Cyber/Cloud Security
Muligheter 2013
Ole Tom Seierstad / [email protected]
Large Scale Technology Trends: Transforming access to people and information

Mobile: By 2016, smartphones and tablets will put power in the pockets of a billion global consumers. The world's mobile worker population will reach 1.3 billion, over 37% of the total workforce, by 2015.

Social: 65% of companies are deploying at least one social software tool. Millennials will make up 75% of the American workforce by 2025.

Cloud: Over 80% of new apps will be distributed or deployed on clouds in 2012. 70% of organizations are either using or investigating cloud computing solutions.

Big Data: Digital content will grow to 2.7ZB in 2012, up 48% from 2011, rocketing toward 8ZB by 2015. 80% growth of unstructured data is predicted over the next five years.
Complex Challenges: Driving need for new security approach

Exponential growth of IDs
Widespread legacy technology

Malicious software: 250% rise in mobile malware; 5X more compromised records; more sophisticated attacks

Targeted attacks: individuals, organized crime groups, terrorist groups, nation-states; 77 million user accounts stolen; 200,000 credit card accounts stolen

Data theft & insider leaks: 90,000 email addresses stolen from a US military contractor; 24,000 files stolen from the Pentagon

Cyber terrorism & hacktivism: $1 trillion global cost of computer crime
Security Strategy

Strong tension today between business innovation and cyber security requirements:

Business Innovation: Cloud, Big Data, Social, Mobile
Cyber Security Requirements: Identity Management, Configuration Management, Threat Management, Strong Response

Purposefully designed technology can help drive business success.
Specific Concerns We Hear from Customers

Why should I trust Microsoft's Cloud?
What industry audits and security certifications cover the Microsoft Platform?
If I run my service in your cloud, can I meet my compliance needs?
How should an enterprise evaluate cloud providers when it comes to security, privacy and compliance?
Why Should I Trust the Microsoft Cloud?

Proven Track Record: History of meeting obligations associated with the delivery of over 400 cloud services.
Scale: Spreading the cost of robust security and compliance across a large number of customers provides a trusted cloud at lower cost.
Security at our Foundation: Years of experience through our Trustworthy Computing initiative.
Law Enforcement Access

Many nations have laws addressing law enforcement access to cloud service information, to support criminal investigations.

Microsoft Response Process:
Will redirect the requesting entity, when law permits
Only produces data in response to valid legal processes
Will notify customers prior to disclosing data, when permitted
Will limit the disclosure to only the required information
Responding to government demands

"If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes (…)"

"We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft's customer data."

"If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information."

"We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys."

Source: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx
Law enforcement request report

"In the first half of 2013, Microsoft disclosed content in response to 2.2% of the total number of law enforcement requests received. Each of those disclosures was in response to a court order or warrant, and the vast majority of those disclosures related to users of our consumer services."

"Unfortunately, we are not currently permitted to report detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives) that we may receive."

"Law enforcement sought information about only a tiny fraction of the millions of end users of our enterprise services, such as Office 365. We received 19 requests for e-mail accounts we host for enterprise customers, seeking information about 48 accounts. We disclosed customer data in response to five of those requests (4 content; 1 only non-content), and in all but one case, we were able to notify the customer. We rejected the request, found no responsive data, or redirected law enforcement to obtain the information from the customer directly in thirteen of those cases. One request is still pending."

"(…) the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France."

Source: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/

[Figure: Law enforcement requests from Norwegian Authorities, H1 2013]

Source: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/06/14/microsoft-s-u-s-law-enforcement-and-national-security-requests-for-last-half-of-2012.aspx
Global Foundation Services: Microsoft's Cloud Environment

Service layers: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Service families: Consumer and Small Business Services, Enterprise Services, Third-party Hosted Services
Foundation: Security, Global Network, Operations, Data Centers
Microsoft Data Center Scale

"Data Centers have become as vital to the functioning of society as power stations." (The Economist)

Microsoft has more than 10 and less than 100 DCs worldwide, plus multiple global CDN locations.

Locations shown: Quincy, Boydton, Des Moines, Chicago, San Antonio, Dublin, Amsterdam, Hong Kong, Singapore, Japan

Quincy, Washington: 27MW, 100% hydro power
San Antonio, Texas: 27MW, recycled water for cooling
Chicago, Illinois: up to 60MW, water side economization, containers
Dublin, Ireland: up to 50MW, outside air cooling, PODs
Customer Compliance Needs

Customers are ultimately responsible for ensuring their compliance obligations are met.
Microsoft will share its certifications and audit reports to allow customers to establish reliance.

Responsibility by layer, split between cloud provider and cloud customer depending on the service model (SaaS, PaaS, IaaS):
Data Classification and Accountability
Application Level Controls
Operating System Controls
Host Level Controls
Identity and Access Management
Network Controls
Physical Security
Data Classification

How do we know what to protect? Business driven, technology supportive.

Windows Server 2012 R2: FCI (File Classification Infrastructure)
Office 2013 & AD RMS & partner solutions
Cloud?

What data goes where? Define your strategy for data storage & processing:
Services that are public
High profile targets
Labeling
Contractual commitments
R & D data
Information Security Management System

Inputs: Business Objectives; Industry Standards & Regulations

Certificates and Attestations:
ISO / IEC 27001:2005 certification
SSAE 16/ISAE 3402 SOC 1
AT101 SOC 2 and 3
PCI DSS certification
FedRAMP P-ATO, FISMA certification and accreditation
And more …

Compliance framework components: predictable audit schedule; Information Security Management Forum; Risk Management Program; Information Security Policy Program; test and audit.
Infrastructure Compliance Capabilities

ISO / IEC 27001:2005 Certification
SSAE 16/ISAE 3402 SOC 1, AT101 SOC 2 and 3
HIPAA/HITECH
PCI Data Security Standard Certification
FedRAMP P-ATO and FISMA Certification & Accreditation
Various State, Federal, and International Privacy Laws (95/46/EC, aka the EU Data Protection Directive; California SB1386; etc.)
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.