In the Cloud We Trust!
Dejan Cvetkovic
CTO, Microsoft CEE
Agenda
Compliance for Financial Services
Financial Services Compliance Program
Risk Management and Threat Intelligence
The Microsoft Approach to Compliance
What Motivates Financial Services Regulators
Visibility into Risk Management
What Motivates Financial Institutions
“I need Microsoft to partner with my company, listen to our business requirements, show me that you understand, and help me address these.”
“Our brand is what people trust to make decisions all over the world. It is our competitive edge. It is the critical element of what we sell and how we are perceived by our customers.”
“As a consumer, I like the idea of continued innovation. However, my business audit rules require that we have periods of zero change. Sometimes we even have to revert to the state of a system at a particular time.”
“There are evolving laws in many countries which require data to be located in specific geographies. Can your service help me keep up with the change in requirements?”
“Customer information and our intellectual property is the core of our business. We have contractual and legal obligations to keep it secure. We have to be in control of that process and cannot tolerate the risk of service provider promises.”
“We are entrusted with non-public data on behalf of our customers that cannot be compromised. Member data and customer data are our crown jewels. Are you keeping that data confidential?”
A cloud you can trust
We collaborate with customers and governments.
We live by industry standards and references.
We contractually commit on our obligations.
Trusted cloud principles
Our key principles to gain your organization’s trust in the cloud.
Transparency: You have visibility into how your data is being handled and used.
Compliance: Your content is stored and managed in compliance with applicable laws, regulations, and standards.
Privacy & Control: No one is able to use your data in a way that you do not approve.
Security: The confidentiality, integrity, and availability of your data is protected.
Compliance and Transparency
Compliance certifications: Microsoft maintains a team of experts focused on ensuring that the cloud meets its own compliance obligations, which helps customers meet their own compliance requirements.
Continual evaluation, benchmarking, adoption, test & audit: The compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices.
Independent verification: Microsoft datacenters and cloud services undergo ongoing verification by third-party audit firms.
Access to audit reports: Microsoft shares audit report findings and compliance packages with customers.
Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.
The Microsoft legacy of trust
Timeline milestones, 1989 to 2015: First Microsoft datacenter, Microsoft Security Response Center, Active Directory, Windows Update, Trustworthy Computing Initiative, Malware Protection Center, Security Development Lifecycle, Digital Crimes Unit, ISO/IEC 27001:2005, CJIS (Gov. cloud), SOC 1, PCI DSS 2.0, SOC 2, FedRAMP (Pub. cloud), SAS 70, Defense Messaging System, Windows C2, Operations Security Assurance, ISO/IEC 27018, PCI DSS 3.0, FISMA, Federal Desktop Core Configuration, Azure Government, CRM Online Government, FedRAMP JAB P-ATO (Gov. cloud), IRS 1075 (Gov. cloud).
Microsoft HyperScale Cloud - Azure Compliance
Azure has the largest compliance portfolio in the industry
United States: HIPAA / HITECH, FedRAMP JAB P-ATO, FIPS 140-2, 21 CFR Part 11, FERPA, DISA Level 2, CJIS, IRS 1075, ITAR-ready, Section 508 VPAT
Industry: ISO 27001, SOC 1 Type 2, SOC 2 Type 2, PCI DSS Level 1, Cloud Controls Matrix, ISO 27018, Content Delivery and Security Association, Shared Assessments
Regional: European Union
Audit cycle
CY Q1 to CY Q4: Readiness, Onsite audit, Remediation; Readiness, Onsite audit, Remediation
Guiding principles
• Align & integrate new certification within current calendar
• Automate the process of collecting evidence
• Standardize the process for certifications and attestations
• Scale to add new certifications and services
• Sustain by establishing repeatable processes
• Partner with other business groups to protect users
• Build once to increase return on investment
• Build to last: processes that are reliable across services
• Repurpose for consistency between customers
• Accountability builds trust with customers and partners
Cyber Threat Intelligence Program
Every day Microsoft datacenters receive hundreds of millions of attempted check-ins from computers infected with malware
Big Data from botnets and malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, and Bamital.
The Microsoft Cyber Threat Intelligence Program takes advantage of the Azure cloud computing platform to fight botnets and malware.
Partnering with Financial Services organizations
We share our CTIP intelligence with CERTs and ISPs
On September 29, 2014, the Microsoft Digital Crimes Unit announced a partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Assessing Risk in the MS Cloud
All Customers
Compliance Program: for-fee 1:1 access to Microsoft experts, information, and evidence
Ad Hoc Request
• Industry aligned responses (PCI)
• DLP controls
• FAQs
• Targeted information
• SME engagement
• Pentest report
• Audit webcasts
• Early release documentation (pandemics protection, DDoS)
Compliance Program Summits
• Ability to add controls to audit
• Ability to influence direction (SIFMA vs ENISA vs other)
• Cross group learnings
• Ability to request new updates (encryption)
Compliance Program Community
• Data privacy
• ISO/SSAE16 audit reports
• Industry regulator examination
• Data deletion
• Data usage
• Data location
Contractual Obligations, Audit Reports and Insights
• Geo location
• Subcontractors
• Best practice guidance
• Roadmap and changes
• Certification links
Trust Center and Certifications
• Audit log access
• Third party tooling
Content flow
Financial Services focus
• Financial Services Contractual Commitments
• Regulator Right to Examine. Contract terms support any regulator who requires direct examination of cloud operations and controls.
• Ability to address changes in your compliance environment. If there are changes to government laws, regulations, or requirements that affect the financial services industry, Microsoft will collaborate with your company on how to accommodate them, including adding additional products, services, or solutions.
• Contractual right to enroll in the fee-based Financial Services Compliance Program.
• Financial Services Compliance Program
• Invitation to an exclusive compliance discussion at Microsoft headquarters.
• Direct channel into the cloud’s engineering teams. Engage with cloud security and compliance engineering leadership and subject matter experts.
• Access to compliance artifacts and data not generally available, such as the Microsoft Information Security Policy and penetration testing reports of the cloud platform.
• An opportunity to meet with the cloud Risk Management Office, enabling you to better assess Azure’s overall approach to risk management.
• Audit influence. The ability to influence future additions to Azure’s audit scope.