Azure Security & Compliance (session DCIM-B221): understand how Azure security & compliance helps you and your organization meet obligations. Presenter: Lori Woehler, CISSP, CISA, Principal Group Program Manager, LoriWo@Microsoft.com.
Azure Security & Compliance
Lori Woehler, CISSP, CISA
Principal Group Program Manager, LoriWo@Microsoft.com
DCIM-B221
Session goals
Understand how Azure security & compliance helps you and your organization meet obligations
Define the Azure security and compliance boundaries and responsibilities
Take away some new resources and approaches that can make it easier to execute your security and compliance responsibilities
Related content
Breakout sessions of interest:
DCIM-B385 Security & Microsoft Azure IaaS
DCIM-B387 Data Protection in Microsoft Azure
DCIM-B422 ExpressRoute: Connecting Private and Public Clouds through Exchange Providers
WIN-B335 Making Sense of the Microsoft Information Protection Stack
DCIM-B214 Azure Architectural Patterns
DCIM-B301 Leveraging Your On-Prem Directory Infrastructure to Manage Your Azure AD Identities
DCIM-B386 MarkRu on Cloud Computing
DCIM-B306 Public Cloud Security
Find me later at Ask the Experts, Halls AB, 6:30-8:30
Track resources
Microsoft Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/
Security Best Practices for Developing Azure Solutions
Audit Reports, Certifications and Attestations
Windows Azure Security Technical Insights
Resources
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
MSDN: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Complete an evaluation and enter to win!
Evaluate this session: scan the QR code on the slide to evaluate this session.
Enter to win a Callaway golf set & Big Bertha driver: stop by the Azure booth and enter the daily drawing for a Callaway Strata Plus Men's 18-piece golf set and a Big Bertha 2014 driver. Drive your business forward with Microsoft Azure.
Azure adoption: benefits
Scale: scale from 30,000 to 250,000 site visitors instantly (Case Study: Autocosmos)
Economics: $25,000 in the cloud would cost $100,000 on premises (Microsoft Azure BI Team, STMG Proof Points Central)
Speed: 2 weeks to deliver new services vs. 6-12 months with a traditional solution (Case Study: HarperCollins Publishers)
Technology trends driving cloud adoption: 430B+ Microsoft Azure AD authentications; 280% year-over-year database growth in Microsoft Azure; 50% of Fortune 500 use Microsoft Azure
Cloud trend: 70% of CIOs will embrace a cloud-first strategy in 2016 (IDC CIO Agenda webinar)
Cloud innovation: an opportunity for security & compliance
Pre-adoption concerns: 60% cited concerns around data security as a barrier to adoption; 45% were concerned that the cloud would result in a lack of data control
Benefits realized: 94% experienced security benefits they did not previously have on-premises; 62% said privacy protection increased as a result of moving to the cloud
Benefit areas shown on the slide: Security (design/operation, infrastructure, network, identity/access, data), Privacy, Compliance
Source: Barriers to Cloud Adoption study, comScore, September 2013
Trustworthy foundation: built on Microsoft experience and innovation
Timeline (axis from 1989 to 2010 and beyond), milestones in the order shown: 1st Microsoft data center; Windows Update; Active Directory; Trustworthy Computing Initiative; Security Development Lifecycle; Global Data Center Services; Malware Protection Center; Microsoft Security Response Center; Digital Crimes Unit; Operations Security Assurance
Certifications and attestations on the timeline: SOC 1, SOC 2, CSA Cloud Controls Matrix, PCI DSS Level 1, FedRAMP/FISMA, UK G-Cloud Level 2, ISO/IEC 27001:2005, HIPAA/HITECH, E.U. Data Protection Directive
20+ data centers: operating Microsoft Azure in 8 data centers around the world
Security centers of excellence: protecting Microsoft customers by combatting evolving threats
Digital Crimes Unit: using legal and technical expertise to disrupt the way cybercriminals operate
Compliance standards: investing heavily in robust compliance processes, including ISO 27001, FedRAMP, and HIPAA
Microsoft Azure: unified platform for modern business
Global physical infrastructure: servers / network / datacenters
Regions: N Central US, S Central US, N Europe, W Europe, E Asia, SE Asia + 24 Edge CDN locations
Service layers: Compute, Data Services, Network Services, App Services
Characteristics: automated, managed resources, elastic, usage based
Unified platform for modern business: the Microsoft commitment
Enhance security
Protect privacy
Simplify compliance
Simplified compliance
Information security standards: ISO 27001:2005, NIST 800-53
Effective controls, government & industry certifications: SOC 1 Type 2, SOC 2 Type 2, FedRAMP/FISMA, PCI DSS Level 1, UK G-Cloud, US-EU Safe Harbor
Security compliance framework
Inputs: business objectives; industry standards & regulations; certificates and attestations
Security compliance strategy: security goals set in the context of business and industry requirements
Security analytics and risk management best practices: security analytics & best practices deployed to detect and respond to threats
Security benchmark analysis: benchmarked to a high bar of certifications and accreditations to ensure compliance
Test and audit: continual monitoring, test and audit
Certifications & programs
Program: Description
ISO/IEC 27001: Internationally recognized information security standard, broadly accepted outside the U.S.
PCI DSS Level 1: Information security standard designed to prevent fraud through controls around credit card data; Level 1 requires an annual on-site assessment by a Qualified Security Assessor
UK G-Cloud IL2: 'Protect' level of security for data processing, storage and transmission by UK public sector organizations, including local and regional government
SSAE 16 / ISAE 3402: U.S. and international attestation standards relied upon as the authoritative guidance for reporting on controls at service organizations; SSAE 16 is the basis of the SOC 1 report, with SOC 2 and SOC 3 as the related control reports
FedRAMP / FISMA: FISMA is a U.S. Federal law enacted in 2002 that applies to all U.S. Federal agencies; its controls come from the NIST 800 series (NIST 800-53, 18 control families) and are verified by in-depth audit. FedRAMP is the government-wide program that applies those controls to cloud service providers
Broad contractual scope
Contractual commitments: Microsoft makes strong contractual commitments to safeguard customer data, covered by the HIPAA BAA, the Data Processing Agreement, & the E.U. Model Clauses; enterprise cloud-service specific privacy protections benefit every industry & region
EU data privacy approval: Microsoft meets a high bar for protecting the privacy of EU customer data; EU data privacy approval allows Microsoft to transfer personal data across international borders; only Microsoft's commitments are jointly approved by the EU Article 29 Working Party
Shared responsibility: reduce security costs while maintaining flexibility, access & control
Who operates each layer (layer ownership as in the standard stack diagram the slide reproduces):
Layer           On-Premises   IaaS        PaaS        SaaS
Applications    Customer      Customer    Customer    Microsoft
Data            Customer      Customer    Customer    Microsoft
Runtime         Customer      Customer    Microsoft   Microsoft
Middleware      Customer      Customer    Microsoft   Microsoft
O/S             Customer      Customer    Microsoft   Microsoft
Virtualization  Customer      Microsoft   Microsoft   Microsoft
Servers         Customer      Microsoft   Microsoft   Microsoft
Storage         Customer      Microsoft   Microsoft   Microsoft
Networking      Customer      Microsoft   Microsoft   Microsoft
Operating a layer is not the same as owning the obligation: whatever the model, the customer keeps responsibility for classifying its data, controlling who may access it, and meeting its own regulatory obligations, as the PaaS and IaaS responsibility slides that follow spell out.
PaaS customers: important things to know about Azure security & compliance to help you meet your own security & compliance obligations
PaaS customer responsibilities:
Access control
Data protection
Geolocation
Data classification and handling
Privacy and data regulatory compliance
Logging & monitoring of access and data protection
ISMS programmatic controls
Certifications, accreditations and audits
IaaS customers: important things to know about Azure security & compliance to help you meet your own security & compliance obligations
IaaS customer responsibilities:
Application security & SDL
Access control
Data protection
O/S baselines, patching, AV, vulnerability scanning
Penetration testing
Logging, monitoring, incident response
ISMS programmatic controls
Certifications, accreditations & audits
Compliance cheat sheet
Identify your organization's obligations and responsibilities: ISO 27001:2005, NIST 800-53, FedRAMP, SSAE 16 (SOC 1, SOC 2), PCI, HIPAA, E.U. Model Clauses and numerous others
Adopt a standard control set: cross-referenced, extensible
Establish policies and standards: aligned to controls and lifecycle
Document system(s) in scope: physical datacenters, network, infrastructure, services and components
Develop narratives for each control: hundreds++
Test control design & execution: standardization and centralization to scale and drive best practices
Identify exceptions and issues: strive for excellence and drive continuous improvement
Determine risk exposure: not everything is critical and high risk
Define remediation goals and plans: time, quality, effort
Monitor the system: define metrics, targets, decisions and performance indicators
Report on compliance status: map to obligations, responsibilities, asks and decisions
Plan along four axes: resources, priorities, deliverables, timelines
Most frequently asked questions*
Is Azure PCI compliant? Will my CDE be PCI compliant on Azure?
Can ____ audit Azure?
Can we have your pen test reports?
Will you fill out this 500 question survey?
Why isn't Azure ____ compliant?
What do admins do in Azure?
What is a hypervisor and what is its role?
What will Azure provide if we have a security incident?
How does Azure use my data, and will you turn over my data at the request of governments or law enforcement?
Come visit us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD
For more information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.