Securing the Cloud Infrastructure

Transcription

1 EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy brief discusses the challenges of providing a trustworthy environment for cloud services, reviews Microsoft s risk-based information security and privacy controls, and describes the compliance framework we follow to ensure our cloud infrastructure meets our commitments and help customers meet their compliance needs.

2 Cloud Security Challenges Cloud computing offers both challenges and opportunities for IT organizations looking to harness the favorable economics and operational flexibility of an online services model. The growing interdependence of public and private services, complex global compliance requirements, and sophistication of threats requires that the hosting environment employ robust policies and processes to protect sensitive information and enable persistent regulatory compliance. For more than 15 years, Microsoft has been addressing the following online service delivery challenges: Growing Interdependence Organizations and their customers will become more interdependent on each other through use of the cloud. With these new dependencies come mutual expectations that platform services and hosted applications be secure and available. Microsoft provides a trustworthy infrastructure, a base upon which public and private sector entities and their partners can build a trustworthy experience for their users. Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes. Complex global compliance requirements Regulatory, statutory, and industry compliance is a highly complex area because worldwide each country maintains their own laws that can govern the provisioning and use of online environments. Microsoft must be able to comply with a myriad of regulatory obligations because it has data centers in a number of countries and offers online services to a global customer base. In addition, many industries impose their own unique requirements. Microsoft has implemented a compliance framework to efficiently manage its various compliance obligations without creating undue burden on the business. More dynamic hosting environment Keeping pace with growth and anticipating future needs is essential to running an effective security program. The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft s Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software. The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud. Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur. Growing sophistication of threats While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated malicious attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information. Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape. Additionally, the Microsoft Security Development Lifecycle introduces security and privacy early and throughout the development process. Risk Management Process In addition to the information security management system we have in place, we follow an annual risk management process that looks at evolving risks in the environment and across the industry. We maintain a dedicated team that works through potential risks, calculates the potential disruption, and determines Microsoft s exposure. The risk management team evaluates the effectiveness of controls in place by: Identifying threats and vulnerabilities to the environment Calculating risk Reporting risks across the Microsoft cloud environment Addressing risks based on impact assessment and the associated business case Testing remediation effectiveness and residual risk Managing risks on an ongoing basis This process allows us to focus our efforts on the high-value targets, and then apply appropriate protections to defend our customers and ourselves. Organizations and their customers will become more interdependent on each other through use of the cloud. 2

3 Defense in Depth Defense in depth is a best practice across the industry, and it s an approach we take across our online services and infrastructure. Applying controls at multiple layers involves employing protection mechanisms, developing risk mitigation strategies, and being capable of responding to attacks when they occur. Using multiple security measures of varying strength depending on the sensitivity of the protected asset results in improved capacity to prevent breaches or to lessen the impact of a security incident. When we deploy a service to our datacenters, we assess and address every part of the software stack from the physical controls to prevent unauthorized access to equipment, to encrypting data moving over the network, to locking down the host servers and keeping malware protection up-to-date, to ensuring applications themselves have appropriate safeguards in place. Maintaining a rich set of controls and defense in depth strategy ensures that if any one area should fail, there are compensating protections in other areas that retain security and privacy at all times. figure 1: Defense-in-depth Security at our Foundation Application security is a key element in Microsoft s approach to securing its cloud computing environment. The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL) in The SDL process is development methodology agnostic and is fully integrated with the application development lifecycle from design to response. Various phases of the SDL process emphasize education and training, and also mandate that specific activities and processes be applied as appropriate to each phase of software development. Starting with the requirements phase, the SDL process includes a number of specific activities that need to be considered for the development of applications to be hosted in the Microsoft cloud in mind. One of the key steps is threat modeling and attack surface analysis, where we assess of the potential threats that could come in, what aspects of the service are exposed and proceed to minimize the attack surface by restricting services or eliminating functions that are unnecessary. The later stages then ensure that the controls are fully tested to mitigate the potential threats, so customers can have confidence in the final service release. Security Incident Response An important part of Microsoft s security capabilities includes our support and response processes. The Security Incident Management (SIM) team responds to these issues when they occur, operating around the clock. The SIM processes are aligned with ISO/IEC and NIST SP There are six phases to the SIM incident response process: Preparation SIM staff undergo ongoing training in order to be ready to respond when a security incident occurs. Identification Looking for the cause of an incident, whether intentional or not, often means tracking the issue through multiple layers of the Microsoft cloud computing environment. SIM collaborates with members from other internal Microsoft teams to diagnose the origin of a given security incident. Containment Once the cause of the incident has been found, SIM works with all necessary teams to contain the incident. How containment occurs depends on the business impact of the incident. Mitigation SIM coordinates with relevant product and service delivery teams to reduce risk of incident recurrence. Recovery Continuing to work with other groups as needed, SIM assists in the service recovery process. PHYSICAL NETWORK IDENTITY AND ACCESS MANAGEMENT HOST SECURITY APPLICATION DATA 3

4 Lessons learned After resolution of the security incident, SIM convenes a joint meeting with all involved personnel to evaluate what happened and to record lessons learned during the incident response process. A second area of response is interacting with law enforcement agencies. The Global Criminal Compliance (GCC) program is involved in setting policy and providing training on Microsoft s response process. GCC also responds to valid legal requests for information. GCC has legal agents available in many countries to validate and, if necessary, translate the request. One reason that GCC is considered a best response program by many international authorities is that GCC provides a law enforcement portal that offers guidance in multiple languages to authenticated law enforcement personnel about how to submit a legal request to Microsoft. Comprehensive Compliance Framework The Microsoft online services environment must meet numerous governmentmandated and industry-specific security requirements in addition to Microsoft s own business-driven specifications. As Microsoft online businesses continue to grow and change and new online services are introduced into the Microsoft cloud, additional requirements are expected that could include regional and country-specific data security standards. The Operational Compliance team works across operation, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations. One of the successes of having implemented this program is that Microsoft s cloud infrastructure has achieved SAS70 70 type I and Type II attestations, ISO/IEC 27001:2005 certification, and FISMA NIST SP revision 3 standard. Figure 4 (on the last page) lists out Microsoft s cloud infrastructure key certifications and attestations as of December The compliance framework includes a compliance process based on the ISO approach of plan-do-check-act. On a regular basis, Microsoft monitors the change in statutory and regulatory demands and adjusts our compliance framework and audit schedule accordingly. Though Microsoft s infrastructure has received industry certifications and attestations, customers are ultimately responsible to ensure their own compliance with applicable policies, practices, and regulations. Microsoft does not claim to be responsible for providing these certifications or to comply/not comply with these certifications on behalf of the customer, but does provide guidance to assist customers in meeting their own compliance requirements. As Microsoft online businesses continue to grow and change and new online services are introduced into our cloud, additional requirements are expected that could include regional and country-specific data security standards. figure 2: Microsoft s Security Development Lifecycle TRAINING REQUIREMENTS DESIGN IMPLEMENTATION VERIFICATION RELEASE RESPONSE + Core Training + Analyze security and privacy risk + Define quality gates + Threat modeling + Attack surface analysis + Specify tools + Enforce banned functions + Static Analysis + Dynamic/Fuzz testing + Verify threat models/ attack surface + Response plan + Final security review + Release archive + Response execution 4

5 Figure 3: Microsoft datacenter control framework 01. General information 02. Informational security 03. Organization of information security 04. Asset management 05. Human resources security 06. Physical and environmental security 07. Communications and operations management 08. Access control 09. Information systems aquisition, development and maintenance 10. Information security incident management 11. Business continuity management 12. Risk management 13. Compliance 14. Privacy DOMAINS STRUCTURE Domain Sub-domain Control objective Associated standard (external compliance requirement) Sample control activity Sample testing activity Control Framework Customers evaluating Microsoft s cloud services often ask how our compliance framework is actually structured. We have a series of domains that are informed by the ISA/IEC 27001:2005 standard along with specific industry obligations, such as the payment card industry data security standard and the FISMA NIST SP revision 3 standard. The control framework structure depends upon how we map those domains to the specific activities that go with them. For example, we take each of those domains, identify control activities and control owners of those activities, and provide specific evidence to demonstrate that we re meeting those activities and control domain objectives. This structure and process allows thirdparty auditors to follow a clean map from control domains down to activities and evidence. In addition, this framework allows us to take each requirement and communicate how we meet specific obligations back to customer and internal teams. For example, we can take the controlled domain and controlled activity structure and focus on specific healthcare obligations for customers in that industry. Alternatively, we can take a specific control objective, such as training and awareness, and map it back to a specific need an example here would be the requirement for training under ISO/IEC 27001:2005 and Sarbanes-Oxley. Security and Privacy Considerations for Selecting Online Services Providers Microsoft s stringent security, privacy and compliance controls helps ensure customers can have confidence and trust in the online services we provide. As customers evaluate options for online services, it is important that the ability of a service provider to ensure a protected, trusted environment be included in the selection criteria. The following checklist can help in assessing the security, privacy and compliance capabilities of a potential service provider: Require that the provider has attained third-party certifications and audits, such as ISO/IEC 27001:2005 Consider the ability of vendors to accommodate changing security and compliance requirements Understand the specific regional and industry compliance obligations that must be met Ensure a clear understanding of security and compliance roles and responsibilities for delivered services Ensure data and services can be brought back in-house if necessary Require transparency in security policies and operations 5

6 Microsoft is confident we offer a trusted cloud environment that will help public and private organizations take advantage of the flexibility and economics of the online services model, while maintaining the robust security and privacy their business demands. For more information on Microsoft s secure cloud infrastructure, please visit Figure 4: microsoft datacenter Certifications and Attestations, december 2010 ISO SAS 70 Type II HIPAA/HITECH Various State, Federal, and International Privacy Laws (95/46/EC aka EU Data Protection Directive; California SB1386; etc.) PCI Data Security Standard FISMA Certification & Accreditation 2010 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.