This presentation includes topics about Security in SQL Azure and Windows Azure. Regards, Eduardo Castro Martinez, Comunidad Windows
Dr. Eduardo Castro Martínez
Microsoft MVP
http://comunidadwindows.org
http://tiny.cc/comwindows
http://ecastrom.blogspot.com
Source: Saugatuck Technology Inc., 2009 Cloud Infrastructure Survey (Julne09), WW N=670
Saugatuck Insight: Saugatuck believes that many users will find that changes required in internal organization and politics for moving from dedicated to shared resources pose significant challenges to the adoption of Cloud Computing.
Security Privacy
Reliability Business Practice
Questions
Is your service secure?
Are you ISO 27001 certified?
Jurisdiction?
Have you ever had a service outage?
Do you have performance SLA?
Do you have an incident response plan?
Do you have SAS Type II Report?
Do you provide 24*7 support?
Are you HIPAA compliant?
How do you ensure data isolation?
Data retention?
location ownership control
Hybrid Public Private
SaaS Software as a Service
PaaS Platform as a Service
IaaS Infrastructure as a Service
Spoofing Tampering & Disclosure
Port Scanning/Service Enumeration
Elevation of Privilege
Load-balanced Infrastructure
Network bandwidth throttling
CiscoGuard enabled on Storage nodes
Configurable scale-out
Denial of Service
Service Definition file, Windows Firewall, VM switch packet filtering
VM switch hardening
Certificate Services
Shared-Access Signatures
HTTPS
Sidechannel protections
VLANs
Top of Rack Switches
Custom packet filtering
Partial Trust Runtime
Hypervisor custom sandboxing
Virtual Service Accounts
[Diagram labels, repeated across several slides: Windows Azure, Customer Tenant, Customer Admin Users, Customer Admin, Users, External Web Site, Central Admin, Physical Attacks On Servers]
Managed Code Access Security: partial trust
Windows Account: running with least privileges
Windows FW (VM): rules based on service model
Virtual Machine: fixed CPU, memory, disk resources
Root Partition Packet Filter: defense in depth against VM “jailbreaking”
Network ACLs: dedicated VLANs for tenant nodes
[Diagram labels: Hypervisor, Network/Disk, Root VM, Guest VM (×7)]
Service security starts with the data center
Data center within a data center
Motion sensors
24×7 secured access
Biometric controlled access systems
Video camera surveillance
Security breach alarms
World-Class Security
Security
Risk
Management Privacy
Data
World-Class Security
FISMA
ISO 27001
HIPAA
PCI
HBI
MBI
Provides assurance
Required by law when performing certain tasks
Recommendation
Customer and Partner Requests and Feedback
Market Size
Competitive Position
Compliance Landscape
General Process and Security
Financial Reporting
Credit Card Processing
Vertical Specific
US Govt Federal and State
Banking Investing Healthcare Energy
EU Privacy Directive 1995/46
PCI DSS
Sarbanes Oxley
• ITAR
• FISMA
• FIPS-140
• BASE II • BASE II
• NASD
• HIPAA • NERC 1300
SAS Type II
ISO 27001 General Process and Security
General Process and Security
PCI-DSS specification not “cloud aware”. New spec coming in 14 months
ISO27001 and SAS70 were the most frequently discussed by customers, partners, and field
PCI DSS frequently mentioned too.
Even without PCI DSS, it is possible for customers to write PCI compliant apps, although this is not viable for some
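| Category | Provider | ISO 27001 | SAS 70 Type 2 | PCI DSS Level 1 |
|---|---|---|---|---|
| Datacenters | GFS | X | X | X |
| Datacenters | Rackspace | X | X | X |
| Datacenters | Terrecloud (hoster of VMWare vCloud) | X In Europe | X | -- |
| PaaS / IaaS | Windows Azure | -- | -- | -- |
| PaaS / IaaS | AWS | -- | X | -- |
| PaaS / IaaS | GAE | -- | -- | -- |
| PaaS / IaaS | Force.com / VMForce.com | X | X | -- |
| SaaS | BPOS | X | X | -- |
| SaaS | Google App Engine | -- | X | -- |
| SaaS | Salesforce.com | X | X | -- |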
Microsoft
BPOS has achieved distinct certifications on top of GFS
Although they have SAS70, AWS does not share contents of audit with public