Microsoft strategy to address cloud security v5 1(frddy ton)


Page 1: Microsoft strategy to address cloud security v5 1(frddy ton)

Cloud Computing: New opportunities, New Challenges, New responsibilities

Freddy Tan, CISSP

Chief Security Advisor

Microsoft Asia

Page 2

Agenda

Openness
– Standards
– Interoperability
– Data portability
– Open Government

Trust
– Cybercrime
– Privacy
– Data Governance
– Security

Innovation
– Developers
– R&D
– Citizen Services
– Applications

Access
– Broadband
– Skills
– Affordability
– Accessibility

Page 3

Getting Access to the Cloud

Broadband is driving the cloud revolution

Variety of delivery models (wired, wireless, hybrid)

Driven by demands from users with different modes of access
– Smartphones
– Netbooks
– e-readers
– PCs

Creating a two-sided market:
– Demand side for customers/consumers
– Supply side for developers and service providers

Page 4

The promise of cloud interoperability

Page 5

New challenges

So what has changed?

Page 6

Top Threats to Cloud Computing

Threat #1: Abuse and Nefarious Use of Cloud Computing

Threat #2: Insecure Interfaces and APIs

Threat #3: Malicious

Threat #4: Shared Technology Issues

Threat #5: Data Loss or Leakage

Threat #6: Account or Service Hijacking

Threat #7: Unknown Risk Profile

Page 7

$560 million in losses related to identity theft, phishing scams and outright fraud in 2008

Source : www.esecurityplanet.com/features/article.php/3871456/Cyber-Crooks-Doubled-Their-Take-in-09-FBI.htm

Page 8

So what has changed?

These security issues have expanded and come to the forefront:
– Data Security
– Data Privacy vs. Law Enforcement Needs
• Electronic Evidence Discovery Requirements
– Cross-Border Data Flows
• EU Safe Harbor Policy Template
» Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)
– Jurisdictional Tensions

Page 9

New responsibilities

Page 10

Microsoft Business Needs

Microsoft must follow national and international laws and regulations.

Some examples of laws that may be applicable:
– The Privacy Act, 1974
– HIPAA (Health Insurance Portability and Accountability Act, 1996)
– COPPA (Children's Online Privacy Protection Act, 1998)
– GLBA (Gramm-Leach-Bliley Act, 1999)
– SOX (Sarbanes-Oxley Act, 2002)
– Regional regulations
• EU Directives
– Directive 95/46/EC (Data Protection Directive)
– Directive 2002/58/EC (the E-Privacy Directive)
– Directive 2006/24/EC Article 5 (The Data Retention Directive)
• Privacy Online: OECD Guidance on Policy and Practice, 2002
– In-country regulations
• State of California SB1386, 2003
• Japan's privacy laws – Act for the Protection of Personal Information (2003)

Microsoft IT Streamlines Regulatory Compliance: http://technet.microsoft.com/en-us/library/dd537744.aspx

Page 11

Confidence & Trusted Brand Security Timeline

[Timeline graphic, 1989, 1994-95, 1997, 2002, 2004, 2005, 2008-09; milestones shown: 1st Data Center, MSN, Microsoft.com, Hotmail, Trustworthy Computing Directive, Security Development Lifecycle, Windows Live, First SAS-70 Type I cert, First ISO 27001 cert, Microsoft Online Services]

Page 12

Microsoft's Approach to Cloud Security

Challenges

Response to Cloud Security Challenges:
– Risk-based Information Security Program
– Deep Set of Security Controls
– Comprehensive Compliance Framework

Page 13

Microsoft's Approach to Cloud Security (section divider; same content as page 12)

Page 14

Information Security Program

ISO 27001:2005 certified

Page 15

Microsoft's Approach to Cloud Security (section divider; same content as page 12)

Page 16

Control Framework: Domains

The control objectives are published at:
http://www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf

1. General Information
2. Information Security
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development, and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Risk Management
13. Compliance
14. Privacy

Page 17

Control Framework: Structure

• Domain
• Sub Domain
• Control Objective (ISO 27001 has 152 vs 292)
• Associated Standard (External Compliance Requirement)
• Applicable Security, Standard Operating Procedure or System Reference
• Sample Control Activity
• Sample Testing Activity

Page 18

Control Modules

Page 19

Microsoft's Approach to Cloud Security (section divider; same content as page 12)

Page 20

Comprehensive Compliance Framework

Certification and Attestations
• ISO/IEC 27001:2005 certification
• Statement of Auditing Standard (SAS) 70 Type I and Type II attestations

Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, etc.

Controls Framework
• Identify and integrate:
– Regulatory requirements
– Customer requirements
• Assess and remediate:
– Eliminate or mitigate gaps in control design
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize:
– Examine root cause of non-compliance
– Track until fully remediated

Predictable Audit Schedule

Page 21

Cloud Security Considerations

[Diagram; vertical axis: Relative Sensitivity of Data; horizontal axis: Relative Dependence on an External Service Provider and Common Risk Pooling with Cotenants]

High data sensitivity: strict limits on sensitive data due to mission, security requirements, policy, or compliance considerations.

High dependence on an external provider: organizational need to take advantage of higher returns to scale to eliminate excess capacity, secure cost savings, or support a distributed workforce.

Deployment models, from least to most shared:

Private: Infrastructure is owned or leased by a single organization and is operated solely for that organization.

Community: Infrastructure is shared by several organizations and supports a specific community that has shared concerns.

Public: Infrastructure is owned by an organization selling cloud services to the general public or a large industry group.

Page 22

Microsoft Vision for Government Computing

Page 23

Government Public Cloud

Page 24

Government Private Cloud – Self-Hosted

Page 25

Government Private Cloud – Partner-Hosted

Page 26

Microsoft’s Online Services Security Strategic Information Security Program

Page 27

Data Governance Strategy

References

The Case for Data Governance, Jan 2010

People and Process, Jan 2010

Managing Technical Risk, Apr 2010

A Capability Maturity Model, Apr 2010

All papers are published and available at www.microsoft.com/datagovernance

Page 28

Microsoft Open Data initiatives

Use open standards to enhance collaboration and sharing across different data sources

Page 29

Conclusion - Security Considerations

– No one-size-fits-all model for cloud computing
– Users must assess their risk, and have flexibility and choice among service offerings
– Users must be able to make informed choices in light of the sensitivity of data, their mission and other risk factors
• Consider the different Cloud deployment models
» Private Cloud
» Community Cloud
» Public Cloud

Page 30

Additional Resources

OECD Guidelines for the Security of Information Systems and Networks

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Guidelines for the Regulation of Computerized Personal Data Files, G.A. res. 44/132, 44 U.N. GAOR Supp. (No. 49) at 211, U.N. Doc. A/44/49 (1989).

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Dec 2009, www.cloudsecurityalliance.org/csaguide.pdf

Page 31

References

Microsoft Cloud: www.microsoft.com/cloud

Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc

Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy

Microsoft Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f

The ISO 27001:2005 certificate for Global Foundation Services, Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft

Microsoft Global Foundation Services, home page: www.globalfoundationservices.com

The Microsoft Security Development Lifecycle (SDL): www.microsoft.com/security/sdl/default.aspx

Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx

The Microsoft SDL Threat Modeling Tool: http://www.microsoft.com/security/sdl/getstarted/threatmodeling.aspx

Microsoft Online Services: www.microsoft.com/online

Microsoft Security Response Center: www.microsoft.com/security/msrc

Microsoft Compliance Framework Whitepaper: www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf

Securing Microsoft's Cloud Infrastructure: http://www.globalfoundationservices.com/security/documents/SecuringtheMSCloudMay09.pdf

Page 32

Questions

[email protected]

Page 33

Strategic Information Security Program: Based on industry best practices to enable rapid adaptation to cloud infrastructure changes

Certification Framework: Streamlines certification process for product and service delivery teams

Trusted Brand: Established through meeting business obligations along with legal and commercial expectations

Confidence: Born from years of experience managing security risks in traditional development and operating environments