How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

Similar documents
Data Processing Agreement for Oracle Cloud Services

Article 29 Working Party Issues Opinion on Cloud Computing

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Trusted Cloud: Microsoft Azure Security, Privacy, and Compliance. April 2015

White Paper How Noah Mobile uses Microsoft Azure Core Services

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Microsoft Azure. White Paper Security, Privacy, and Compliance in

Security Considerations

The Internet of Things, big data and the cloud: implications for privacy and trust

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

How To Manage Cloud Data Safely

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Privacy Statement. What Personal Information We Collect. Australia

CloudDesk - Security in the Cloud INFORMATION

Acquia Comments on EU Recommendations for Data Processing in the Cloud

The problem of cloud data governance

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Office 365 Data Processing Agreement with Model Clauses

Data Management Policies. Sage ERP Online

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

ECSA EuroCloud Star Audit Data Privacy Audit Guide

Cloud Computing: Legal Risks and Best Practices

Security Issues in Cloud Computing

GoodData Corporation Security White Paper

Building Secure Cloud Applications. On the Microsoft Windows Azure platform

Using AWS in the context of Australian Privacy Considerations October 2015

Data In The Cloud: Who Owns It, and How Do You Get it Back?

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Security Information & Policies

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Cloud Security Trust Cisco to Protect Your Data

Type of Personal Data We Collect and How We Use It

Data Protection Act Guidance on the use of cloud computing

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing Contracts. October 11, 2012

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

Evaluating the Cloud An Executive Perspective

The Education Fellowship Finance Centralisation IT Security Strategy

Supplier Information Security Addendum for GE Restricted Data

Information Technology: This Year s Hot Issue - Cloud Computing

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Information Technology Branch Access Control Technical Standard

How can Cloud help your Security. Christophe Van Mollekot Solution Advisor Microsoft

HIPAA Privacy & Security White Paper

<cloud> Secure Hosting Services

The Anti-Corruption Compliance Platform

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

AlixPartners, LLP. General Data Protection Statement

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Understand Troubleshooting Methodology

KeyLock Solutions Security and Privacy Protection Practices

GUESTBOOK REWARDS, INC. Privacy Policy

Comparing Alternatives for Business-Grade File Sharing. intermedia.net CALL US US ON THE WEB

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Cloud Computing Governance & Security. Security Risks in the Cloud

DARTFISH PRIVACY POLICY

Privacy and Electronic Communications Regulations

Brainloop Cloud Security

DHHS Information Technology (IT) Access Control Standard

OrgChart Now Information Security Overview. OfficeWork Software LLC

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Protecting Data and Privacy in the Cloud

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

DATA SECURITY AGREEMENT. Addendum # to Contract #

Cloud-Based Project Information Management from Aconex: A Guide for IT Professionals

Last updated: 30 May Credit Suisse Privacy Policy

Considerations for Outsourcing Records Storage to the Cloud

ELECTRONIC INFORMATION SECURITY A.R.

How To Make Bring Your Own Device A Plus, Not A Risk

Addressing Cloud Computing Security Considerations

2. A Note about Children. We do not intentionally gather Personal Data from visitors who are under the age of 13.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Transcription:

How Microsoft is taking Privacy by Design to Work Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

Agenda Introducing the New Microsoft Microsoft privacy principle Protecting privacy in Microsoft Implementing Privacy By Design in the Cloud

Introducing the new Microsoft

Technology Megatrends Shift to a Data Driven Economy Mobility Social Cloud Big data IoT By 2016, smartphones and tablets in service by 2.7 billion Asians. Millennials will make up 59% of the Asian workforce by 2025 50% of organizations are either using or investigating cloud computing solutions in Asia by 2014 1 ZB = 10 21 bytes = = 1 billion terabytes. Digital content will grow from less than 0.5ZB in 2013, up 90% rocketing toward 4.8ZB by 2017 IoT Devices will grow to 50B by 2020, with a market potential of 10 Trillion devices

Big/bold ambitions A PC on every desk and in every home Empowering everyone Realizing people s unlimited potential Productivity and platform Reinvent productivity to empower every person and every organization to do more

Microsoft Our Future --

Microsoft Privacy Principles

Privacy remains Microsoft s #1 priority & Marketing

No Big Deal? It s everyone s business!

Microsoft s Privacy Policy 10 Privacy Principles Accountability Disclosure or Onward Transfer Notice Quality Collection Access Choice and Consent Security Use and Retention Monitoring and Enforcement 10

Protecting Privacy in Microsoft

Privacy in action for sales & marketing Transparency Tell customers what data we collect and how it will be used. Ensure our data practices comply with Federal, State, and International laws we must be compliant to avoid penalties. Compliance Control Empower users to control collection, use, & distribution of their personal information. Establish protective measures to defend against hostile acts or influences. Provide assurance of defense. Security Data Minimization Collect only data that s necessary and retain only as long as there s a legitimate need.

Examples of protecting privacy in action Transactional vs. Promotional Emails Request Customer or Partner List Supplier Security & Privacy Assurance Sensitive Data storage 13

Implementing Privacy By Design in the Cloud

The Microsoft Trusted Cloud 200+ cloud services, 1+ million servers, $15B+ infrastructure investment 57% of Fortune 500 4 10,000 new subscribers per week 2 3.5 million active users 4 Online 5.5+ billion worldwide queries each month 3 300+ million users per month 5 1 billion customers, 20 million businesses, 90 countries worldwide 1 1.2 billion worldwide users 2 48 million members in 57 countries 4 450+ million unique users each month 6 15

Cloud principles

Privacy & Control in Commercial Cloud Microsoft makes our commitment to the privacy of our customers a priority with independently audited policies and practices that include restricting the mining of Customer Data for advertising or similar commercial purposes. 17

Security without compromising experience Applications Data Runtime Middleware O/S

Release Start

Infrastructure protection Cloud infrastructure includes hardware, software, networks, administrative and operations staff, policies and procedures, and the physical data centers that house it all 24 hour monitored PHYSICAL SECURITY Centralized MONITORING AND ALERTS Update MANAGEMENT Anti-Virus/Anti-Malware PROTECTION Red Teaming PENETRATION TESTING FIREWALLS 20

Trustworthy foundation Privacy by Design Microsoft privacy principles are designed to facilitate the responsible use of customer data, be transparent about practices, and offer meaningful privacy choices. Microsoft Privacy Standard Guidelines that help ensure privacy is applied in the development and deployment of products and services. Data segregation We use logical isolation to segregate each customer s data from that of others. 21

Customer Data When a customer utilizes our cloud services, they retain exclusive ownership of their data. Control over data location Customers choose data location and replication options. Role based access control Tools support authorization based on a user s role, simplifying access control across defined groups of users. Encryption key management Customers have the flexibility to generate and manage their own encryption keys. Control over data destruction Deletion of data on customer request and on contract termination. 22

Data protection We provide customers with strong data protections both by default and as customer options Data isolation Logical isolation segregates each customer s data from that of others is enabled by default. At-rest data protection Customers can implement a range of encryption options for virtual machines and storage. In-transit data protection Encryption Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default. Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data. Data redundancy Customers have multiple options for replicating data, including number of copies and number and location of replication data centers. Data destruction Strict standards for overwriting storage resources before reuse and the physical destruction of decommissioned hardware are by default. 23

Restricted data access Customer data is only accessed when necessary to support customer s use of the services (e.g. troubleshooting or feature improvement), or when required by law. When granted, access is controlled and logged. (Lock Box) Strong authentication, including MFA, helps limit access to authorized personnel only. Access is revoked as soon as it s no longer needed. Access controls are verified by independent audit and certifications. 24

Law enforcement requests Microsoft does not disclose Customer Data to law enforcement unless as directed by customer or required by law, and will notify customers when compelled to disclose, unless prohibited by law. The Law Enforcement Request Report discloses details of requests every 6 months. Microsoft doesn t provide any government with direct or unfettered access to Customer Data. Microsoft only releases specific data mandated by the relevant legal demand. If a government wants customer data it needs to follow the applicable legal process. Microsoft only responds to requests for specific accounts and identifiers. 25

ISO/IEC 27018 Microsoft is the first major cloud provider to adopt the first international code of practice for governing the processing of personal information by cloud service providers. Prohibits use of customer data for advertising and marketing purposes without customer s express consent. Prevents use of customer data for purposes unrelated to providing the cloud service. 26

Contractual commitments Adopt ISO/IEC 27018 code of practice Microsoft was the first major cloud service provider to Offer customers E.U. Standard Contractual Clauses that provide specific contractual guarantees around transfers of personal data for in-scope services. Have European data privacy authorities validate that its enterprise agreement meets EU requirements on international data transfers Abide by US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Program. 27

Contracting for Cloud Services 1. Service Provider Reputation and Competence 2. Review, Monitoring and Control 3. Audit / Inspection Rights 4. Confidentiality and Certified Security Standards 5. Resilience and Business Continuity 6. Data Location and Transparency 7. Limits on Data Use (No secondary use) 8. Data Segregation / Isolation 9. Conditions on Subcontracting 10. Conditions on Termination

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information