Microsoft Azure Trust in the Cloud Ovidiu Pismac MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront Microsoft Romania [email protected]

Page 1

Microsoft Azure: Trust in the Cloud

Ovidiu Pismac
MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront
Microsoft Romania
[email protected]

Page 2

AZURE ADOPTION

Technology trends: driving cloud adoption

Cloud trend: 70% of CIOs will embrace a cloud-first strategy in 2016 (IDC CIO Agenda webinar)

BENEFITS

Scale: 430B+ Microsoft Azure AD authentications; 280% year-over-year database growth in Microsoft Azure; 50% of Fortune 500 use Microsoft Azure

Economics: $25,000 in the cloud would cost $100,000 on premises

Speed: scale from 30,000 to 250,000 site visitors instantly; 2 weeks to deliver new services vs. 6-12 months with a traditional solution

Page 3

Cloud innovation: OPPORTUNITY FOR SECURITY & COMPLIANCE BENEFITS

Pre-adoption concern
• 60% cited concerns around data security as a barrier to adoption
• 45% concerned that the cloud would result in a lack of data control

Benefits realized
• 94% experienced security benefits they didn't previously have on-premises
• 62% said privacy protection increased as a result of moving to the cloud

SECURITY
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data

PRIVACY

COMPLIANCE

Page 4

Trustworthy foundation: BUILT ON MICROSOFT EXPERIENCE AND INNOVATION

Microsoft experience: 1st Microsoft Data Center; 20+ Data Centers; Global Data Center Services; Trustworthy Computing Initiative; Security Development Lifecycle; Malware Protection Center; Microsoft Security Response Center; Digital Crimes Unit; Windows Update; Active Directory; Operations Security Assurance

Compliance: SOC 1; SOC 2; CSA Cloud Controls Matrix; PCI DSS Level 1; FedRAMP/FISMA; UK G-Cloud Level 2; ISO/IEC 27001:2005; HIPAA/HITECH; E.U. Data Protection Directive

Page 5

Trustworthy foundation: BUILT ON MICROSOFT EXPERIENCE AND INNOVATION (same diagram as Page 4, with callouts)

Trustworthy Computing: Created the SDL, which has become the industry standard for developing secure software

Security Centers of Excellence: Protecting Microsoft customers by combatting evolving threats

20+ Data Centers: Operating Microsoft Azure in 11 data centers around the world, plus 2 in China

Compliance Standards: Investing heavily in robust compliance processes, including ISO 27001, FedRAMP, and HIPAA

Page 6

Microsoft Azure: UNIFIED PLATFORM FOR MODERN BUSINESS

• Automated
• Managed Resources
• Elastic
• Usage Based

Page 7

Shared responsibility: REDUCE SECURITY COSTS + MAINTAIN FLEXIBILITY, ACCESS, & CONTROL

(diagram: split of responsibility between Customer and Microsoft across On-Premises, IaaS, PaaS and SaaS)

Page 8

Market Endorsement

• Gartner Magic Quadrant for Cloud Infrastructure as a Service (IaaS)
• Gartner Magic Quadrant for Enterprise Application Platform as a Service (PaaS)
• Gartner Magic Quadrant for Public Cloud Storage Services
• Gartner Magic Quadrant for Virtualization

Page 9

Transparency & independent verification: AID CUSTOMERS IN MEETING SECURITY & COMPLIANCE OBLIGATIONS

Best practices and guidance; Third-party verification

• Cloud Security Alliance
• Security intelligence report
• Compliance packages
• Trust Center
• Access to audit reports
• Security Response Center progress report

Page 10

Microsoft approach in action

Page 11

Design & operations

• Software Development Lifecycle (SDL): Security embedded in planning, design, development, & deployment
• Operational security controls: Rigorous controls to prevent, detect, contain, & respond to threats
• Assume breach: Hardening cloud services through simulated real-world attacks
• Incident response: Global, 24x7 incident response to mitigate effects of attacks

Page 12

Security

“We chose Azure because all things being equal, it is the easiest cloud platform to work with. Security and patching is already taken care of, so it is less labour-intensive.”

Page 13

Infrastructure protection

• 24 hour monitored physical security
• Secure multi-tenant environment
• Firewalls
• Patch management
• System monitoring and logging
• Antivirus/antimalware protection
• Threat detection
• Forensics

Page 14

Service security starts with physical data center

Zones: Perimeter, Building, Computer room

• Cameras
• 24x7 security staff
• Barriers
• Fencing
• Alarms
• Two-factor access control: biometric readers & card readers
• Security operations center
• Days of backup power
• Seismic bracing

Page 15

Architected for secure multi-tenancy

AZURE:
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle-tested and enterprise-proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services

CUSTOMER:
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines

(diagram: Customer Admin and End Users reach Microsoft Azure through the Portal and SMAPI; the Fabric Controller manages Guest VMs for Customer 1 and Customer 2 on top of the Hypervisor and Host OS, alongside Azure Storage and SQL Database)

Page 16

(image-only slide)

Page 17

Microsoft and Interoperability

“DHMC runs both Windows Server as guest operating systems under Hyper-V, as well as Linux. To date, DHMC has virtualized Web servers, sites on Microsoft Office SharePoint® Server, reporting servers, medical applications, domain controllers, file and print servers, Citrix servers, and more.”
Dartmouth Hitchcock Medical Center Case Study

• Microsoft commitment to support Linux – Red Hat, SUSE, CentOS, OpenSuse, Ubuntu, Oracle Linux, new FreeBSD 10 on Hyper-V
• System Center Configuration Manager 2012 SP1 supports administering non-Windows platforms: Linux, Unix (monitored by SCOM) and Mac OS X systems
• System Center Operations Manager 2012 SP1 supports monitoring of non-Windows, including Linux – Red Hat, SUSE, CentOS; Unix – HP UX, Sun Solaris and IBM AIX; from January 2013 – new Linux distributions supported: Debian Linux, Oracle Linux, Ubuntu Linux Server
• System Center Virtual Machine Manager 2012 manages VMware ESX servers and Citrix XEN Servers

Page 18

(table: platform support matrix. Columns: Linux – Red Hat, SUSE, CentOS, Ubuntu, Debian, Oracle; UNIX – AIX, HP-UX, Solaris. Rows: Operations Manager; Configuration Manager; Endpoint Protection; Virtual Machine Manager; Hyper-V; Azure IaaS. The per-cell marks are not recoverable from the transcript; the only text cells are "No Plans" and "Future".)

Debian 7.0 has Linux Integration Services

Page 19

Network protection

• Network isolation: Segregates network access between customers, management systems & the internet
• Virtual Networks: Connects cloud services using private IP addresses, subnets
• Cloud to on-premises connections: Site to site, point to site, and ExpressRoute help enable secure connection to Azure

Page 20

Identity & access

• Microsoft employee access management
• Monitor & protect access to cloud apps
• Enterprise cloud identity – Azure AD
• Multi-Factor Authentication

Page 21

Data protection

• Data encryption options: BitLocker, Azure RMS, AES 256/512
• Data segregation
• Data location and redundancy
• Data destruction

Page 22

Data location and redundancy

Note: Microsoft Azure data centers, Australia – Q2 FY15

AZURE:
• Creates three copies of data in each datacenter
• Offers geo-replication in a datacenter 400+ miles away
• Does not transfer Customer Data outside of a geo (ex: from US to Europe or from Asia to US)

CUSTOMER:
• Chooses where data resides
• Configures data replication options

Page 23

Data Deletion: Data destruction and Disk Handling

• Wiping is NIST 800-88 compliant
• Defective disks are destroyed at the datacenter
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to
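The deletion and disk-handling guarantees on this slide, modelled as an added Python example (illustrative code written for this page, not Microsoft's storage implementation): every read goes through the tenant's own index, a delete drops the primary index entry at once and the geo-replica entry asynchronously, and released blocks are overwritten before reuse. The wipe is a single zero-fill pass standing in for NIST 800-88 sanitization; it is an assumption of the model, not a description of Azure's procedure.

```python
# Toy model of tenant-scoped block storage (constructed for illustration, not Azure code).
from collections import deque

BLOCK = 16  # bytes per physical block in this toy store

class TenantBlockStore:
    """Physical blocks are shared by all tenants; every read and write goes through
    the (tenant, logical) index, so a tenant only ever reads blocks it wrote itself."""

    def __init__(self, nblocks):
        self.disk = [bytearray(BLOCK) for _ in range(nblocks)]
        self.free = deque(range(nblocks))   # physical blocks available for reuse
        self.index = {}                      # primary index: (tenant, logical) -> physical
        self.geo_index = {}                  # geo-replica index, removed asynchronously
        self.pending_geo_removal = deque()

    def write(self, tenant, logical, data):
        key = (tenant, logical)
        if key not in self.index:
            self.index[key] = self.free.popleft()
        phys = self.index[key]
        # Pad to a full block so a write always replaces every byte of the block.
        self.disk[phys][:] = data[:BLOCK].ljust(BLOCK, b"\0")
        self.geo_index[key] = phys

    def read(self, tenant, logical):
        phys = self.index.get((tenant, logical))
        if phys is None:
            raise PermissionError("tenant has not written this block")
        return bytes(self.disk[phys])

    def delete(self, tenant, logical):
        key = (tenant, logical)
        phys = self.index.pop(key)              # primary index removed immediately
        self.pending_geo_removal.append(key)    # geo copy's index removed later
        self.free.append(phys)                  # bytes stay on disk until wiped or reused

    def run_geo_removal(self):
        """Background job: drop the geo-replica index entries queued by delete()."""
        while self.pending_geo_removal:
            self.geo_index.pop(self.pending_geo_removal.popleft(), None)

    def wipe_free_blocks(self):
        """Overwrite every released block (single zero pass in this toy); returns count."""
        for phys in self.free:
            self.disk[phys][:] = bytes(BLOCK)
        return len(self.free)

    def residue(self, phys):  # raw physical bytes, for inspection only; tenants have no such API
        return bytes(self.disk[phys])

def demo():
    """Tenant A writes and deletes; tenant B reuses the same block but sees no residue."""
    store = TenantBlockStore(nblocks=1)
    store.write("A", 0, b"secret-record-1")
    store.delete("A", 0)
    leaked_physically = b"secret" in store.residue(0)   # bytes still on disk after delete
    store.write("B", 7, b"hi")                          # B is allocated block 0 and overwrites it
    return leaked_physically, store.read("B", 7)
```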

Page 24

Privacy by design

• Privacy by Design: Privacy controls are built into Azure design and operations
• Restricted data access & use: Customer data is only used to provide the service and is never used for advertising
• Contractual commitments: Data Processing Agreements, EU Model Clauses, HIPAA BAA

Page 25

Contractual commitments

Broad contractual scope
• Microsoft makes strong contractual commitments to safeguard customer data covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
• Enterprise cloud-service specific privacy protections benefit every industry & region

EU Data Privacy Approval
• Microsoft meets high bar for protecting privacy of EU customer data
• Microsoft offers customers EU Model Clauses for transfer of personal data across international borders
• Microsoft’s approach was approved by the Article 29 committee of EU data protection authorities – the first company & cloud vendor to obtain this

Page 26

Privacy

“Our vision is to be the national leader in patient-centered e-healthcare.… Using Windows Azure as our delivery system provides us with a level of trust and reliability that makes this possible.”

Page 27

Simplified compliance

• Information security standards
• Effective controls
• Government & industry certifications

Certifications: ISO 27001; SOC 1 Type 2; SOC 2 Type 2; FedRAMP/FISMA; PCI DSS Level 1; UK G-Cloud

Page 28

Certifications & programs

Program: Description

ISO/IEC 27001: The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard.

SOC 1 (SSAE 16/ISAE 3402): Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls.

SOC 2: Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality.

FedRAMP/FISMA: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.

PCI DSS Level 1: Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).

UK G-Cloud IL2: In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore.

HIPAA BAA: To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).

Page 29

Compliance

“Windows Azure was attractive because it has built-in capabilities for compliance with a wide range of regulations and privacy mandates.”

Page 30

Unified platform for modern business

Microsoft commitment

Page 31

Trusted by leading companies

Page 32

Talk to a Microsoft security expert

Explore additional resources:
• Trustworthy Computing Cloud Services: www.microsoft.com/trustedcloud
• Microsoft Trust Center for Microsoft Azure: http://www.windowsazure.com/en-us/support/trust-center
• Microsoft Security Intelligence Report: http://www.microsoft.com/sir

Page 33

Microsoft Azure (closing slide)