Sikkerhet i skytjenester; hva bør en tenke på? Ole Tom Seierstad National Security Officer Microsoft Norway oles@microsoft.com

Transcription

1 Sikkerhet i skytjenester; hva bør en tenke på? Ole Tom Seierstad National Security Officer Microsoft Norway oles@microsoft.com

2 Cloud is becoming integral to business transformation The secure pathway to innovation Start with a trusted & resilient foundation Leverage economies of scale and expertise Use the cloud to drive business strategy Reshape how you engage with customers Enable more productive work Drive new and more rapid sources of innovation 2

3 Cybersecurity concerns persist Global attacks are increasing and costs are rising Cybercrime extracts between 15% and 20% of the value created by the Internet. 1 In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year. 2 Total financial losses attributed to security compromises increased 34% in Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. 4 3

4 But cloud momentum continues to accelerate If you re resisting the cloud because of security concerns, you re running out of excuses. The question is no longer: How do I move to the cloud? Instead, it s Now that I m in the cloud, how do I make sure I ve optimized my investment and risk exposure? By 2020 clouds will stop being referred to as public and private. It will simply be the way business is done and IT is provisioned. 4

5 Technology is evolving at lightning speed

6 Holistic Tension strategy between to innovation drive business & security success risks Business Innovation SECURITY STRATEGY Extend Trust and Data to Devices Secure new patterns of Data Security Risks Extend Trust to Cloud Service Providers Protect new forms of value generation from big data

7 The Microsoft Trusted Cloud 200+ cloud services, 1+ million servers, $15B+ infrastructure investment 57% of Fortune ,000 new subscribers per week million active users 4 Online 5.5+ billion worldwide queries each month million users per month 5 1 billion customers, 20 million businesses, 90 countries worldwide billion worldwide users 2 48 million members in 57 countries million unique users each month 6 7

8 Microsoft Azure a trusted foundation Privacy and Security Transparency Compliance Control 8 8

9 Microsoft Data Center Unified platform for modern business Compute Data Storage Network Services App Services Global Physical Infrastructure Stores over 4 trillion objects Handles on average 127,000 requests/second Peak of 880,000 requests/second 9

10 Microsoft Data Center Scale Microsoft has datacenter capacity around the world and we re growing Quincy Cheyenne Chicago Des Moines Boydton Dublin Amsterdam Shanghai Japan Hong Kong San Antonio Singapore Brazil 35+ factors in site selection: Proximity to customers Energy, Fiber Infrastructure Skilled workforce Australia 10

11 Certification & Security Reliance Microsoft s cloud environment Application Software as a Service (SaaS) Consumer and small business services Enterprise services Third-party hosted services Microsoft IT PaaS IaaS Physical Cloud Infrastructure and Operations Datacenters Operations Global Network Security 11

12 Responsibility On-Prem IaaS PaaS SaaS Risk customers must manage Data Classification End Point Devices Shared risks Identity & access management Data classification and accountability Client & end-point protection Identity & access management Application level controls Network controls Risks a provider can help reduce Physical Networking Host Security Physical Security Cloud Customer Cloud Provider

13 24-hour security monitoring of data centers Perimeter security Fire suppression Multi-factor authentication Premises monitoring

14 Customer risk management Public Data Internal Data Confidential Data

15

16 Transparency in action

17 Cybersecurity

18 Trustworthy Privacy foundation Privacy by Design Microsoft privacy principles are designed to facilitate the responsible use of customer data, be transparent about practices, and offer meaningful privacy choices. Microsoft Privacy Standard Guidelines that help ensure privacy is applied in the development and deployment of products and services. Data segregation Azure uses logical isolation to segregate each customer s data from that of others. 19

19 ISO/IEC Microsoft is the first major cloud provider to adopt the first international code of practice for governing the processing of personal information by cloud service providers. Prohibits use of customer data for advertising and marketing purposes without customer s express consent. Prevents use of customer data for purposes unrelated to providing the cloud service. 20

20 ISO Born in the Cloud Key Principles - Cloud providers must: Not use data for advertising or marketing unless express consent is obtained Be transparent about data location and how data is handled Provide customers with control over how their data is used Be accountable to determine if customer data was impacted by a breach of information security Communicate to customers and regulators in the event of a breach Have services independently audited for compliance with this standard

21 Contractual commitments Adopt ISO/IEC code of practice Microsoft was the first major cloud service provider to Offer customers E.U. Standard Contractual Clauses that provide specific contractual guarantees around transfers of personal data for in-scope services. Have European data privacy authorities validate that its enterprise agreement meets EU requirements on international data transfers Abide by US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Program. 22

22 Restricted data access Customer data is only accessed when necessary to support customer s use of Azure (e.g. troubleshooting or feature improvement), or when required by law. When granted, access is controlled and logged. Strong authentication, including MFA, helps limit access to authorized personnel only. Access is revoked as soon as it s no longer needed. Access controls are verified by independent audit and certifications. 23

23 Customer Data When a customer utilizes Azure, they retain exclusive ownership of their data. Control over data location Customers choose data location and replication options. Role based access control Tools support authorization based on a user s role, simplifying access control across defined groups of users. Encryption key management Customers have the flexibility to generate and manage their own encryption keys. Control over data destruction Deletion of data on customer request and on contract termination. 24

24 Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA Contractually commit to privacy, security and handling of customer data through Data Processing Agreements Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance CJIS Yes No Yes No No EU Model Clauses Yes Yes Yes Yes No EU Safe Harbor Yes Yes Yes Yes Yes FedRamp (Moderate) Yes No Yes No No FERPA Yes Yes Yes N/A Yes HIPAA/BAA Yes Yes Yes Yes No US Government Cloud Yes Yes Yes No No UK G-Cloud Yes Yes Yes No No ISO 27001:2013 (w/iso 27018:2014) Yes Yes Yes Yes Yes (ISO 27001:2005) PCI DSS N/A N/A Yes N/A N/A SOC 1 Type 2 - (SSAE 16 / ISAE 3402) Yes Yes Yes Yes No SOC 2 Type 2 - (AT Section 101) Yes No Yes Yes No

25

26 Law enforcement requests Microsoft does not disclose Customer Data to law enforcement unless as directed by customer or required by law, and will notify customers when compelled to disclose, unless prohibited by law. The Law Enforcement Request Report discloses details of requests every 6 months. Microsoft doesn t provide any government with direct or unfettered access to Customer Data. Microsoft only releases specific data mandated by the relevant legal demand. If a government wants customer data it needs to follow the applicable legal process. Microsoft only responds to requests for specific accounts and identifiers. 27

27 Source:

28

29

30

31 Compliance Program Region Description ISO WW Broad international information security standard. Results in a formal certification. ISO EU, WW International standard for the protection of privacy and personal data in the cloud. Code of practice that provides guidelines, no certification possible. EU Model Clauses EU Contractual addendum offered to EU customers requiring additional safeguards for the protection of personal data beyond Safe Harbor Framework. G-Cloud UK G-Cloud v6 process requires CSPs to self-certify and supply evidence against 14 cloud security principles. SOC 1 WW Key attestation based on AICPA SSAE 16 standard. SOC 2, SOC 3 WW Key attestation based on AICPA AT 101 standard. HIPAA BAA US Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US Federal law. Business Associate Agreement (BAA) is a contract addendum offered to customers. 21 CFR Part 11 GxP Life Sciences US, WW Food and Drug Administration (FDA) governed storage of electronic records. Good practices for Manufacturing, Laboratory, and Clinical records. FISMA / FedRAMP US Gov Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) is required for Cloud Service Providers who wish to sell their services to US Federal agencies. FIPS US Gov Security requirements for cryptographic modules. CNSSI 1253 US Gov Committee on National Security Systems Instruction No specifies options in the NIST security controls. CJIS US Gov Criminal Justice Information Services (CJIS) is a division of the FBI that provides state, local, and federal law enforcement agencies with access to information concerning individuals, stolen property, criminal organizations, etc. CJIS Security Policy defines 11 policy areas that Cloud Service Providers need to evaluate to meet CJIS requirements. DIACAP / DIARMF US Gov Department of Defense Information Assurance Certification and Accreditation process being migrated to Risk Management Framework.

32 Compliance Program Region Description DoD US Gov Set up by Defense Information Systems Agency (DISA) to test Records Management Applications. ITAR US Gov International Traffic in Arms Regulation controls the export and import of defense-related articles and services on the US Munitions List. DISA DoD SRG US Gov The US Department of Defense (DoD) designated the Defense Information Systems Agency (DISA) to perform cloud brokerage functions. DISA issued a Security Requirements Guide (SRG) that aligns their authorization closely to FedRAMP. SEC 17a-4 US Archival storage of broker-dealer records with guaranteed data immutability for predetermined duration of time. FERPA US Family Education Rights and Privacy Act. What s needed is guidance offered to educational institutions. FFIEC US Federal Financial Institutions Examination Council prescribes standards for federal examination of financial institutions. GLB Act US Gramm-Leach-Bliley Act is the Financial Modernization Act of 1999 has security and privacy implications for FSI. IRS 1075 US Safeguards for protecting federal tax information at all points where it is received, processed, stored, and maintained. MTCS Singapore Multi-Tier Cloud Security (MTCS) standard developed by Infocomm Development Authority of Singapore (IDA). OSFI Canada Office of the Superintendent of Financial Institutions expectations for federally regulated financial institutions. FISC Japan The Center for Financial Industry Information Systems. PCI DSS WW Payment Card Industry Data Security Standard. Required when CC data is stored, processed, or accessed in the cloud. TC 260 China Procurement guidelines regarding cloud security issued by the Ministry of Industry and Information Technology (MIIT). MLPS China Multi Level Protocol Scheme issued by the Ministry of Public Security (MPS). Under development. Expected mid 2015.

33 Microsoft Azure Key Vault Azure IaaS Azure PaaS SQL Server PKI 3 rd party Secure VM Custom LOB Application 2 Applications get high performance access to your secrets on your terms 1 You manage your secrets Import keys On-premises HSM Microsoft Confidential