Cyber/Cloud Security Muligheter 2013 Ole Tom Seierstad/[email protected]


Large Scale Technology Trends
Transforming access to people and information

Mobile

By 2016, smartphones and tablets will put power in the pockets of a billion global consumers.

The world’s mobile worker population will reach 1.3 billion, over 37% of the total workforce by 2015.

Social

65% of companies are deploying at least one social software tool.

Millennials will make up 75% of the American workforce by 2025.

Cloud

Over 80% of new apps will be distributed or deployed on clouds in 2012.

70% of organizations are either using or investigating cloud computing solutions.

Big Data

Digital content will grow to 2.7ZB in 2012, up 48% from 2011, rocketing toward 8ZB by 2015.

80% growth of unstructured data is predicted over the next five years.


Complex Challenges
Driving need for new security approach

Exponential Growth of IDs

Widespread legacy technology

250% rise in Mobile Malware

Malicious software

5X more compromised records

More sophisticated attacks

Individual, Organized Crime Groups, Terrorist Groups, Nation-States

Targeted attacks

77 Million user accounts stolen

200,000 credit card accounts stolen

Data theft & insider leaks

90,000 email addresses stolen from US military contractor

24,000 files stolen from Pentagon

Cyber terrorism & hacktivism

$1 Trillion global cost of computer crime


Security Strategy

Strong Tension Today
Between business innovation and cyber security requirements

Business Innovation: Cloud, Big Data, Social, Mobile

Cyber Security Requirements: Identity Management, Configuration Management, Threat Management, Strong Response

Purposefully Designed Technology
Can help drive business success


Specific Concerns We Hear from Customers

Why should I trust Microsoft’s Cloud?

What industry audits and security certifications cover the Microsoft Platform?

If I run my service in your cloud, can I meet my compliance needs?

How should an enterprise evaluate cloud providers when it comes to security, privacy and compliance?


Why Should I Trust the Microsoft Cloud?

Proven Track Record

History of meeting obligations associated with the delivery of over 400 cloud services

Scale

Spreading cost of robust security and compliance across large number of customers provides a trusted cloud at lower cost

Security at our Foundation

Years of experience through our Trustworthy Computing initiative


Law Enforcement Access

Many nations have laws addressing law enforcement access to cloud service information, to support criminal investigations

Microsoft Response Process:

WILL REDIRECT THE REQUESTING ENTITY, WHEN LAW PERMITS

ONLY PRODUCES DATA IN RESPONSE TO VALID LEGAL PROCESSES

WILL NOTIFY CUSTOMERS PRIOR TO DISCLOSING DATA, WHEN PERMITTED

WILL LIMIT THE DISCLOSURE TO ONLY THE REQUIRED INFORMATION


Responding to government demands

If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes (…)

We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data.

If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information.

We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx


Law enforcement request report

In the first half of 2013, Microsoft disclosed content in response to 2.2% of the total number of law enforcement requests received. Each of those disclosures was in response to a court order or warrant, and the vast majority of those disclosures related to users of our consumer services.

Unfortunately, we are not currently permitted to report detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives) that we may receive

Law enforcement sought information about only a tiny fraction of the millions of end users of our enterprise services, such as Office 365. We received 19 requests for e-mail accounts we host for enterprise customers, seeking information about 48 accounts. We disclosed customer data in response to five of those requests (4 content; 1 only non-content), and in all but one case, we were able to notify the customer. We rejected the request, found no responsive data, or redirected law enforcement to obtain the information from the customer directly in thirteen of those cases. One request is still pending.

(…) the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France.

http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/


Law enforcement requests from Norwegian Authorities, H1 2013

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/06/14/microsoft-s-u-s-law-enforcement-and-national-security-requests-for-last-half-of-2012.aspx


Global Foundation Services

Microsoft’s Cloud Environment

Platform as a Service(PaaS)

Infrastructure as a Service (IaaS)

Consumer and Small Business Services

Enterprise Services

Third-party Hosted Services

Security

Global Network

Operations

Data Centers

Software as a Service (SaaS)


Microsoft Data Center Scale

Chicago, Quincy, Dublin, Amsterdam, Hong Kong, Singapore, Japan, San Antonio, Boydton, Des Moines

Multiple global CDN locations

Microsoft has more than 10 and less than 100 DCs worldwide

"Data Centers have become as vital to the functioning of society as power stations." The Economist

Quincy, Washington 27MW 100% Hydro power

San Antonio, Texas 27MW Recycled water for cooling

Chicago, Illinois Up to 60MW Water side economization, Containers

Dublin, Ireland Up to 50MW Outside air cooling, PODs


Customer Compliance Needs

• Customers ultimately responsible for ensuring their compliance obligations are met
• Microsoft will share its certifications and audit reports to allow customers to establish reliance

Responsibility by service model (SaaS, PaaS, IaaS), divided between cloud provider and cloud customer:

Data Classification and Accountability

Application Level Controls

Operating System Controls

Host Level Controls

Identity and Access Management

Network Controls

Physical Security


Data Classification

Cloud?

Windows Server 2012 R2; FCI

Office 2013 & AD RMS & Partner

Business driven, technology supportive

How do we know what to protect?


What data goes where?

Data storage & processing

Define Your Strategy

Services that are public

High profile targets

Labeling

Contractual commitments

R & D data


Information Security Management System

Business Objectives

Industry Standards & Regulations

Certificates and Attestations

• ISO / IEC 27001:2005 certification
• SSAE 16/ISAE 3402 SOC 1
• AT101 SOC 2 and 3
• PCI DSS certification
• FedRAMP P-ATO, FISMA certification and accreditation
• And more …

PREDICTABLE AUDIT SCHEDULE

COMPLIANCE FRAMEWORK

INFORMATION SECURITY MANAGEMENT FORUM

RISK MANAGEMENT PROGRAM

INFORMATION SECURITY POLICY PROGRAM

Test and Audit


Infrastructure Compliance Capabilities

ISO / IEC 27001:2005 Certification

SSAE 16/ISAE 3402 SOC 1, AT101 SOC 2 and 3

HIPAA/HITECH

PCI Data Security Standard Certification

FedRAMP P-ATO and FISMA Certification & Accreditation

Various State, Federal, and International Privacy Laws (95/46/EC—aka EU Data Protection Directive; California SB1386; etc.)


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.