Martin Vliem CISSP, CISA
National Security Officer
Microsoft The Netherlands
Security & privacy in the cloud; an easy road?
A journey to the trusted cloud
OLD WORLD
Information scarce
Static hierarchies
Compete to win
Individual productivity
Focus on planning ahead
Efficiency of process
NEW WORLD
Information abundant
Dynamic networks
Collaborate to win
Collective value creation
Experiment, learn and respond
Effectiveness of outcomes
THE SHIFT
DATA
The evolution of attacks
In the beginning: Isolated cases of nation-state espionage and young hackers exploring networks
Computing becomes pervasive: Computers used as tools to facilitate traditional offenses; hacking cases increase with motives becoming more diverse (e.g., fraud, hacktivism)
Today: Massive data thefts across verticals; rampant economic and military espionage; advanced persistent threats, destructive attacks
Future: Internet of Things enables new forms of large-scale attacks. Militarization of Cyberspace continues.
Fundamental questions
How secure is my data?
Can I control my data, is my data private?
How can I stay compliant with law and regulations?
What happens with my data?
A structured approach:
1. Data driven risk management
2. Cloud vendor assurances
3. Additional custom controls
CONCEPTUAL MODEL: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE. FROM INNOVATION TO OBLIGATION
[Figure labels: Supervisor, External Audit, Internal Audit, Risk Management; Supervisory rights; Risk adjustments; Business case; Operations; Data processing]
Your DATACENTER, Your RESPONSIBILITY
You own your data and identities and the responsibility for protecting them. You own the security of on-premises resources
Your DATA
Cloud Security is a partnership
Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.
You own your data and identities and the responsibility for protecting them. You own the security of on-premises resources and cloud components you control (varies by service type).
Opportunities versus risk
Data driven risk management & defense
You already had this responsibility…
Transfer operational & security controls to your cloud vendor
Embrace cloud capabilities for enhancing security
Timeframe | # of Enterprise customer data requests | # of requests had data disclosed in response
Jan – Jun 2015 | 6 | 2 (3 rejected/redirected to customer) (1 pending a resolution)
Jul – Dec 2014 | 3 | 1 (2 rejected/redirected to customer) (1 customer instruction)
Jan – Jun 2014 | 5 | 0 (5 rejected/redirected to customer)
Jul – Dec 2013 | 3 | 3
Jan – Jun 2013 | 19 | 5
Jan – Dec 2012 | 11 | 4
Source: http://aka.ms/letranspreport; *2012 data combines all 12 months and excludes Skype
“After all, people won’t use technology they don’t trust. We need to strike a better balance between privacy and national security to restore trust and uphold our fundamental liberties.
In particular, a year on, there are five things the U.S. government still needs to do:
End bulk collection
Reform the FISA Court”
https://www.reformgovernmentsurveillance.com/
Brad Smith, President & Chief Legal Officer, Microsoft on the Issues Blog - June 4, 2014
Trusted cloud principles
Assurances: descriptive | independently verified | contractual
ASSUME BREACH
[Figure: Protect, Detect, Respond timeline for CYBERTHREATS: First Host Compromised; Domain Admin Compromised; DATA LOSS (Attacker Undetected) 11-14 months; Breach Discovered]
Infrastructure as a Service: Azure - IaaS
Platform as a Service: Azure - PaaS
Software as a Service: Office 365 - SaaS
On Premises
Security Dependencies
1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization
2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems
3. Data: Identify and protect your most important information assets
4. User identity and device security: Strengthen protection for accounts and devices
5. Application security: Ensure application code is resilient to attacks
6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior
7. Operating system and middleware: Protect integrity of hosts
8. Private or on-premises environments: Secure the foundation
Control areas – supported by cloud
TRUST & FREEDOM OF CHOICE
CONTRACTING: Microsoft Online Services Terms (OST), …
INDEPENDENTLY VERIFIED: ISO27001, 27002, 27018, Audit Report, …
DESCRIPTIVE INFORMATION: Microsoft Trustcenter whitepapers, …
CUSTOMER AS DATA CONTROLLER
RISKS: SECURITY; PRIVACY; QUALITY OF SERVICE; GOVERNANCE, RISK MANAGEMENT, COMPLIANCE; DATA “ownership”
MICROSOFT AS DATA PROCESSOR
CONTROLS: SECURITY; PRIVACY & CONTROL; COMPLIANCE; RELIABILITY; TRANSPARENCY
ADDITIONAL CONTROLS
Trustworthy Computing 2.0
Secure OPERATIONS
Secure DEVELOPMENT
Secure and Empower CUSTOMERS
International certifications like ISO, SOX and HIPAA certify that our control activities operate in accordance with expectations and comply with regulatory obligations.
Security Development Lifecycle focuses on security as a core component in the software development process, reducing the risk of costly issues, improving the security and privacy of applications, and protecting enterprise data and reputations.
Operational Security Assurance (OSA) provides real-world effectiveness against today’s threat models that goes well beyond our external (and necessary) certifications.
Software Integrity Policies include mandatory engineering policies like code signing and checking for malware.
Security features in our products help safeguard data and protect access to systems.
Security services help customers protect, detect and respond to security events through technology and consulting services.
Controllability of data and services ensures customers can meet their own internal compliance requirements.
Cybercrime Prevention combines top legal and technical talent, cutting-edge forensics, and business intelligence to fight digital crime.
Transparency into our practices and access to governments to review our source code provides assurance to all customers.
Secure ECOSYSTEM
Cybersecurity collaboration with security researchers and vendors, and between MSIT and customers, helps contribute to safer systems and experiences.
Developing Cyber Norms: working with governments to develop offensive, defensive and industry norms to promote cyber security.
Cloud first; your choice!