Hans Bos Microsoft Nederland. hans.bos@microsoft.com




Hans Bos, Microsoft Nederland
Email: hans.bos@microsoft.com
Twitter: @hansbos

Microsoft's Cloud Environment
Software as a Service (SaaS): Consumer and Small Business Services, Enterprise Services, Third-party Hosted Services
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Global Foundation Services: Data Centers, Operations, Global Network, Security

Cloud Security Challenges

Why Should I Trust the Microsoft Cloud?
Proven Track Record: a history of meeting the obligations associated with the delivery of over 200 cloud services
Scale: spreading the cost of robust security and compliance across a large number of customers provides a trusted cloud at lower cost
Security at our Foundation: years of experience through our Trustworthy Computing Initiative

Comprehensive Compliance Framework
INDUSTRY STANDARDS AND REGULATIONS: ISO/IEC 27001:2005, EU Model Clauses, FISMA/NIST 800-53, Sarbanes-Oxley, PCI-DSS, HIPAA, etc.
CONTROLS FRAMEWORK:
- Identify and integrate: regulatory requirements, customer requirements
- Assess and remediate: eliminate or mitigate gaps in control design
PREDICTABLE AUDIT SCHEDULE:
- Test effectiveness and assess risk: attain certifications and attestations
- Improve and optimize: examine the root cause of non-compliance, track until fully remediated
CERTIFICATION AND ATTESTATIONS: ISO/IEC 27001:2005 certification; SSAE 16/ISAE 3402 SOC 1, 2 and 3; PCI DSS certification; FISMA certification and accreditation; and more

Control Framework Domains
DOMAINS STRUCTURE
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development, and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Control Framework Structure
DOMAINS STRUCTURE: 64 Policy Objectives, 600 Unique Control Activities
Recorded for each control: Audit Requirements, Control Owner, Documents/Records, Testing Procedures, Cost Data, Historical Health Data, Importance Data, Maturity Data

Rationalized Requirements Example: Awareness Training
CONTROL OBJECTIVE: Security awareness training for all employees, contractors, and third-party users must be provided:
- when granted access to resources
- when organizational policies and procedures change
Trainees will be expected to understand these policies and procedures as they relate to their relevant job function and the protection of sensitive information.
Requirements rationalized into this one objective: ISO/IEC 27001:2005 A.5.2.2; SOX COBIT DS7; HIPAA 164.530.b.1; PCI-DSS version 1.2 12.6.1
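The rationalization shown on this slide (one control objective mapped to clauses in several standards) and the "assess and remediate" / "test effectiveness" steps of the Comprehensive Compliance Framework slide are easy to mechanize. The script below is an added example, not code from the deck or from Microsoft: it models the awareness-training objective with the four clause references the slide gives, adds one assumed in-scope clause (PCI-DSS v1.2 12.6.2) that no activity covers, and computes design gaps (clauses with no control mapped) and operating-effectiveness gaps (clauses mapped only to controls without a passing test). Activity names, owners and test results are constructed for illustration.

```python
"""Control rationalization: map internal control activities to external clauses,
then find gaps in control design and in operating effectiveness.

Added example, not part of the slide deck. The four clause references for the
awareness-training objective come from the slide; PCI-DSS v1.2 12.6.2, the activity
names, owners and test results are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Clause:
    """One requirement in an external standard or regulation."""
    standard: str
    ref: str


@dataclass(frozen=True)
class ControlActivity:
    """One internal control activity rationalized against external clauses."""
    name: str
    owner: str
    satisfies: FrozenSet[Clause]
    test_passed: Optional[bool] = None  # None: not yet tested in this audit cycle


# Clauses rationalized into the awareness-training objective (from the slide).
ISO_A522 = Clause("ISO/IEC 27001:2005", "A.5.2.2")
COBIT_DS7 = Clause("SOX COBIT", "DS7")
HIPAA_164_530 = Clause("HIPAA", "164.530.b.1")
PCI_1261 = Clause("PCI-DSS version 1.2", "12.6.1")
# Assumed in-scope clause with no mapped activity, so that a design gap shows up.
PCI_1262 = Clause("PCI-DSS version 1.2", "12.6.2")

IN_SCOPE: FrozenSet[Clause] = frozenset(
    {ISO_A522, COBIT_DS7, HIPAA_164_530, PCI_1261, PCI_1262}
)

# Constructed control activities, one per trigger named on the slide.
ACTIVITIES = (
    ControlActivity(
        name="Awareness training when access to resources is granted",
        owner="HR Security",
        satisfies=frozenset({ISO_A522, COBIT_DS7, HIPAA_164_530, PCI_1261}),
        test_passed=True,
    ),
    ControlActivity(
        name="Re-training when policies and procedures change",
        owner="HR Security",
        satisfies=frozenset({ISO_A522, HIPAA_164_530, PCI_1261}),
        test_passed=None,
    ),
)


def coverage(activities: Iterable[ControlActivity],
             in_scope: FrozenSet[Clause]) -> Dict[Clause, List[str]]:
    """Map every in-scope clause to the names of the activities that satisfy it."""
    cov: Dict[Clause, List[str]] = {c: [] for c in in_scope}
    for act in activities:
        for clause in act.satisfies & in_scope:
            cov[clause].append(act.name)
    return cov


def design_gaps(activities, in_scope) -> Set[Clause]:
    """'Assess and remediate' step: in-scope clauses with no control activity mapped."""
    return {c for c, names in coverage(activities, in_scope).items() if not names}


def effectiveness_gaps(activities, in_scope) -> Set[Clause]:
    """'Test effectiveness' step: clauses that are mapped, but only to activities
    without a passing test, so the control exists on paper but is not evidenced."""
    evidenced = {c for act in activities if act.test_passed for c in act.satisfies}
    unevidenced = {c for c in in_scope if c not in evidenced}
    return unevidenced - design_gaps(activities, in_scope)


def untested(activities) -> List[str]:
    """Activities still owed a test this cycle, for the predictable audit schedule."""
    return [act.name for act in activities if act.test_passed is None]


if __name__ == "__main__":
    items = sorted(coverage(ACTIVITIES, IN_SCOPE).items(),
                   key=lambda kv: (kv[0].standard, kv[0].ref))
    for clause, names in items:
        print(f"{clause.standard} {clause.ref}: {', '.join(names) or 'NO CONTROL MAPPED'}")
    print("design gaps:", [f"{c.standard} {c.ref}" for c in design_gaps(ACTIVITIES, IN_SCOPE)])
    print("effectiveness gaps:", [f"{c.standard} {c.ref}" for c in effectiveness_gaps(ACTIVITIES, IN_SCOPE)])
    print("untested:", untested(ACTIVITIES))
```

Run as a script it prints the per-clause coverage and the two gap lists; with the sample data the only design gap is the assumed 12.6.2 clause, there is no effectiveness gap because the onboarding activity already covers the other four clauses with a passing test, and the re-training activity is listed as untested. Separating design gaps from effectiveness gaps matters because the remediation differs: the first needs a new or extended control, the second needs evidence or a root-cause fix for the failed test.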

Defense-in-Depth: Infrastructure Security
Layers: Physical, Network, Identity and Access Management, Host Security, Application, Data

Infrastructure Compliance Capabilities
Cloud Infrastructure Certifications and Attestations (as of January 2013):
- ISO/IEC 27001:2005 Certification
- SSAE 16/ISAE 3402 SOC 1 Type I and Type II
- AT Section 101 SOC 2 and 3 Type I and Type II attestations
- HIPAA/HITECH
- PCI Data Security Standard Certification
- FISMA Certification & Accreditation
- Various State, Federal, and International Privacy Laws (95/46/EC, aka the EU Data Protection Directive; California SB1386; etc.)

Helping You Meet Your Compliance Needs
You are ultimately responsible for ensuring you meet your compliance obligations. Microsoft will share its certifications and audit reports to help you design your compliance program.
Responsibility is split between CLOUD CUSTOMER and CLOUD PROVIDER, and the split shifts with the service model (IaaS, PaaS, SaaS), across these layers: Data Classification and Accountability; Application Level Controls; Operating System Controls; Host Level Controls; Identity and Access Management; Network Controls; Physical Security

Considerations for Choice in Cloud Services Provider
- Require that the provider has attained third-party certifications and audits, e.g. ISO/IEC 27001:2005
- Know the value of your data and processes and the security and compliance obligations you need to meet
- Ensure a clear understanding of security and compliance roles and responsibilities for delivered services
- Consider the ability of vendors to accommodate changing security and compliance requirements
- Ensure data and services can be brought back in house if necessary
- Require transparency in security policies and operations

Choice: Public, Private, Hybrid (from on-premise to cloud services)