAskAvanade: Answering the Burning Questions around Cloud Computing
AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,
More informationSmall Business IT Risk Assessment
Small Business IT Risk Assessment Company name: Completed by: Date: Where Do I Begin? A risk assessment is an important step in protecting your customers, employees, and your business, and well as complying
More informationSECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our
ENDNOTE ONLINE SECURITY OVERVIEW FOR MY.ENDNOTE.COM In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our servers from attacks and other attempts
More information