Understanding IT’s Role in Public Cloud Security
Demystifying what’s secure and what you need to do
WELCOME
• Thank you for attending
• Today’s topic
• Is there a solution that is right for you?
• Setting the stage: what we’re hearing from our customers…
YOUR PRESENTERS
Skip Purdy
Sr Solutions Architect
Skip.Purdy@softchoice.com
https://www.linkedin.com/in/skippu
Luke Black
Manager, Microsoft Marketing and
Programs
Luke.Black@softchoice.com
https://www.linkedin.com/in/luke-black/
TODAY’S
OBJECTIVE
Help you understand
what a Cloud Provider
secures and what is
your responsibility
AGENDA
• Quick backgrounder on Cloud
• Data center security
• Areas you need to secure
• Security prioritization model
[Chart: Cloud Adoption (y-axis) against Time (x-axis). Two tracks: Trad IT (no plan; pilots over 3-5 yrs) and Biz (DIY; > 30% fail; skills gap, governance, no control). Targets shown on the right: + Cust Exp, Manage Risk, Biz Impact.]
ARE THESE ISSUES?
• 2 BILLION records lost over the last 12 months (Forrester, “Top Cybersecurity Threats in 2017”)
• 25%: people re-use credentials; the Yahoo! breach alone is estimated to have exposed the credentials of more than 25% of global internet users
• 44% of enterprise firms suffered at least two breaches in 2016
• 99 DAYS: average time to detection of a breach is in excess of 99 days
• 62% of enterprises report not having enough security staff
• 65% of enterprises state that finding employees with the right skills is a further challenge
Softchoice & Microsoft: Public Cloud Security Webinar
SHARED SECURITY MODEL
Cloud Services
WHAT DO WE MEAN BY CLOUD?
• Infrastructure as a Service (IaaS), “MIGRATE TO IT”: caching, legacy, networking, security, file, technical, system mgmt.
• Platform as a Service (PaaS), “BUILD ON IT”: application development, decision support, web, streaming
• Software as a Service (SaaS), “CONSUME”: email, CRM, collaborative, ERP
SHARED SECURITY MODEL
Responsibility layers, top to bottom:
• Data classification & accountability
• Client & end-point protection
• Identity & access management
• Application level controls
• Network controls
• Host infrastructure
• Physical security
Columns: On-Prem | IaaS | PaaS | SaaS. Legend: Cloud Customer / Cloud Provider (each cell of the original chart is coloured by who owns that layer in that delivery model; the paragraphs that follow spell the split out).
On-Prem: The customer is both accountable and responsible for all aspects of security and of operating solutions when they are deployed on-premises.

IaaS: With IaaS deployments, elements such as the building, servers, networking hardware and the hypervisor should be managed by the platform vendor. The customer is responsible, or has a shared responsibility, for securing and managing the operating system, network configuration, applications, identity, clients, and data.

PaaS: PaaS solutions build on IaaS deployments, and the provider is additionally responsible for managing and securing the network controls. The customer is still responsible, or has a shared responsibility, for securing and managing applications, identity, clients, and data.

SaaS: With SaaS a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer remains accountable and must ensure that data is classified correctly, and shares responsibility for managing their users and end-point devices.
In a shared responsibility model, a layered approach to security is illustrated by the table above.
DATA CENTER SECURITY
A Microsoft Data Center
A CLOUD YOU CAN TRUST
At Microsoft, we never take your
trust for granted
• We are serious about our commitment to
protect customers in a cloud first world.
• We live by standards and practices
designed to earn your confidence.
• We collaborate with industry and regulators
to build trust in the cloud ecosystem.
“Businesses and users are going to embrace
technology only if they can trust it.”
– Satya Nadella
DATACENTER SECURITY
Physical layers: Perimeter, Building, Computer room
Controls shown: barriers, fencing, cameras, alarms, two-factor access control (biometric readers & card readers), 24x7 security staff, security operations center, seismic bracing, days of backup power
Column headings: Infrastructure security controls | Operational security controls | Compliance
Microsoft Cloud Compliance Certifications and Attestations, grouped as: Broadly Applicable, United States Government, Industry Specific, Region/Country Specific
WHAT IS IDENTITY MANAGEMENT?
IDENTITY (WHO): establishes and validates a user’s digital identity.
ACCESS CONTROL (WHAT): controls when and how access is granted to authenticated users.
Example: LOB app → Data Set → Word.doc = Read & Write
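The separation the slide draws, as an added example in Python (not code from the webinar or from any Microsoft product): authentication establishes who the caller is, and only then does a deny-by-default policy decide what that identity may do. The users, passwords, groups and policy entries are constructed sample data.

```python
"""Identity (WHO) versus access control (WHAT), as an added example.

Authentication validates a credential and yields a principal with verified
group claims; authorization then decides whether that principal may perform an
action on a resource, denying by default. The users, passwords, groups and the
policy table are constructed sample data for this page, not anything from the
webinar or from Azure AD.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# --- Identity: establish and validate a digital identity -------------------

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept low only so the sample runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def make_user(password: str, groups: Tuple[str, ...]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "groups": groups}

# Constructed directory: user name -> stored credential and group membership.
DIRECTORY = {
    "alice": make_user("correct horse battery staple", ("finance", "staff")),
    "bob": make_user("hunter2", ("staff",)),
}
_DUMMY_SALT = b"\x00" * 16

@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]

def authenticate(name: str, password: str) -> Optional[Principal]:
    """Return a Principal only if the credential verifies; None otherwise."""
    rec = DIRECTORY.get(name)
    if rec is None:
        _derive(password, _DUMMY_SALT)   # same cost as a real check: no user enumeration by timing
        return None
    if not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
        return None
    return Principal(name, frozenset(rec["groups"]))

# --- Access control: when and how access is granted -------------------------

# (subject, resource, actions, effect); subject is "user:<name>" or "group:<name>".
POLICY = [
    ("group:staff",   "LOB app",  {"use"},           "allow"),
    ("group:finance", "Data Set", {"read"},          "allow"),
    ("user:alice",    "Word.doc", {"read", "write"}, "allow"),   # the slide's example
    ("user:bob",      "Word.doc", {"read"},          "allow"),
    ("group:staff",   "Data Set", {"delete"},        "deny"),    # explicit deny beats any allow
]

def authorize(p: Principal, resource: str, action: str) -> bool:
    """Deny by default; an explicit deny overrides any allow."""
    subjects = {f"user:{p.name}"} | {f"group:{g}" for g in p.groups}
    allowed = False
    for subject, res, actions, effect in POLICY:
        if subject in subjects and res == resource and action in actions:
            if effect == "deny":
                return False
            allowed = True
    return allowed

def access(name: str, password: str, resource: str, action: str) -> str:
    """The full path: identity first, then access control."""
    p = authenticate(name, password)
    if p is None:
        return "unauthenticated"
    return "granted" if authorize(p, resource, action) else "denied"

if __name__ == "__main__":
    for req in [("alice", "correct horse battery staple", "Word.doc", "write"),
                ("bob", "hunter2", "Word.doc", "write"),
                ("bob", "wrong password", "Word.doc", "read")]:
        print(req[0], req[2], req[3], "->", access(*req))
```

Two details matter in practice: a failed login returns the same answer whether the user exists or the password is wrong, and the policy is evaluated against every subject the principal carries, with deny winning, so group membership can never widen access past an explicit deny.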
STREAMLINING EMPLOYEE IDENTITY AND ACCESS MANAGEMENT TO APPLICATIONS, SYSTEMS, AND DATA ACROSS THE ORGANIZATION
Priority levels for streamlining employee identities across organizations (sample size = 2,320):
• Not on our agenda / Low Priority (1, 2): 13%
• Moderate Priority (3): 30%
• High Priority (4, 5): 56%
• Don’t Know (98): 1%
THE CURRENT REALITY
IDENTITY AS THE CORE OF ENTERPRISE MOBILITY
Azure Active Directory as the control plane
[Diagram: Microsoft Azure Active Directory in the cloud, offering single sign-on, self-service and simple connection. Connected on-premises: Windows Server Active Directory and other directories. Connected in the public cloud: SaaS applications and Azure. Users: customers and partners.]
WHAT DO WE MEAN BY HOST INFRASTRUCTURE (IAAS)
• Managed Operating system
– Patching
– Backup
– Antivirus / anti-malware
• Storage
– Key storage, management of API Keys and Certs
SUPPORTING CAPABILITIES FOR SECURE APPLICATIONS
CAPABILITY | BENEFITS
AZURE RESOURCE MANAGER | Template-based deployment; manage application infrastructure as source code; identical environment configurations; Resource Policy; Resource Locks
AZURE STORAGE ENCRYPTION | Encryption for data at rest; client-side encryption libraries (data is encrypted before it leaves the client, so it is protected in transit as well as at rest)
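What template-based deployment with resource policy and locks buys you is a gate that runs before anything is deployed. The following is an added example, not Azure Resource Manager or Azure Policy code: a small evaluator modelled loosely on the shape of Azure Policy rules, run over a constructed template, plus a simulation of a lock refusing a delete. The template, rules, the lock’s `scope` key and all property values are assumptions made for this page.

```python
"""Added example: a pre-deployment gate for template-based deployment.

Checks every resource in a template against policy rules before anything is
deployed, and simulates a resource lock refusing a delete. The rule format is
modelled loosely on Azure Policy's 'if'/'then' documents ('field' with
'equals' / 'notEquals' / 'exists', combined with 'allOf' / 'anyOf', and a
'deny' or 'audit' effect), but this evaluator is a constructed illustration,
not the Azure Policy engine, and the template, rules, the lock's 'scope' key
and all property values are assumptions made for this page.
"""
from typing import Any, Dict, List, Tuple

# Constructed template in the shape of an ARM 'resources' array (simplified).
TEMPLATE: Dict[str, Any] = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
         "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stbad",
         "properties": {"supportsHttpsTrafficOnly": False}},
        {"type": "Microsoft.Authorization/locks", "name": "no-delete",
         "properties": {"level": "CanNotDelete"},
         "scope": "stgood"},   # hypothetical: the resource this lock protects
    ]
}

# Constructed rules: a deny blocks deployment, an audit only reports.
RULES: List[Dict[str, Any]] = [
    {"name": "storage-https-only",
     "if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "properties.supportsHttpsTrafficOnly", "notEquals": True}]},
     "then": {"effect": "deny"}},
    {"name": "storage-min-tls-set",
     "if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "properties.minimumTlsVersion", "exists": False}]},
     "then": {"effect": "audit"}},
]

def _get_field(resource: Dict[str, Any], path: str) -> Tuple[bool, Any]:
    """Resolve a dotted path such as 'properties.minimumTlsVersion'."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def _matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    found, value = _get_field(resource, cond["field"])
    if "exists" in cond:
        return found == cond["exists"]
    if "equals" in cond:
        return found and value == cond["equals"]
    if "notEquals" in cond:
        # A missing field also fails to equal the required value.
        return (not found) or value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(template: Dict[str, Any], rules: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Return {'deny': [...], 'audit': [...]} of 'rule:resource' findings."""
    findings: Dict[str, List[str]] = {"deny": [], "audit": []}
    for res in template["resources"]:
        for rule in rules:
            if _matches(rule["if"], res):
                findings[rule["then"]["effect"]].append(f"{rule['name']}:{res['name']}")
    return findings

def can_deploy(template: Dict[str, Any], rules: List[Dict[str, Any]]) -> bool:
    """One deny finding blocks the whole deployment; audits are reported only."""
    return not evaluate(template, rules)["deny"]

def request_delete(template: Dict[str, Any], resource_name: str) -> str:
    """Simulate a delete of a deployed resource that may carry a lock."""
    for res in template["resources"]:
        if res["type"] == "Microsoft.Authorization/locks" and res.get("scope") == resource_name:
            level = res["properties"]["level"]
            if level in ("CanNotDelete", "ReadOnly"):
                return f"blocked by lock {res['name']} ({level})"
    return "deleted"

if __name__ == "__main__":
    print(evaluate(TEMPLATE, RULES), "deployable:", can_deploy(TEMPLATE, RULES))
    print("delete stgood ->", request_delete(TEMPLATE, "stgood"))
```

Because the template is source code, this check belongs in the same pipeline that builds it: a denied finding fails the build before the environment exists, which is what makes “identical environment configurations” a property you can rely on rather than hope for.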
WHAT DO WE MEAN BY NETWORK INFRASTRUCTURE (IAAS)
• Configuration, management and securing of network elements:
– Virtual networking
– Load balancing
– DNS
– Gateways
• Means for services to communicate and interoperate
The Ultimate Protection Against Cloud Security Threats
Barracuda Solutions for Azure (Web Based Apps; Networking and Infrastructure):
• Integrated intrusion prevention
• URL filtering
• User and application aware
• IPsec VPNs for secure remote connectivity
• Dynamically scales with your network
• Data loss prevention
• Application layer DDoS attack protection
• Granular identity and access management
• Comprehensive administration and management
CLOUD SECURITY THREATS (Networking Protection / Application Protection): continuity gaps, secure connectivity, exploited system vulnerabilities, compromised credentials, hacked APIs, data breaches, DDoS attacks
Q&A
AZURE INFORMATION PROTECTION
THE EVOLUTION OF INFORMATION PROTECTION
Azure Information Protection covers the full data lifecycle:
• Classification & labeling: classification, labeling
• Protect: encryption, access control, policy enforcement
• Monitor & respond: document tracking, document revocation
CLASSIFY DATA – BEGIN THE JOURNEY
Classify data based on sensitivity: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL
• IT admin sets policies, templates, and rules
• Start with the data that is most sensitive
• IT can set automatic rules; users can complement them
• Associate actions such as visual markings and protection
PROTECT DATA AGAINST UNAUTHORIZED USE
Use rights on a file or email attachment: VIEW, EDIT, COPY, PASTE (enforced in personal apps and corporate apps alike)
PROTECT DATA NEEDING PROTECTION BY:
• Encrypting data
• Including an authentication requirement and a definition of use rights (permissions) for the data
• Providing protection that is persistent and travels with the data
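The two slides above describe one flow: automatic rules label content, users may raise the label, and protected content carries its own rights. The following is an added example of that flow, not Azure Information Protection code. The rules, labels, users and envelope format are constructed for this page, and the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a standard-library stand-in for the authenticated encryption a real rights-management service would use.

```python
"""Added example: classify a document, then make its protection travel with it.

Follows the two slides above: IT-defined automatic rules assign a sensitivity
label, a user may raise (never lower) it, and labelled content is wrapped in
an envelope that carries its use rights and opens only for a user the rights
name, unless that user has been revoked. The rules, labels, users and
envelope format are constructed for this page. The cipher is an illustrative
HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a standard-library
stand-in for the AEAD a real rights-management service would use.
"""
import hashlib
import hmac
import json
import os
import re
from typing import Dict, List, Optional, Set

LABEL_RANK = {"NOT RESTRICTED": 0, "PERSONAL": 0, "INTERNAL": 1,
              "CONFIDENTIAL": 2, "SECRET": 3}

def _luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _has_card_number(text: str) -> bool:
    # 13-19 digit runs with optional spaces/dashes, Luhn-checked to cut false positives.
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        if _luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

# Constructed IT rules: predicate -> label applied automatically.
AUTO_RULES = [
    (_has_card_number, "CONFIDENTIAL"),
    (lambda t: "project falcon" in t.lower(), "SECRET"),   # hypothetical codename
]

def classify(text: str, user_label: Optional[str] = None, default: str = "INTERNAL") -> str:
    """Highest automatic match wins; a user may raise the label but never lower it."""
    label = default
    for predicate, rule_label in AUTO_RULES:
        if predicate(text) and LABEL_RANK[rule_label] > LABEL_RANK[label]:
            label = rule_label
    if user_label is not None and LABEL_RANK[user_label] > LABEL_RANK[label]:
        label = user_label
    return label

def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one tenant key.
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key: bytes, header: bytes, nonce: bytes, ct: bytes) -> bytes:
    msg = len(header).to_bytes(4, "big") + header + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def protect(text: str, label: str, rights: Dict[str, List[str]], key: bytes) -> dict:
    """Bind label and per-user rights to the encrypted content; tampering is detectable."""
    header = json.dumps({"label": label, "rights": rights}, sort_keys=True).encode()
    nonce = os.urandom(16)
    plain = text.encode()
    ct = _xor(plain, _keystream(_subkey(key, b"enc"), nonce, len(plain)))
    return {"header": header.decode(), "nonce": nonce.hex(), "ct": ct.hex(),
            "tag": _tag(_subkey(key, b"mac"), header, nonce, ct).hex()}

def open_protected(env: dict, key: bytes, user: str, action: str, revoked: Set[str]) -> str:
    """Verify integrity first, then enforce revocation and rights; raise on any failure."""
    header = env["header"].encode()
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
    expected = _tag(_subkey(key, b"mac"), header, nonce, ct)
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise PermissionError("envelope has been tampered with")
    if user in revoked:
        raise PermissionError(f"{user}: access revoked")
    if action not in json.loads(header)["rights"].get(user, []):
        raise PermissionError(f"{user}: no '{action}' right")
    return _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))).decode()
```

The point of MAC-ing the header together with the ciphertext is that the rights are part of what is authenticated: an attacker who edits the envelope to give themselves EDIT gets a tamper error, not a document.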
Monitor use, control and block abuse
MAP VIEW, example events over time: Jane accessed from India; Bob accessed from South America; Joe blocked in North America; Jane blocked in Africa; Jane’s access is revoked. (Other labels on the map: Sue, Bob, Jane, Competitors.)
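The map view above is the output of detections run over access telemetry. As an added example (not Azure Information Protection’s tracking code), here are two such detections run over constructed log lines: an access from a region the user is not expected in is blocked, and two accesses by one user from different regions closer together than a plausible journey revoke that user for everything that follows. The log format, users, regions, expected-region policy and the two-hour threshold are all assumptions made for this page.

```python
"""Added example: monitor use of protected documents and block or revoke abuse.

Runs two detections over constructed access-log lines (not real telemetry),
in the spirit of the slide's map view: an access from a region the user is not
expected in is blocked, and two accesses by one user from different regions
closer together in time than a plausible journey ('impossible travel') revoke
that user's access for everything that follows. The log format, users,
regions, expected-region policy and the two-hour threshold are assumptions
made for this page.
"""
from datetime import datetime
from typing import Any, Dict, List, Set, Tuple

# Constructed log: UTC time, user, region, document (NA/SA/IN/AF/EU are
# shorthand for the regions named on the slide).
LOG = """\
2017-05-01T09:00:00Z jane IN Word.doc
2017-05-01T09:15:00Z bob SA Word.doc
2017-05-01T09:20:00Z joe NA Word.doc
2017-05-01T10:05:00Z jane AF Word.doc
2017-05-01T11:00:00Z sue NA Word.doc
2017-05-01T11:30:00Z jane IN Word.doc
"""

# Where each user is expected to work from (constructed policy).
EXPECTED_REGIONS: Dict[str, Set[str]] = {
    "jane": {"IN"}, "bob": {"SA"}, "joe": {"EU"}, "sue": {"NA"},
}
IMPOSSIBLE_TRAVEL_SECONDS = 2 * 3600   # different regions less than two hours apart

def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse the constructed log format and return events in time order."""
    events = []
    for line in text.splitlines():
        ts, user, region, doc = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "region": region, "doc": doc})
    return sorted(events, key=lambda e: e["time"])

def analyze(events: List[Dict[str, Any]]) -> Tuple[List[str], Set[str]]:
    """Return one verdict line per event and the set of users revoked along the way."""
    revoked: Set[str] = set()
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    verdicts: List[str] = []
    for e in events:
        user, region, t = e["user"], e["region"], e["time"]
        if user in revoked:
            verdict = "denied (access revoked)"
        elif region not in EXPECTED_REGIONS.get(user, set()):
            verdict = f"blocked in {region}"
        else:
            verdict = f"accessed from {region}"
        prev = last_seen.get(user)
        # Impossible travel: same user, different region, too little time in between.
        if (prev is not None and prev[1] != region and user not in revoked
                and (t - prev[0]).total_seconds() < IMPOSSIBLE_TRAVEL_SECONDS):
            revoked.add(user)
            verdict += "; access revoked (impossible travel)"
        last_seen[user] = (t, region)
        verdicts.append(f"{user} {verdict}")
    return verdicts, revoked

if __name__ == "__main__":
    lines, revoked_users = analyze(parse_log(LOG))
    print("\n".join(lines))
    print("revoked:", sorted(revoked_users))
```

Note that the travel check looks at where the user was last seen regardless of whether that earlier access was allowed: a blocked attempt is still evidence of where the credential is being used.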
ADOPTION OVER TIME
STAGES OF ADOPTION (first to last):
• Build Plan: define roles & access levels; procurement rules; resource policies
• Secure Identity: gain control of SaaS; align identity; make it easy for users
• Secure Host & Network: understand your current state; secure the operating system; secure the network
• Secure Data: classify data; implement a rights management solution; encryption where required
• Detect & Respond: monitor ongoing; use new capabilities; review policies
Softchoice services along the way: Governance Workshop, SaaS TechCheck, Accelerator, Analyzer, Accelerator, Professional Services, Keystone
TODAY’S
OBJECTIVE
Help you understand
what a Cloud Provider
secures and what is
your responsibility
Q&A
Support Slides
Microsoft security packaging: Office 365, Windows 10, Enterprise Mobility + Security, Operations Mgmt. + Security, Windows Server 2016, SQL Server 2016
Enterprise Mobility + Security packaging (EMS E3 and EMS E5):
• Information protection
  – EMS E3: Azure Information Protection Premium P1: manual classification and encryption for all files and storage locations; cloud-based file tracking
  – EMS E5: Azure Information Protection Premium P2: intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
• Identity-driven security
  – EMS E3: Microsoft Advanced Threat Analytics: protection from advanced targeted attacks leveraging user and entity behavioral analytics
  – EMS E5: Microsoft Cloud App Security: enterprise-grade visibility, control, and protection for your cloud applications
• Managed mobile productivity
  – EMS E3 and E5: Microsoft Intune: mobile device and app management to protect corporate apps and data on any device
• Identity and access management
  – EMS E3: Azure Active Directory Premium P1: secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
  – EMS E5: Azure Active Directory Premium P2: identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
WHAT DID WE NOT COVER?

More Related Content

PPTX
Unleashing the Power of Office 365
PPTX
Webinar | Cloud PBX and Skype
PPTX
Softchoice - Microsoft Office 365 - Discussing legal concerns and informatio...
PDF
Andy Malone - Microsoft office 365 security deep dive
PDF
Andy Malone - The new office 365 for it pro's
PDF
September 2021 Microsoft 365 Need to Know Webinar
PPTX
Security and compliance in Office 365 -Part 1
PPTX
Overview of Microsoft Exchange Online
Unleashing the Power of Office 365
Webinar | Cloud PBX and Skype
Softchoice - Microsoft Office 365 - Discussing legal concerns and informatio...
Andy Malone - Microsoft office 365 security deep dive
Andy Malone - The new office 365 for it pro's
September 2021 Microsoft 365 Need to Know Webinar
Security and compliance in Office 365 -Part 1
Overview of Microsoft Exchange Online

What's hot (20)

PDF
Microsoft 365 Enterprise Security with E5 Overview
PPTX
Cloud First Architecture
PDF
Azure Security Overview
PDF
Reducing the Chance of an Office 365 Security Breach
PPTX
SharePoint Governance: Impacts of Moving to the Cloud
PPTX
Microsoft 365
PPTX
Microsoft 365 and Microsoft Cloud App Security
PPTX
Fundamentals of Microsoft 365 Security , Identity and Compliance
PPTX
Beyond the hype: Management and Governance for Office 365
PPTX
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
PPTX
Office 365 Saturday - Office 365 Security Best Practices
PDF
The Future of Business Process With Nintex
PPTX
Azure Sentinel.pptx
PPTX
SharePoint Saturday Cambridge: Security & compliance
PPTX
Office 365 for Small Businesses
PDF
Respond-Recover-Reimagine: Building Business Resilience
PPTX
Webinar: Make Your Cloud Strategy Work for 2016
PPTX
Windows Azure for IT Pros
PDF
Office 365 External Collaboration - SharePoint Saturday Twin Cities Nov 2019
PPTX
Microsoft Cloud
Microsoft 365 Enterprise Security with E5 Overview
Cloud First Architecture
Azure Security Overview
Reducing the Chance of an Office 365 Security Breach
SharePoint Governance: Impacts of Moving to the Cloud
Microsoft 365
Microsoft 365 and Microsoft Cloud App Security
Fundamentals of Microsoft 365 Security , Identity and Compliance
Beyond the hype: Management and Governance for Office 365
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Office 365 Saturday - Office 365 Security Best Practices
The Future of Business Process With Nintex
Azure Sentinel.pptx
SharePoint Saturday Cambridge: Security & compliance
Office 365 for Small Businesses
Respond-Recover-Reimagine: Building Business Resilience
Webinar: Make Your Cloud Strategy Work for 2016
Windows Azure for IT Pros
Office 365 External Collaboration - SharePoint Saturday Twin Cities Nov 2019
Microsoft Cloud
Ad

Similar to Softchoice & Microsoft: Public Cloud Security Webinar (20)

PDF
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
PDF
Daniel Grabski | Microsofts cybersecurity story
PDF
Microsoft 365 Security and Compliance
PDF
Microsoft Security - New Capabilities In Microsoft 365 E5 Plans
PDF
Martin Vliem (Microsoft): Met vertrouwen naar de cloud
PDF
Azure 101: Shared responsibility in the Azure Cloud
PPTX
Azure Security Compass v1.1 - Presentation.pptx
PPTX
Webinar bitglass - complete deck-2
PPTX
Practical Security for the Cloud
PDF
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
PDF
mcafee-cloud-acceleration-and-risks.pdf
PPTX
Azure security and Compliance
PPTX
Securing your Organization with Microsoft 365
PPTX
Cloudbrew 2019 - Azure Security
PPT
Lecture5
PPT
Presentation to Irish ISSA Conference 12-May-11
PDF
Security - A Digital Transformation Enabler
PPTX
Securing your Cloud Deployment
PDF
The Share Responsibility Model of Cloud Computing - ILTA NYC
PPTX
Unc charlotte prezo2016
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
Daniel Grabski | Microsofts cybersecurity story
Microsoft 365 Security and Compliance
Microsoft Security - New Capabilities In Microsoft 365 E5 Plans
Martin Vliem (Microsoft): Met vertrouwen naar de cloud
Azure 101: Shared responsibility in the Azure Cloud
Azure Security Compass v1.1 - Presentation.pptx
Webinar bitglass - complete deck-2
Practical Security for the Cloud
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
mcafee-cloud-acceleration-and-risks.pdf
Azure security and Compliance
Securing your Organization with Microsoft 365
Cloudbrew 2019 - Azure Security
Lecture5
Presentation to Irish ISSA Conference 12-May-11
Security - A Digital Transformation Enabler
Securing your Cloud Deployment
The Share Responsibility Model of Cloud Computing - ILTA NYC
Unc charlotte prezo2016
Ad

More from Softchoice Corporation (20)

PDF
Benchmarking IT Agility Final Report
PPTX
Leveraging Office 365 Through Modern Licensing
PPTX
Leveraging Azure Through Modern Licensing
PDF
The Softchoice Innovation Report 2018: Four New Roles For CIOS In The Modern ...
PPTX
Webinar: Azure backup and disaster recovery
PDF
Etude Softchoice: la collaboration en action
PDF
Collaboration Unleashed: Softchoice Research Study 2017
PPTX
Unleashing the Power of Office 365
PPTX
Azure cloud governance deck
PDF
Étude Softchoice. Favoriser l’innovation : les actes en disent plus long que ...
PPTX
Softchoice Webinar: Virtual Whiteboard Session on Hybrid Cloud
PDF
Enabling Innovation: A 2017 Softchoice Research Study
PPTX
Getting secure in a mobile-first world with EMS
PPTX
Effective Management of Azure through Operations Management Suite (OMS) Webinar
PPTX
Improving Application Security With Azure
PDF
Softchoice | Encore des imprudences dans le nuage
PPTX
Softchoice Discovery Series: Cloud Cost Governance
PDF
Still Careless Users In The Cloud - Research Study
PPTX
THE ECONOMICS OF AZURE MANAGEMENT
PDF
From Prosperity to Extinction: A Tale of Blockbuster Proportions
Benchmarking IT Agility Final Report
Leveraging Office 365 Through Modern Licensing
Leveraging Azure Through Modern Licensing
The Softchoice Innovation Report 2018: Four New Roles For CIOS In The Modern ...
Webinar: Azure backup and disaster recovery
Etude Softchoice: la collaboration en action
Collaboration Unleashed: Softchoice Research Study 2017
Unleashing the Power of Office 365
Azure cloud governance deck
Étude Softchoice. Favoriser l’innovation : les actes en disent plus long que ...
Softchoice Webinar: Virtual Whiteboard Session on Hybrid Cloud
Enabling Innovation: A 2017 Softchoice Research Study
Getting secure in a mobile-first world with EMS
Effective Management of Azure through Operations Management Suite (OMS) Webinar
Improving Application Security With Azure
Softchoice | Encore des imprudences dans le nuage
Softchoice Discovery Series: Cloud Cost Governance
Still Careless Users In The Cloud - Research Study
THE ECONOMICS OF AZURE MANAGEMENT
From Prosperity to Extinction: A Tale of Blockbuster Proportions

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Modernizing your data center with Dell and AMD
DOCX
The AUB Centre for AI in Media Proposal.docx
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
KodekX | Application Modernization Development
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
A Presentation on Artificial Intelligence
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Encapsulation theory and applications.pdf
PDF
Approach and Philosophy of On baking technology
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Machine learning based COVID-19 study performance prediction
Per capita expenditure prediction using model stacking based on satellite ima...
Modernizing your data center with Dell and AMD
The AUB Centre for AI in Media Proposal.docx
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
KodekX | Application Modernization Development
Mobile App Security Testing_ A Comprehensive Guide.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
Spectral efficient network and resource selection model in 5G networks
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Chapter 3 Spatial Domain Image Processing.pdf
A Presentation on Artificial Intelligence
The Rise and Fall of 3GPP – Time for a Sabbatical?
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Encapsulation_ Review paper, used for researhc scholars
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Encapsulation theory and applications.pdf
Approach and Philosophy of On baking technology
Review of recent advances in non-invasive hemoglobin estimation
Machine learning based COVID-19 study performance prediction

Softchoice & Microsoft: Public Cloud Security Webinar

  • 1. Demystifying what’s secure and what you need to do Understanding IT’s Role in Public Cloud Security
  • 2. WELCOME • Thank you for attending • Today’s topic • Is there a solution that right for you? • Setting the stage, what we’re hearing from our customers…
  • 3. YOUR PRESENTERS Skip Purdy Sr Solutions Architect Skip.Purdy@softchoice.com https://www.linkedin.com/in/skippu Luke Black Manager, Microsoft Marketing and Programs Luke.Black@softchoice.com https://www.linkedin.com/in/luke-black/
  • 4. TODAY’S OBJECTIVE Help you understand what a Cloud Provider secures and what is your responsibility
  • 5. AGENDA • Quick backgrounder on Cloud • Data center security • Areas you need to secure • Security prioritization model
  • 8. Time Trad IT No plan • Pilots • 3-5 yrs Biz Cloud Adoption + Cust Exp Manage Risk Biz Impact
  • 9. Time Trad IT No plan DI Y > 30% Fail • Pilots • 3-5 yrs Biz Cloud Adoption + Cust Exp Manage Risk Biz Impact • Skills gap Governanc e• No control
  • 10. Time Trad IT No plan DI Y > 30% Fail • Pilots • 3-5 yrs Biz Cloud Adoption + Cust Exp Manage Risk Biz Impact • Skills gap Governanc e• No control
  • 11. Time Trad IT No plan DI Y > 30% Fail • Pilots • 3-5 yrs Biz Cloud Adoption + Cust Exp Manage Risk Biz Impact • Skills gap Governanc e• No control
  • 12. ARE THESE ISSUES? records lost over the last 12 months (Forrester, “Top Cybersecurity Threats in 2017”) 2 BILLION People re-use credentials; the Yahoo! Breach alone is estimated to have exposed the credentials of more than 25% of global internet users 25%
  • 13. ARE THESE ISSUES? of enterprise firms suffered at least two breaches in 2016 44% Average time to detection of a breach is in excess of 99 days 99 DAYS
  • 14. ARE THESE ISSUES? of enterprises report not having enough security staff 62% of enterprises state finding employees with the right skills is a further challenge 65%
  • 17. WHAT DO WE MEAN BY CLOUD? Infrastructure as a Service IaaS Caching Legacy Networking Security File Technical System Mgmt. MIGRATE TO IT Platform as a Service PaaS Application Development Decision Support Web Streaming BUILD ON IT Software as a Service SaaS Email CRM Collaborative ERP CONSUME
  • 18. SHARED SECURITY MODEL Responsibility Data classification & accountability Client & end-point protection Identity & access management Application level controls Network controls Host infrastructure Physical security On-Prem IaaS PaaS SaaS Cloud Customer Cloud Provider
  • 19. The customer is both accountable and responsible for all aspects of security and operating solutions when they are deployed on-premises On-Prem With IaaS deployments, the elements such as building, servers, networking hardware, and the hypervisor, should be managed by the platform vendor. The customer is responsible or has a shared responsibility for securing and managing the operating system, network configuration, applications, identity, clients, and data. IaaS PaaS solutions build on IaaS deployments and the provider is additionally responsible to manage and secure the network controls. The customer is still responsible or has a shared responsibility for securing and managing applications, identity, clients, and data. PaaS With SaaS a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable and must ensure that data is classified correctly, and shares a responsibility to manage their users, and end point devices. SaaS IN A SHARED RESPONSIBILITY MODEL, A LAYERED APPROACH TO SECURITY IS ILLUSTRATED AS:
  • 20. SHARED SECURITY MODEL Responsibility Data classification & accountability Client & end-point protection Identity & access management Application level controls Network controls Host infrastructure Physical security On-Prem IaaS PaaS SaaS Cloud Customer Cloud Provider
  • 23. A CLOUD YOU CAN TRUST At Microsoft, we never take your trust for granted • We are serious about our commitment to protect customers in a cloud first world. • We live by standards and practices designed to earn your confidence. • We collaborate with industry and regulators to build trust in the cloud ecosystem. “Businesses and users are going to embrace technology only if they can trust it.” – Satya Nadella
  • 24. DATACENTER SECURITY Perimeter Computer room Building Seismic bracing Security operations center 24X7 security staff Days of backup power Cameras Alarms Two-factor access control: Biometric readers & card readers Barriers Fencing Infrastructure security controls Operational security controls Compliance
  • 27. SHARED SECURITY MODEL Responsibility Data classification & accountability Client & end-point protection Identity & access management Application level controls Network controls Host infrastructure Physical security On-Prem IaaS PaaS SaaS Cloud Customer Cloud Provider
  • 28. WHAT IS IDENTITY MANAGEMENT? LOB app Data Set Word.doc = Read & Write ACCESS CONTROL (WHAT) Controls when and how access is granted to authenticate users IDENTITY (WHO) Establishes an validates a user’s digital identity
  • 29. STREAMLINING EMPLOYEE IDENTITY AND ACCESS MANAGEMENT TO APPLICATIONS, SYSTEMS, AND DATA ACROSS THE ORGANIZATION Sample Size = 2,320 Priority levels for streaming employee identities across organizations Not on our agenda / Low Priority (1,2) 13% Moderate Priority (3) 30% High Priority (4, 5) 56% Don’t Know (98) 1%
  • 31. IDENTITY AS THE CORE OF ENTERPRISE MOBILITY Azure Active Directory as the control plane Single sign-onSelf-service Simple connection On-premises Other directories Windows Server Active Directory SaaSAzure Public cloud CloudMicrosoft Azure Active Directory Customers Partners
  • 33. SHARED SECURITY MODEL Responsibility Data classification & accountability Client & end-point protection Identity & access management Application level controls Network controls Host infrastructure Physical security On-Prem IaaS PaaS SaaS Cloud Customer Cloud Provider
  • 34. WHAT DO WE MEAN BY HOST INFRASTRUCTURE (IAAS) • Managed Operating system – Patching – Backup – Antivirus, malware • Storage – Key storage, management of API Keys and Certs
  • 35. CAPABILITY BENEFITS AZURE RESOURCE MANAGER • Template based deployment • Manage application infrastructure as source code • Identical environment configurations • Resource Policy • Resource Locks AZURE STORAGE ENCRYPTION • Encryption for Data at Rest • Client side libraries for encryption in transit SUPPORTING CAPABILITIES FOR SECURE APPLICATIONS
  • 36. SHARED SECURITY MODEL Responsibility Data classification & accountability Client & end-point protection Identity & access management Application level controls Network controls Host infrastructure Physical security On-Prem IaaS PaaS SaaS Cloud Customer Cloud Provider
  • 37. WHAT DO WE MEAN BY NETWORK INFRASTRUCTURE (IAAS) • Configuration, management and securing of network elements: – Virtual networking – Load balancing – DNS – Gateways • Means for services to communicate and interoperate
  • 38. The Ultimate Protection Against Cloud Security Threats Barracuda Solutions for Azure Web Based Apps Networking and Infrastructure  Integrated intrusion prevention  URL filtering  User and application aware  IPsec VPNs secure remote connectivity  Dynamically scales with your network  Data loss prevention  Application layer DDoS attack protection  Granular identity and access management  Comprehensive administration and management CLOUD SECURITY THREATS Networking Protection Application Protection Continuity gaps Secure connectivity Exploited system vulnerabilities Compromised credentials Hacked APIs Data breaches DDoS attacks
  • 39. Q&A
  • 40. SHARED SECURITY MODEL Responsibility Data classification & accountability Client & end-point protection Identity & access management Application level controls Network controls Host infrastructure Physical security On-Prem IaaS PaaS SaaS Cloud Customer Cloud Provider
  • 42. THE EVOLUTION OF INFORMATION PROTECTION DOCUMENT TRACKING DOCUMENT REVOCATION Monitor & respond LABELINGCLASSIFICATION Classification & labeling ENCRYPTION Protect ACCESS CONTROL POLICY ENFORCEMENT
  • 43. Azure Information Protection DOCUMENT TRACKING DOCUMENT REVOCATION Monitor & respond LABELINGCLASSIFICATION Classification & labeling ENCRYPTION Protect ACCESS CONTROL POLICY ENFORCEMENT Full Data Lifecycle
  • 44. CLASSIFY DATA – BEGIN THE JOURNEY Classify data based on sensitivity SECRET CONFIDENTIAL INTERNAL NOT RESTRICTED IT admin sets policies, templates, and rules PERSONAL Start with the data that is most sensitive IT can set automatic rules; users can complement it Associate actions such as visual markings and protection
  • 45. PROTECT DATA AGAINST UNAUTHORIZED USE VIEW EDIT COPY PASTE Email attachment FILE PROTECT DATA NEEDING PROTECTION BY: Encrypting data Including authentication requirement and a definition of use rights (permissions) to the data Providing protection that is persistent and travels with the data Personal apps Corporate apps
  • 46. Monitor use, control and block abuse Sue Joe blocked in North America Jane accessed from India Bob accessed from South America MAP VIEW Jane blocked in Africa Jane Competitors Jane access is revoked Sue Bob Jane
  • 47. TIME ADOPTION STAGES OF ADOPTION: Governance Workshop SaaS TechCheck Accelerator Analyzer Accelerator Professional Services Keystone Detect & Respond • Monitor ongoing • Use new capabilities • Review policies Secure Data • Classify data • Implement rights management solution • Encryption where required Secure Host & Network • Understand your current state • Secure operating system • Secure the network Secure Identity • Gain control of SaaS • Align identity • Make it easy for users Build Plan • Define roles & access levels • Procurement rules • Resource Policies
  • 48. TODAY’S OBJECTIVE Help you understand what a Cloud Provider secures and what is your responsibility
  • 49. Q&A
  • 51. Microsoft security packaging Office 365 Windows 10 Enterprise Mobility + Security Operations Mgmt. + Security Windows Server 2016 SQL Server 2016
  • 54. Information protection Identity-driven security Managed mobile productivity Identity and access management Azure Information Protection Premium P2 Intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1) Azure Information Protection Premium P1 Manual classification and encryption for all files and storage locations Cloud-based file tracking Microsoft Cloud App Security Enterprise-grade visibility, control, and protection for your cloud applications Microsoft Advanced Threat Analytics Protection from advanced targeted attacks leveraging user and entity behavioral analytics Microsoft Intune Mobile device and app management to protect corporate apps and data on any device Azure Active Directory Premium P2 Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1) Azure Active Directory Premium P1 Secure single sign-on to cloud and on-premises apps MFA, conditional access, and advanced security reporting EMS E3 EMS E5
  • 55. WHAT DID WE NOT COVER?

Editor's Notes

  • #2: Let’s bring together everything we discussed today.
  • #3: Content Developers: Provide a recommendation for the DSM welcome/introduction notes below. Sample: You're busy. We know. Thank you for spending this time with us. Today's session is on cloud and the challenges that consumption-based spending presents us with. We recognize that the organizations in the room are at different stages of cloud adoption, and there are no one-size-fits-all solutions, but we promise there will be something of value here for everyone. I'd like to start by relating what I'm hearing from customers.
  • #4: DSM: Here are your presenters. Please make a note of any questions you have and we will be happy to answer them.
  • #5: Welcome to our Discovery Series on Cloud Security. There has been a lot of interest and opportunity in Cloud technologies over the past few years, and also confusion around Cloud Security. This confusion can slow the adoption of Cloud technologies or open new risks. That's why Softchoice chose Cloud Security as the topic of this Discovery Series: to clear up some of that confusion. Our goal is that by the end of today's conversation you will have a better idea of what the Cloud Provider's responsibilities are and what yours are with respect to security.
  • #6: Cloud means many different things to different people, so we will start today by level-setting on what we mean by Cloud in the context of today's conversation. We will then show a model of cloud security responsibilities that forms the foundation for the rest of the discussion.
  • #8: ASK: Does someone have an example, either within their organization or from the industry, where the Business has deployed IT services without involving IT? What problems does that cause?
  • #12: All these areas are areas of security risk for companies moving to Cloud. ASK: Which of these are you most concerned about for Cloud Security?
  • #16: If you are feeling overwhelmed with addressing Cloud Security – do not worry – there is a step by step way to approach it.
  • #19: Further up the stack – less you have to do
  • #21: There is a lot to cover in security and we certainly don't have time to cover all of it today. However, we will discuss the key areas that, no matter what you are doing in the cloud, you should have in place as a security foundation. We've highlighted what we will cover here.
  • #22: GD: The title of this slide will be “Microsoft Data Center Security”
  • #24: Microsoft is committed – starting at the top – to providing a cloud you can trust. We take very seriously our commitment to protect customers in a cloud-first world. We follow a set of standards and best practices to ensure that our cloud services are reliable and perform as you need them to. And we actively partner with a wide range of industry and government entities to establish confidence and trust in the wider cloud ecosystem.
  • #25: Slide script: Microsoft datacenters employ controls at the perimeter, building, and computer room with increasing security at each level, utilizing a combination of technology and traditional physical measures. Security starts at the perimeter with camera monitoring, security officers, physical barriers and fencing. At the building, seismic bracing and extensive environmental protections protect the physical structure and integrated alarms, cameras, and access controls (including two-factor authentication via biometrics and smart cards) govern access. The systems are monitored 24x7 from the operations center. Similar access controls are used at the computer room, which also has redundant power.
  • #26: With the extensive security and data protection measures we have in place, we are able to achieve a broad range of international, industry, and regional certifications and attestations from recognized third-party authorities. This table illustrates the certifications and attestations for our key cloud services.
    Background: Certifications and attestations represent verification that control activities operate in accordance with expectations. Operating a huge global cloud infrastructure, across many businesses, comes with the need to meet an array of compliance and regulatory obligations. With this in mind, Microsoft products and services hold key certifications, attestations, and authorizations as applicable to their service. Several key certifications and attestations deserve to be highlighted:
    ISO 27001: Our ISO 27001:2013 certification provides assurance of a broad, risk-based information security program. Microsoft Cloud Infrastructure and Operations, the organization that builds, manages, and secures our datacenters globally, was the first major cloud service infrastructure to be certified for ISO 27001. The Microsoft Cloud Infrastructure & Operations (MCIO) team has gone beyond the ISO/IEC 27001:2013 standard (which includes some 150 security controls) to develop over 800 defense-in-depth security controls that account for the unique challenges of cloud infrastructure and what it takes to mitigate some of the risks involved.
    ISO 27018: Microsoft is the first cloud computing platform to meet the world's first international standard for cloud privacy, ISO/IEC 27018, as verified by independent auditors. Under ISO 27018, cloud service providers (CSPs) must operate under five key principles: (1) CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer; moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing. (2) Customers have explicit control of how their information is used. (3) CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII, and make clear commitments about how that data is handled. (4) In case of a breach, CSPs should notify customers and keep clear records about the incident and the response to it. (5) A successful third-party audit of a CSP's compliance documents the service's conformance with the standard and can then be relied upon by the customer to support its own regulatory obligations; to remain compliant, the CSP must subject itself to yearly third-party reviews.
    SOC: We have SSAE 16/ISAE 3402 SOC 1, 2, and 3 attestations in place. These attestations are both Type I and Type II and provide assurance of effective control performance. In 2012, Microsoft became one of the first in the industry to successfully complete a SOC 2 Type 2 and SOC 3 audit (which are designed to better accommodate cloud services) for our cloud infrastructure (datacenters and networks). We continue to demonstrate compliance through ongoing assessments. In 2008, Microsoft was the first major cloud service provider to receive a SAS 70 report (the predecessor to SOC reports) for our cloud infrastructure, and was an early adopter of SOC 1, SOC 2 and SOC 3 in 2011. The SOC audit reports attest to the design and operating effectiveness of controls related to security, availability, and confidentiality.
    HIPAA/HITECH: We meet the US HIPAA/HITECH health data protection requirements and have incorporated those requirements into our ISO 27001 program. Microsoft was the first major productivity cloud service vendor to offer a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI). We have since extended that to offer a single HIPAA BAA for all of our commercial online services.
    PCI DSS: We meet the Payment Card Industry Data Security Standard as an infrastructure provider.
    FISMA/FedRAMP and UK IL2: Microsoft's first FISMA Authorization to Operate (ATO) was granted in 2010 for the MCIO cloud organization. Since then, Microsoft enterprise cloud services, including Office 365 and Microsoft Azure, have received provisional authorities to operate (P-ATOs) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). In the United Kingdom, Azure was awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and partner offerings on the current G-Cloud procurement framework and CloudStore.
    CSA CCM: The industry organization Cloud Security Alliance (CSA) created a Cloud Controls Matrix (CCM) to identify primary criteria for service offerings. Microsoft was the first cloud service provider to complete a third-party assessment against the CSA CCM as part of its SOC 2 audit for Azure. This assessment was completed as a means of meeting the assurance and reporting needs of the majority of cloud services users worldwide.
    We have incorporated many other obligations into our compliance program, providing assurance that we are able to meet obligations such as the European Union Data Protection Directive and California Senate Bill 1386.
    Notes: Updated August 2015. Not every certification is listed on this slide. Not every Azure and Office 365 service has been fully audited for every certification.
  • #28: Further up the stack – less you have to do
  • #29: GD: Please re-do this image to clean it up. I don’t have access to the original
  • #32: Microsoft has a solution for this. [Click] Traditional identity and access management solutions providing single sign-on to on-premises applications, and directory services such as Active Directory and others, are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world. [Click] Now, as we have discussed, there are new pressing requirements to provide the same experience for cloud applications hosted in any public cloud. [Click] Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way. [Click] To do that, one simple connection is needed from on-premises directories to Azure AD, [Click] and everything else is handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud using the same credentials that exist on-premises, and even multifactor authentication added without changing code. [Click] And we don't forget the users. Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that they need, in the cloud and on-premises too (Application Proxy).
  • #33: Approved by Demi Albuz But the issue will not be resolved just by wrangling identity; understanding where your data, information and intellectual property is going is important as well. Cloud App Security identifies the services in use in your organization, and offers the tools to control access, sharing and loss prevention as well as to identify abnormal usage, high risk usage and security incidents. This insight assists your organization’s ability to detect, respond to and prevent threats.
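Slide 46's map view and this note describe the same idea: spot a user whose sign-ins come from places too far apart to be real travel, then block and revoke. As an added illustration, which is neither the deck's nor Microsoft's code and not how Cloud App Security is implemented, the PowerShell below runs a simple impossible-travel check over a constructed set of sign-in records. User names, timestamps and city coordinates are made up; the 900 km/h threshold is an assumption chosen to sit just above airline speed.

```powershell
# Added example (not from the Softchoice/Microsoft deck): a minimal "impossible travel"
# check of the kind a cloud access security broker runs over sign-in activity.
# The sign-in records are constructed; coordinates are approximate city centres.
$signIns = @(
    [pscustomobject]@{ User='jane'; Time=[datetime]'2017-05-01T08:00:00Z'; City='Toronto';   Lat=43.65;  Lon=-79.38 },
    [pscustomobject]@{ User='jane'; Time=[datetime]'2017-05-01T09:30:00Z'; City='Mumbai';    Lat=19.08;  Lon=72.88  },
    [pscustomobject]@{ User='bob';  Time=[datetime]'2017-05-01T10:00:00Z'; City='Sao Paulo'; Lat=-23.55; Lon=-46.63 },
    [pscustomobject]@{ User='bob';  Time=[datetime]'2017-05-01T22:00:00Z'; City='Toronto';   Lat=43.65;  Lon=-79.38 }
)

# Great-circle distance (haversine) in kilometres between two lat/lon points.
function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 6371 * 2 * [math]::Atan2([math]::Sqrt($a), [math]::Sqrt(1 - $a))
}

# Walks each user's sign-ins in time order and emits one finding per consecutive
# pair whose implied ground speed exceeds $MaxSpeedKmh (assumed threshold).
function Find-ImpossibleTravel {
    param([object[]]$Events, [double]$MaxSpeedKmh = 900)
    foreach ($group in ($Events | Sort-Object User, Time | Group-Object User)) {
        $prev = $null
        foreach ($e in $group.Group) {
            if ($prev) {
                $hours = ($e.Time - $prev.Time).TotalHours
                $km    = Get-DistanceKm $prev.Lat $prev.Lon $e.Lat $e.Lon
                if ($hours -gt 0 -and ($km / $hours) -gt $MaxSpeedKmh) {
                    [pscustomobject]@{
                        User   = $e.User
                        From   = $prev.City
                        To     = $e.City
                        Hours  = [math]::Round($hours, 2)
                        Km     = [math]::Round($km)
                        # Response mirrors the slide: block the session and revoke access
                        # until the user re-authenticates with MFA.
                        Action = 'Block session, revoke refresh tokens, require MFA re-auth'
                    }
                }
            }
            $prev = $e
        }
    }
}

# Jane (Toronto to Mumbai in 1.5 h) is flagged; Bob (Sao Paulo to Toronto in 12 h) is not.
Find-ImpossibleTravel -Events $signIns | Format-Table -AutoSize
```

Real sign-in feeds carry IP-derived geolocation rather than city coordinates, and a production rule also has to tolerate VPN egress points and shared corporate IPs, which is why the slide's "blocked" outcome belongs behind a risk policy rather than a single threshold.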
  • #34: Further up the stack – less you have to do
  • #35: With IaaS the customer has responsibility for securing and managing
  • #36: Azure Resource Manager enables you to work with the resources in your solution as a group. You can deploy, update or delete all of the resources for your solution in a single, coordinated operation. You use a template for deployment, and that template can work for different environments such as testing, staging and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment. Resource Manager provides several benefits: you can deploy, manage, and monitor all of the resources for your solution as a group rather than handling them individually; you can repeatedly deploy your solution throughout the development lifecycle and have confidence that your resources are deployed in a consistent state; you can manage your infrastructure through declarative templates rather than scripts; you can define the dependencies between resources so they are deployed in the correct order; you can apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform; you can apply tags to resources to logically organize all of the resources in your subscription; and you can clarify billing for your organization by viewing the rolled-up costs for the entire group or for a group of resources sharing the same tag.
    Resource Policy: Azure Resource Manager now allows you to control access through custom policies. With policies, you can prevent users in your organization from breaking conventions that are needed to manage your organization's resources. You create policy definitions that describe the actions or resources that are specifically denied, and assign those definitions at the desired scope, such as the subscription, resource group, or an individual resource. Policies and RBAC work together: to be subject to policy, the user must first be authenticated and authorized through RBAC. Unlike RBAC, policy is a default-allow and explicit-deny system. RBAC focuses on the actions a user can perform at different scopes; for example, a particular user is added to the Contributor role for a resource group, so the user can make changes to that resource group. Policy focuses on resource actions at various scopes; for example, through policies you can control the types of resources that can be provisioned or restrict the locations in which resources can be provisioned.
    Resource Locks: As an administrator, you may need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. CanNotDelete means authorized users can still read and modify a resource, but they can't delete it. ReadOnly means authorized users can read from a resource, but they can't delete it or perform any actions on it; the permission on the resource is restricted to the Reader role. Applying ReadOnly can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a ReadOnly lock on a storage account prevents all users from listing the keys: the list-keys operation is handled through a POST request because the returned keys are usable for write operations. As another example, placing a ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access. Unlike role-based access control, management locks apply a restriction across all users and roles.
    Storage Service Encryption: A new feature of Azure Storage that encrypts data when it is written to your Azure Storage, supporting block blobs, page blobs and append blobs. This feature can be enabled for new storage accounts using the Azure Resource Manager deployment model and is available for all redundancy levels (LRS, ZRS, GRS, RA-GRS). Storage Service Encryption is available for both Standard and Premium Storage, handling encryption, decryption, and key management in a totally transparent fashion. All data is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.
    Azure Disk Encryption: A new capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage (in this case, Key Vault stands in for a hardware-based TPM).
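Note #36 describes four customer-side controls: resource policy, resource locks, Storage Service Encryption and Azure Disk Encryption. As an added example, not taken from the deck or from Microsoft's documentation, the PowerShell below applies the first three with the AzureRM-era cmdlets (New-AzureRmPolicyDefinition, New-AzureRmPolicyAssignment, New-AzureRmResourceLock, Set-AzureRmStorageAccount, Get-AzureRmResourceLock); the newer Az module renames them. The subscription id, resource group, storage account name and approved regions are placeholders, and the -EnableEncryptionService parameter is assumed to be the one exposed by the AzureRM.Storage module of the period. Azure Disk Encryption is left out because its cmdlet additionally needs a Key Vault and key identifiers that are specific to your tenant.

```powershell
# Added example (not from the Softchoice/Microsoft deck). Requires an existing
# AzureRM session (Login-AzureRmAccount). All names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$rg             = 'rg-prod-placeholder'                    # placeholder
$storageName    = 'stprodplaceholder001'                   # placeholder
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$rg"

# 1. Resource Policy. Policy is default-allow / explicit-deny, so this rule only
#    has to name what is forbidden: any resource whose location is outside the
#    two approved regions (assumed regions, change to yours).
$policyRule = @'
{
  "if": {
    "not": { "field": "location", "in": [ "canadacentral", "canadaeast" ] }
  },
  "then": { "effect": "deny" }
}
'@
$definition = New-AzureRmPolicyDefinition -Name 'allowed-regions' `
    -DisplayName 'Resources must be deployed in approved regions' `
    -Policy $policyRule
New-AzureRmPolicyAssignment -Name 'allowed-regions-prod' `
    -PolicyDefinition $definition -Scope $scope

# 2. Resource Lock. CanNotDelete still permits reads and changes but blocks
#    deletion for every user and role, Owners included, until the lock is removed.
#    ReadOnly is deliberately NOT used at resource-group scope here: on the
#    storage account it would turn the list-keys POST into a denied write and
#    applications would lose access to their keys, as the note warns.
New-AzureRmResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rg -LockNotes 'Production resources: deletion requires lock removal' -Force

# 3. Storage Service Encryption: blobs encrypted at rest with 256-bit AES,
#    transparently to clients (parameter name assumed for AzureRM.Storage).
Set-AzureRmStorageAccount -ResourceGroupName $rg -Name $storageName `
    -EnableEncryptionService Blob

# Verify what is now in force at the resource-group scope.
Get-AzureRmPolicyAssignment -Scope $scope | Select-Object Name
Get-AzureRmResourceLock -ResourceGroupName $rg |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }
```

Order matters when you operationalize this: assign the policy before anything is provisioned so that the deny is enforced at deployment time, and add the lock last, since a ReadOnly or CanNotDelete lock placed earlier can block the very template deployment that creates the resources.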
  • #37: Further up the stack – less you have to do
  • #38: With IaaS the customer has responsibility for securing and managing
  • #41: Further up the stack – less you have to do
  • #43: 1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement. 2. We added tracking and revocation capabilities for greater control over shared data. 3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection.
  • #44: 1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement. 2. We added tracking and revocation capabilities for greater control over shared data. 3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection.
  • #45: Data is born protected, using the company's criteria; enforced by IT; enforced on any device. <keep personal data.... Personal>
  • #46: Extra protection is available for sensitive data: not just encryption, but rights governing who can access it and what they can do with the data.
  • #49: Welcome to our Discovery Series on Cloud Security. There has been a lot of interest and opportunity in Cloud technologies over the past few years, and also confusion around Cloud Security. This confusion can slow the adoption of Cloud technologies or open new risks. That's why Softchoice chose Cloud Security as the topic of this Discovery Series: to clear up some of that confusion. Our goal is that by the end of today's conversation you will have a better idea of what the Cloud Provider's responsibilities are and what yours are with respect to security.
  • #52: 2 min: high-level set on security strategy and tech (O365, Azure, EMS, OMS) → the CISO's comprehensive security package is ECS
  • #53: Current
  • #55: Most of our day will focus on EMS. This slide is here to level-set on what is included in the two levels. Before we talk to customers about products, it is best to engage the security story all-up. So let’s start there.