Cloud Computing In a Post Snowden World

Guy Wiggins, Kelley Drye & Warren LLP
Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs


August 18, 2014

Guy Wiggins, Director of Practice Management, Kelley Drye & Warren LLP

325 Attorneys
6 Offices – NY, Washington DC, CT, CH, NJ and LA

Common Definitions
From NIST (National Institute of Standards and Technology)

Three basic types of Cloud Service Models

• Cloud Infrastructure as a Service (IaaS) – involves the provisioning of fundamental computer resources (e.g. processing, storage)

• Cloud Software as a Service (SaaS) – involves access to a provider’s software as a service (e.g. G‐mail, Salesforce)

• Cloud Platform as a Service (PaaS) – involves the provision to users of the capability to deploy onto cloud infrastructure applications created by the user with provider-supported programming languages and tools (e.g. Azure)

Common Definitions
From NIST (National Institute of Standards and Technology)

Four models for deployment of cloud infrastructure

• Private Cloud – maintains all technology components, servers and software for a single organization. May be managed by a 3rd party.

• Public Cloud – available to anyone, from individuals to large organizations, and is owned and controlled by the provider of the service. Offers the greatest potential flexibility and cost savings. E.g. Salesforce

• Community Cloud – cloud infrastructure shared by several organizations that supports a specific community with shared concerns.

• Hybrid Cloud – involves a mix of two or more of these models

Cloud Value Proposition
What makes moving to the Cloud compelling for a business?

• Pay just for what you need – Cloud technologies make it easy to scale up and scale down depending on demand for storage, bandwidth, processing etc.

• Flexible Pricing – pay just for what you use, and quickly increase or decrease usage with minimal involvement by the service provider.

• Agility – Cloud technologies allow companies to move quickly. No long procurement cycles – and new business ideas and services can be brought to market much more quickly.

• Improved Focus on business value – instead of maintaining current systems, your IT Department can spend more time solving new business problems.

• Mobility – being on the cloud means that information is instantly available to all devices, from PCs to laptops to tablets and iPhones. Most Cloud services are also browser and OS agnostic

Can the Cloud be Trusted?
How to assess risk

Key concerns
• Privacy
• Loss of control
• Regulatory Compliance
• Physical/logical security

• Need for Due Diligence – “Governance, Risk and Compliance”

• Risk Assessments – Business Impact of “What If’s”

• Ensuring you use the right contractual terms to enable your strategy

• Security and Privacy

• Business Continuity

• 3rd Party Litigation and e‐Discovery

• Regulation Compliance

Due Diligence Questions
Asking “What If”

• Bankruptcy

• M&A (non-prevailing product goes extinct)

• Contract Breach (Blown SLAs)

• Force Majeure

• Extended Outage

• Exit Strategy – how can I get my data off once it’s on?

• Can’t Recover Your Data

Contingency Planning
If something goes wrong, what is the plan?

• Crafting a Plan – think about working with a neutral 3rd party vendor

• Define your Standards

• What are the Triggers that set contingency in motion?

• Is there a neutral Third Party that can execute the plan?

• Is there a way to continue working while the contingency plan is being executed?

• Test to verify that the plan works

• Make sure you have unambiguous contract terms if possible

Contractual Issues Checklist
Key areas to review

• Clear articulation of fees for services and modifications

• Well‐defined performance metrics and remedies for service failures

• Security, privacy and audit commitments that will satisfy regulatory concerns and understanding where data resides

• Business continuity, disaster recovery and force majeure events

• Clear restrictions on use and ownership of customer data and IP

• Provision for termination of contract and moving to a different provider, including data recovery

• Addressing the impacts of disputes and bankruptcy (e.g. software escrow)

• E‐Discovery – is there a reasonable process to put in place a hold and preserve data?


Thank you for being here today

Alicia Lowery Rosenbaum, Attorney, Microsoft Legal & Corporate Affairs

Trust considerations

- Forbes, 2013

• Security – Is cloud computing secure? Where is my data and do I have access?

• Privacy – What does privacy mean? Is my data used for advertising?

• Compliance – How do you support my compliance needs?

Security

Security best practices like penetration testing, defense-in-depth to protect against cyber-threats

Built-in Capabilities

• Physical and data security with access control, encryption and strong authentication

Flexible Customer Controls

• Unique customer controls with Rights Management Services to empower customers to protect information

Defense in depth

• Physical Security – Physical controls, video surveillance, access control

• Network – Edge routers, firewalls, intrusion detection, vulnerability scanning

• Host – Access control and monitoring, anti-malware, patch and configuration management

• Application – Secure engineering (SDL), access control and monitoring, anti-malware

• Admin – Account management, training and awareness, screening

• Data – Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Independently verified to meet key standards – ISO 27001, SSAE 16, FISMA

Physical Security

Seismic bracing

24x7 onsite security staff

Days of backup power

Tens of thousands of servers

Customer data isolation

Designed to support logical isolation of data that multiple customers store in the same physical hardware.

Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.

[Diagram: Customer A, Customer B]

Administrators

• Automatic account deletion
• Unique accounts
• Zero access privileges
• SDL
• Annual training
• Background checks
• Screening

‘Lock Box’
Zero access privilege & role based access

Request

Approve

Request with reason

Zero standing privileges

Temporary access granted

Grants least privilege required to complete task.

Verify eligibility by checking if

1. Background check completed

2. Fingerprinting completed

3. Security training completed
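
Added example (not part of the original slides and not Microsoft's implementation): a small Python model of the Lock Box flow above, with zero standing privileges, a request that must carry a reason, the three eligibility checks, and a temporary grant limited to one scope. The separate-approver rule, the duration cap, and the names `alice`, `bob`, `carol` and `mailbox-db-7` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Eligibility checks listed on the slide.
REQUIRED_CHECKS = ("background_check", "fingerprinting", "security_training")

@dataclass
class Engineer:
    name: str
    completed: set = field(default_factory=set)  # checks this person has passed

class LockBox:
    """Hypothetical model: nobody holds access until a request is approved."""
    def __init__(self, max_minutes=60):
        self.max_minutes = max_minutes  # assumed cap on any single grant
        self.grants = []                # (engineer, scope, expiry)
        self.audit = []                 # (time, engineer, scope, decision, detail)

    def request(self, eng, scope, reason, minutes, approver, now):
        missing = [c for c in REQUIRED_CHECKS if c not in eng.completed]
        if not reason.strip():
            decision, detail = "denied", "no reason given"
        elif missing:
            decision, detail = "denied", "missing: " + ", ".join(missing)
        elif approver is None or approver == eng.name:
            decision, detail = "denied", "needs a separate approver"
        else:
            minutes = min(minutes, self.max_minutes)
            self.grants.append((eng.name, scope, now + timedelta(minutes=minutes)))
            decision, detail = "granted", f"{minutes} min, approved by {approver}"
        self.audit.append((now, eng.name, scope, decision, detail))
        return decision == "granted"

    def allowed(self, eng, scope, now):
        # Least privilege: only an unexpired grant for this exact scope counts.
        return any(name == eng.name and s == scope and now < exp
                   for name, s, exp in self.grants)

def demo():
    t0 = datetime(2014, 8, 18, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    box = LockBox(max_minutes=30)
    alice = Engineer("alice", set(REQUIRED_CHECKS))
    bob = Engineer("bob", {"background_check", "security_training"})
    box.request(bob, "mailbox-db-7", "ticket 1001", 20, "carol", t0)     # ineligible
    box.request(alice, "mailbox-db-7", "ticket 1001", 120, "carol", t0)  # capped at 30
    return box, alice, bob, t0

if __name__ == "__main__":
    for entry in demo()[0].audit:
        print(entry)
```

Every request, granted or denied, lands in the audit list, which is the record a customer-facing access report would be built from.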

Encryption

Data at Rest
• Disks encrypted with BitLocker
• Encrypted shredded storage

Data in transit
• SSL/TLS Encryption
• Client to Server
• Server to Server
• Data center to Data center

Encrypted shredded storage

[Diagram: lettered blocks (A–E), Key Store, Content DB]

Privacy

Privacy by design means that we do not use your information for anything other than providing you services

No Advertising

• No advertising products out of Customer Data

• No scanning of email or documents to build analytics or mine data

Transparency

• Access to information about geographical location of data, who has access and when

• Notification to customers about changes in security, privacy and audit information

Privacy controls

• Various customer controls at admin and user level to enable or regulate sharing

• If the customer decides to leave the service, they get to take their data and delete it in the service

Transparency

Where is Data Stored?

Clear Data Maps and Geographic boundary information provided. ‘Ship To’ address determines Data Center Location.

Who accesses and what is accessed?

Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access is limited to key personnel on an exception basis only.

Do I get notified?

Microsoft notifies you of changes in data center locations.

On government snooping…

To be clear, here’s what we do, and what we don’t do:

We don’t provide any government with direct, unfettered access to your data.

We don’t assist any government’s efforts to break our encryption or provide any government with encryption keys.

We don’t engineer back doors into our products and we take steps to ensure governments can independently verify this.

If, as reports suggest, there is a bigger surveillance program, we are not involved

EU Data Protection Authorities validate Microsoft’s approach to privacy

Article 29 Working Party - collection of data protection authorities in Europe regulating world’s toughest privacy laws

Validation by EU Data Protection Authorities for Microsoft’s commercial commitments for DPA/EU Model Clauses (covering Office 365, Azure, CRM Online, and Intune)

• Microsoft is the only provider to have received this validation

• Standard part of contracts as of July 1st

http://www.tgdaily.com/enterprise/100136-microsoft-gains-eu-security-approval

Office 365 is built with a focus on privacy and security that allows us to obtain important industry certifications and enables customers to meet international laws and regulations

Built-in Capabilities

• 3rd party certification and audits

Customer controls for compliance

• Data Loss Prevention (DLP)
• Archiving and Legal Hold
• E-Discovery

Email archiving and retention

Preserve Search

In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA

Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message

Hold
• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification

eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met

Data Loss Prevention (DLP)

Empower users to manage their compliance

• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own

We’ll now open it up for questions

Questions

Thank You