Salmon Software - Azure Documentation

SALMON SOFTWARE
CLOUD INFRASTRUCTURE
Detailed Description
Abstract
Salmon Software deploys their cloud solutions using Windows Azure. This document outlines
the infrastructure configuration deployed for the delivery of their cloud service.
Table of Contents
1. Introduction
2. Background Information Reference
2.1. Microsoft Azure
2.1.1. Virtual Machines
2.1.2. Virtual Networks
2.1.3. Network Endpoints and Access Control Lists
2.1.4. Blob Storage
2.2. Microsoft Windows Server 2012 Service Roles
2.2.1. Remote Desktop Services
2.2.2. Remote App
3. Salmon Software | Azure Architecture
3.1. Diagram
3.2. Architecture Overview
3.3. Servers
3.4. Communications
3.5. Backup
3.6. Integration with External Systems
4. Additional Information/Frequently Asked Questions
4.1. Privacy
4.1.1. Location of Customer Data
4.1.2. E.U. Data Protection Directive
4.1.3. Customer Data and Other Data Types
4.2. Compliance
4.3. Frequently Asked Questions (FAQ)
1. Introduction
This document describes Salmon Software's infrastructure architecture in Windows Azure. It
outlines the specific services used in Windows Azure and the Windows Server roles required to
deliver the overall solution. It also contains additional, relevant security information and frequently
asked questions (FAQs).
2. Background Information Reference
2.1. Microsoft Azure
Microsoft Azure is a cloud computing platform and infrastructure, created by Microsoft, for building,
deploying and managing applications and services through a global network of Microsoft-managed
datacentres. It provides both PaaS and IaaS services and supports many different programming
languages, tools and frameworks, including both Microsoft-specific and third-party software and
systems.
Salmon Software utilise Virtual Machines, Virtual Networks and Blob Storage in the delivery of their
service.
2.1.1. Virtual Machines
A virtual machine (VM) is a software implementation of a computing environment in which an
operating system (OS) or program can be installed and run.
The virtual machine typically emulates a physical computing environment, but requests for CPU,
memory, hard disk, network and other hardware resources are managed by a virtualization layer
which translates these requests to the underlying physical hardware.
Azure Virtual Machines deliver on-demand, scalable compute infrastructure. These Windows Server
Virtual Machines run on top of the trustworthy Azure foundation.
2.1.2. Virtual Networks
Windows Azure Virtual Network provides you with the capability to extend your network into
Windows Azure and treat deployments in Windows Azure as a natural extension of your on-premises
network.
Virtual Network enables you to accomplish the following:
- Create a virtual private network in Windows Azure: you can bring your preferred private IPv4
  space (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) to Windows Azure.
- Configure cross-premises connectivity over site-to-site IPsec VPNs: you can extend your
  on-premises network to Windows Azure and treat virtual machines and services deployed in
  your virtual networks as though they were on your local premises.
- Configure custom DNS servers for all services within a virtual network: you can point all
  virtual machines and services to a DNS server on-premises or a DNS server running in the
  virtual network. This capability enables you to use your domain controllers in Windows Azure.
Site-to-site connections require a public-facing IPv4 address and a compatible VPN device, or
RRAS running on Windows Server 2012. The following link lists the supported VPN devices for
virtual networks:
http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx
2.1.3. Network Endpoints and Access Control Lists
All virtual machines that you create in Azure can automatically communicate over a private network
channel with other virtual machines in the same cloud service or virtual network. Traffic from the
Internet or from other virtual networks, however, only reaches a virtual machine through an
endpoint created for it: a virtual machine with no endpoints is not reachable from outside.
Each endpoint has a public port and a private port:
- The private port is the port on which the virtual machine itself listens for traffic on that
  endpoint.
- The public port is the port on which the Azure load balancer accepts traffic from external
  resources and forwards it to the virtual machine.
After an endpoint is created, a network access control list (ACL) can define rules that isolate and
control the incoming traffic on the public port.
A Network Access Control List (ACL) is a security enhancement available for a Windows Azure
deployment. An ACL selectively permits or denies traffic to a virtual machine endpoint based on the
source address. This packet filtering provides an additional layer of security in front of the
virtual machine; it does not replace the firewall on the virtual machine itself, and it does not
filter the private traffic between virtual machines inside the virtual network.
Using Network ACLs, you can do the following:
- Selectively permit or deny incoming traffic to a virtual machine input endpoint based on the
  remote (source) IPv4 subnet.
- Blacklist IP addresses.
- Create multiple rules per virtual machine endpoint.
- Specify up to 50 ACL rules per virtual machine endpoint.
- Use rule ordering to ensure the correct set of rules is applied on a given virtual machine
  endpoint (rules are evaluated from the lowest order to the highest; the first match wins).
- Specify an ACL for a specific remote IPv4 address (a /32 subnet).
2.1.4. Blob Storage
Blob storage stores file data. A blob can be any type of text or binary data, such as a document,
media file, or application installer.
2.2. Microsoft Windows Server 2012 Service Roles
2.2.1. Remote Desktop Services
Remote Desktop Services accelerates and extends desktop and application deployments to any
device, improving remote worker efficiency, while helping to keep critical intellectual property
secure and simplify regulatory compliance. Remote Desktop Services enables virtual desktop
infrastructure (VDI), session-based desktops, and applications, allowing users to work anywhere.
2.2.2. Remote App
RemoteApp enables you to make programs that are accessed remotely through Remote Desktop
Services appear as if they are running on the end user's local computer. These programs are referred
to as RemoteApp programs. Instead of being presented to the user in the desktop of the Remote
Desktop Session Host (RD Session Host) server, the RemoteApp program is integrated with the
client's desktop. The RemoteApp program runs in its own resizable window, can be dragged
between multiple monitors, and has its own entry in the taskbar. If a user is running more than one
RemoteApp program on the same RD Session Host server, the RemoteApp programs share the
same Remote Desktop Services session.
3. Salmon Software | Azure Architecture
3.1. Diagram
[Diagram: a Windows Azure virtual network containing the RDS Server and the Application Server
(IIS Server, Software, SQL Server) with Data Storage. A Web Browser on the External Network
connects over an HTTPS Tunnel, passing through End Point & ACL Control into the virtual network.]
3.2. Architecture Overview
Each customer using Salmon Software hosted in Azure uses an individual subscription that ring-fences
their resources from those of other customers.
Salmon Software deploy their software using two Microsoft Windows Server 2012 virtual servers.
One of the servers runs Remote Desktop Services and manages the connections to the desktop
sessions in order to allow remote users to connect. The connection uses RemoteApp, a component
of Remote Desktop Services, to present the application to end users' desktops via their Start menu.
This presentation virtualisation allows users to run the application as if it were running on their
local machine. This is known as the RDS Server.
The second server houses the application software, the associated SQL databases and the utilities
required for the application to run. This is known as the Application Server.
Connections to the servers are controlled using endpoints and Access Control Lists (ACLs).
Backups and any additional files required for the operation of the service are held in Blob storage.
3.3. Servers
Both servers run Windows Server 2012 and are kept up to date with the latest service packs and
Windows updates. The hardware specification (virtual machine size) depends on the customer's
requirements and can be changed as needed.
3.4. Communications
The RDS Server has a single external endpoint, TCP port 443, for SSL/TLS connections to the
RemoteApp service running in IIS. The Application Server has no external endpoints open at all, so
it is not reachable from the Internet. Internally, communication between the two servers is
controlled using the Windows Server firewall on each server.
Optionally, an ACL on the port 443 endpoint can restrict external communication to specific source
IP addresses or address ranges, so that only the customer's own networks can reach the RDS Server.
All external communication is encrypted using an SSL/TLS certificate issued by a third-party
certificate authority. No unencrypted traffic is allowed: no other endpoint (for example, port 80)
is exposed.
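The endpoint-plus-ACL arrangement described in 2.1.3 and in this section, as an added example; this is not Salmon Software's own configuration script. It uses the classic (Service Management) Azure PowerShell cmdlets of the period for the endpoint and ACL, and the Windows Server 2012 firewall cmdlets for the internal control between the two servers. The cloud service name, the VM names, the private addresses 10.0.0.4 and 10.0.0.5, the customer office range 203.0.113.0/24 (an RFC 5737 documentation range) and the SQL Server port 1433 are assumptions chosen for illustration.

```powershell
# Added example, not Salmon Software's own script.
# Part A runs from an administrator's workstation with the classic (Service
# Management) Azure PowerShell module; Part B runs on the Application Server.
# Assumed names/addresses: cloud service "salmon-prod", VMs "RDS-SERVER" and
# "APP-SERVER", private IPs 10.0.0.4 (RDS) and 10.0.0.5 (App), customer office
# range 203.0.113.0/24, SQL Server listening on the default port 1433.

# ---- Part A: expose only the RDS Server, only on 443, only to the customer ----
Import-Module Azure
Add-AzureAccount                                   # interactive sign-in (or Import-AzurePublishSettingsFile)
Select-AzureSubscription -SubscriptionName "Salmon Customer A"   # the customer's ring-fenced subscription

$service = "salmon-prod"

# Build the ACL. Rules are evaluated from the lowest Order to the highest and the
# first match wins. Once a Permit rule exists, classic ACLs deny every other
# source by default; the explicit final Deny on 0.0.0.0/0 makes that intent
# visible to whoever reads the configuration later.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet "203.0.113.0/24" -Order 100 `
    -Description "Customer head office" -ACL $acl
Set-AzureAclConfig -AddRule -Action Deny -RemoteSubnet "0.0.0.0/0" -Order 200 `
    -Description "Deny all other sources" -ACL $acl

# Attach a single TCP 443 endpoint to the RDS Server, with the ACL, and apply it.
Get-AzureVM -ServiceName $service -Name "RDS-SERVER" |
    Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 -ACL $acl |
    Update-AzureVM

# Check 1: read the ACL back from the endpoint and confirm it is what was intended.
Get-AzureVM -ServiceName $service -Name "RDS-SERVER" |
    Get-AzureAclConfig -EndpointName "HTTPS" | Format-Table -AutoSize

# Check 2: the Application Server must have no public endpoints at all.
$appEndpoints = Get-AzureVM -ServiceName $service -Name "APP-SERVER" | Get-AzureEndpoint
if ($appEndpoints) {
    Write-Warning "APP-SERVER has public endpoints: $($appEndpoints.Name -join ', ')"
}

# ---- Part B (run on APP-SERVER): only the RDS Server may reach SQL Server ----
# Default-deny inbound on every profile, then one allow rule scoped to the RDS
# Server's private address. Add equivalent rules for any other port the
# application needs; everything not listed stays blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "SQL Server from RDS Server only" -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress 10.0.0.4 -Action Allow
```

Part A is run once per customer subscription from the administrator's workstation; Part B is run on the Application Server itself. Because the Application Server has no endpoint, the Windows firewall is the only control on what the RDS Server can reach on it, which is why the inbound default is set to Block before the single allow rule is added.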
3.5. Backup
Backups of the SQL databases and application data are run nightly. The backup data is stored in
Blob storage and configured as per the client's requirements. The servers themselves are also
backed up on a regular basis and saved to Blob storage.
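A nightly backup job of the kind this section describes, as an added example (not Salmon Software's own job): a full SQL Server backup is written locally with a checksum, uploaded over HTTPS to a private Blob storage container, verified by size before the local copy is removed, and registered as a Windows scheduled task. The database name, storage account, container, staging folder, environment variable and script path are assumptions.

```powershell
# Added example, not Salmon Software's own backup job. Runs on the Application
# Server with the SQL Server 2012 "SQLPS" module and the Azure PowerShell module.
# Assumed: database "SalmonDB" on the default instance, storage account
# "salmoncustabackups", container "sql-backups", staging folder D:\Backups.
# The storage key is read from an environment variable of the task's account
# rather than being embedded in the script.

Import-Module SQLPS -DisableNameChecking
Import-Module Azure

$db        = "SalmonDB"
$stage     = "D:\Backups"
$stamp     = Get-Date -Format "yyyyMMdd-HHmm"
$bakFile   = Join-Path $stage "$db-$stamp.bak"
$account   = "salmoncustabackups"
$container = "sql-backups"
$key       = $env:SALMON_STORAGE_KEY
if (-not $key) { throw "SALMON_STORAGE_KEY is not set for this account" }

# 1. Full, compressed backup with page checksums, so a corrupt .bak is detected
#    tonight rather than on the day a restore is needed.
Backup-SqlDatabase -ServerInstance "." -Database $db -BackupFile $bakFile `
    -BackupAction Database -CompressionOption On -Checksum

# 2. Upload to a private container (no anonymous access) in the customer's
#    storage account. The storage context uses HTTPS by default.
$ctx = New-AzureStorageContext -StorageAccountName $account -StorageAccountKey $key
if (-not (Get-AzureStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $container -Permission Off -Context $ctx | Out-Null
}
$blobName = Split-Path $bakFile -Leaf
Set-AzureStorageBlobContent -File $bakFile -Container $container -Blob $blobName `
    -Context $ctx -Force | Out-Null

# 3. Verify the blob exists and has the same size before deleting the local copy.
$blob = Get-AzureStorageBlob -Container $container -Blob $blobName -Context $ctx
if ($blob.Length -ne (Get-Item $bakFile).Length) {
    throw "Upload of $blobName is incomplete; local copy kept"
}
Remove-Item $bakFile

# 4. One-off registration of this script as the nightly job (run as administrator).
#    Kept commented so the script itself stays idempotent; assumed script path.
# $action  = New-ScheduledTaskAction -Execute "powershell.exe" `
#                -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-ToBlob.ps1"
# $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
# Register-ScheduledTask -TaskName "Salmon nightly SQL backup" -Action $action `
#     -Trigger $trigger -User "SYSTEM" -RunLevel Highest
```

The size check in step 3 is the minimum verification worth doing: a backup that never reached Blob storage, or reached it truncated, is only discovered during a restore otherwise. A periodic test restore from the container is the stronger check.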
3.6. Integration with External Systems
Files from external systems can be retrieved or received over SFTP or VPN connections using
monitor processes and scheduled tasks. Files both from and going to external systems can reside on
the Azure platform, on the client's internal network, or in an external location, depending on the
system and the requirements.
[Figure: Example Integration Schema, Connectivity Overview. External systems reach the Microsoft
Azure environment over the Internet: EMIR (DTCC, Regis-TR...), trading platforms (360T, FXALL...),
funds platforms (ICD, MyTreasury...), rates providers (Bloomberg, Reuters...), MYSIS and SWIFT.
The client's internal network, hosting the ERP (SAP, Oracle, MS Dynamics, Sun...), connects to the
Azure environment over a VPN/Virtual Network or SFTP.]
[Figure: Example Integration Schema, Import and Export Essentials.
Import schema: external system output file -> directory location (on the Azure environment, the
client's local environment or an external environment), reached over VPN/SFTP -> Salmon Import
Process, driven by a monitor or scheduled task.
Export schema: Salmon Export Process -> Salmon output file (in the format required by the external
system) -> directory location (on the Azure environment, the client's local environment or an
external environment), delivered over VPN/SFTP.]
4. Additional Information/Frequently Asked Questions
4.1. Privacy
Privacy is one of the foundations of Microsoft’s Trustworthy Computing. Microsoft has a
longstanding commitment to privacy, which is an integral part of our product and service lifecycle.
We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and
manage responsibly the data we store.
The Microsoft Privacy Principles, our specific privacy statements, and our internal privacy standards
guide how we collect, use, and protect Customer Data. General information about cloud privacy is
available from the Microsoft Privacy Web site. We also published a white paper Privacy in the Cloud
to explain how Microsoft is addressing privacy in the realm of cloud computing.
The Azure Privacy Statement describes the specific privacy policy and practices that govern
customers’ use of Azure.
4.1.1. Location of Customer Data
Microsoft currently operates Azure in data centers around the world. In this section, we address
common customer inquiries about access and location of Customer Data.
Customers may specify the geographic area(s) ("geos" and "regions") of the Microsoft data centers
in which Customer Data will be stored. Available geos and regions are shown below. Please see
service availability by region.
GEO (previously Major Region)    REGION (previously Sub-Region)
United States                    US East (Virginia)
                                 US West (California)
                                 US North Central (Illinois)
                                 US South Central (Texas)
Europe                           Europe North (Ireland)
                                 Europe West (Netherlands)
Asia Pacific                     Asia Pacific East (Hong Kong)
                                 Asia Pacific Southeast (Singapore)
Japan                            Japan East (Saitama Prefecture)
                                 Japan West (Osaka Prefecture)
Microsoft may transfer Customer Data within a geo (e.g., within Europe) for data redundancy or
other purposes. For example, Azure replicates Blob and Table data between two regions within the
same geo for enhanced data durability in case of a major data center disaster.
Microsoft will not transfer Customer Data outside the geo(s) customer specifies (for example, from
Europe to U.S. or from U.S. to Asia) except where necessary for Microsoft to provide customer
support, troubleshoot the service, or comply with legal requirements; or where customer configures
the account to enable such transfer of Customer Data, including through the use of:
- Features that do not enable geo selection, such as Content Delivery Network (CDN), which provides
  a global caching service;
- Web and Worker Roles, which back up software deployment packages to the United States regardless
  of deployment geo;
- Preview, beta, or other pre-release features that may store or transfer Customer Data to the
  United States regardless of deployment geo;
- Azure Active Directory (except for Access Control), which for Europe may transfer Active Directory
  Data to the United States, and for Asia and Japan may store Active Directory Data globally;
- Azure Multi-Factor Authentication, which stores authentication data in the United States.
Microsoft does not control or limit the geos from which customers or their end users may access
Customer Data.
See the E.U. Data Protection Directive section below for information on the regulatory framework
under which Microsoft transfers data.
4.1.2. E.U. Data Protection Directive
The E.U. Data Protection Directive (95/46/EC) sets a baseline for handling personal data in the
European Union. The E.U. has stricter privacy rules than the U.S. and most other countries. To allow
for the continuous flow of information required by international business (including cross border
transfer of personal data), the European Commission reached an agreement with the U.S.
Department of Commerce whereby U.S. organizations can self-certify as complying with the Safe
Harbor Framework. Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor
certified under the U.S. Department of Commerce. In addition to the E.U. Member States, members
of the European Economic Area (Iceland, Liechtenstein, and Norway) also recognize organizations
certified under the Safe Harbor program as providing adequate privacy protection to justify transborder transfers from their countries to the U.S. Switzerland has a nearly identical agreement
(“Swiss-U.S. Safe Harbor”) with the U.S. Department of Commerce to legitimize transfers from
Switzerland to the U.S., to which Microsoft has also certified.
The Safe Harbor certification allows for the legal transfer of E.U. personal data outside E.U. to
Microsoft for processing. Under the E.U. Data Protection Directive and our contractual agreement,
Microsoft acts as the data processor, whereas the customer is the data controller with the final
ownership of the data and responsibility under the law for making sure that data can be legally
transferred to Microsoft. It is important to note that Microsoft will transfer E.U. Customer Data
outside the E.U. only under very limited circumstances. See the Location of Data section for details.
Microsoft also offers additional contractual commitments to its volume licensing customers:
- A Data Processing Agreement that details our compliance with the E.U. Data Protection Directive
  and related security requirements for Azure core features within ISO/IEC 27001:2005 scope.
- E.U. Model Contractual Clauses that provide additional contractual guarantees around transfers of
  personal data for Azure core features within ISO/IEC 27001:2005 scope.
Please contact your Microsoft account manager or Microsoft Volume Licensing for details.
4.1.3. Customer Data and Other Data Types
Customer Data is all the data, including all text, sound, software or image files that you provide, or
are provided on your behalf, to us through your use of the Services. For example, Customer Data
includes data that you upload for storage or processing in the Services and applications that you or
your end users upload for hosting in the Services. It does not include configuration or technical
settings and information.
Administrator Data is the information about administrators (including account contact and
subscription administrators) provided during sign-up, purchase, or administration of the Services,
such as name, address, phone number, and e-mail address.
Metadata includes configuration and technical settings and information. For example, it includes the
disk configuration settings for an Azure Virtual Machine or database design for an Azure SQL
Database.
Access Control Data is used to manage access to other types of data or functions within Azure. It
includes passwords, security certificates, and other authentication-related data.
4.2. Compliance
Microsoft partners with customers to help them address a wide range of international, country, and
industry-specific regulatory requirements. By providing customers with compliant, independently
verified cloud services, Microsoft makes it easier for customers to achieve compliance for the
infrastructure and applications they run in Azure. Microsoft provides Azure customers with detailed
information about our security and compliance programs, including audit reports and compliance
packages, to help customers assess our services against their own legal and regulatory requirements.
In addition, Microsoft has developed an extensible compliance framework that enables it to design
and build services using a single set of controls to speed up and simplify compliance across a diverse
set of regulations and rapidly adapt to changes in the regulatory landscape.
ISO/IEC 27001:2005 Audit and Certification
Azure is committed to annual certification against the ISO/IEC 27001:2005, a broad international
information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has
implemented the internationally recognized information security controls defined in this standard,
including guidelines and general principles for initiating, implementing, maintaining, and improving
information security management within an organization.
ISO Scope: The following Azure features are in scope for the current ISO audit: Cloud Services
(including Fabric and RDFE), Storage (Tables, Blobs, Queues), Virtual Machines (including with SQL
Server), Virtual Network, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile
Services, Service Bus, Workflow, Multi-Factor Authentication, Active Directory, Right Management
Service, SQL Database, (version 11.0.9164.000 and higher), and HDInsight. This includes the
Information Security Management System (ISMS) for Azure, encompassing infrastructure,
development, operations, and support for these features. Also included are Power BI for Office 365
and Power Query Service.
The certificate issued by the British Standards Institution (BSI) is publically available.
SOC 1 and SOC 2 SSAE 16/ISAE 3402 Attestations
Azure has been audited against the Service Organization Control (SOC) reporting framework for both
SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US
and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Azure controls.
The SOC 2 Type 2 audit included a further examination of Azure controls related to security,
availability, and confidentiality. Azure is audited annually to ensure that security controls are
maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements
(SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified
Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put
forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2
Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security
Alliance (CSA).
Scope: The following Azure features are in scope for the current SOC 1 Type 2 and SOC 2 Type 2
attestations: Cloud Services (includes stateless Web, and Worker roles), Storage (Tables, Blobs,
Queues), Virtual Machines (includes persistent virtual machines for use with supported operating
systems) and Virtual Network (includes Traffic Manager).
Cloud Security Alliance Cloud Controls Matrix
Azure has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security
Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which
are included in that report. This combined approach is recommended by the American Institute of
Certified Public Accountants (AICPA) and CSA as a means of meeting the assurance and reporting
needs of the majority cloud services users.
The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to
assist prospective customers in assessing the overall security risk of a cloud provider. By having
completed an assessment against the CCM, Azure offers transparency into how its security controls
are designed and managed with verification by an expert, independent audit firm.
Detailed information about how Azure fulfills the security, privacy, compliance, and risk
management requirements defined in the CCM is also published in the CSA’s Security Trust and
Assurance Registry (STAR).
In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how it
addresses various risk, governance, and information security frameworks and standards, including
the CSA CCM.
Federal Risk and Authorization Management Program (FedRAMP)
Azure has been granted a Provisional Authorities to Operate (P-ATO) from the Federal Risk and
Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). Following a
rigorous security review, the JAB approved a provisional authorization that an executive department
or agency can leverage to issue a security authorization and an accompanying Authority to Operate
(ATO). This will allow US federal, state, and local governments to more rapidly realize the benefits of
the cloud using Azure.
FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to
security assessment, authorization, and continuous monitoring for cloud products and services. This
approach uses a “do once, use many times” framework that will save cost, time, and staff required
to conduct redundant agency security assessments.
Scope: The following Azure features are in scope for the FedRAMP JAB P-ATO: Cloud Services (Web
and Worker roles), Storage (Tables, Blobs, Queues, Drives), Virtual Machines (includes persistent
virtual machines), SQL Databases and Virtual Network (includes Traffic Manager).
Payment Card Industry (PCI) Data Security Standards (DSS) Level 1
Azure is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standards (DSS) as
verified by an independent Qualified Security Assessor (QSA), allowing merchants to establish a
secure cardholder environment and to achieve their own certification.
The PCI DSS is an information security standard designed to prevent fraud through increased
controls around credit card data. PCI certification is required for all organizations that store, process
or transmit payment cardholder data. Customers can reduce the complexity of their PCI DSS
certification by using compliant Azure services.
Scope: The Information Security Management System (ISMS) for Azure, including infrastructure,
development, operations and support for Compute, Data Services, App Services and Network
Services are in scope for the PCI DSS Attestation of Compliance.
United Kingdom G-Cloud Impact Level 2 Accreditation
In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further
enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and
CloudStore. The IL2 rating will benefit a broad range of UK public sector organizations, including local
and regional government, National Health Service (NHS) trusts and some central government bodies,
who require 'protect' level of security for data processing, storage and transmission.
Scope: The following Azure features are in scope for the IL2 accreditation: Virtual Machines, Cloud
Services, Storage (Tables, Blobs, Queues, Drives), and Virtual Network.
4.3. Frequently Asked Questions (FAQ)
Is Azure compliant with my regulatory requirements?
Please note that it is ultimately your obligation to comply with your regulatory requirements. We
provide you with information to help you do so. We commit to compliance with data protection and
privacy laws generally applicable to IT service providers. If you are subject to industry or
jurisdictional requirements, you will need to make your own assessment of your ability to comply.
Customers in many industries and geographies have found they can use Azure in a manner that
complies with applicable regulations, provided they utilize the services in a manner appropriate to
their particular circumstances.
For instance, organizations covered by the E.U. Data Protection Directive should have their own
policies, security, and training program in place to ensure their personnel do not use Azure in a way
that violates the Directive. We will do our part by abiding by the promises we have made, thereby
helping you remain compliant.
How will Microsoft use the information I store in Azure?
Microsoft will use the Customer Data you store in Azure only to provide you with the Azure service.
This may include troubleshooting aimed at preventing, detecting or repairing problems affecting the
operation of Azure and the improvement of features that involve the detection of, and protection
against, emerging and evolving threats to the user (such as malware or spam).
We may use statistical data, trends and usage information derived from your use of Azure for the
purpose of providing, operating, maintaining or improving Azure as well as any Microsoft products
and services used to deliver Azure.
Does Microsoft share data between its advertiser-supported services
and Azure? Does Azure data-mine my data for advertising?
No. Azure does not share data with its advertiser-supported services. Azure does not mine
Customer Data for advertising.
What happens if law enforcement or another third party asks
Microsoft for my Customer Data? What does Microsoft do when
subpoenaed for Customer Data?
Microsoft believes that its customers should control their own information whether stored on their
premises or in a cloud service. Accordingly, we will not disclose Customer Data to a third party
(including law enforcement, other government entity or civil litigant) except as you direct or
required by law. Should a third party contact us with a demand for Customer Data, we will attempt
to redirect the third party to request it directly from you. As part of that, we may provide your basic
contact information to the third party. If compelled to disclose Customer Data to a third party, we
will promptly notify you and provide a copy of the demand, unless legally prohibited from doing so.
Microsoft also publishes a Law Enforcement Requests Report that provides insight into the scope of
requests, as well as information from Microsoft's General Counsel about how the company responds
to national security requests.
In what circumstances is Customer Data disclosed to subcontractors,
and how do they use it?
Microsoft may hire other companies to provide limited services on its behalf, such as providing
customer support. Microsoft will only disclose Customer Data to subcontractors so they can deliver
the services we have retained them to provide. Subcontractors are prohibited from using Customer
Data for any other purpose, and they are required to maintain the confidentiality of your
information. Subcontractors that work in facilities or on equipment controlled by Microsoft must
follow our privacy standards. All other subcontractors must follow privacy standards equivalent to
our own. You can download the list of subcontractors authorized to process Customer Data in Azure.
How does Azure ensure subcontractors comply with Microsoft’s
privacy requirements?
We require subcontractors to join Microsoft's Vendor Privacy Assurance Program, to meet our
privacy requirements by contract, and to undergo regular privacy training. We contractually obligate
subcontractors that work in facilities or on equipment controlled by Microsoft to follow our privacy
standards. All other subcontractors are contractually obligated to follow privacy standards
equivalent to our own.
Does Microsoft allow customers to audit Azure operations or its data
centers?
No. Our independent audits and certifications are shared with customers in lieu of individual
customer audits. These certifications and attestations accurately represent how we obtain and meet
our security and compliance objectives, and serve as a practical mechanism to validate our promises
for all customers. Allowing potentially thousands of customers to audit our services would not be a
scalable practice and might compromise security and privacy. Our independent third-party
validation program includes audits that are conducted on an annual basis to provide verification of
Azure security controls.
Can Microsoft customize its audit for me?
No. Microsoft is not able to agree to custom audit obligations for individual customers. The costs
and potential conflicts between varying obligations make it impractical to customize audits.
For more information on Azure security, please visit the Microsoft Azure Trust Centre:
http://azure.microsoft.com/en-us/support/trust-center/