Large Scale Technology Trends
Transforming access to people and information

Mobile
• By 2016, smartphones and tablets will put power in the pockets of a billion global consumers
• The world’s mobile worker population will reach 1.3 billion, over 37% of the total workforce by 2015

Social
• Millennials will make up 75% of the American workforce by 2025
• 65% of companies are deploying at least one social software tool.

Cloud
• Over 80% of new apps will be distributed or deployed on clouds in 2012.
• 70% of organizations are either using or investigating cloud computing solutions

Big Data
• Digital content will grow to 2.7ZB in 2012, up 48% from 2011, rocketing toward 8ZB by 2015.
• 80% growth of unstructured data is predicted over the next five years.

Complex Challenges
Driving need for new security approach
• Malicious software
• Targeted attacks
• Data theft & insider leaks
• Cyber terrorism & hacktivism
• Organized Crime Groups
• Nation States
• Terrorist Groups
• Individual
[Figure: statistics on the global cost of computer crime and on stolen or compromised email addresses, files, user accounts, credit card accounts and records; the values are not preserved]

Strong Tension Today
Between business innovation and cyber security requirements

Specific Concerns We Hear from Customers
• Why should I trust Microsoft’s Cloud?
• What industry audits and security certifications cover the Microsoft Platform?
• If I run my service in your cloud, can I meet my compliance needs?
• How should an enterprise evaluate cloud providers when it comes to security, privacy and compliance?

Why Should I Trust the Microsoft Cloud?
• Proven Track Record: History of meeting obligations associated with the delivery of over 400 cloud services
• Scale: Spreading cost of robust security and compliance across large number of customers provides a trusted cloud at lower cost
• Security at our Foundation: Years of experience through our Trustworthy Computing initiative

Law Enforcement Access
Many nations have laws addressing law enforcement access to cloud service information, to support criminal investigations

Microsoft Response Process: Responding to government demands
• If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so.
• We have never provided any government with customer data from any of our business or government customers for national security purposes (…)
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-togovernment-legal-demands-for-customer-data.aspx
• If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information.
• We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.
• We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data.

Law enforcement request report
• In the first half of 2013, Microsoft disclosed content in response to 2.2% of the total number of law enforcement requests received. Each of those disclosures was in response to a court order or warrant, and the vast majority of those disclosures related to users of our consumer services.
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
• Law enforcement sought information about only a tiny fraction of the millions of end users of our enterprise services, such as Office 365. We received 19 requests for e-mail accounts we host for enterprise customers, seeking information about 48 accounts. We disclosed customer data in response to five of those requests (4 content; 1 only non-content), and in all but one case, we were able to notify the customer. We rejected the request, found no responsive data, or redirected law enforcement to obtain the information from the customer directly in thirteen of those cases. One request is still pending.
• (…) the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France.
• Unfortunately, we are not currently permitted to report detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives) that we may receive

Law enforcement requests from Norwegian Authorities, H1 2013
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/06/14/microsoft-s-u-s-lawenforcement-and-national-security-requests-for-last-half-of-2012.aspx

Microsoft’s Cloud Environment
• Software as a Service (SaaS)
• Consumer and Small Business Services
• Enterprise Services
• Third-party Hosted Services
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Global Foundation Services: Data Centers, Operations, Global Network Security

Microsoft Data Center Scale
Microsoft has more than 10 and less than 100 DCs worldwide
• Locations: Dublin, Chicago, Quincy, Amsterdam, Japan, Boydton, Des Moines, Hong Kong, San Antonio, Singapore
• Multiple global CDN locations
• Quincy, Washington: 27MW, 100% Hydro power
• San Antonio, Texas: 27MW, Recycled water for cooling
• Chicago, Illinois: Up to 60MW, Water side economization, Containers
• Dublin, Ireland: Up to 50MW, Outside air cooling, PODs

"Data Centers have become as vital to the functioning of society as power stations." The Economist

Customer Compliance Needs
• Customers ultimately responsible for ensuring their compliance obligations are met
• Microsoft will share its certifications and audit reports to allow customers to establish reliance

Responsibility (compared across IaaS, PaaS and SaaS; legend: CLOUD CUSTOMER, CLOUD PROVIDER):
• Data Classification and Accountability
• Application Level Controls
• Operating System Controls
• Host Level Controls
• Identity and Access Management
• Network Controls
• Physical Security

Data Classification
What data goes where?

Information Security Management System
• PREDICTABLE AUDIT SCHEDULE
• INFORMATION SECURITY MANAGEMENT FORUM
• RISK MANAGEMENT PROGRAM
• INFORMATION SECURITY POLICY PROGRAM
• COMPLIANCE FRAMEWORK

Test and Audit
• ISO / IEC 27001:2005 certification
• SSAE 16/ISAE 3402 SOC 1
• AT101 SOC 2 and 3
• PCI DSS certification
• FedRAMP P-ATO, FISMA certification and accreditation
• And more …

Infrastructure Compliance Capabilities
• ISO / IEC 27001:2005 Certification
• SSAE 16/ISAE 3402 SOC 1, AT101 SOC 2 and 3
• HIPAA/HITECH
• PCI Data Security Standard Certification
• FedRAMP P-ATO and FISMA Certification & Accreditation
• Various State, Federal, and International Privacy Laws (95/46/EC—aka EU Data Protection Directive; California SB1386; etc.)

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.