Microsoft Azure
Trust in the Cloud
Ovidiu Pismac
MCSE Security, CISSP, MCSE Private Cloud / Server & Desktop infrastructure, MCTS Forefront
Microsoft Romania
• 430B+ Microsoft Azure AD authentications
• 280% year-over-year database growth in Microsoft Azure
• 50% of Fortune 500 use Microsoft Azure
• Economics: $25,000 in the cloud would cost $100,000 on premises
• Scale: scale from 30,000 to 250,000 site visitors instantly
• Speed: 2 weeks to deliver new services vs. 6-12 months with a traditional solution
Technology trends: driving cloud adoption
Cloud Trend: 70% of CIOs will embrace a cloud-first strategy in 2016 (IDC CIO Agenda webinar)
BENEFITS
Pre-adoption concern
• 60% cited concerns around data security as a barrier to adoption
• 45% concerned that the cloud would result in a lack of data control
Benefits realized
• 94% experienced security benefits they didn't previously have on-premises
• 62% said privacy protection increased as a result of moving to the cloud
Cloud innovation
OPPORTUNITY FOR SECURITY & COMPLIANCE BENEFITS
Trustworthy foundation
BUILT ON MICROSOFT EXPERIENCE AND INNOVATION
Milestones shown on the timeline graphic: 1st Microsoft Data Center; Active Directory; Windows Update / Microsoft Update; Trustworthy Computing Initiative; Security Development Lifecycle; Global Data Center Services; Microsoft Security Response Center; Malware Protection Center; Digital Crimes Unit; 20+ Data Centers; Operations Security Assurance; compliance milestones SOC 1, SOC 2, CSA Cloud Controls Matrix, PCI DSS Level 1, FedRAMP/FISMA, UK G-Cloud Level 2, ISO/IEC 27001:2005, HIPAA/HITECH, E.U. Data Protection Directive
• Trustworthy Computing: created the SDL, which has become the industry standard for developing secure software
• Security Centers of Excellence: protecting Microsoft customers by combatting evolving threats
• 20+ Data Centers: operating Microsoft Azure in 11 data centers around the world, plus 2 in China
• Compliance Standards: investing heavily in robust compliance processes, including ISO 27001, FedRAMP, and HIPAA
Shared responsibility
REDUCE SECURITY COSTS + MAINTAIN FLEXIBILITY, ACCESS, & CONTROL
Automated, managed resources; elastic; usage based
Responsibilities are split between Customer and Microsoft
Market Endorsement
• Gartner Magic Quadrant for Cloud Infrastructure as a Service (IaaS)
• Gartner Magic Quadrant for Enterprise Application Platform as a Service (PaaS)
• Gartner Magic Quadrant for Public
Transparency & independent verification
• Best practices and guidance
• Third-party verification
• Cloud Security Alliance
• Security intelligence report
• Compliance packages
• Trust Center
• Access to audit reports
• Security Response Center progress report
Microsoft approach in action
Design & operations
• Software: security embedded in planning, design, development, & deployment
• Operational security controls: rigorous controls to prevent, detect, contain, & respond to threats
• Assume breach: hardening cloud services through simulated real-world attacks
• Incident response: global, 24x7 incident response to mitigate effects of attacks
Security
We chose Azure because all things being equal, it is the easiest cloud platform to work with. Security and patching are already taken care of, so
• 24-hour monitored physical security
• Secure multi-tenant environment
• Firewalls
• Patch management
• System monitoring and logging
• Antivirus/antimalware protection
• Threat detection
• Forensics
Service security starts with physical data center
Building:
• Cameras
• 24x7 security staff
• Barriers
• Fencing
• Alarms
• Two-factor access control: biometric readers & card readers
• Security operations center
• Days of backup power
• Seismic bracing
Architected for secure multi-tenancy
AZURE:
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle-tested and enterprise-proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services
CUSTOMER:
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines
Microsoft and Interoperability
"DHMC runs both Windows Server as guest operating systems under Hyper-V, as well as Linux. To date, DHMC has virtualized Web servers, sites on Microsoft Office SharePoint® Server, reporting servers, medical applications, domain controllers, file and print servers, Citrix servers, and more."
Dartmouth Hitchcock Medical Center Case Study
• Microsoft commitment to support Linux: Red Hat, SUSE, CentOS, openSUSE, Ubuntu, Oracle Linux, and the new FreeBSD 10 on Hyper-V
• System Center Configuration Manager 2012 SP1 supports administering non-Windows platforms: Linux, Unix (monitored by SCOM) and Mac OS X systems
• System Center Operations Manager 2012 SP1 supports monitoring of non-Windows systems, including Linux (Red Hat, SUSE, CentOS) and Unix (HP-UX, Sun Solaris and IBM AIX); from January 2013, new Linux distributions supported: Debian Linux, Oracle Linux, Ubuntu Linux Server
• System Center Virtual Machine Manager 2012 manages VMware ESX servers and Citrix XenServer hosts
Support matrix (rows: Operations Manager, Configuration Manager, Endpoint Protection, Virtual Machine Manager, Hyper-V, Azure IaaS; columns: Linux – Red Hat, SUSE, CentOS, Ubuntu, Debian, Oracle; UNIX – AIX, HP-UX, Solaris). Individual cell values are not recoverable; the original marks some cells "No Plans" and "Future".
Network protection
• Virtual Networks: segregate network access between customers, management systems & the internet
• Network: connects cloud services using private IP addresses and subnets
• Cloud to on-premises connections: site-to-site, point-to-site, and ExpressRoute help enable secure connection to Azure
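An added example, not taken from the original deck, of the three network controls above expressed in Azure PowerShell (Az.Network module): a Network Security Group that explicitly denies inbound traffic from the Internet and permits management only from the on-premises range, a virtual network with private address space and the dedicated GatewaySubnet, and a route-based IPsec site-to-site connection to an on-premises VPN device. The resource names, the 10.20.0.0/16 and 10.10.0.0/16 address spaces, the on-premises address 203.0.113.10 and the pre-shared key are placeholders chosen for the example.

```powershell
# Added example: Azure network segmentation + site-to-site VPN (Az PowerShell).
# All names, prefixes and the on-premises public IP below are placeholders.
Connect-AzAccount | Out-Null

$rgName   = "rg-trust-demo"
$location = "westeurope"
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# 1. Network Security Group: management (RDP) only from the on-premises range,
#    everything inbound from the Internet explicitly denied ahead of the defaults.
$allowMgmtFromOnPrem = New-AzNetworkSecurityRuleConfig -Name "allow-rdp-from-onprem" `
    -Description "Management only over the site-to-site tunnel" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix "10.10.0.0/16" -SourcePortRange * `
    -DestinationAddressPrefix "10.20.1.0/24" -DestinationPortRange 3389

$denyInternetInbound = New-AzNetworkSecurityRuleConfig -Name "deny-inbound-from-internet" `
    -Description "Explicit deny; the Internet service tag covers all public source addresses" `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name "nsg-app" -SecurityRules $allowMgmtFromOnPrem, $denyInternetInbound

# 2. Virtual network: private address space, an application subnet bound to the
#    NSG, and the GatewaySubnet (that exact name) which the VPN gateway requires.
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-app" `
    -AddressPrefix "10.20.1.0/24" -NetworkSecurityGroup $nsg
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" `
    -AddressPrefix "10.20.255.0/27"
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Location $location `
    -Name "vnet-app" -AddressPrefix "10.20.0.0/16" -Subnet $appSubnet, $gwSubnet

# 3. Site-to-site: describe the on-premises side, then build a route-based VPN
#    gateway and an IPsec connection authenticated with a pre-shared key.
$onPrem = New-AzLocalNetworkGateway -ResourceGroupName $rgName -Location $location `
    -Name "lng-onprem" -GatewayIpAddress "203.0.113.10" -AddressPrefix "10.10.0.0/16"

$gwPip = New-AzPublicIpAddress -ResourceGroupName $rgName -Location $location `
    -Name "pip-vpngw" -Sku Standard -AllocationMethod Static
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" `
    -SubnetId $gwSubnetId -PublicIpAddressId $gwPip.Id
$vpnGw = New-AzVirtualNetworkGateway -ResourceGroupName $rgName -Location $location `
    -Name "vpngw-app" -IpConfigurations $gwIpConfig `
    -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# The pre-shared key is typed in, handed to the on-premises device out of band,
# and never written into the script or the shell history.
$psk = Read-Host -Prompt "IPsec pre-shared key" -AsSecureString
$pskPlain = [System.Net.NetworkCredential]::new("", $psk).Password
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgName -Location $location `
    -Name "cn-onprem" -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $onPrem `
    -ConnectionType IPsec -SharedKey $pskPlain | Out-Null

# 4. Verify: the rules actually attached to the subnet, and the tunnel state.
Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name "nsg-app" |
    Select-Object -ExpandProperty SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
(Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgName -Name "cn-onprem").ConnectionStatus
```

Gateway provisioning takes tens of minutes, so the final ConnectionStatus check is usually run again later; it reports Connected only after the on-premises device has been configured with the same pre-shared key and matching IPsec parameters. The deny rule at priority 4000 is redundant with the default DenyAllInBound rule but makes the intent visible in audits and survives someone adding a broad allow rule at a lower priority than 4000.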
• Microsoft employee access management
• Monitor & protect access to cloud apps
• Enterprise cloud identity: Azure AD
• Multi-Factor Authentication
• Data encryption options: BitLocker, Azure RMS, AES-256 (the largest key size AES defines)
• Data segregation
• Data location and redundancy
• Data destruction
Data location and redundancy
Note: Microsoft Azure data centers, Australia – Q2 FY15
AZURE:
• Creates three copies of data in each datacenter
• Offers geo-replication in a datacenter 400+ miles away
• Does not transfer Customer Data outside of a geo (ex: from US to Europe or from Asia to US)
CUSTOMER:
• Chooses where data resides
• Configures data replication
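An added example, not from the original deck, that exercises the customer side of the two data slides above (encryption options and data location/redundancy) in Azure PowerShell: the customer picks the region and the replication tier when creating a storage account, confirms that storage-service encryption (AES-256, platform-managed keys) is active rather than assuming it, reads the geo-replication status, and turns on Azure Disk Encryption, which is BitLocker on a Windows VM, with the key material escrowed in Key Vault. The resource group, region, storage account and Key Vault names are placeholders, and a Windows VM named "vm-app" is assumed to already exist in the same region.

```powershell
# Added example: data location, redundancy and encryption at rest (Az PowerShell).
# Names and region are placeholders; the Windows VM "vm-app" is assumed to exist.
Connect-AzAccount | Out-Null
$rgName   = "rg-trust-demo"
$location = "westeurope"                                  # customer chooses where data resides
$saName   = "sttrustdemo" + (Get-Random -Maximum 99999)   # storage names: 3-24 lowercase alphanumerics, globally unique

# 1. Customer configures replication. Standard_GRS keeps three copies in the primary
#    region and three more in its paired region inside the same geo; Standard_LRS
#    would keep only the three local copies.
$sa = New-AzStorageAccount -ResourceGroupName $rgName -Name $saName -Location $location `
    -SkuName Standard_GRS -Kind StorageV2 `
    -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false -EnableHttpsTrafficOnly $true

# 2. Encryption at rest: verify it is on and who holds the keys.
$enc = $sa.Encryption
[pscustomobject]@{
    BlobEncrypted = $enc.Services.Blob.Enabled
    FileEncrypted = $enc.Services.File.Enabled
    KeySource     = $enc.KeySource     # "Microsoft.Storage" = platform-managed AES-256 keys
}

# 3. Geo-replication state. LastSyncTime bounds how much data the secondary can be
#    missing if the primary region is lost; it is empty until the first sync completes.
$sa    = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName -IncludeGeoReplicationStats
$stats = $sa.GeoReplicationStats
"Primary: $($sa.PrimaryLocation); secondary: $($sa.SecondaryLocation); status: $($stats.Status); last sync: $($stats.LastSyncTime)"

# 4. BitLocker for IaaS disks: Azure Disk Encryption on the VM, keys escrowed in a
#    Key Vault in the same region that is explicitly enabled for disk encryption.
$kvName = "kv-trust-" + (Get-Random -Maximum 99999)
$kv = New-AzKeyVault -ResourceGroupName $rgName -Name $kvName -Location $location -EnabledForDiskEncryption
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName "vm-app" `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName "vm-app" |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

The encryption extension reboots the VM and can take a while to report Encrypted for the OS volume; rerun the last cmdlet until both properties show Encrypted. Deleting the Key Vault (or its secrets) makes the encrypted disks unrecoverable, which is why the data-destruction controls on the next slide apply to key material as much as to disk platters.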
Data deletion and destruction
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed at the datacenter
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to
Privacy controls are built into Azure design and operations
Contractual commitments
• Microsoft makes strong contractual commitments to safeguard customer data, covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
Broad privacy protections
• Enterprise cloud-service specific privacy protections benefit every industry & region
EU Data Privacy Approval
• Microsoft meets a high bar for protecting privacy of EU customer data
• Microsoft offers customers EU Model Clauses for transfer of personal data across international borders
• Microsoft's approach was approved by the Article 29 committee of EU data protection authorities – the first company & cloud vendor to obtain this
Privacy
Our vision is to be the national leader
in patient-centered e-healthcare.…
Using Windows Azure as our delivery
system provides us with a level of trust
and reliability that makes this
Information security standards, effective controls, government & industry certifications:
• ISO 27001
• SOC 1 Type 2
• SOC 2 Type 2
• FedRAMP/FISMA
• PCI DSS Level 1
• UK G-Cloud
Program Description