Azure Security & Compliance
Lori Woehler, CISSP, CISA
Principal Group Program [email protected]
DCIM-B221
Session Goals
• Understand how Azure security & compliance helps you and your organization meet obligations
• Define the Azure security and compliance boundaries and responsibilities
• Take away some new resources and approaches that can make it easier to execute your security and compliance responsibilities
Related content
Breakout Sessions of interest
• DCIM B385 Security & Microsoft Azure IaaS
• DCIM B387 Data Protection in Microsoft Azure
• DCIM B422 ExpressRoute: Connecting Private and Public Clouds through Exchange Providers
• WIN B335 Making Sense of the Microsoft Information Protection Stack
• DCIM B214 Azure Architectural Patterns
• DCIM B301 Leveraging Your On-Prem Directory Infrastructure to Manage Your Azure AD Identities
• DCIM B386 MarkRu on Cloud Computing
• DCIM B306 Public Cloud Security
Find Me Later At . . . Ask the Experts, Halls AB, 6:30-8:30
Track resources
• Microsoft Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/
• Security Best Practices for Developing Azure Solutions
• Audit Reports, Certifications and Attestations
• Windows Azure Security Technical Insights
Resources
• Learning: Microsoft Certification & Training Resources (www.microsoft.com/learning)
• msdn: Resources for Developers (http://microsoft.com/msdn)
• TechNet: Resources for IT Professionals (http://microsoft.com/technet)
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Enter to Win a Callaway Golf Set & Big Bertha Driver: Stop by the Azure booth and enter for a daily drawing to win a Callaway Strata Plus Men’s 18-piece golf set AND a Big Bertha 2014 driver.
Drive your business forward with Microsoft Azure
Microsoft Azure
• 430B+ Microsoft Azure AD authentications
• 280% year-over-year database growth in Microsoft Azure
• 50% of Fortune 500 use Microsoft Azure
Economics
• $25,000 in the cloud would cost $100,000 on premises (Microsoft Azure BI Team, STMG Proof Points Central)
Scale
• Scale from 30,000 to 250,000 site visitors instantly (Case Study: Autocosmos)
Speed
• 2 weeks to deliver new services vs. 6-12 months with traditional solution (Case Study: HarperCollins Publishers)
Technology trends: driving cloud adoption
Cloud Trend: 70% of CIOs will embrace a cloud-first strategy in 2016 (IDC CIO Agenda webinar)

AZURE ADOPTION BENEFITS
Pre-adoption concern
• 60% cited concerns around data security as a barrier to adoption
• 45% concerned that the cloud would result in a lack of data control
Benefits realized
• 94% experienced security benefits they didn’t previously have on-premise
• 62% said privacy protection increased as a result of moving to the cloud
Cloud innovation: OPPORTUNITY FOR SECURITY & COMPLIANCE BENEFITS
SECURITY
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data
PRIVACY
COMPLIANCE
Source: Barriers to Cloud Adoption study, ComScore, September 2013
Trustworthy foundation: BUILT ON MICROSOFT EXPERIENCE AND INNOVATION
Timeline 1989 1995 2000 2005 2010
Milestones shown on the slide:
• 1st Microsoft Data Center
• Active Directory
• Windows Update
• Trustworthy Computing Initiative
• Security Development Lifecycle
• Microsoft Security Response Center
• Malware Protection Center
• Digital Crimes Unit
• Global Data Center Services
• Operations Security Assurance
• 20+ Data Centers
Certifications and attestations on the timeline: SOC 1, SOC 2, CSA Cloud Controls Matrix, PCI DSS Level 1, FedRAMP/FISMA, UK G-Cloud Level 2, ISO/IEC 27001:2005, HIPAA/HITECH, E.U. Data Protection Directive
Timeline callouts:
• 20+ Data Centers: Operating Microsoft Azure in 8 data centers around the world
• Security Centers of Excellence: Protecting Microsoft customers by combatting evolving threats
• Digital Crimes Unit: Using legal and technical expertise to disrupt the way cybercriminals operate
• Compliance Standards: Investing heavily in robust compliance processes, including ISO 27001, FedRAMP, and HIPAA
Unified platform for modern business
Global Physical Infrastructure: servers / network / datacenters
Regions: N Central US, S Central US, N Europe, W Europe, E Asia, SE Asia + 24 Edge CDN Locations
Services: Compute, Data Services, Network Services, App Services
Characteristics: Automated, Managed Resources, Elastic, Usage Based
Microsoft commitment
• Enhance Security
• Protect Privacy
• Simplify Compliance
Simplified compliance
Information security standards, effective controls, and government & industry certifications:
• ISO 27001:5
• NIST 800-53
• SOC 1 Type 2
• SOC 2 Type 2
• FedRAMP/FISMA
• PCI DSS Level 1
• UK G-Cloud
• US-EU Safe Harbor
Security Compliance Framework
Drivers: Business Objectives; Industry Standards & Regulations
Components: Security compliance strategy; Security analytics; Risk management best practices; Security benchmark analysis; Test and audit
• Security goals set in context of business and industry requirements
• Security analytics & best practices deployed to detect and respond to threats
• Benchmarked to a high bar of certifications and accreditations to ensure compliance
• Continual monitoring, test and audit
Output: Certificates and Attestations
Certifications & programs (Program: Description)
• ISO/IEC 27001: Internationally recognized information security standard, broadly accepted outside the U.S.
• PCI DSS Level 1: Information security standard designed to prevent fraud through controls around credit card data
• UK G-Cloud IL2: ‘Protect’ level of security for data processing, storage and transmission by UK public sector organizations, including local and regional government
• SSAE 16 / ISAE 3402: Accounting standard relied upon as the authoritative guidance for reporting on service organizations (SOC 1, SOC 2, SOC 3)
• FedRAMP/FISMA: U.S. Federal law enacted in 2002, based on the NIST 800 series, 18 control domains, with in-depth audit; applies to all U.S. Federal agencies
Contractual commitments
Broad contractual scope
• Microsoft makes strong contractual commitments to safeguard customer data covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
• Enterprise cloud-service specific privacy protections benefit every industry & region
EU Data Privacy Approval
• Microsoft meets a high bar for protecting the privacy of EU customer data
• EU Data Privacy approval allows Microsoft to transfer personal data across international borders
• Only Microsoft is jointly approved by EU Article 29
Shared responsibility: REDUCE SECURITY COSTS + MAINTAIN FLEXIBILITY, ACCESS, & CONTROL
Who manages each layer of the stack (Customer vs. Microsoft), by deployment model:

Layer          | On-Premises | IaaS      | PaaS      | SaaS
Data           | Customer    | Customer  | Customer  | Microsoft
Applications   | Customer    | Customer  | Customer  | Microsoft
Runtime        | Customer    | Customer  | Microsoft | Microsoft
Middleware     | Customer    | Customer  | Microsoft | Microsoft
O/S            | Customer    | Customer  | Microsoft | Microsoft
Virtualization | Customer    | Microsoft | Microsoft | Microsoft
Servers        | Customer    | Microsoft | Microsoft | Microsoft
Storage        | Customer    | Microsoft | Microsoft | Microsoft
Networking     | Customer    | Microsoft | Microsoft | Microsoft
Important Things to Know about Azure Security & Compliance to Help You Meet Your Own Security & Compliance Obligations

PaaS Customer Responsibilities
• Access Control
• Data Protection
• Geolocation
• Data Classification and Handling
• Privacy and Data Regulatory Compliance
• Logging & Monitoring Access and Data Protection
• ISMS Programmatic Controls
• Certifications, Accreditations and Audits

IaaS Customer Responsibilities
• Application Security & SDL
• Access Control
• Data Protection
• O/S Baselines, Patching, AV, Vulnerability Scanning
• Penetration Testing
• Logging, Monitoring, Incident Response
• ISMS Programmatic Controls
• Certifications, Accreditations & Audits
Compliance Cheat Sheet
Plan each step across RESOURCES, PRIORITIES, DELIVERABLES and TIMELINES:
• Identify Your Organization’s Obligations and Responsibilities: ISO 27001:5, NIST 800-53, FedRAMP, SSAE 16 (SOC 1, SOC 2), PCI, HIPAA, EUMC and numerous others
• Adopt a Standard Control Set: Cross-referenced, extensible
• Establish Policies and Standards: Aligned to controls and lifecycle
• Document System(s) in Scope: Physical datacenters, Network, Infrastructure, Services and Components
• Develop narratives for each control: Hundreds++
• Test Control Design & Execution: Standardization and centralization to scale and drive best practices
• Identify Exceptions and Issues: Strive for excellence and drive continuous improvement
• Determine Risk Exposure: Not everything is critical and high risk
• Define Remediation Goals and Plans: Time, Quality, Effort
• Monitor the System: Define metrics, targets, decisions and performance indicators
• Report on Compliance Status: Map to obligations, responsibilities, asks and decisions
Most Frequently Asked Questions*
• Is Azure PCI Compliant? Will My CDE Be PCI Compliant on Azure?
• Can ____ audit Azure?
• Can we have your pen test reports?
• Will you fill out this 500 question survey?
• Why isn’t Azure ____ compliant?
• What do admins do in Azure?
• What is a hypervisor and what is its role?
• What will Azure provide if we have a security incident?
• How does Azure use my data and will you turn over my data at the request of governments or law enforcement?
Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD

For More Information
• Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
• Microsoft Azure: http://azure.microsoft.com/en-us/
• System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
• Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.