Compliance, Security and Trust

Microsoft's Commitment: Security, Privacy, Compliance
www.windowsazure.com/trustcenter/

Comprehensive compliance framework

Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, GLBA, FFIEC, etc.

Controls Framework
Predictable Audit Schedule

Identify and integrate
• Regulatory requirements
• Customer requirements

Assess and remediate
• Test effectiveness and assess risk
• Attain certifications and attestations
• Eliminate or mitigate gaps in control design

Improve and optimize
• Examine root cause of non-compliance
• Track until fully remediated

Certifications and Attestations
• ISO/IEC 27001:2005 certification
• SOC 1 and SOC 2 attestations
• HIPAA Business Associate Agreement
• FISMA authorization
• And more

Datacenter infrastructure compliance
• ISO/IEC 27001:2005 certification
• SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestation
• SOC 2 Type 2 and SOC 3 (AT 101) attestations
• HIPAA / HITECH Act
• PCI Data Security Standard validation
• FISMA authorization
• Various state, federal, and international privacy laws *
* 95/46/EC (aka the EU Data Protection Directive); California SB1386; etc.

Windows Azure compliance programs
• ISO 27001
• SSAE 16 (SOC 1 Type 2)
• SOC 2 Type 2 (in process)
• CSA Cloud Control Matrix
• EU Model Clauses
• UK Government accreditation for IL 2 data
• HIPAA Business Associate Agreement (BAA)
• FISMA/FedRAMP authorization (in process)

Statement on Customer Privacy
On June 6, media outlets including the Washington Post and Guardian began reporting allegations that the United States National Security Agency (NSA) is collecting customer communications data from major technology companies, including Microsoft. Microsoft issued the following statement about the company's alleged involvement in these activities:

REDMOND, Wash., June 6, 2013 - We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition, we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data, we don't participate in it.

Privacy
http://www.windowsazure.com/en-us/support/legal/privacy-statement/

Shades of Cloud: Risk Allocation
Deployment models compared: On Premises; Infrastructure (as a Service); Platform (as a Service); Software (as a Service)
Stack layers shown for each model: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking
(The slide shades each layer by who manages it; legend: Managed by MS)

Defense-in-depth
10 Things to Know About Azure Security
http://technet.microsoft.com/en-us/cloud/gg663906.aspx
Layers: Physical; Network; Identity and Access Management; Host Security; Application; Data

Data Center Security (World-Class Security; Security operations center; Extensive Monitoring)
Perimeter: Cameras; Security patrols; Barriers; Fencing
Building: Cameras; Security patrols; Alarms; Two-factor access control (Biometric readers, Card readers)
Computer room: Cameras; Security patrols; Alarms; Two-factor access control (Biometric readers, Card readers)

Network
• Isolated from Microsoft corpnet
• VLANs and packet filters in routers
• Host boundary protection
• DDoS protection
• Penetration testing
• Monitoring and logging
• Security incidents and breach notification

Identity and access
Windows Azure customer support personnel
• Access control requirements established by Windows Azure Security Policy
• No access to customer data by default
• No user / administrator accounts on VMs
• Monitoring and logging when local accounts are created on VMs
Access to PaaS VMs is highly restricted
• Most common authorization is based on a customer troubleshooting request
• Full incident monitoring and logging
• Temporary accounts for limited duration and 2FA enforced
Access to IaaS VMs is not possible

Host
Stripped-down version of Win 2012
• No drivers except approved ones, no graphics modules
• Network connectivity restricted using host firewall
Host boundaries enforced by the hypervisor
• All Guest access to network and disk is mediated by the Root VM (via the Hypervisor)
When VMs are provisioned, they are cloned from known configs
• PaaS images managed and updated by Microsoft
• With IaaS, customers can bring their own images (and manage them)
Patch management
Support lifecycle policy

Application
• Security Best Practices for Developing Windows Azure Applications
• Windows Azure does not inspect, approve, or monitor customer applications
• Customer application and storage account logging and monitoring
• Anti-malware scanning for customer applications
• Protection against external attacks, including third-party options
• Disaster recovery and business continuity
• Forensic investigations

Data
Redundant storage
• Locally redundant storage
• Geo-replication
Storage accounts and keys
Data backup
Data deletion and destruction
Windows Azure data cleansing and leakage
Data encryption (in transit, at rest)

Geographic regions for customer data
Asia
• East (Hong Kong)
• Southeast (Singapore)
• Japan East and West
Europe
• North (Ireland)
• West (Netherlands)
United States
• North Central (Illinois)
• South Central (Texas)
• East (Virginia)
• West (California)

AtmanCo
Situation:
• Maker of personality tests for potential employees
• Needed to scale to handle 5K to 10K tests at a time to avoid turning down business
• Potential French customer needed servers hosted in Europe
• Management of servers under the IaaS model was burdensome
Solution:
• Azure VMs and Web Sites provided scale and flexibility

MYOB
Situation:
• Offers AccountRight, which streamlines and automates business processes for small businesses and accountants
• Needed mobile support and offline support
Solution:
• AccountRight Live launched as an Azure-hosted offering that synced with the existing desktop suite
• Provides an API that lets almost 600 external developers build a solid ecosystem

NTP Software
Situation:
• NTP Software Universal File Access provides mobile and web interfaces that allow enterprise clients to provide access to file data selectively and securely
• Needed to integrate with the client's on-premises storage system while letting them preserve security
Solution:
• Integrates with the client's Windows Azure account to leverage larger organization discounts for volume and minimize impact on primary storage systems

Sangkuriang Internasional
Situation:
• Built a secure instant messaging service (EMASS) and did not want to be in the service provider business
• Needed to adapt to the mobile-centric reality of Indonesian society to stay competitive
• Platform needed to support a wide range of technology
Solution:
• EMASS deployed as 15 cloud apps running on Azure-based virtual machines

Summit Data Corp
Situation:
• Wanted to tap into the growing fitness market
• Needed a platform that supported high scalability (hundreds of thousands of users)
• Required a platform that would keep innovating and not stagnate
Solution:
• Active Fitness leverages Windows Azure Mobile Services to support hundreds of thousands of users

Call To Action
The time is right for ISVs to break out of their normal confines by leveraging Azure and its many capabilities.
Azure has matured to enable many, varied options.
If you do not seize the opportunity, someone else in your space will!