Trust in the Cloud
Ovidiu Pismac, MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop Infrastructure, MCTS Forefront
Microsoft Romania
ovidiup@microsoft.com
Technology trends: driving cloud adoption
BENEFITS
  Speed: 2 weeks to deliver new services vs. 6-12 months with a traditional solution
  Scale: scale from 30,000 to 250,000 site visitors instantly
  Economics: $25,000 in the cloud would cost $100,000 on premises
Cloud Trend: 70% of CIOs will embrace a cloud-first strategy in 2016 (IDC CIO Agenda webinar)
AZURE ADOPTION
  430B+ AD authentications
  280% year-over-year database growth
  50% of Fortune 500 use Azure
Cloud innovation
OPPORTUNITY FOR SECURITY & COMPLIANCE BENEFITS
Pre-adoption concern:
  94% cited concerns around data security as a barrier to adoption
  62% were concerned that the cloud would result in a lack of control
Benefits realized:
  60% experienced security benefits they didn't previously have on-premise
  45% said privacy protection increased as a result of moving data to the cloud
SECURITY: Design/Operation, Infrastructure, Network, Identity/access, Data
PRIVACY
COMPLIANCE
Trustworthy foundation
BUILT ON MICROSOFT EXPERIENCE AND INNOVATION
Timeline:
  1st Microsoft Data Center
  Active Directory
  Trustworthy Computing Initiative
  Malware Protection Center
  SOC 1
  UK G-Cloud Level 2
  SOC 2
  FedRAMP/FISMA
  Operations Security Assurance
  20+ Data Centers
  Microsoft Security Response Center
  Windows Update
  Global Data Center Services
  Security Development Lifecycle
  Digital Crimes Unit
  ISO/IEC 27001:2005
  E.U. Data Protection Directive
  HIPAA/HITECH
  CSA Cloud Controls Matrix
  PCI DSS Level 1
Callouts:
  20+ Data Centers: investing heavily around the world, 11 data centers plus 2 in China
  Compliance Standards: operating robust compliance processes, including ISO 27001, FedRAMP, and HIPAA
  Microsoft Trustworthy Computing: created the SDL, which has become the industry standard for developing secure software
  Azure Security Centers of Excellence: protecting Microsoft customers by combatting evolving threats
UNIFIED PLATFORM FOR MODERN BUSINESS
  Automated
  Managed Resources
  Elastic
  Usage Based
Shared responsibility
REDUCE SECURITY COSTS + MAINTAIN FLEXIBILITY, ACCESS, & CONTROL
Delivery models: On-Premises, IaaS, PaaS, SaaS
Responsibility is shared between the Customer and Microsoft
Market Endorsement
  Gartner Magic Quadrant for Enterprise Application Platform as a Service (PaaS)
  Gartner Magic Quadrant for Cloud Infrastructure as a Service (IaaS)
  Gartner Magic Quadrant for Public Cloud Storage Services
  Gartner Magic Quadrant for Virtualization
Transparency & independent verification
AID CUSTOMERS IN MEETING SECURITY & COMPLIANCE OBLIGATIONS
  Third-party verification
  Access to audit reports
  Compliance packages
  Best practices and guidance
Resources: Trust Center, Cloud Security Alliance, Security Response Center progress report, Security Intelligence Report
Microsoft approach in action
Design & operations
  Software Development Lifecycle (SDL): security embedded in planning, design, development, & deployment
  Operational security controls: rigorous controls to prevent, detect, contain, & respond to threats
  Assume breach: hardening cloud services through simulated real-world attacks
  Incident response: global, 24x7 incident response to mitigate the effects of attacks
Security
"We chose Azure because, all things being equal, it is the easiest cloud platform to work with. Security and patching is already taken care of, so it is less labour-intensive."
Infrastructure protection
  24 hour monitored physical security
  Secure multi-tenant environment
  Firewalls
  Patch management
  System monitoring and logging
  Antivirus/antimalware protection
  Threat detection
  Forensics
Service security starts with the physical data center
  Cameras
  24x7 security staff
  Barriers
  Fencing
  Alarms
  Two-factor access control: biometric readers & card readers
  Security operations center
  Seismic bracing
  Days of backup power
Layers: Perimeter, Building, Computer room
Architected for secure multi-tenancy
Diagram components: Customer Admin Portal, SMAPI, Fabric Controller, Hypervisor, Host OS, Guest VMs (Customer 1, Customer 2), End Users, Azure Storage, SQL Database
AZURE:
  Centrally manages the platform and helps isolate customer environments using the Fabric Controller
  Runs a configuration-hardened version of Windows Server as the Host OS
  Uses Hyper-V, a battle-tested and enterprise-proven hypervisor
  Runs Windows Server and Linux on Guest VMs for platform services
CUSTOMER:
  Manages their environment through service management interfaces and subscriptions
  Chooses from the gallery or brings their own OS for their Virtual Machines
Microsoft and Interoperability
Microsoft commitment to support Linux: Red Hat, SUSE, CentOS, OpenSuse, Ubuntu, Oracle Linux, and new FreeBSD 10 on Hyper-V
"DHMC runs both Windows Server as guest operating systems under Hyper-V, as well as Linux. To date, DHMC has virtualized Web servers, sites on Microsoft Office SharePoint Server, reporting servers, medical applications, domain controllers, file and print servers, Citrix servers, and more." (CentOS; Dartmouth Hitchcock Medical Center case study)
System Center Configuration Manager 2012 SP1 supports administering non-Windows platforms: Linux, Unix (monitored by SCOM) and Mac OS X systems
System Center Operations Manager 2012 SP1 supports monitoring of non-Windows systems, including Linux (Red Hat, SUSE, CentOS) and Unix (HP-UX, Sun Solaris and IBM AIX); from January 2013 new Linux distributions supported: Debian Linux, Oracle Linux, Ubuntu Linux Server
System Center Virtual Machine Manager 2012 manages VMware ESX servers and Citrix XenServer hosts
Product support matrix (table; only the headers and a few cell values survive extraction)
  Products: Operations Manager, Configuration Manager, Endpoint Protection, Virtual Machine Manager
  Linux: Red Hat, SUSE, CentOS, Ubuntu, Debian, Oracle
  UNIX: AIX, HP-UX, Solaris
  Platforms: Hyper-V, Azure IaaS
  Cell values present: No Plans, Future
  Note: Debian 7.0 has Linux Integration Services
Network protection
  Network isolation: segregates network access between customers, management systems & the internet
  Virtual Networks: connect cloud services using private IP addresses and subnets
  Cloud to on-premises connections: site-to-site, point-to-site, and ExpressRoute help enable secure connections to Azure
Identity & access
  Microsoft employee access management
  Monitor & protect access to cloud apps
  Enterprise cloud identity: Azure AD
  Multi-Factor Authentication
Data protection
  Data encryption options: BitLocker, Azure RMS, AES 256/512
  Data segregation
  Data location and redundancy
  Data destruction
Data location and redundancy
AZURE:
  Creates three copies of data in each datacenter
  Offers geo-replication in a datacenter 400+ miles away
  Does not transfer Customer Data outside of a geo (e.g. from US to Europe or from Asia to US)
CUSTOMER:
  Chooses where data resides
  Configures data replication options
Note: data centers, Australia Q2 FY15
Data destruction
Data Deletion:
  Index immediately removed from primary location
  Geo-replicated copy of the data (index) removed asynchronously
  Customers can only read from disk space they have written to
Disk Handling:
  Wiping is NIST 800-88 compliant
  Defective disks are destroyed at the datacenter
Privacy by design
  Privacy by Design: privacy controls are built into Azure design and operations
  Restricted data access & use: customer data is only used to provide the service and is never used for advertising
  Contractual commitments: Data Processing Agreements, EU Model Clauses, HIPAA BAA
Contractual commitments
EU Data Privacy Approval:
  Microsoft meets the high bar for protecting the privacy of EU customer data
  Microsoft offers customers EU Model Clauses for transfer of personal data across international borders
  Microsoft's approach was approved by the Article 29 committee of EU data protection authorities, the first company & cloud vendor to obtain this
Broad contractual scope:
  Microsoft makes strong contractual commitments to safeguard customer data covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
  Enterprise cloud-service specific privacy protections benefit every industry & region
Privacy
"Our vision is to be the national leader in patient-centered e-healthcare. Using Windows Azure as our delivery system provides us with a level of trust and reliability that makes this possible."
Simplified compliance
  Information security standards
  Effective controls
  Government & industry certifications: ISO 27001, SOC 1 Type 2, SOC 2 Type 2, FedRAMP/FISMA, PCI DSS Level 1, UK G-Cloud
Certifications & programs
  ISO/IEC 27001: The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard.
  SOC 1 SSAE 16/ISAE 3402: Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls.
  SOC 2: Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality.
  FedRAMP/FISMA: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.
  PCI DSS Level 1: Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).
  UK G-Cloud IL2: In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore.
  HIPAA BAA: To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).
Compliance
"Windows Azure was attractive because it has built-in capabilities for compliance with a wide range of regulations and privacy mandates."
Microsoft commitment
Unified platform for modern business
Trusted by leading companies
Talk to a Microsoft security expert
Explore additional resources:
  Trustworthy Computing Cloud Services: www.microsoft.com/trustedcloud
  Microsoft Trust Center for : http://www.windowsazure.com/en-us/support/trust-center
  Microsoft Security Intelligence Report: http://www.microsoft.com/sir