Security & privacy in the cloud; an easy road?


A journey to the trusted cloud
Martin Vliem, CISSP, CISA
National Security Officer, Microsoft The Netherlands
mvliem@microsoft.com

THE SHIFT
Old world: Information scarce. Static hierarchies. Compete to win. Individual productivity. Focus on planning ahead. Efficiency of process.
New world: Information abundant. Dynamic networks. Collaborate to win. Collective value creation. Experiment, learn and respond. Effectiveness of outcomes.

DATA

The evolution of attacks
In the beginning: Isolated cases of nation-state espionage and young hackers exploring networks.
Computing becomes pervasive: Computers used as tools to facilitate traditional offenses; hacking cases increase, with motives becoming more diverse (e.g., fraud, hacktivism).
Today: Massive data thefts across verticals; rampant economic and military espionage; advanced persistent threats; destructive attacks.
Future: Internet of Things enables new forms of large-scale attacks. Militarization of cyberspace continues.

Fundamental questions
How secure is my data?
Can I control my data, is my data private?
How can I stay compliant with law and regulations?
What happens with my data?
A structured approach:
1. Data driven risk management
2. Cloud vendor assurances
3. Additional custom controls

Conceptual model: governance, risk management and compliance. From innovation to obligation.
[Diagram labels: Supervisory rights (Supervisor, External Audit); Risk adjustments (Internal Audit, Risk Management); Business case (Operations); Data processing]

Your DATA, your DATACENTER, your RESPONSIBILITY
You own your data and identities and the responsibility for protecting them.
You own the security of on-premises resources.

Your DATA: cloud security is a partnership
Microsoft cloud services are built on a foundation of trust and security.
Microsoft provides you security controls and capabilities to help you protect your data and applications.
You own your data and identities and the responsibility for protecting them.
You own the security of on-premises resources and cloud components you control (varies by service type).

Opportunities versus risk
Data driven risk management & defense: you already had this responsibility.
Transfer operational & security controls to your cloud vendor.
Embrace cloud capabilities for enhancing security.

Timeframe       # of enterprise customer data requests    # of requests that had data disclosed in response
Jan-Jun 2015    6                                         2 (3 rejected/redirected to customer) (1 pending a resolution)
Jul-Dec 2014    3                                         1 (2 rejected/redirected to customer) (1 customer instruction)
Jan-Jun 2014    5                                         0 (5 rejected/redirected to customer)
Jul-Dec 2013    3                                         3
Jan-Jun 2013    19                                        5
Jan-Dec 2012    11                                        4
Source: http://aka.ms/letranspreport; *2012 data combines all 12 months and excludes Skype

"After all, people won't use technology they don't trust. We need to strike a better balance between privacy and national security to restore trust and uphold our fundamental liberties. In particular, a year on, there are five things the U.S. government still needs to do:
End bulk collection
Reform the FISA Court"
Brad Smith, President & Chief Legal Officer, Microsoft on the Issues Blog - June 4, 2014
https://www.reformgovernmentsurveillance.com/

Trusted cloud principles
Assurances: descriptive, independently verified, contractual


ASSUME BREACH
Phases: Protect, Detect, Respond
Timeline: First host compromised, domain admin compromised, breach discovered
Attacker undetected: 11-14 months
[Diagram labels: Cyberthreats, Data loss]

Service models: Software as a Service (Office 365 - SaaS); Platform as a Service (Azure - PaaS); Infrastructure as a Service (Azure - IaaS); On Premises
Security Dependencies
1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization
2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems
3. Data: Identify and protect your most important information assets
4. User identity and device security: Strengthen protection for accounts and devices
5. Application security: Ensure application code is resilient to attacks
6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior
7. Operating system and middleware: Protect integrity of hosts
8. Private or on-premises environments: Secure the foundation
Control areas supported by cloud

Principles: Security, Reliability, Privacy & Control, Compliance, Transparency
Data ownership: your data. Microsoft as data processor; customer as data controller.
Contracting: Microsoft Online Services Terms (OST),
Independently verified: ISO27001, 27002, 27018, Audit Report,
Descriptive information: Microsoft Trustcenter whitepapers,
[Diagram labels: Controls, Additional controls, Risks, Governance, Security, Risk management, Privacy, Compliance, Quality of service + trust & freedom of choice]

Trustworthy Computing 2.0
Pillars: Secure DEVELOPMENT; Secure OPERATIONS; Secure and Empower CUSTOMERS; Secure ECOSYSTEM
Security services help customers protect, detect and respond to security events through technology and consulting services.
Controllability of data and services ensures customers can meet their own internal compliance requirements.
Security Development Lifecycle focuses on security as a core component in the software development process, reducing the risk of costly issues, improving the security and privacy of applications, and protecting enterprise data and reputations.
Security features in our products help safeguard data and protect access to systems.
Transparency into our practices and access to governments to review our source code provides assurance to all customers.
International certifications like ISO, SOX and HIPAA certify that our control activities operate in accordance with expectations and comply with regulatory obligations.
Software Integrity Policies include mandatory engineering policies like code signing and checking for malware.
Developing Cyber Norms: working with governments to develop offensive, defensive and industry norms to promote cyber security.
Cybercrime Prevention combines top legal and technical talent, cutting-edge forensics, and business intelligence to fight digital crime.
Operational Security Assurance (OSA) provides real-world effectiveness against today's threat models that goes well beyond our external (and necessary) certifications.
Cybersecurity collaboration with security researchers and vendors, and between MSIT and customers, helps contribute to safer systems and experiences.

Cloud first; your choice! Your DATA
