Security and Compliance


Presentation Transcript


1. Security and Compliance
- We have the highest bar for privacy, security and availability in all of our cloud services
- All are “Gold” standard
- Privacy – we do not make money beyond the subscription price
- We have invested for 15 years in cloud security
- Certifications to show we can be trusted
- Back up our availability with money-back SLAs
- The Cloud is NOT traditional outsourcing

2. Risk Management Program Overview
When we think about security for Microsoft Online, we do so in the context of the Microsoft Online Risk Management Program. This includes the intertwined disciplines of security, privacy, continuity, and compliance. In a nutshell, the objective of the program is to help protect the availability, confidentiality, and integrity of Microsoft Online Services and customer data. We do that by uniformly managing security, privacy, continuity, and compliance under a single, centrally managed Program.

In designing the program, we adopted and matured the best practices that had already been developing within Microsoft for years. The Global Foundation Services (GFS) arm of Microsoft has been operating online services since the launch of MSN in 1994. That team brings a deep and rich security capability to today’s Microsoft Online Services. We extend the framework that GFS has in place for maintaining certifications against industry standards, which I’ll talk about in more depth later.

In 2002, the company formed the Trustworthy Computing initiative, with Bill Gates committing Microsoft to fundamentally changing its mission and strategy in key areas. Today, Trustworthy Computing is a core corporate value at Microsoft, guiding nearly everything the company does. At the foundation of this initiative are four pillars: Privacy, Security, Reliability, and Business Practices. The rigorous security practices employed by development teams at Microsoft were formalized into a process called the Security Development Lifecycle (SDL) in 2004. We’ve extended those practices to the development and operation of Microsoft Online Services. We’ve adapted and extended Microsoft’s corporate Enterprise Risk Management practices, and we maintain alignment with the ISO 27001 framework. All these ingredients helped us develop a robust risk management program and get the benefit of the breadth and depth of Microsoft’s experience.

There are a few common elements shared across all components of the Program:
- Information Security Policy – an aggregate of requirements based on internal policies and external standards
- Risk Assessment – through which we identify and address unique risks to services and customers by means of a comprehensive assessment and management methodology
- Training & Awareness – to ensure personnel are aware of the Program objectives and associated Policy, understand their roles and responsibilities, and are adequately trained on critical procedures

Why is it so important that we have this centralized Risk Management Program? First, it helps us create a common security “bar” for all our services to meet. It allows us to use standardized solutions for better consistency, reduced complexity and, by extension, reduced risk. It provides us centralized monitoring and response, so we can get both service-specific and aggregated views of the health and status of our services. And that helps us provide better visibility of health and status to our customers.

3. One area that we are very conscious of is the importance of security and availability. We want to ensure that customers feel confident that we are protecting their data and that the service is highly available. Our service runs on a set of datacenters managed by a centralized organization within Microsoft that is making major investments in datacenter space and capabilities. We deploy our services on the latest hardware and network equipment in an N+1 architecture to enable failover, and we save your data in a separate geo-redundant location. We are regularly tested by a third party, CyberTrust, to ensure our infrastructure is secure against attacks. We follow ITIL/MOF in our operational processes, and we are in the process of getting our SAS-70 audit to ensure we have the strictest level of control. Above all, we provide 24x7 IT Pro support, and our service availability is backed by a 99.9% uptime SLA with financial penalties if we fail to meet the SLA.

Physical security is but one part of it. Since we are providing an internet-based service, we ultimately need to make sure that we are protecting customers’ data in a variety of ways. We look at this as multiple layers of protection: Microsoft provides 9 layers of logical security for our customers and their service and data. Summarize the 9-layer security (firewalls, IDS, two-factor auth, etc.) and the rest…

Filtering Routers: these are implemented to protect against any traffic we do not see as well constructed. One of the great benefits of providing a focused service like BPOS is that we can set up the routers to protect against any form of malformed data. We block in aggregate at the edge.

Firewalls are set up as deny-all.

Behind the firewalls we have an Intrusion Detection System. We have a very sophisticated correlation engine for any intrusion alert, which we track 24 hours a day.

Below the IDS, we have System Level Security. The service operations organization has broad-based two-factor authentication. This means each individual within a support and service operations team has either a secure ID card or an RSA SecurID token that is coupled with their role. Each individual must have a user ID and password and must enter a PIN with their SecurID token. Based on the role they have, we grant access per individual to the service.

Application Authentication: below the System Level Security, customers have application-level authentication. We have a very sophisticated mechanism by which we provide access to data. The structure of the service gives users access to only those capabilities they are designed to have. In the reseller model, where a partner is providing the service to the customer, the partner has a level of application authentication that sits on top of that which the customers have. So we are able to provide a very rich set of security protocols for our customers as it relates to authentication to the different services.

Microsoft, as most people know, has a good history as relates to security and trustworthy computing. Our services are designed to make sure that we apply those security methods not only to the software, but also to that software delivered as a service. So when we do our threat modeling and follow the Windows initiative, we think about our applications as if they are delivered through the Internet. We apply a significant level of countermeasures against attacks such as buffer overflows and SQL injection, and we make sure that the applications we run are sandboxed, so you cannot gain elevated levels of access or a higher level of authentication while doing work within our application.

Virus Scanning is provided for multiple sets of capabilities. We virus scan at all of our server levels, we have intrusion detection in place at the host, and we scan our content via Microsoft Forefront.

Then we have Separate Data Networks. Inside the data center, these are implemented in a form that breaks the network apart. For example, the databases are on a separate subnet from the content server or anything that is an internet-facing device. Even though we are an internet-facing service, very few devices have direct access to the internet. All of the servers are on some form of non-routable subnet space.

Finally, you are authenticated into the data. The data itself is never stored on the physical servers; we run separate data networks and the data is stored on dedicated storage devices. So the content is served from dedicated storage devices, which allows us to provide significant levels of backup as well.

- Our ISO certification, being in most ways a superset of FISMA and SAS 70, will help us adjust more quickly to future certification needs as they evolve
- We offer data location in the US today
- We go beyond the scope of what most certs cover to also take into account environmental awareness

4. Certifications
More to come …
ISO certs:
- BPOS-S: IS 552878
- FOPE: IS 560057
Safe Harbor: # 9838 http://www.export.gov/safehrbr/companyinfo.aspx?id=9838

5. Security

6. Multi-Layered Defense

7. Data Encryption at Rest

8. Enhanced Email Security Features
- Require TLS for all mail between customer and partner domain (inbound and outbound)
- Centralized mail control (all mail for the domain sent/received from customer servers)
  - Enables custom filtering and archiving
- Outbound mail delivery to a smarthost
  - Enables additional processing, e.g. DLP
- Future: expanded DLP capabilities in Forefront Online Protection for Exchange (FOPE)

9. Privacy

10. What is “Privacy”?
Our approach to protecting customer privacy: we ensure we use the right policy and principles that help customers and end-users maintain control over their personal information (PII).
“Control over PII” means we respect our customers’ information by:
- being transparent about how we gather and use PII
- allowing customers to direct how we use their PII
- limiting our use of PII
- providing a means by which customers can update their PII to ensure accuracy
- striving to keep PII secure
- working to ensure customers can access their data
Common privacy regulations customers comply with while using Microsoft Online: HIPAA, GLBA, FERPA, Mass 201, PIPEDA, and the EU Data Protection Directive, along with the EU Model Clauses and security requirements in EU national privacy laws.

11. Why Is Privacy Compliance Important?
- It’s the law
- Helps ensure to Customers that they’ve made the right choice by entrusting their data to Microsoft
- It’s the right thing to do

12. Global Privacy Regulations
- Microsoft Online Services has been built focusing on transparency, allowing customers control over their data, and enabling them to adhere to recognized privacy principles
- Example: many locales require a privacy notice and a recording notice. It's ultimately the responsibility of the customer to comply, but we built one in as a default so customers are assisted
- Microsoft complies with global privacy norms. It abides by the Safe Harbor privacy framework regarding the collection, use, transfer, and retention of data from the European Union, the European Economic Area, and Switzerland
- Each of Microsoft Online Services has a privacy statement that details how customers’ data will be treated
- Longer term: we work with governments and partners to adapt regulations to our type of services

13. Government Subpoenas
Will Microsoft turn over my data to US companies or the US government?
- Microsoft believes customers should control their own information
- When compelled by U.S. law enforcement to produce customer records, Microsoft will first attempt to redirect these demands to the customer
- Microsoft will notify the customer unless it cannot, either because Microsoft is unable to reach the customer or is legally prohibited from doing so
- Microsoft will only produce the specific records ordered by law enforcement and nothing else

14. Data Transfers
- Microsoft set the bar high across the service – we adhere to the requirements from the strictest markets, like the EU Data Protection Directive, so that we can legally store and use data in compliance with legal requirements
- Microsoft offers transparency around location of customer data
- Microsoft tracks major international privacy laws so we know what is coming and are ready to address it

15. Compliance

16. Compliance Management Framework

17. Addressing Audit Needs
Microsoft offers:
- Alignment and adoption of industry standards
- Comprehensive set of practices and controls in place to protect your data
- Focus on solutions for millions of users worldwide
- Independent third-party attestations of Microsoft security, privacy, and continuity controls
This allows Microsoft Online to provide assurances to customers at scale.

Customers almost always start by insisting that they need to perform audits of Microsoft themselves. First, customer audits do not scale. We provide 1.5 million email inboxes today with close to 1000 customers; we could not scale to handle audits by each customer. We also believe that our customers gain more value through the independent third parties that we leverage to produce in-depth and comprehensive audits of our services. With both SAS 70 and ISO 27001, we believe that our customers get both a depth and a breadth perspective on our environment and practices. In addition, we believe that this leads to better security, both through interaction with top talent from companies like Deloitte and BSI and by limiting the details of our practices to as few people as possible.

18. Supporting Customer Compliance
- Customizable and feature-rich Microsoft Online offerings to suit a customer’s compliance needs
- Use our features to implement your policies
  - Retention policies, archiving, legal hold, etc.
- Third-party audits and attestations
- Compliance from end to end (physical infrastructure to services development & operation)

19. Service Continuity

20. Service Continuity Program Framework

21. Continuity Concerns
What drives the need to have a continuity plan in place?
- To protect the customer and the service from any major outage
Does Microsoft have a formalized continuity program in place?
- Yes, a robust service continuity program is in place based on industry best practices and provides the ability to recover subscribed services in a timely manner
Does each service have the ability to recover from a disastrous event?
- Yes, all offerings have redundancy and resiliency to ensure that any major outage is minimized
Is the plan exercised (tested) on a regular basis?
- The plan and solution are validated at least on an annual basis

23. Office 365 security and compliance features
Exchange Online
- Retention tags
- Personal Archive
- Multi-mailbox search
- Litigation hold
- Journaling for integration with external archive services
- ActiveSync Policies
- Rights Management support
  - Decrypt to journal
- S/MIME support
- Mail tips
- Transport rules
  - Filtering
  - Disclaimers
  - Supervision/Ethical walls
- AV/AS using Forefront Online Protection for Exchange
- Role-based Access controls
- Audit reports
  - Non-owner access report
  - Admin configuration change report

24. Office 365 security and compliance features
SharePoint Online
- Information Management Policy
  - Expiration
  - Audit Policies
- Business Taxonomies & Tagging
  - Site Columns
  - Content Types
  - Taxonomy term store
- Document Sets & IDs
- Cross-site Collection Search
- Document-level access controls
- Site collection and site-level audit reports
  - Content Activity Reports
  - Information Management Policy
  - Security and Site Settings reports
- In-place Records management
  - Records declaration
  - Litigation hold

25. Q & A
