Compliance, Security and Trust
Patrick Hynds, Microsoft Regional Director, CEO of DTS, Inc.
Duane Laflotte, CTO of Criticalsites
Microsoft’s Commitment: Security, Privacy, Compliance
www.windowsazure.com/trustcenter/
Comprehensive compliance framework
Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, GLBA, FFIEC, etc.
Controls Framework
• Identify and integrate regulatory requirements and customer requirements
• Assess and remediate: eliminate or mitigate gaps in control design
Predictable Audit Schedule
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize: examine root cause of non-compliance and track until fully remediated
Certifications and Attestations
• ISO/IEC 27001:2005 certification
• SOC 1 and SOC 2 attestations
• HIPAA Business Associate Agreement
• FISMA authorization
• And more
Datacenter infrastructure compliance
* 95/46/EC (aka EU Data Protection Directive); California SB1386; etc.
Windows Azure compliance programs
• ISO 27001
• SSAE 16 (SOC 1 Type 2)
• SOC 2 Type 2 (in process)
• CSA Cloud Control Matrix
• EU Model Clauses
• UK Government accreditation for IL 2 data
• HIPAA Business Associate Agreement (BAA)
• FISMA/FedRAMP authorization (in process)
Statement on Customer Privacy
On June 6, media outlets including the Washington Post and Guardian began reporting allegations that the United States National Security Agency (NSA) is collecting customer communications data from major technology companies, including Microsoft. Microsoft issued the following statement about the company’s alleged involvement in these activities:
REDMOND, Wash., June 6, 2013 - We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.
Privacy http://www.windowsazure.com/en-us/support/legal/privacy-statement/
Shades of Cloud – Risk Allocation
Who manages each layer of the stack (Customer or Vendor), by delivery model:

Layer            On Premises   Infrastructure (as a Service)   Platform (as a Service)   Software (as a Service)
Applications     Customer      Customer                        Customer                  Vendor
Data             Customer      Customer                        Customer                  Vendor
Runtime          Customer      Customer                        Vendor                    Vendor
Middleware       Customer      Customer                        Vendor                    Vendor
O/S              Customer      Customer                        Vendor                    Vendor
Virtualization   Customer      Vendor                          Vendor                    Vendor
Servers          Customer      Vendor                          Vendor                    Vendor
Storage          Customer      Vendor                          Vendor                    Vendor
Networking       Customer      Vendor                          Vendor                    Vendor
Defense-in-depth
• Physical
• Network
• Identity and Access Management
• Host Security
• Application
• Data
10 Things to Know About Azure Security: http://technet.microsoft.com/en-us/cloud/gg663906.aspx
Data Center Security
World-Class Security, layered across Perimeter, Building and Computer room, with Extensive Monitoring:
• Barriers and fencing
• Cameras
• Security patrols
• Alarms
• Two-factor access control
• Biometric readers
• Card readers
• Security operations center
Network
• Isolated from Microsoft corpnet
• VLANs and packet filters in routers
• Host boundary protection
• DDoS protection
• Penetration testing
• Monitoring and logging
• Security incidents and breach notification
Identity and access (Windows Azure customer support personnel)
• Access control requirements established by Windows Azure Security Policy
• No access to customer data by default
• No user / administrator accounts on VMs
• Monitoring and logging when local accounts are created on VMs
• Access to PaaS VMs is highly restricted
• Most common authorization is based on customer troubleshooting request
• Full incident monitoring and logging
• Temporary accounts for limited duration and 2FA enforced
• Access to IaaS VMs is not possible
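The slide above describes a just-in-time access model for support staff: no standing accounts, time-boxed temporary accounts tied to a troubleshooting request, and logging whenever a local account is created. The following audit check is an added illustration, not code from the deck or from Microsoft; it runs over constructed Windows Security events (4720 account created, 4732 added to local group, 4726 account deleted) and a hypothetical list of approved, time-boxed requests, and flags account activity that falls outside that policy.

```python
import json
from datetime import datetime, timezone

# Constructed sample of Windows Security events exported as JSON lines (not real
# Azure telemetry): 4720 = user account created, 4732 = member added to a
# security-enabled local group, 4726 = user account deleted.
SAMPLE_EVENTS = """\
{"time":"2013-06-10T14:02:11Z","id":4720,"host":"vm-web-01","actor":"ops-jit-17","target":"support_tmp01"}
{"time":"2013-06-10T14:02:15Z","id":4732,"host":"vm-web-01","actor":"ops-jit-17","target":"support_tmp01","group":"Administrators"}
{"time":"2013-06-10T16:01:40Z","id":4726,"host":"vm-web-01","actor":"ops-jit-17","target":"support_tmp01"}
{"time":"2013-06-11T03:15:02Z","id":4720,"host":"vm-web-02","actor":"deploysvc","target":"svc_temp"}
{"time":"2013-06-11T03:15:05Z","id":4732,"host":"vm-web-02","actor":"deploysvc","target":"svc_temp","group":"Administrators"}
{"time":"2013-06-11T09:00:00Z","id":4720,"host":"vm-web-03","actor":"ops-jit-22","target":"support_tmp02"}
"""

# Hypothetical record of approved troubleshooting requests: each grants one
# temporary local account on one host until a fixed expiry time.
APPROVALS = [
    {"host": "vm-web-01", "account": "support_tmp01", "ticket": "SR-17", "expires": "2013-06-10T18:00:00Z"},
    {"host": "vm-web-03", "account": "support_tmp02", "ticket": "SR-22", "expires": "2013-06-11T11:00:00Z"},
]


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_local_accounts(events_text, approvals, now):
    """Return (finding, host, account, detail) tuples for policy violations."""
    approved = {(a["host"], a["account"]): a for a in approvals}
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    deleted = {(e["host"], e["target"]) for e in events if e["id"] == 4726}
    findings = []
    for e in events:
        key = (e["host"], e["target"])
        if e["id"] == 4720 and key not in approved:
            # Local account created with no matching troubleshooting request.
            findings.append(("UNAPPROVED_ACCOUNT", e["host"], e["target"], e["actor"]))
        elif e["id"] == 4732 and key not in approved:
            # Group membership granted to an account nobody approved.
            findings.append(("UNAPPROVED_GROUP_ADD", e["host"], e["target"], e["group"]))
        elif e["id"] == 4720 and key not in deleted and now > parse_time(approved[key]["expires"]):
            # Approved temporary account outlived its window and was never removed.
            findings.append(("EXPIRED_NOT_REMOVED", e["host"], e["target"], approved[key]["ticket"]))
    return findings


if __name__ == "__main__":
    for finding in audit_local_accounts(SAMPLE_EVENTS, APPROVALS, parse_time("2013-06-11T12:00:00Z")):
        print(finding)
```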
Host
• Stripped-down version of Win 2012
• No drivers except approved ones, no graphics modules
• Network connectivity restricted using host firewall
• Host boundaries enforced by the hypervisor
• All Guest VM access to network and disk is mediated by the Root VM (via the Hypervisor)
• When VMs are provisioned, they are cloned from known configs
• PaaS images managed and updated by Microsoft
• With IaaS, customers can bring their own images (and manage them)
• Patch management
• Support lifecycle policy
[Diagram: Root VM and Guest VMs running on the Hypervisor, which mediates access to Network / Disk]
Application
• Security Best Practices for Developing Windows Azure Applications
• Windows Azure does not inspect, approve, or monitor customer applications
• Customer application and storage account logging and monitoring
• Anti-malware scanning for customer applications
• Protection against external attacks, including third-party options
• Disaster recovery and business continuity
• Forensic investigations
Data
• Redundant storage: locally redundant storage and geo-replication
• Storage accounts and keys
• Data backup
• Data deletion and destruction
• Windows Azure data cleansing and leakage
• Data encryption (in transit, at rest)
Geographic regions for customer data
• Asia: East (Hong Kong); Japan East and West; Southeast (Singapore)
• Europe: North (Ireland); West (Netherlands)
• United States: North Central (Illinois); South Central (Texas); East (Virginia); West (California)
AtmanCo
Situation:
• Maker of personality tests for potential employees
• Needed to scale to handle 5K to 10K tests at a time to avoid turning down business
• Potential French customer needed servers hosted in Europe
• Management of servers under IaaS model burdensome
Solution:
• Azure VMs and Web Sites provided scale and flexibility
MYOB
Situation:
• Offers AccountRight, which streamlines and automates business processes for small businesses and accountants
• Needed mobile support and offline support
Solution:
• AccountRight Live launched as an Azure hosted offering that synced with the existing desktop suite
• Provides an API that lets almost 600 external developers build a solid ecosystem
NTP Software
Situation:
• NTP Software Universal File Access provides mobile and web interfaces that allow enterprise clients to provide access to file data selectively and securely
• Needed to integrate with the client’s on-premises storage system while letting them preserve security
Solution:
• Integrates with the client’s Windows Azure account to leverage larger organization discounts for volume and minimize impact on primary storage systems
Sangkuriang Internasional
Situation:
• Built a secure instant messaging service (EMASS) and wanted to not be in the service provider business
• Needed to adapt to the mobile-centric reality of Indonesian society to stay competitive
• Platform needed to support a wide range of technology
Solution:
• EMASS deployed as 15 cloud apps running on Azure based virtual machines
Summit Data Corp
Situation:
• Wanted to tap into the growing fitness market
• Needed a platform that supported high scalability (hundreds of thousands of users)
• Required a platform that would keep innovating and not stagnate
Solution:
• Active Fitness leverages Windows Azure Mobile Services to support hundreds of thousands of users
Call To Action
• The time is right for ISVs to break out of their normal confines by leveraging Azure and its many capabilities
• Azure has matured to enable many, varied options
• If you do not seize the opportunity, someone else in your space will!