microsoft strategy to address cloud security v5 1(frddy ton)
Page 1
Cloud Computing: New opportunities, new challenges, new responsibilities
Freddy Tan, CISSP
Chief Security Advisor
Microsoft Asia
Page 2
Agenda
– Openness: Standards, Interoperability, Data portability, Open Government
– Trust: Cybercrime, Privacy, Data Governance, Security
– Innovation: Developers, R&D, Citizen Services, Applications
– Access: Broadband, Skills, Affordability, Accessibility
Page 3
Getting Access to the Cloud
Broadband is driving the cloud revolution
Variety of delivery models (wired, wireless, hybrid)
Driven by demands from users with different modes of access:
– Smartphones
– Netbooks
– e-readers
– PCs
Creating a two-sided market:
– Demand side for customers/consumers
– Supply side for developers and service providers
Page 4
The promise of cloud interoperability
Page 5
New challenges
So what has changed?
Page 6
Top Threats to Cloud Computing
Threat #1: Abuse and Nefarious Use of Cloud Computing
Threat #2: Insecure Interfaces and APIs
Threat #3: Malicious
Threat #4: Shared Technology Issues
Threat #5: Data Loss or Leakage
Threat #6: Account or Service Hijacking
Threat #7: Unknown Risk Profile
Page 7
$560 million in losses related to identity theft, phishing scams and outright fraud in 2008
Source: www.esecurityplanet.com/features/article.php/3871456/Cyber-Crooks-Doubled-Their-Take-in-09-FBI.htm
Page 8
So what has changed?
These security issues have expanded and come to the forefront:
– Data Security
– Data Privacy vs. Law Enforcement Needs
  • Electronic Evidence Discovery Requirements
– Cross-Border Data Flows
  • EU Safe Harbor Policy Template
    » Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)
– Jurisdictional Tensions
Page 9
New responsibilities
Page 10
Microsoft Business Needs
Microsoft must follow national and international laws and regulations. Some examples of laws that may be applicable:
– The Privacy Act, 1974
– HIPAA (Health Insurance Portability and Accountability Act, 1996)
– COPPA (Children's Online Privacy Protection Act, 1998)
– GLBA (Gramm-Leach-Bliley Act, 1999)
– SOX (Sarbanes-Oxley Act, 2002)
– Regional regulations
  • EU Directives
    – Directive 95/46/EC (Data Protection Directive)
    – Directive 2002/58/EC (the E-Privacy Directive)
    – Directive 2006/24/EC Article 5 (the Data Retention Directive)
  • Privacy Online: OECD Guidance on Policy and Practice, 2002
– In-country regulations
  • State of California SB1386, 2003
  • Japan’s privacy laws – Act for the Protection of Personal Information (2003)
Microsoft IT Streamlines Regulatory Compliance: http://technet.microsoft.com/en-us/library/dd537744.aspx
Page 11
Confidence & Trusted Brand Security Timeline
Timeline: 1989 | 1994-95 | 1997 | 2002 | 2004 | 2005 | 2008-09
Milestones shown on the timeline:
– 1st Data Center
– MSN
– Microsoft.com
– Hotmail
– Trustworthy Computing Directive
– Security Development Lifecycle
– Windows Live
– Microsoft Online Services
– First SAS-70 Type I cert
– First ISO 27001 cert
Page 12
Microsoft’s Approach to Cloud Security Challenges
– Risk-based Information Security Program
– Deep Set of Security Controls
– Comprehensive Compliance Framework
– Response to Cloud Security Challenges
Page 14
Information Security Program
ISO 27001:2005 certified
Page 16
Control Framework: Domains
The control objectives are published at:
http://www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf
1. General Information
2. Information Security
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development, and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Risk Management
13. Compliance
14. Privacy
Page 17
Control Framework: Structure
• Domain
• Sub Domain
• Control Objective (ISO 27001 has 152 vs 292)
• Associated Standard (External Compliance Requirement)
• Applicable Security, Standard Operating Procedure or System Reference
• Sample Control Activity
• Sample Testing Activity
Page 18
Control Modules
Page 20
Comprehensive Compliance Framework
Certification and Attestations
• ISO/IEC 27001:2005 certification
• Statement of Auditing Standard (SAS) 70 Type I and Type II attestations
Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, etc.
Controls Framework
• Identify and integrate:
  – Regulatory requirements
  – Customer requirements
• Assess and remediate:
  – Eliminate or mitigate gaps in control design
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize:
  – Examine root cause of non-compliance
  – Track until fully remediated
Predictable Audit Schedule
Page 21
Cloud Security Considerations
Vertical axis: Relative Sensitivity of Data
Horizontal axis: Relative Dependence on an External Service Provider and Common Risk Pooling with Cotenants
Competing considerations:
– Strict limits on sensitive data due to mission, security requirements, policy, or compliance considerations.
– Organizational need to take advantage of higher returns to scale to eliminate excess capacity, secure cost savings, or support a distributed workforce.
Deployment models along the horizontal axis:
– Private: Infrastructure is owned or leased by a single organization and is operated solely for that organization.
– Community: Infrastructure is shared by several organizations and supports a specific community that has shared concerns.
– Public: Infrastructure is owned by an organization selling cloud services to the general public or a large industry group.
Page 22
Microsoft Vision for Government Computing
Page 23
Government Public Cloud
Page 24
Government Private Cloud – Self-Hosted
Page 25
Government Private Cloud – Partner-Hosted
Page 26
Microsoft’s Online Services Security Strategic Information Security Program
Page 27
Data Governance Strategy
References
– The Case for Data Governance, Jan 2010
– People and Process, Jan 2010
– Managing Technical Risk, Apr 2010
– A Capability Maturity Model, Apr 2010
All papers are published and available at www.microsoft.com/datagovernance
Page 28
Microsoft Open Data initiatives
Use open standards to enhance collaboration and sharing across different data sources
Page 29
Conclusion - Security Considerations
– No one-size-fits-all model for cloud computing
– Users must assess their risk, and have flexibility and choice among service offerings
– Users must be able to make informed choices in light of the sensitivity of data, their mission and other risk factors
  • Consider the different Cloud deployment models
    » Private Cloud
    » Community Cloud
    » Public Cloud
Page 30
Additional Resources
– OECD Guidelines for the Security of Information Systems and Networks
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– Guidelines for the Regulation of Computerized Personal Data Files, G.A. res. 44/132, 44 U.N. GAOR Supp. (No. 49) at 211, U.N. Doc. A/44/49 (1989).
– Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
– Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Dec 2009, www.cloudsecurityalliance.org/csaguide.pdf
Page 31
References
– Microsoft Cloud: www.microsoft.com/cloud
– Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc
– Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy
– Microsoft Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f
– The ISO 27001:2005 certificate for Global Foundation Services, Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft
– Microsoft Global Foundation Services, home page: www.globalfoundationservices.com
– The Microsoft Security Development Lifecycle (SDL): www.microsoft.com/security/sdl/default.aspx
– Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx
– The Microsoft SDL Threat Modeling Tool: http://www.microsoft.com/security/sdl/getstarted/threatmodeling.aspx
– Microsoft Online Services: www.microsoft.com/online
– Microsoft Security Response Center: www.microsoft.com/security/msrc
– Microsoft Compliance Framework Whitepaper: www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf
– Securing Microsoft’s Cloud Infrastructure: http://www.globalfoundationservices.com/security/documents/SecuringtheMSCloudMay09.pdf
Page 33
– Strategic Information Security Program: based on industry best practices to enable rapid adaptation to cloud infrastructure changes
– Certification Framework: streamlines the certification process for product and service delivery teams
– Trusted Brand: established through meeting business obligations along with legal and commercial expectations
– Confidence: born from years of experience managing security risks in traditional development and operating environments