Windows AzureSecurity and ComplianceStevan VidichDirector, Windows Azure MarketingMicrosoft
WS-B334
Windows Azure Trust Centerhttp://www.windowsazure.com/trustcenter/
Security
Privacy
Compliance
Microsoft experience and credentials
Trustworthy ComputingInitiative (TwC)
BillG Memo
Microsoft Security Engineering
Center/Security Development
Lifecycle
Global Foundation
Services (GFS)
Malware Protection
Center
Microsoft SecurityResponse Center
(MSRC)
Windows Update
1st Microsoft Data Center
1989 1995 2000 2005 2010
ActiveDirectory
Trustworthy Computing Security CentersProtecting Microsoft customers throughout the entire life cycle(in development, deployment, and operations)
Conception
Release
Product Life Cycle
Microsoft Security
Engineering Center (MSEC)
SDL
Security Science
Microsoft Security
Response Center(MSRC)
Microsoft Malware
Protection Center (MMPC)
Datacenter infrastructure compliance
ISO / IEC 27001:2005 certification
SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestationSOC 2 Type 2 and SOC 3 (AT 101) attestations
HIPAA / HITECH Act
PCI Data Security Standard validation
FISMA authorization
Various state, federal, and international privacy laws (95/46/EC—aka EU Data Protection Directive; California SB1386; etc.)
Public cloud – shared responsibilityOn Premises
Storage
Servers
Networking
O/S
Middleware
Virtualization
Data
Applications
Runtime
Infrastructure(as a Service)
Storage
Servers
Networking
O/S
Middleware
Virtualization
Data
Applications
Runtime
Platform(as a Service)
Storage
Servers
Networking
O/S
Middleware
Virtualization
Applications
Runtime
Data
Software(as a Service)
Storage
Servers
Networking
O/S
Middleware
Virtualization
Applications
Runtime
Data
Customer
Vendor
Managed by:
Defense-in-depth
Identityand Access Manageme
nt
Host Security Application DataNetworkPhysical
10 Things to Know About Azure Securityhttp://technet.microsoft.com/en-us/cloud/gg663906.aspx
Data center security• Cameras
• Security patrols
• Barriers
• Fencing
• Cameras
• Security patrols
• Alarms
• Two-factor access control• Biometric readers• Card readers
• Security operations center
Extensive Monitoring
BuildingPerimeter Computer room
• Cameras
• Security patrols
• Alarms
• Two-factor access control• Biometric readers• Card readers
World-ClassSecurity
NetworkIsolated from Microsoft corpnetVLANs and packet filters in routersHost boundary protectionDDoS protectionPenetration testingMonitoring and loggingSecurity incidents and breach notification
Identity and accessWindows Azure customer support personnelAccess control requirements established by Windows Azure Security PolicyNo access to customer data by defaultNo user / administrator accounts on VMsMonitoring and logging when local accounts are created on VMs
Access to PaaS VMs is highly restrictedMost common authorization is based on customer troubleshooting requestFull incident monitoring and loggingTemporary accounts for limited duration and 2FA enforced
Access to IaaS VMs is not possible
HostStripped-down version of Windows ServerNo drivers except approved ones, no graphics modulesNetwork connectivity restricted using host firewall
Host boundaries enforced by external hypervisor based on Hyper-VAll Guest access to network and disk is mediated by Root VM (via the Hypervisor)When VMs are provisioned, they are cloned from limited number of known configurationsPaaS images managed and updated by MicrosoftWith IaaS, customers can bring their own images (and manage them)
Patch managementSupport lifecycle policy
Gue
st V
M
Gue
st V
M
Gue
st V
M
Gue
st V
M
Roo
t VM
Hypervisor
Network / Disk
ApplicationSecurity Best Practices for Developing Windows Azure ApplicationsWindows Azure does not inspect, approve, or monitor customer applicationsCustomer application and storage account logging and monitoringAnti-malware scanning for customer applicationsProtection against external attacks, including third-party optionsDisaster recovery and business continuityForensic investigations
DataRedundant storageLocally redundant storageGeo-replication
Storage accounts and keysData backupData deletion and destructionWindows Azure data cleansing and leakageData encryption (in transit, at rest)
Privacy
http://www.windowsazure.com/en-us/support/legal/privacy-statement/
Geographic regions for customer dataAsiaEast (Hong Kong)Southeast (Singapore)
EuropeNorth (Ireland)West (Netherlands)
United StatesNorth Central (Illinois)South Central (Texas)East (Virginia)West (California)
Comprehensive compliance framework
• ISO/IEC 27001:2005 certification• SOC 1 and SOC 2 attestations
Certifications and Attestations
Predictable Audit Schedule
• Test effectiveness and assess risk• Attain certifications and
attestations• Improve and optimize• Examine root cause of non-
compliance• Track until fully remediated
Controls Framework
• Identify and integrate• Regulatory requirements• Customer requirements
• Assess and remediate • Eliminate or mitigate gaps in control
design
• Payment Card Industry Data Security Standard • Health Insurance Portability and Accountability Act
Industry Standards and Regulations
• Media Ratings Council • Sarbanes-Oxley, GLBA, FFIEC,
etc.
• HIPAA Business Associate Agreement• FISMA authorization• And more
Windows Azure compliance programsISO 27001SSAE 16 (SOC 1 Type 2)SOC 2 Type 2 (in process)CSA Cloud Control MatrixEU Model ClausesUK Government accreditation for IL 2 dataHIPAA Business Associate Agreement (BAA)FISMA / FedRAMP authorization (in process)
FISMA ISO
HIPAA
SSAE
Windows Azure Trust Centerhttp://www.windowsazure.com/trustcenter/
Security
Privacy
Compliance
Evaluation
Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.
We want to hear from you!
Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.