Large Scale Technology Trends
Transforming access to people and information
Mobile
Social
2016
1.3 billion over 37% of
the total workforce by 2015
80%
75% of
the American
workforce by 2025
65%
of companies
are deploying at
least one social
software tool.
Big Data
Over
of
new apps will be
distributed or
deployed on
clouds in 2012.
Millennials
will make up
By
,
smartphones and tablets
will put power in the
pockets of a billion global
consumers
The world’s mobile
worker population
will reach
Cloud
70%
of organizations
are either using or
investigating cloud
computing solutions
Digital content will grow to
2.7ZB in 2012, up 48% from
2011, rocketing
toward 8ZB by 2015.
80%
growth of unstructured
data is predicted over the
next five years.
Complex Challenges
Driving need for new security approach
Cyber
DataMalicious
theft
Targeted
terrorism
& insider
software
attacks
& hacktivism
leaks
Organized
Crime
NationGroups Terrorist Groups States
Individual
Global cost of computer crime
more
email
stolen from
Exponential
Widespread
Moreaddresses
sophisticated
rise in Mobile files
compromised
from USMalware
Pentagon
Growth stolen
attacks
Data theft & legacy
Cyber terrorism &
user
accounts
stolen
credit
card
accounts
Malicious software
Targeted
attacks
records
insider leaks technology hacktivism
of IDs military contractor
stolen
Strong Tension Today
Between business innovation and cyber security requirements
Business Innovation
Specific Concerns We Hear from
Customers
Why should I trust
Microsoft’s Cloud?
What industry audits and security
certifications cover the Microsoft
Platform?
If I run my service in your
cloud, can I meet my
compliance needs?
How should an enterprise
evaluate cloud providers when it
comes to security, privacy and
compliance?
Why Should I Trust the Microsoft Cloud?
Proven Track Record
History of meeting obligations associated with the
delivery of over 400 cloud services
Scale
Spreading cost of robust security and compliance
across large number of customers provides a
trusted cloud at lower cost
Security at our Foundation
Years of experience through our
Trustworthy Computing initiative
Law Enforcement Access
Many nations have laws addressing law enforcement access to
cloud service information, to support criminal investigations
Microsoft Response Process:
Responding to government demands
If we receive a government demand
for data held by a business customer,
we take steps to redirect the
government to the customer directly,
and we notify the customer unless
we are legally prohibited from doing
so. We have never provided any
government with customer data
from any of our business or
government customers for national
security purposes(…)
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-togovernment-legal-demands-for-customer-data.aspx
If a government wants
customer data – including for
national security purposes –
it needs to follow applicable
legal process, meaning it
must serve us with a court
order for content or
subpoena for account
information.
We do not provide any
government with the ability
to break the encryption used
between our business
customers and their data in
the cloud, nor do we provide
the government with the
encryption keys.
We only respond to
requests for specific
accounts and
identifiers. There is no
blanket or
indiscriminate access
to Microsoft’s
customer data.
Law enforcement request report
In the first half of 2013, Microsoft
disclosed content in response to
2.2% of the total number of law
enforcement requests received.
Each of those disclosures was in
response to a court order or
warrant, and the vast majority of
those disclosures related to users
of our consumer services.
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
Law enforcement sought information about
only a tiny fraction of the millions of end users
of our enterprise services, such as Office 365.
We received 19 requests for e-mail accounts
we host for enterprise customers, seeking
information about 48 accounts. We disclosed
customer data in response to five of those
requests (4 content; 1 only non-content), and
in all but one case, we were able to notify the
customer. We rejected the request, found no
responsive data, or redirected law
enforcement to obtain the information from
the customer directly in thirteen of those
cases. One request is still pending.
(…) the requests are
fairly concentrated with
over 73% of requests
coming from five
countries, the United
States, Turkey,
Germany, the United
Kingdom, and France.
Unfortunately, we are not
currently permitted to
report detailed
information about the
type and volume of any
national security orders
(e.g. FISA Orders and FISA
Directives) that we may
receive
Law enforcement
requests from
Norwegian
Authorities, H1
2013
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/06/14/microsoft-s-u-s-lawenforcement-and-national-security-requests-for-last-half-of-2012.aspx
Microsoft’s Cloud Environment
Software as a Service (SaaS)
Consumer and
Small Business
Services
Enterprise
Services
Third-party
Hosted Services
Platform as a Service
(PaaS)
Infrastructure as a
Service (IaaS)
Global Foundation Services
Data Centers
Operations
Global Network
Security
Microsoft Data Center Scale
Microsoft has more than 10 and less than 100 DCs worldwide
Dublin
Chicago
Quincy
Amsterdam
Japan
Boydton
Des Moines
Hong Kong
San Antonio
Singapore
Multiple global CDN locations
Quincy, Washington
27MW
100% Hydro power
San Antonio, Texas
27MW
Recycled water for cooling
Chicago, Illinois
Up to 60MW
Water side economization, Containers
Dublin, Ireland
Up to 50MW
Outside air cooling, PODs
"Data Centers have become as vital to the
functioning of society as power stations."
The Economist
Customer Compliance Needs
•
•
Customers ultimately responsible for ensuring their compliance obligations are met
Microsoft will share its certifications and audit reports to allow customers to establish reliance
IaaS
PaaS
SaaS
Responsibility:
Data Classification and Accountability
Application Level Controls
Operating System Controls
CLOUD CUSTOMER
Host Level Controls
Identity and Access Management
Network Controls
Physical Security
CLOUD PROVIDER
Data Classification
What data goes where?
Information Security Management System
Information Security Management System
PREDICTABLE
AUDIT
SCHEDULE
INFORMATION
SECURITY
MANAGEMENT
FORUM
RISK
MANAGEMENT
PROGRAM
INFORMATION
SECURITY
POLICY
PROGRAM
COMPLIANCE
FRAMEWORK
Test and Audit
• ISO / IEC 27001:2005 certification
• SSAE 16/ISAE 3402 SOC 1
• AT101 SOC 2 and 3
• PCI DSS certification
• FedRAMP P-ATO, FISMA certification and accreditation
• And more …
Infrastructure Compliance Capabilities
ISO / IEC 27001:2005 Certification
SSAE 16/ISAE 3402 SOC 1, AT101 SOC 2 and 3
HIPAA/HITECH
PCI Data Security Standard Certification
FedRAMP P-ATO and FISMA Certification & Accreditation
Various State, Federal, and International Privacy Laws
(95/46/EC—aka EU Data Protection Directive; California SB1386;
etc.)
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.