Compliance, Security
and Trust
Microsoft’s Commitment
Security
Privacy
Compliance
www.windowsazure.com/trustcenter/
Comprehensive compliance framework
Industry Standards and Regulations
•
•
Payment Card Industry Data Security Standard
Health Insurance Portability and Accountability Act
•
Media Ratings Council
Sarbanes-Oxley, GLBA, FFIEC, etc.
•
Controls Framework
•
Predictable Audit Schedule
•
•
•
Identify and integrate
•
•
•
Regulatory requirements
Customer requirements
Assess and remediate
•
Test effectiveness and assess risk
Attain certifications and attestations
Improve and optimize
•
•
Eliminate or mitigate gaps in control design
Examine root cause of non-compliance
Track until fully remediated
Certifications and Attestations
•
•
ISO/IEC 27001:2005 certification
SOC 1 and SOC 2 attestations
•
•
•
HIPAA Business Associate Agreement
FISMA authorization
And more
Datacenter infrastructure compliance
ISO / IEC 27001:2005 certification
SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestation
SOC 2 Type 2 and SOC 3 (AT 101) attestations
HIPAA / HITECH Act
PCI Data Security Standard validation
FISMA authorization
* Various state, federal, and international privacy
laws
* 95/46/EC—aka EU Data Protection Directive; California SB1386; etc.
Windows Azure compliance programs
• ISO 27001
• SSAE 16 (SOC 1 Type 2)
• SOC 2 Type 2 (in process)
• CSA Cloud Control Matrix
FISMA
ISO
• EU Model Clauses
• UK Government accreditation for IL 2 data
• HIPAA Business Associate Agreement (BAA)
• FISMA/FedRAMP authorization (in process)
HIPAA
Statement on Customer Privacy
On June 6, media outlets including the Washington Post and Guardian began
reporting allegations that the United States National Security Agency (NSA)
is collecting customer communications data from major technology companies,
including Microsoft. Microsoft issued the following statement about the
company’s alleged involvement in these activities:
REDMOND, Wash., June 6, 2013 - We provide customer data only when we
receive a legally binding order or subpoena to do so, and never on a voluntary basis.
In addition we only ever comply with orders for requests about specific accounts or
identifiers. If the government has a broader voluntary national security program to
gather customer data we don’t participate in it.
Privacy
http://www.windowsazure.com/en-us/support/legal/privacy-statement/
Shades of Cloud – Risk Allocation
On Premises
Infrastructure
Platform
Software
(as a Service)
(as a Service)
(as a Service)
Applications
Applications
Applications
Applications
Data
Data
Data
Data
Runtime
Runtime
Runtime
Runtime
Middleware
Middleware
Middleware
Middleware
O/S
O/S
O/S
O/S
Virtualization
Virtualization
Virtualization
Virtualization
Servers
Servers
Servers
Servers
Storage
Storage
Storage
Storage
Networking
Networking
Networking
Networking
Managed by:
MS Datacenter Experience
Defense-in-depth
10 Things to Know About Azure Security
http://technet.microsoft.com/en-us/cloud/gg663906.aspx
Physical
Network
Identity
and Access
Management
Host
Security
Application
Data
Data Center Security
Cameras
Cameras
Cameras
Security patrols
Security patrols
Security patrols
Barriers
Alarms
Alarms
Fencing
Two-factor access control
Two-factor access control
Biometric readers
Card readers
•
Biometric readers
•
Card readers
World-Class
Security
Security operations center
Perimeter
Building
Computer room
Extensive Monitoring
Network
•
Isolated from Microsoft corpnet
•
VLANs and packet filters in routers
•
Host boundary protection
•
DDoS protection
•
Penetration testing
•
Monitoring and logging
•
Security incidents and breach notification
Identity and access
Windows Azure customer support personnel
•
•
•
•
Access control requirements established by Windows Azure Security Policy
No access to customer data by default
No user / administrator accounts on VMs
Monitoring and logging when local accounts are created on VMs
Access to PaaS VMs is highly restricted
• Most common authorization is based on customer troubleshooting
request
• Full incident monitoring and logging
• Temporary accounts for limited duration and 2FA enforced
Access to IaaS VMs is not possible
Host
Stripped-down version of Win 2012
• No drivers except approved ones, no graphics modules
• Network connectivity restricted using host firewall
Host boundaries enforced hypervisor
All Guest access to network and disk is mediated
by Root VM (via the Hypervisor)
When VMs are provisioned, they are cloned from
known configs
• PaaS images managed and updated by Microsoft
• With IaaS, customers can bring their own images (and
manage them)
Patch management
Support lifecycle policy
Application
• Security Best Practices for Developing Windows Azure Applications
• Windows Azure does not inspect, approve, or monitor customer
applications
• Customer application and storage account logging and monitoring
• Anti-malware scanning for customer applications
• Protection against external attacks, including third-party options
• Disaster recovery and business continuity
• Forensic investigations
Data
Redundant storage
• Locally redundant storage
• Geo-replication
Storage accounts and keys
Data backup
Data deletion and destruction
Windows Azure data cleansing and leakage
Data encryption (in transit, at rest)
Geographic regions for customer data
Asia
•
•
•
East (Hong Kong)
Japan East and West
Southeast (Singapore)
Europe
•
•
North (Ireland)
West (Netherlands)
United States
•
•
•
•
North Central (Illinois)
South Central (Texas)
East (Virginia)
West (California)
AtmanCo
Situation:
• Maker of personality tests for potential employees
• Needed to scale to handle 5K to 10K tests at a time to
avoid turning down business
• Potential French customer needed servers hosted in
Europe
• Management of servers under IaaS model burdensome
Solution:
• Azure VMs and Web Sites provided Scale and Flexibility
MYOB
Situation:
• Offers AccountRight which streamlines and automates
business processes for small businesses and
accountants
• Needed Mobile support and Offline support
Solution:
• AccountRight Live launched as an Azure hosted
offering that synched with the existing desktop suite
• Provide API that lets almost 600 external developers
build a solid ecosystem
NTP Software
Situation:
• NTP Software Universal File Access provides Mobile
and web interfaces that allow Enterprise clients to
provide access to File Data Selectively and Securely
• Needed to integrate with client’s on premise storage
system while letting them preserve security
Solution:
• Integrates with client’s Windows Azure account to
leverage larger organization discounts for volume
and minimize impact on primary storage systems
Sangkuriang Internasional
Situation:
• Built secure instant messaging service (EMASS) and
wanted to not be in the service provider business
• Needed to adapt to the Mobile centric reality of
Indonesian society to stay competitive
• Platform needed to support a wide range of
technology
Solution:
• EMASS deployed as 15 cloud apps running on Azure
based virtual machines
Summit Data Corp
Situation:
• Wanted to tap into the growing fitness market
• Needed a platform that supported high scalability
(hundreds of thousands of users)
• Required a platform that would keep innovating
and not stagnate
Solution:
• Active Fitness leverages Windows Azure Mobile
Services to support hundreds of thousands of users
Call To Action
The time is right for ISVs to break out of their normal confines by
leveraging Azure and its many capabilities
Azure has matured to enable many, varied options
If you do not seize the opportunity someone else in your space
will!