Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
3 likes981 views
The document outlines Microsoft's cloud security principles, including strategies for privacy, control, and compliance within its Azure services. It details operational security measures, incident response protocols, data encryption, segregation, and customer data management, emphasizing a shared responsibility model. Microsoft also highlights its commitment to transparency and governance, enabling customers to manage their data securely while meeting compliance standards.
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
- 3. Microsoft Cloud principles Privacy and Control Security Transparency Compliance 3 3
- 4. Security with Cortana Analytics Microsoft delivers enterprise cloud services customers can trust • Industry-leading best practices in the design and management of online services • Enhanced security, operational management, and threat mitigation practices • Trustworthy enterprise cloud services • Centers of excellence 4
- 5. Cloud services – shared responsibility Microsoft Azure On-Premises Infrastructure (as a Service) Platform (as a Service) Software (as a Service) Each customer environment is isolated on top of Azure’s Infrastructure Shared Physical Environment Managed by: 5
- 6. Company-wide, mandatory development and operations processes that embeds security into every phase of development and ops process. We make security a priority at every step, from code development to incident response. Security Development Lifecycle (SDL) and Operations Security Assurance (OSA) Assume breach simulation Dedicated security expert “Red Team” that simulate real-world attacks at network, platform, and application layers, testing the ability of Azure to detect, protect against, and recover from breaches. Global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity. Incident response Azure Security Design and Operations 6
- 7. Prevent and assume breach Prevent breach – A methodical Secure Development Lifecycle and Operational Security minimizes probability of exposure Assume breach – Identifies & addresses potential gaps: • Ongoing live site testing of security response plans improves mean time to detection and recovery • Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities • Reduce exposure to internal attack (once inside, attackers do not have broad access) Latest Threat Intelligence to prevent breaches and to test security response plans State of the art Security Monitoring and Response Prevent and assume breach Security monitoring and response Prevent breach • Secure Development Lifecycle • Operational Security Assume breach • Bug Bounty Program • War game exercises • Live site penetration testing Threat intelligence 7
- 8. Operational security Strategy: Employ risk-based, multi-dimensional approach to safeguarding services and data Security Monitoring and Response Threat Intelligence Feed Data Protection Access control, encryption, key management Data & Keys Admin Access Identity management, dual-factor authentication, training and awareness, screening, Least and Temporary Privilege User Application Security Access control, monitoring, anti- malware, vulnerability scanning, patch and configuration management Application Host Protection Access control, monitoring, anti- malware, vulnerability scanning, patch and configuration management Host System Network Security Segmentation, intrusion detection, vulnerability scanning Internal Network Network Security Edge ACLs, DOS, intrusion detection, vulnerability scanning Network Perimeter Physical Security Physical controls, video surveillance, access control Facility 8
- 9. Infrastructure protection 24-hour monitored PHYSICAL SECURITY Centralized MONITORING AND ALERTS Antivirus/Antimalware PROTECTION Red Teaming PENETRATION TESTING FIREWALLS Update MANAGEMENT 9
- 10. Monitoring & alerts • Performs monitoring & alerting on security events for the platform • Enables security data collection via Monitoring Agent or Windows Event Forwarding AZURE • Configures monitoring • Exports events to SQL Database, HDInsight or a SIEM for analysis • Monitors alerts & reports • Responds to alerts CUSTOMER Customer VMs Microsoft Azure ! Enable Monitoring Agent Extract event information to SIEM or other reporting system Customer Admin Portal SMAPI Events Guest VM Guest VM Cloud Services HDInsight Azure storage Alerting & reporting 10
- 11. Update management Azure • Applies regularly scheduled updates to the platform • Releases critical patches immediately • Rigorously reviews & tests all changes • Uses a combination of third-party scanning tools for Azure environment • Utilizes integrated deployment systems to manage the distribution and installation of security updates Customer • Applies similar patch management strategies for their Virtual Machines • Monitor 100,000+ vulnerability reports • Sourced from customers & worldwide network of security researchers • Prioritize critical updates • Monthly OS releases with patches • Reconciliation report • Resolution summary • Scanning & reporting of all Azure VMs • Track & remediate any findings SCANNING AUDIT VALIDATION PATCHING ROLLOUT MONTHLY MSRC PATCH REVIEW 11
- 12. Antivirus/antimalware protection • Performs monitoring & alerting of antimalware events for the platform • Enables real time protection, on-demand scanning, and monitoring via Microsoft Antimalware for Cloud Services and Virtual Machines AZURE • Configures Microsoft Antimalware or an AV/AM solution from a partner • Extracts events to SIEM • Monitors alerts & reports • Responds to alerts CUSTOMER Customer VMs Microsoft Azure ! Enable & configure anti-malware Extract event information to SIEM or other reporting system Customer Admin Portal SMAPI Events Guest VM Azure storage Alerting & reporting Guest VM Cloud Services 12
- 13. Threat protection • Performs big data analysis of logs for intrusion detection & prevention for the platform • Employs denial of service attack prevention measures for the platform • Regularly performs penetration testing • Can add extra layers of protection by deploying additional controls, including DOS, IDS, web application firewalls • Conducts authorized penetration testing of their application Azure Customer Customer Environment Cloud Access & Firewall Virtual network Application tier Logic tier Database tier VPN Corp 1 Internet End Users 443 443 Microsoft Azure THREAT DETECTION: DOS/IDS Capabilities 13
- 14. DDoS system overview MSFT Routing Layer Detection Pipeline Profile DB Scrubbing Array SLB Application Attack Traffic Scrubbed Traffic Flow Data Routing Updates Internet • Traffic is re-routed to scrubbers via dynamic routing updates • Traffic is SYN auth. and rate limited MITIGATION PROCESS • Traffic to a given /32 VIP Inbound or Outbound is tracked, recorded, and analyzed in real time to determine attack behavior DETECTION PROCESS • TCP SYN • UDP/ICMP/TCP Flood SUPPORTED DDOS ATTACK PROFILES 14
- 15. Architected for more secure multi-tenancy • Centrally manages the platform and helps isolate customer environments using the Fabric Controller • Runs a configuration-hardened version of Windows Server as the Host OS • Uses Hyper-V, a battle tested and enterprise proven hypervisor • Runs Windows Server and Linux on Guest VMs for platform services • Manages their environment through service management interfaces and subscriptions • Chooses from the gallery or brings their own OS for their Virtual Machines Azure Customer SQL Database Fabric Controller Azure Storage Guest VM Guest VM Customer 2 Guest VM Customer 1 Customer Admin Portal SMAPI Host OS Hypervisor Microsoft Azure End Users 15
- 16. Firewalls 16 • Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer • Isolates traffic and provides intrusion defense through a distributed firewall AZURE • Applies corporate firewall using site-to-site VPN • Configures endpoints • Defines access controls between tiers and provides additional protection via the OS firewall CUSTOMER VPN Corp Firewall Internet Client Cloud Access Microsoft Azure Customer 1 Application tier 443 Logic tier Database tier Virtual Network 443 16
- 17. Identity & access Azure enables customers to better control access in a multi-tenant environment Azure Active Directory (AAD) offers enterprise identity and access management in the cloud. Enterprise cloud directory Security reports monitor access patterns that help identify potential threats. Access monitoring and logging Strong authentication adds an extra layer of security for user logins. Multi-Factor Authentication (MFA) Users get a single sign-on option across multiple applications and services. Single sign-on Developers can integrate their app with Azure AD for single sign-on functionality for their users. Integration with customer applications 17
- 18. Access monitoring and logging Azure • Uses password hashes for synchronization • Offers security reporting that tracks inconsistent traffic patterns, including: – Sign-ins from unknown sources – Multiple failed sign-ins – Sign-ins from multiple geographies in short timeframes – Sign-ins from suspicious IP addresses and suspicious devices Customer • Reviews reports and mitigates potential threats • Can enable Multi-Factor Authentication X X X X XX X X X X X X X X X User Non-user 18
- 19. Incident Assessment Customer Notification DevOps Engaged Event Detected Security Team Engaged Event Start Determine Customer Impact Customer Process Step 1 Determine Affected Customers Security Event Confirmed Azure Customer Notification • Leverages a 9-step incident response process • Focuses on containment & recovery • Analyzes logs and VHD images in the event of platform-level incident and provides forensics information to customers when needed • Makes contractual commitments regarding customer notification Azure incident response 19
- 20. PrivacyPrivacy & Control Microsoft makes our commitment to the privacy of our customers a priority with independently audited policies and practices that include restricting the mining of customer data for advertising or similar commercial purposes. 20
- 21. PrivacyTrustworthy foundation Microsoft privacy principles are designed to facilitate the responsible use of customer data, be transparent about practices, and offer meaningful privacy choices. Privacy by design Guidelines that help ensure privacy is applied in the development and deployment of products and services. Microsoft privacy standard Azure uses logical isolation to segregate each customer’s data from that of others. Data segregation 21
- 22. Customer data When a customer utilizes Cortana Analytics, they own their data. Control over data location Customers choose data location and replication options. Control over access to data Strong authentication, carefully logged “just in time” support access, and regular audits. Encryption key management Customers have the flexibility to generate and manage their own encryption keys. Control over data deletion When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible. 22
- 23. Data control For many services, customers can specify the geographic areas where their customer data is storedData location Access to customer data by Microsoft personnel is restricted; Microsoft provides cloud-service-specific privacy statements and strong contractual commitments to safeguard customer data Data access Technical safeguards help keep customer data secure; Customers have the flexibility to implement additional encryption and manage their own keys Data protection 23
- 24. Data location and replication • Microsoft will not store customer data outside the customer- specified geography except for global services and certain regional services • Azure replicates data both locally and to different physical locations • Every blob is replicated across three computers in a Microsoft Azure datacenter • Geo-replicated storage in a datacenter hundreds of miles away • Microsoft may transfer customer data within a geo (e.g., within Europe) for data redundancy or other purposes AZURE • Chooses where data resides • Configures data replication options CUSTOMER Microsoft Azure datacenters 24
- 25. Data access Role-based access control Customer data is only used to provide the service, including purposes compatible with providing those service and is never used for advertising Restricted data access Customer data is only accessed when necessary to support customer’s use of Azure, or when required by law Microsoft employee access management Microsoft controls employee access to Azure customer environment 25
- 26. Access controls are verified by independent audit and certifications Restricted data access Customer data is only accessed when necessary to support customer’s use of Azure (e.g. troubleshooting or feature improvement), or when required by law. When granted, access is controlled and logged. Strong authentication, including MFA, helps limit access to authorized personnel only. Access is revoked as soon as it’s no longer needed. 26
- 27. Data protection Data segregation Logical isolation segregates each customer’s data from that of others. In-transit data protection Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default. Data redundancy Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters. At-rest data protection Customers can implement a range of encryption options for virtual machines and storage. Encryption Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data. Data destruction When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible. 27
- 28. Data segregation SQL Database Fabric Controller Azure Storage Guest VM Guest VM Customer 2 Guest VM Customer 1 Customer Admin Portal SMAPI End Users Host OS Hypervisor Microsoft Azure Access Control • Access is through Storage account keys and Shared Access Signature (SAS) keys • Storage blocks are hashed by the hypervisor to separate accounts Storage Isolation • SQL Database isolates separate databases using SQL accounts SQL Isolation Network Isolation • VM switch at the host level blocks inter-tenant communication 28
- 29. Encryption in Transit Azure • Encrypts most communication between Azure datacenters • Encrypts transactions through Azure Portal using HTTPS • Supports FIPS 140-2 Customer • Can choose HTTPS for REST API (recommended) • Configures HTTPS endpoints for application running in Azure • Encrypts traffic between Web client and server by implementing TLS on IIS Azure Datacenter Azure Datacenter Azure Portal 29
- 30. Encryption at Rest • Data drives – full disk encryption using BitLocker • Boot drives – BitLocker and partner solutions • SQL Server – Transparent Data and Column Level Encryption • Files & folders – EFS in Windows Server Virtual Machines • BitLocker encryption of drives using Azure Import/Export service • StorSimple with AES-256 encryption Storage Applications • Client Side encryption through .NET Crypto API • RMS Service and SDK for file encryption by your applications 30 RMS SDK.NET Crypto SQL TDE BitLocker Partners EFS BitLocker StorSimple Virtual Machines Applications Storage
- 31. Azure Key Vault Service Azure Vault Create Manage Monitor Import Keys from On-Premises HSM Microsoft Azure Key Vault offers encryption key management in the cloud, enabling customers to safeguard keys for use in applications they develop as well as SaaS applications that encrypt data on their behalf. In Azure, customers can: • Create/import, store, and manage cryptographic keys • Secure those keys in FIPS 140-2 Level 2 Hardware Security Modules (HSMs) Benefits: • Scale to meet the encryption needs of cloud applications • Improve performance of cloud applications by storing keys in the cloud • Reduce the time and cost required to maintain dedicated HSM hardware • Maintain control over keys - grant and revoke use by applications as needed • Gain visibility into key use through Azure logging Customer keys stay locked in very tightly monitored HSMs. Rogue operators and software cannot see customer keys. What is the feature? Grant/Revoke Permission for Applications to Use Keys 31
- 33. Application • .NET encryption API Managed by customer .NET Cryptography documentation • RMS SDK – encrypt data by using RMS SDK Managed by customer via on-prem RMS key management service or RMS online RMS SDK documentation Platform • SQL TDE/CLE on SQL server on Azure IAAS servers Managed by customers SQL TDE/CLE documentation • SQL Azure TDE and Column Encryption features in progress Managed by Microsoft in first release and by customers in next release • StorSimple – provides primary, backup, archival Managed by customers Supports AES-256 to encrypt data in StorSimple StorSimple link and documentation System • BitLocker support for data volumes • Partner solutions for system volume encryption • BitLocker support Managed by customers BitLocker for fixed or removable volumes BitLocker commandline tool Others • Import/Export of xstore data onto drives can be protected by BitLocker Managed by customers Import/export step by step blog Layer Encryption support Key Management Comments Data Encryption 33
- 34. Data Destruction Data Deletion • Index immediately removed from primary location • Geo-replicated copy of the data (index) removed asynchronously • Customers can only read from disk space they have written to • NIST 800-88 compliant processes are used for destruction of defective disks Disk Handling 34
- 35. Cortana Analytics Transparency on Azure Azure helps enable customer control over customer data by providing transparency into where it is stored, who can access it, and how Microsoft helps secure it, with accessible tools and straightforward language. 35
- 36. Data storage and use Customers know where and how their data is stored and used Customers control where customer data is stored Microsoft doesn’t use customer data for advertising Microsoft doesn’t share customer data with our advertiser-supported services or mine it for marketing Microsoft uses customer data only to provide the services, including purposes compatible with providing the services Customers may delete customer data or leave the service at any time 36
- 37. Data access Customer controls who has access to customer data Microsoft may hire other companies to provide limited services, such as customer support, on its behalf Subcontractors are prohibited from using customer data for any other purpose Customer knows who can access their data and under what conditions 37
- 38. Microsoft and compliance Microsoft invests heavily in the development of innovative compliance technology, processes and integration in Azure. The Microsoft compliance framework for online services maps controls to multiple regulatory standards, which helps drive the design and building of services that meet today’s high level of security and privacy needs. 38
- 39. Microsoft and Compliance 39 Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements. Compliance certifications Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices. Continual evaluation, benchmarking, adoption, test & audit Ongoing verification by third-party audit firms. Independent verification Microsoft shares audit report findings and compliance packages with customers. Access to audit reports Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance. Proven practices Azure meets a broad set of international, regional, and industry-specific compliance and regulatory standards.