Cloud Principles - Office 365
Transcript of Cloud Principles - Office 365
Data Centers / Security and Privacy / Client Requirements
Cloud Principles
AGENDA
• Microsoft Cloud Principles
• Security and Privacy
The Inevitable Questions
Security
• Is cloud computing secure?
• Are Microsoft Online Services secure?
Transparency
• Where is my data?
• Who has access to my data?
Privacy
• What does privacy at Microsoft mean?
• Are you using my data to build advertising products?
Compliance
• What certifications and capabilities does Microsoft hold?
• How does Microsoft support customer compliance needs?
• Do I have the right to audit Microsoft?
Office 365 - Foundation
• Relentless on Security: excellence in cutting-edge security practices
• Independently Verified: compliance with world-class industry standards, verified by 3rd parties
• Your Privacy Matters: we respect your privacy
• Leadership in Transparency: you know 'where' data resides, 'who' can access it and 'what' we do with it
Microsoft Online Services Trust Center
http://trustoffice365.com
• Office 365 Privacy Whitepaper
• Office 365 Security Whitepaper and Service Description
• Office 365 Standard Responses to Request for Information
• Office 365 Information Security Management Framework
Microsoft Office 365 – Cloud Principles
1. Services are highly configurable and scalable without customization.
2. Services are under the Microsoft Security Policy.
3. We provide transparency in data location and transfers.
4. We audit on your behalf and provide certification reports.
5. Microsoft's liability is capped, consistent with industry standards.
6. Office 365 is an evergreen service. Customers need to stay current.
7. Our solution evolves rapidly with a documented roadmap.
8. We provide services offers to help you migrate to the cloud efficiently.
1. Configurable Services. Services are highly configurable and scalable without customization.
Office 365 is a highly standardized service that Microsoft offers under highly standardized contractual terms and conditions.
Customers can mix and match services to meet their requirements.
The benefits of this approach are built-in upgrades, reliability, availability and price.
Office 365 is a highly configurable, but not a customizable, solution.
2. Security. Services are under the Microsoft Security Policy.
Security sits alongside Compliance and Privacy and Regulations.
Microsoft Security Development Lifecycle: reduce vulnerabilities, limit exploit severity
Training: Core Security Training
Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
Release: Incident Response Plan; Final Security Review; Release Archive
Response: Execute Incident Response Plan
Education: administer and track security training
Process: guide product teams to meet SDL requirements; ongoing process improvements
Accountability: establish release criteria and sign-off as part of the Final Security Review (FSR); Incident Response (MSRC)
Service Security – Defense in Depth
A risk-based, multi-dimensional approach to safeguarding services and data
• Security Management: threat and vulnerability management, monitoring, and response
• Network perimeter: edge routers, intrusion detection, vulnerability scanning
• Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
• Host: access control and monitoring, anti-malware, patch and configuration management
• Application: secure engineering (SDL), access control and monitoring, anti-malware
• Data: access control and monitoring, file/data integrity
• User: account management, training and awareness, screening
• Facility: physical controls, video surveillance, access control
Industry-recognized security improvements
https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html
Privacy at Office 365
At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.
• No Mingling: choices to keep Office 365 Customer Data separate from consumer services.
• Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time.
• No Advertising: no advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.
How Privacy of Data is Protected
How Microsoft Online Services uses each category of Customer Data:
Use | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No
We use customer data only for what customers pay us for: to maintain and provide the Office 365 Service.
Who has access to each category of Customer Data:
Who | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Troubleshooting. | No Direct Access. May Be Transferred During Troubleshooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.
Compliance
Office 365 compliance
We are the first and only major cloud-based productivity service to offer the following:
• Data Processing Agreement: addresses privacy, security and handling of Customer Data. Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states. Enables customers to comply with their local regulations.
• EU Model Clauses: a set of stringent European Union-wide data protection requirements. Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.
• ISO27001: one of the best security benchmarks available across the world. Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management domains.
Office 365 compliance
• EU Safe Harbor: the EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification. Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.
• US Health Insurance Portability and Accountability Act (HIPAA): a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information. Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.
Comply with additional industry-leading standards
Office 365 Compliance With Key Standards
Standard | Applies to | Status
ISO 27001 | All customers | Available
EU Safe Harbor | EU customers | Available
SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance | Primarily US customers | Available
FISMA | US Government | Available
HIPAA/BAA | All customers | Available
EU Model Clauses | EU customers | Available
Data Processing Agreement | All customers | Available
FERPA | EDU customers | Available
3. Transparency. We provide transparency in data location and transfers.
Where is Data Stored? Clear data maps and geographic boundary information are provided; the 'Ship To' address determines the data center location.
How to get notified? Microsoft notifies you of changes in data center locations.
Who accesses and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes, and access is limited to key personnel on an exception basis.
At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.
4. Audits. We audit on your behalf and provide certification reports.
This saves customers time and money, and allows Microsoft to provide assurances to customers at scale.
Microsoft provides transparency
• Alignment and adoption of industry standards ensure a comprehensive set of practices and controls are in place to protect sensitive data.
• While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls.
"I need to know Microsoft is doing the right things…"
Auditing on Your Behalf
Compliance Management Framework
• Policy: business rules for protecting information and the systems which store and process information
• Control Framework: a process or system to assure the implementation of policy
• Standards: system- or procedure-specific requirements that must be met
• Operating Procedures: step-by-step procedures
5. Liability. Microsoft's liability is capped, consistent with industry standards.
• Liability represents an aggregate amount.
• Liability is limited to direct damages.
• Microsoft's liability is capped at 12 months' services fees.
6. Evergreen. Office 365 is an evergreen service. Customers need to stay current.
• One of the great benefits of the service is that it is evergreen, meaning always up to date when it comes to security patches, updates and upgrades.
• As a result, software update cycles of the on-premises part of the overall solution should ideally be in sync with the service (or at least N-1 for the client software) to avoid integration and compatibility issues.
• For major upgrades, the deployment window is roughly 18 months from announcement to enforcement.
7. Rapid Evolution. Our solution evolves rapidly with a documented roadmap.
• Features like enterprise search will be delivered from the cloud in the foreseeable future, and customization via Azure integration extends the capabilities of the platform.
• Another great benefit of the service is that there is a clear roadmap towards feature parity with on-premises solutions.
8. Deployment. We provide services offers to help you migrate to the cloud efficiently.
Microsoft Cloud Vantage
• Offering Essential, Standard or Enterprise Cloud Vantage Services Offerings from Microsoft
• Leveraging Microsoft Online or 3rd party tools
• End-to-end migration or resource augmentation
Recommended Partner
• End-to-end migration
Delivering a "Business Ready" Cloud Platform
Cloud Vantage Services helps you realize business value from your Office 365 investments by providing deep expertise and collaboration across the full lifecycle to smoothly transition to Office 365, and make the most out of your cloud investments.
Cloud Vantage Services
Deep Expertise
• Single point of accountability for Office 365 across the lifecycle
• Global network of technical and operations experts
• Broad industry expertise
Collaboration
• Partner for smooth program orchestration
• Increase IT agility through change management and roadmap planning
• Align on measurable business value results
Full lifecycle
• Enable end-users and IT team for transition to cloud
• Prepare IT environment for Office 365 consumption
• Deliver on-time deployment
• Provide enterprise-grade support
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.