In the Cloud We Trust!

Academic year: 2021

(1)

In the Cloud We Trust!

Dejan Cvetkovic

CTO, Microsoft CEE

(2)

Agenda

Compliance for Financial Services

Financial Services Compliance Program

Risk Management and Threat Intelligence

The Microsoft Approach to Compliance

(3)

What Motivates Financial Services Regulators

Visibility into Risk Management

(4)

What Motivates Financial Institutions

“I need Microsoft to partner with my company, listen to our business requirements, show me that you understand, and help me address these.”

“Our brand is what people trust to make decisions all over the world. It is our competitive edge. It is the critical element of what we sell and how we are perceived by our customers.”

“As a consumer, I like the idea of continued innovation. However, my business audit rules require that we have periods of zero change. Sometimes we even have to revert to the state of a system at a particular time.”

“There are evolving laws in many countries which require data to be located in specific geographies. Can your service help me keep up with the change in requirements?”

“Customer information and our intellectual property are the core of our business. We have contractual and legal obligations to keep it secure. We have to be in control of that process and cannot tolerate the risk of service provider promises.”

“We are entrusted with non-public data on behalf of our customers that cannot be compromised. Member data and customer data are our crown jewels. Are you keeping that data confidential?”

(5)

A cloud you can trust

We collaborate with customers and governments.

We live by industry standards and references.

We contractually commit on our obligations.

(6)

Trusted cloud principles

Our key principles to gain your organization’s trust in the cloud.

Transparency: You have visibility into how your data is being handled and used.

Compliance: Your content is stored and managed in compliance with applicable laws, regulations, and standards.

Privacy & Control: No one is able to use your data in a way that you do not approve.

Security: The confidentiality, integrity, and availability of your data are protected.

(7)

Compliance and Transparency

Compliance certifications: Microsoft maintains a team of experts focused on ensuring that the cloud meets its own compliance obligations, which in turn helps customers meet their own compliance requirements.

Continual evaluation, benchmarking, adoption, test & audit: The compliance strategy helps customers address business objectives and industry standards and regulations, including ongoing evaluation and adoption of emerging standards and practices.

Independent verification: Microsoft datacenters and cloud services undergo ongoing verification by third-party audit firms.

Access to audit reports: Microsoft shares audit report findings and compliance packages with customers.

Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.

(8)

The Microsoft legacy of trust

Milestones shown on the timeline (years marked: 1989, 1996, 2000, 2005, 2010, 2012, 2014, 2015): First Microsoft datacenter; Microsoft Security Response Center; Active Directory; Windows Update; Trustworthy Computing Initiative; Malware Protection Center; Security Development Lifecycle; Digital Crimes Unit; ISO/IEC 27001:2005; CJIS (Gov. cloud); SOC 1; PCI DSS 2.0; SOC 2; FedRAMP (Pub. cloud); SAS 70; Defense Messaging System; Windows C2; Operations Security Assurance; ISO/IEC 27018; PCI DSS 3.0; FISMA; Federal Desktop Core Configuration; Azure Government; CRM Online Government; FedRAMP JAB P-ATO (Gov. cloud); IRS 1075 (Gov. cloud).

(9)

Microsoft HyperScale Cloud - Azure Compliance

Azure has the largest compliance portfolio in the industry

United States: HIPAA / HITECH, FedRAMP JAB P-ATO, FIPS 140-2, 21 CFR Part 11, FERPA, DISA Level 2, CJIS, IRS 1075, ITAR-ready, Section 508 VPAT

Industry: ISO 27001, SOC 1 Type 2, SOC 2 Type 2, PCI DSS Level 1, Cloud Controls Matrix, ISO 27018, Content Delivery and Security Association, Shared Assessments

Regional: European Union

(10)

Audit cycle

From CY Q1 to CY Q4, two rounds of: Readiness, Onsite audit, Remediation; Readiness, Onsite audit, Remediation.

Guiding principles

• Align & integrate new certifications within the current calendar

• Partner with other business groups to protect users

• Automate the process of collecting evidence

• Build once to increase return on investment

• Standardize the process for certifications and attestations

• Build to last: processes that are reliable across services

• Scale to add new certifications and services

• Repurpose for consistency between customers

• Sustain by establishing repeatable processes

• Accountability builds trust with customers and partners

(11)

Cyber Threat Intelligence Program

Every day Microsoft datacenters receive hundreds of millions of attempted check-ins from computers infected with malware

Big Data from botnets and malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, and Bamital.

The Microsoft Cyber Threat Intelligence Program takes advantage of the Azure cloud computing platform to fight botnets and malware.

(12)

Partnering with Financial Services organizations

We share our CTIP intelligence with CERTs and ISPs

On September 29, 2014, the Microsoft Digital Crimes Unit announced a partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC).

(13)

Assessing Risk in the MS Cloud

All Customers Compliance Program

• For-fee 1:1 access to Microsoft experts, information, and evidence

Ad Hoc Request

• Industry aligned responses (PCI)

• DLP controls

• FAQs

• Targeted information

• SME engagement

• Pentest report

• Audit webcasts

• Early release documentation (pandemic protection, DDoS)

Compliance Program Summits

• Ability to add controls to audit

• Ability to influence direction (SIFMA vs ENISA vs other)

• Cross-group learnings

• Ability to request new updates (encryption)

Compliance Program Community

• Data privacy

• ISO/SSAE16 audit reports

• Industry regulator examination

• Data deletion

• Data usage

• Data location

Contractual Obligations, Audit Reports and Insights

• Geo location

• Sub-contractors

• Best practice guidance

• Roadmap and changes

• Certification links

Trust Center and Certifications

• Audit log access

• Third-party tooling

Content flow

(14)

Financial Services focus

• Financial Services Contractual Commitments

• Regulator Right to Examine. Contract terms support any regulator who requires direct examination of cloud operations and controls.

• Ability to address changes in your compliance environment. If there are changes to government laws, regulations, or requirements that affect the financial services industry, Microsoft will collaborate with your company on how to accommodate them, including adding additional products, services, or solutions.

• Contractual right to enroll in the fee-based Financial Services Compliance Program.

• Financial Services Compliance Program

• Invitation to an exclusive compliance discussion at Microsoft headquarters

• Direct channel into the cloud’s engineering teams. Engage with cloud security and compliance engineering leadership and subject matter experts.

• Access to compliance artifacts and data not generally available, such as the Microsoft Information Security Policy and penetration testing reports of the cloud platform.

• An opportunity to meet with the cloud Risk Management Office, enabling you to better assess Azure’s overall approach to risk management.

• Audit influence. The ability to influence future additions to Azure’s audit scope.

(15)