Securing the Cloud Infrastructure




EXECUTIVE STRATEGY BRIEF

Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy brief discusses the challenges of providing a trustworthy environment for cloud services, reviews Microsoft's risk-based information security and privacy controls, and describes the compliance framework we follow to ensure our cloud infrastructure meets our commitments and help customers meet their compliance needs.

Cloud Security Challenges

Cloud computing offers both challenges and opportunities for IT organizations looking to harness the favorable economics and operational flexibility of an online services model. The growing interdependence of public and private services, complex global compliance requirements, and sophistication of threats require that the hosting environment employ robust policies and processes to protect sensitive information and enable persistent regulatory compliance. For more than 15 years, Microsoft has been addressing the following online service delivery challenges:

Growing interdependence
Organizations and their customers will become more interdependent on each other through use of the cloud. With these new dependencies come mutual expectations that platform services and hosted applications be secure and available. Microsoft provides a trustworthy infrastructure, a base upon which public and private sector entities and their partners can build a trustworthy experience for their users. Microsoft actively works with these groups and the development community at large to encourage adoption of security-centric risk management processes.

Complex global compliance requirements
Regulatory, statutory, and industry compliance is a highly complex area because each country maintains its own laws that can govern the provisioning and use of online environments. Microsoft must be able to comply with a myriad of regulatory obligations because it has data centers in a number of countries and offers online services to a global customer base. In addition, many industries impose their own unique requirements. Microsoft has implemented a compliance framework to efficiently manage its various compliance obligations without creating undue burden on the business.

More dynamic hosting environment
Keeping pace with growth and anticipating future needs is essential to running an effective security program. The latest wave of change has already begun with the rapid move to virtualization and a growing adoption of Microsoft's Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software. The advent of cloud platforms enables custom applications to be developed by third parties and hosted in the Microsoft cloud. Microsoft maintains strong internal partnerships among security, product, and service delivery teams to provide a trustworthy Microsoft cloud environment while these changes occur.

Growing sophistication of threats
While pranksters still seek attention through a variety of techniques including domain squatting and man-in-the-middle attacks, more sophisticated malicious attempts aimed at obtaining identities or blocking access to sensitive business data have emerged, along with a more organized underground market for stolen information. Microsoft works closely with law enforcement, industry partners and peers, and research groups to understand and respond to this evolving threat landscape. Additionally, the Microsoft Security Development Lifecycle introduces security and privacy early and throughout the development process.

Risk Management Process

In addition to the information security management system we have in place, we follow an annual risk management process that looks at evolving risks in the environment and across the industry. We maintain a dedicated team that works through potential risks, calculates the potential disruption, and determines Microsoft's exposure. The risk management team evaluates the effectiveness of controls in place by:

- Identifying threats and vulnerabilities to the environment
- Calculating risk
- Reporting risks across the Microsoft cloud environment
- Addressing risks based on impact assessment and the associated business case
- Testing remediation effectiveness and residual risk
- Managing risks on an ongoing basis

This process allows us to focus our efforts on the high-value targets, and then apply appropriate protections to defend our customers and ourselves.

Defense in Depth

Defense in depth is a best practice across the industry, and it's an approach we take across our online services and infrastructure. Applying controls at multiple layers involves employing protection mechanisms, developing risk mitigation strategies, and being capable of responding to attacks when they occur. Using multiple security measures of varying strength, depending on the sensitivity of the protected asset, results in improved capacity to prevent breaches or to lessen the impact of a security incident. When we deploy a service to our datacenters, we assess and address every part of the software stack: from the physical controls to prevent unauthorized access to equipment, to encrypting data moving over the network, to locking down the host servers and keeping malware protection up-to-date, to ensuring applications themselves have appropriate safeguards in place. Maintaining a rich set of controls and a defense-in-depth strategy ensures that if any one area should fail, there are compensating protections in other areas that retain security and privacy at all times.

Figure 1: Defense-in-depth (layers: physical, network, identity and access management, host security, application, data)

Security at our Foundation

Application security is a key element in Microsoft's approach to securing its cloud computing environment. The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL) in 2004. The SDL process is development methodology agnostic and is fully integrated with the application development lifecycle from design to response. Various phases of the SDL process emphasize education and training, and also mandate that specific activities and processes be applied as appropriate to each phase of software development. Starting with the requirements phase, the SDL process includes a number of specific activities that need to be considered when developing applications to be hosted in the Microsoft cloud. One of the key steps is threat modeling and attack surface analysis, where we assess the potential threats that could come in and what aspects of the service are exposed, and proceed to minimize the attack surface by restricting services or eliminating functions that are unnecessary. The later stages then ensure that the controls are fully tested to mitigate the potential threats, so customers can have confidence in the final service release.

Security Incident Response

An important part of Microsoft's security capabilities includes our support and response processes. The Security Incident Management (SIM) team responds to these issues when they occur, operating around the clock. The SIM processes are aligned with ISO/IEC 18044 and NIST SP800-61. There are six phases to the SIM incident response process:

- Preparation: SIM staff undergo ongoing training in order to be ready to respond when a security incident occurs.
- Identification: Looking for the cause of an incident, whether intentional or not, often means tracking the issue through multiple layers of the Microsoft cloud computing environment. SIM collaborates with members from other internal Microsoft teams to diagnose the origin of a given security incident.
- Containment: Once the cause of the incident has been found, SIM works with all necessary teams to contain the incident. How containment occurs depends on the business impact of the incident.
- Mitigation: SIM coordinates with relevant product and service delivery teams to reduce risk of incident recurrence.
- Recovery: Continuing to work with other groups as needed, SIM assists in the service recovery process.
- Lessons learned: After resolution of the security incident, SIM convenes a joint meeting with all involved personnel to evaluate what happened and to record lessons learned during the incident response process.

A second area of response is interacting with law enforcement agencies. The Global Criminal Compliance (GCC) program is involved in setting policy and providing training on Microsoft's response process. GCC also responds to valid legal requests for information. GCC has legal agents available in many countries to validate and, if necessary, translate the request. One reason that GCC is considered a best response program by many international authorities is that GCC provides a law enforcement portal that offers guidance in multiple languages to authenticated law enforcement personnel about how to submit a legal request to Microsoft.

Comprehensive Compliance Framework

The Microsoft online services environment must meet numerous government-mandated and industry-specific security requirements in addition to Microsoft's own business-driven specifications. As Microsoft online businesses continue to grow and change and new online services are introduced into the Microsoft cloud, additional requirements are expected that could include regional and country-specific data security standards. The Operational Compliance team works across operation, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations. One of the successes of having implemented this program is that Microsoft's cloud infrastructure has achieved SAS 70 Type I and Type II attestations, ISO/IEC 27001:2005 certification, and FISMA NIST SP800-53 revision 3 standard. Figure 4 (on the last page) lists Microsoft's cloud infrastructure key certifications and attestations as of December 2010.

The compliance framework includes a compliance process based on the ISO 27001 approach of plan-do-check-act. On a regular basis, Microsoft monitors the change in statutory and regulatory demands and adjusts our compliance framework and audit schedule accordingly. Though Microsoft's infrastructure has received industry certifications and attestations, customers are ultimately responsible for ensuring their own compliance with applicable policies, practices, and regulations. Microsoft does not claim to be responsible for providing these certifications or to comply/not comply with these certifications on behalf of the customer, but does provide guidance to assist customers in meeting their own compliance requirements.

Figure 2: Microsoft's Security Development Lifecycle
Training: Core training
Requirements: Analyze security and privacy risk; Define quality gates
Design: Threat modeling; Attack surface analysis
Implementation: Specify tools; Enforce banned functions; Static analysis
Verification: Dynamic/Fuzz testing; Verify threat models/attack surface
Release: Response plan; Final security review; Release archive
Response: Response execution

Figure 3: Microsoft datacenter control framework
Domains:
01. General information
02. Informational security
03. Organization of information security
04. Asset management
05. Human resources security
06. Physical and environmental security
07. Communications and operations management
08. Access control
09. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Risk management
13. Compliance
14. Privacy
Structure: domain, sub-domain, control objective, associated standard (external compliance requirement), sample control activity, sample testing activity

Control Framework

Customers evaluating Microsoft's cloud services often ask how our compliance framework is actually structured. We have a series of domains that are informed by the ISO/IEC 27001:2005 standard along with specific industry obligations, such as the payment card industry data security standard and the FISMA NIST SP800-53 revision 3 standard. The control framework structure depends upon how we map those domains to the specific activities that go with them. For example, we take each of those domains, identify control activities and control owners of those activities, and provide specific evidence to demonstrate that we're meeting those activities and control domain objectives. This structure and process allows third-party auditors to follow a clean map from control domains down to activities and evidence. In addition, this framework allows us to take each requirement and communicate how we meet specific obligations back to customer and internal teams. For example, we can take the controlled domain and controlled activity structure and focus on specific healthcare obligations for customers in that industry. Alternatively, we can take a specific control objective, such as training and awareness, and map it back to a specific need; an example here would be the requirement for training under ISO/IEC 27001:2005 and Sarbanes-Oxley.

Security and Privacy Considerations for Selecting Online Services Providers

Microsoft's stringent security, privacy and compliance controls help ensure customers can have confidence and trust in the online services we provide. As customers evaluate options for online services, it is important that the ability of a service provider to ensure a protected, trusted environment be included in the selection criteria. The following checklist can help in assessing the security, privacy and compliance capabilities of a potential service provider:

- Require that the provider has attained third-party certifications and audits, such as ISO/IEC 27001:2005
- Consider the ability of vendors to accommodate changing security and compliance requirements
- Understand the specific regional and industry compliance obligations that must be met
- Ensure a clear understanding of security and compliance roles and responsibilities for delivered services
- Ensure data and services can be brought back in-house if necessary
- Require transparency in security policies and operations

Microsoft is confident we offer a trusted cloud environment that will help public and private organizations take advantage of the flexibility and economics of the online services model, while maintaining the robust security and privacy their business demands. For more information on Microsoft's secure cloud infrastructure, please visit www.globalfoundationservices.com

Figure 4: Microsoft datacenter certifications and attestations, December 2010
- ISO 27001
- SAS 70 Type II
- HIPAA/HITECH
- Various State, Federal, and International Privacy Laws (95/46/EC aka EU Data Protection Directive; California SB1386; etc.)
- PCI Data Security Standard
- FISMA Certification & Accreditation

© 2010 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.