Hans Bos Microsoft Nederland.

Transcription

1 Hans Bos Microsoft Nederland

2

3 Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party Hosted Services Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Global Foundation Services Data Centers Operations Global Network Security

4 Cloud Security Challenges

5 Why Should I Trust the Microsoft Cloud? Proven Track Record History of meeting obligations associated with the delivery of over 200 cloud services Scale Spreading cost of robust security and compliance across large number of customers provides a trusted cloud at lower cost Security at our Foundation Years of experience through our Trustworthy Computing Initiative

6

7 Comprehensive Compliance Framework INDUSTRY STANDARDS AND REGULATIONS ISO/IEC 27001:2005 EU Model Clauses FISMA/NIST Sarbanes-Oxley PCI-DSS HIPAA, etc CONTROLS FRAMEWORK Identify and integrate Regulatory requirements Customer requirements Assess and remediate Eliminate or mitigate gaps in control design PREDICTABLE AUDIT SCHEDULE Test effectiveness and assess risk Attain certifications and attestations Improve and optimize Examine root cause of non-compliance Track until fully remediated CERTIFICATION AND ATTESTATIONS ISO / IEC 27001:2005 certification SSAE 16/ISAE 3402 SOC 1, 2 and 3 PCI DSS certification FISMA certification and accreditation And more

8 Control Framework Domains DOMAINS STRUCTURE 1. Security Policy 2. Organization of Information Security 3. Asset Management 4. Human Resources Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information Systems Acquisition, Development, and Maintenance 9. Information Security Incident Management 10.Business Continuity Management 11.Compliance

9 Control Framework Structure DOMAINS STRUCTURE 64 Policy Objectives 600 Unique Control Activities Audit Requirements Control Owner Documents/Records Testing Procedures Cost Data Historical Health Data Importance Data Maturity Data

10 Rationalized Requirements Example: Awareness Training CONTROL OBJECTIVE Security awareness training for all employees, contractors, and third-party users must be provided: When granted access to resources When organizational policies and procedures change ISO/IEC 27001:2005 A SOX COBIT DS7 Trainees will be expected to understand these policies and procedures as they relate to relevant job function and protection of sensitive information HIPAA b.1 PCI-DSS version

11 Defense-in-Depth: Infrastructure Security PHYSICAL NETWORK IDENTITY AND ACCESS MANAGEMENT HOST SECURITY APPLICATION DATA

12 Infrastructure Compliance Capabilities Cloud Infrastructure Certifications and Attestations (as of January 2013) ISO / IEC 27001:2005 Certification SSAE 16/ISAE 3402 SOC 1 Type I and Type II and AT Section 101 SOC 2 and 3 Type I and Type II attestations HIPAA/HITECH PCI Data Security Standard Certification FISMA Certification & Accreditation Various State, Federal, and International Privacy Laws (95/46/EC aka EU Data Protection Directive; California SB1386; etc.)

13 Helping You Meet Your Compliance Needs You are ultimately responsible for ensuring you meet your compliance obligations Microsoft will share its certifications and audit reports to help you design your compliance program Responsibility: Data Classification and Accountability Application Level Controls Operating System Controls Host Level Controls Identity and Access Management Network Controls Physical Security IaaS PaaS SaaS CLOUD CUSTOMER CLOUD PROVIDER

14 Considerations for Choice in Cloud Services Provider Require that the provider has attained third-party certifications and audits, e.g. ISO/IEC 27001:2005 Know the value of your data and processes and the security and compliance obligations you need to meet Ensure a clear understanding of security and compliance roles and responsibilities for delivered services Consider the ability of vendors to accommodate changing security and compliance requirements Ensure data and services can be brought back in house if necessary Require transparency in security policies and operations

15

16 Choice: Public, Private, Hybrid. on premise cloud services

17