No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud.
Microsoft Is a LEADER In The Cloud
• (1996) 450M+ active users
• (1997) 550M users/mth
• (1998) x100M users
• Largest non-TCP/IP cloud service
• (1999) 320M+ active users
• Windows Live Messenger
• (1999) 2 Billion queries/mth
• (2001) 20M+ active users
• (2003) 5 Billion conf mins/yr
• (2004) 2 Billion emails/day
• Web Applications
• (2010) 400M+ consumers at release
HIGHLY SECURED DATA CENTERS
Enterprise class reliability and security
…delivering highly secure, private, and reliable experiences based on sound business practices

Key Features
• Geo-redundant datacenters
• N+1 Architecture
• 9 Layer Data Security:
  – Filtering Routers
  – Firewalls
  – Intrusion Detection Systems
  – System Level Security
  – Application Authentication
  – Application Level Counter-measures
  – Virus Scanning
  – Separate Data Networks
  – Authentication to Data
• CyberTrust Certified
• Secure access via SSL
• ITIL/MOF Operational Practices
• 24 x 7 x 365 Support
• 99.9% Uptime, Financially-backed SLA
Global Foundation Services
• Infrastructure Services
• Security and Compliance
• Global Delivery
• Environmental Awareness
US data location guaranteed today across all enterprise services
FISMA, SAS 70, ISO certification across all facilities and services
• ISO 27001 (strategic)
• SAS 70 (audit)
• FISMA (tactical)
Microsoft’s Cloud Environment
• Cloud Infrastructure: physical infrastructure, logical infrastructure
• Cloud Platform Services: compute runtimes, identity and directory stores, and others
• Consumer and Small Business Services
• Enterprise Services
• Third-Party Hosted Services
A Commitment to Trustworthy Computing
Security: Build software and services to better help protect Microsoft customers and the industry; ensure information and data are safe and confidential.
Privacy: Develop online services with the privacy of customers in mind. No matter where our customers live or work, Microsoft strives to help them protect their privacy.
Reliability: Make dependable software and continue to improve the reliability of technologies, products, and support processes with a continuing focus on the customer’s experience.
Business Practices: Ensure integrity and transparency in all business practices, and maintain the highest standards in business conduct.
How Microsoft Responds to the Challenges
Response to Cloud Security Challenges
• Risk-based Information Security Program
• Maintaining a Deep Set of Security Controls
• Comprehensive Compliance Framework
Information Security Program
International Organization for Standardization / International Electrotechnical Commission 27001:2005 Certified
Risk Management Process
• Identify threats and vulnerabilities to the environment
• Calculate risk
• Report risks across the Microsoft cloud environment
• Address risks based on impact assessment and a business case
• Test remediation effectiveness and residual risk
• Manage risks on an ongoing basis
Response Teams
Security Incident Response
• Responds to suspected security incidents 24 hours a day
• Response process: Preparation, Identification, Containment, Mitigation, Recovery, Lessons Learned

Global Criminal Compliance
• Supports worldwide investigations by law enforcement into criminal activity involving Microsoft online services, including emergency situations when appropriate
• Response process: begins with a validated legal request, is based on country of origin, includes guidance for law enforcement
Defense-in-Depth Layers
• Physical
• Network
• Host Security
• Identity and Access Management
• Data
• Application
Security Development Lifecycle (SDL)
SDL phases: Training, Requirements, Design, Implementation, Verification, Release, Response

SDL Process
• Product Team Coordination: OSSC uses questionnaires and other product development documentation to validate that SDL has been applied correctly
• Threat Models Review: OSSC analyzes the product teams’ threat models to verify that they are complete and current
• Security Bugs Review: All bugs relating to security and privacy of customers’ data are reviewed and addressed
• Tools Use Validation: OSSC ensures that product teams have correctly and appropriately made use of the tools, documented code, and patterns and practices available to them
Comprehensive Compliance Framework

Certification and Attestations
• ISO/IEC 27001:2005 certification
• Statement of Auditing Standard 70 Type I and Type II attestations
Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, etc.

Controls Framework
• Identify and integrate: regulatory requirements, customer requirements
• Assess and remediate: eliminate or mitigate gaps in control design
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize: examine root cause of non-compliance, track until fully remediated
• Predictable Audit Schedule
Microsoft Online Services Security
• Strategic Information Security Program: based on industry best practices to enable rapid adaptation to cloud infrastructure changes
• Certification Framework: streamlines the certification process for product and service delivery teams
• Trusted Brand: established through meeting business obligations along with legal and commercial expectations
• Confidence: born from years of experience managing security risks in traditional development and operating environments
This material is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
©2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Hotmail, Microsoft Dynamics, MSN, SharePoint, SQL Server, Windows, and Xbox LIVE are either trademarks or registered trademarks of the Microsoft group of companies.