Global Foundation Services (GFS) Malware Protection Center Microsoft Security Response Center (MSRC)

Upload: maude-underwood

Post on 28-Dec-2015

TRANSCRIPT

Page 2: Windows Azure Security and Compliance

Stevan Vidich
Director, Windows Azure Marketing
Microsoft

WS-B334

Page 3: Windows Azure Trust Center

http://www.windowsazure.com/trustcenter/

• Security
• Privacy
• Compliance

Page 4: Microsoft experience and credentials

Timeline (axis: 1989, 1995, 2000, 2005, 2010) with the following labels:

• Trustworthy Computing Initiative (TwC)
• BillG Memo
• Microsoft Security Engineering Center / Security Development Lifecycle
• Global Foundation Services (GFS)
• Malware Protection Center
• Microsoft Security Response Center (MSRC)
• Windows Update
• 1st Microsoft Data Center
• Active Directory

Page 5: Trustworthy Computing Security Centers

Protecting Microsoft customers throughout the entire life cycle (in development, deployment, and operations)

Diagram labels:

• Product Life Cycle (Conception, Release)
• Microsoft Security Engineering Center (MSEC)
• SDL
• Security Science
• Microsoft Security Response Center (MSRC)
• Microsoft Malware Protection Center (MMPC)

Page 6: Datacenter infrastructure compliance

• ISO / IEC 27001:2005 certification
• SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestation
• SOC 2 Type 2 and SOC 3 (AT 101) attestations
• HIPAA / HITECH Act
• PCI Data Security Standard validation
• FISMA authorization
• Various state, federal, and international privacy laws (95/46/EC, aka EU Data Protection Directive; California SB1386; etc.)

Page 7: Public cloud – shared responsibility

Diagram: four columns, each listing the same stack of layers, with a legend "Managed by: Customer / Vendor".

Columns: On Premises; Infrastructure (as a Service); Platform (as a Service); Software (as a Service)

Layers: Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime

Page 8: Defense-in-depth

• Identity and Access Management
• Host Security
• Application
• Data
• Network
• Physical

10 Things to Know About Azure Security
http://technet.microsoft.com/en-us/cloud/gg663906.aspx

Page 9: Data center security

Diagram labels: World-Class Security; Extensive Monitoring; Building; Perimeter; Computer room

• Cameras
• Security patrols
• Barriers
• Fencing

• Cameras
• Security patrols
• Alarms
• Two-factor access control
• Biometric readers
• Card readers
• Security operations center

• Cameras
• Security patrols
• Alarms
• Two-factor access control
• Biometric readers
• Card readers

Page 10: Network

• Isolated from Microsoft corpnet
• VLANs and packet filters in routers
• Host boundary protection
• DDoS protection
• Penetration testing
• Monitoring and logging
• Security incidents and breach notification

Page 11: Identity and access

Windows Azure customer support personnel
• Access control requirements established by Windows Azure Security Policy
• No access to customer data by default
• No user / administrator accounts on VMs
• Monitoring and logging when local accounts are created on VMs

Access to PaaS VMs is highly restricted
• Most common authorization is based on customer troubleshooting request
• Full incident monitoring and logging
• Temporary accounts for limited duration and 2FA enforced

Access to IaaS VMs is not possible

Page 12: Host

• Stripped-down version of Windows Server
• No drivers except approved ones, no graphics modules
• Network connectivity restricted using host firewall

• Host boundaries enforced by external hypervisor based on Hyper-V
• All Guest access to network and disk is mediated by Root VM (via the Hypervisor)
• When VMs are provisioned, they are cloned from limited number of known configurations
• PaaS images managed and updated by Microsoft
• With IaaS, customers can bring their own images (and manage them)

• Patch management
• Support lifecycle policy

Diagram labels: Guest VM (four), Root VM, Hypervisor, Network / Disk

Page 13: Application

• Security Best Practices for Developing Windows Azure Applications
• Windows Azure does not inspect, approve, or monitor customer applications
• Customer application and storage account logging and monitoring
• Anti-malware scanning for customer applications
• Protection against external attacks, including third-party options
• Disaster recovery and business continuity
• Forensic investigations

Page 14: Data

• Redundant storage
• Locally redundant storage
• Geo-replication

• Storage accounts and keys
• Data backup
• Data deletion and destruction
• Windows Azure data cleansing and leakage
• Data encryption (in transit, at rest)

Page 16: Geographic regions for customer data

Asia
• East (Hong Kong)
• Southeast (Singapore)

Europe
• North (Ireland)
• West (Netherlands)

United States
• North Central (Illinois)
• South Central (Texas)
• East (Virginia)
• West (California)

Page 17: Comprehensive compliance framework

Certifications and Attestations
• ISO/IEC 27001:2005 certification
• SOC 1 and SOC 2 attestations

Predictable Audit Schedule
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize
• Examine root cause of non-compliance
• Track until fully remediated

Controls Framework
• Identify and integrate
• Regulatory requirements
• Customer requirements
• Assess and remediate
• Eliminate or mitigate gaps in control design

Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, GLBA, FFIEC, etc.

• HIPAA Business Associate Agreement
• FISMA authorization
• And more

Page 18: Windows Azure compliance programs

• ISO 27001
• SSAE 16 (SOC 1 Type 2)
• SOC 2 Type 2 (in process)
• CSA Cloud Control Matrix
• EU Model Clauses
• UK Government accreditation for IL 2 data
• HIPAA Business Associate Agreement (BAA)
• FISMA / FedRAMP authorization (in process)

Page 19: Windows Azure Trust Center

http://www.windowsazure.com/trustcenter/

• Security
• Privacy
• Compliance

Page 20: Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Page 21: Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

Page 22:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.