Microsoft strategy to address cloud security v5 1 (Freddy Tan)
Cloud Computing: New opportunities, New challenges, New responsibilities
Freddy Tan, CISSP
Chief Security Advisor
Microsoft Asia
Agenda
Openness
Standards
Interoperability
Data portability
Open Government
Trust
Cybercrime
Privacy
Data Governance
Security
Innovation
Developers
R&D
Citizen Services
Applications
Access
Broadband
Skills
Affordability
Accessibility
Getting Access to the Cloud
Broadband is driving the cloud revolution
Variety of delivery models (wired, wireless, hybrid)
Driven by demands from users with different modes of access
– Smartphones
– Netbooks
– e-readers
– PCs
Creating two-sided market:
– Demand side for customers/consumers
– Supply side for developers and service providers
The promise of cloud interoperability
New challenges
So what has changed?
Top Threats to Cloud Computing
Threat #1: Abuse and Nefarious Use of Cloud Computing
Threat #2: Insecure Interfaces and APIs
Threat #3: Malicious
Threat #4: Shared Technology Issues
Threat #5: Data Loss or Leakage
Threat #6: Account or Service Hijacking
Threat #7: Unknown Risk Profile
$560 million in losses related to identity theft, phishing scams and outright fraud in 2008
Source: www.esecurityplanet.com/features/article.php/3871456/Cyber-Crooks-Doubled-Their-Take-in-09-FBI.htm
So what has changed?
These security issues have expanded and come to the forefront:
– Data Security
– Data Privacy vs. Law Enforcement Needs
• Electronic Evidence Discovery Requirements
– Cross-Border Data Flows
• EU Safe Harbor Policy Template
» Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)
– Jurisdictional Tensions
New responsibilities
Microsoft Business Needs
Microsoft must follow national and international laws and regulations.
Some examples of laws that may be applicable:
– The Privacy Act, 1974
– HIPAA (Health Insurance Portability and Accountability Act, 1996)
– COPPA (Children's Online Privacy Protection Act, 1998)
– GLBA (Gramm-Leach-Bliley Act, 1999)
– SOX (Sarbanes-Oxley Act, 2002)
– Regional regulations
• EU Directives
– Directive 95/46/EC (Data Protection Directive)
– Directive 2002/58/EC (the E-Privacy Directive)
– Directive 2006/24/EC Article 5 (The Data Retention Directive)
• Privacy Online: OECD Guidance on Policy and Practice, 2002
– In-country regulations
• State of California SB1386, 2003
• Japan’s privacy laws – Act for the Protection of Personal Information (2003)
Microsoft IT Streamlines Regulatory Compliance - http://technet.microsoft.com/en-us/library/dd537744.aspx
Confidence & Trusted Brand: Security Timeline (1989 to 2008-09)
Milestones shown on the timeline (years on the axis: 1989, 1994-95, 1997, 2002, 2004, 2005, 2008-09):
– MSN
– Microsoft.com
– Hotmail
– Microsoft Online Services
– Windows Live
– First ISO 27001 cert
– 1st Data Center
– Security Development Lifecycle
– First SAS-70 Type I cert
– Trustworthy Computing Directive
Microsoft’s Approach to Cloud Security Challenges
– Risk-based Information Security Program
– Deep Set of Security Controls
– Comprehensive Compliance Framework
Response to Cloud Security Challenges
Information Security Program
ISO 27001:2005 certified
Control Framework: Domains
The control objectives are published at:
http://www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf
Domains
1. General Information
2. Information Security
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development, and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Risk Management
13. Compliance
14. Privacy
Control Framework: Structure
Structure
• Domain
• Sub Domain
• Control Objective (ISO 27001 has 152 vs 292)
• Associated Standard (External Compliance Requirement)
• Applicable Security, Standard Operating Procedure or System Reference
• Sample Control Activity
• Sample Testing Activity
Control Modules
Comprehensive Compliance Framework
Certification and Attestations
• ISO/IEC 27001:2005 certification
• Statement on Auditing Standards (SAS) 70 Type I and Type II attestations
Industry Standards and Regulations
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Media Ratings Council
• Sarbanes-Oxley, etc.
Controls Framework
• Identify and integrate:
– Regulatory requirements
– Customer requirements
• Assess and remediate:
– Eliminate or mitigate gaps in control design
• Test effectiveness and assess risk
• Attain certifications and attestations
• Improve and optimize:
– Examine root cause of non-compliance
– Track until fully remediated
Predictable Audit Schedule
Cloud Security Considerations
Vertical axis: Relative Sensitivity of Data
Horizontal axis: Relative Dependence on an External Service Provider and Common Risk Pooling with Cotenants
High data sensitivity: Strict limits on sensitive data due to mission, security requirements, policy, or compliance considerations.
High dependence on an external provider: Organizational need to take advantage of higher returns to scale to eliminate excess capacity, secure cost savings, or support a distributed workforce.
Deployment models along the horizontal axis: Private, Community, Public
– Private: Infrastructure is owned or leased by a single organization and is operated solely for that organization.
– Community: Infrastructure is shared by several organizations and supports a specific community that has shared concerns.
– Public: Infrastructure is owned by an organization selling cloud services to the general public or a large industry group.
Microsoft Vision for Government Computing
Government Public Cloud
Government Private Cloud – Self-Hosted
Government Private Cloud – Partner-Hosted
Microsoft’s Online Services Security Strategic Information Security Program
Data Governance Strategy
References
The Case for Data Governance, Jan 2010
People and Process, Jan 2010
Managing Technical Risk, Apr 2010
A Capability Maturity Model, Apr 2010
All papers are published and available at www.microsoft.com/datagovernance
Microsoft Open Data initiatives
Use open standards to enhance collaboration and sharing across different data sources
Conclusion - Security Considerations
– No one-size-fits-all model for cloud computing
– Users must assess their risk, and have flexibility and choice among service offerings
– Users must be able to make informed choices in light of the sensitivity of data, their mission and other risk factors
• Consider the different Cloud deployment models
» Private Cloud
» Community Cloud
» Public Cloud
Additional Resources
OECD Guidelines for the Security of Information Systems and Networks
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Guidelines for the Regulation of Computerized Personal Data Files, G.A. res. 44/132, 44 U.N. GAOR Supp. (No. 49) at 211, U.N. Doc. A/44/49 (1989).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Dec 2009, www.cloudsecurityalliance.org/csaguide.pdf
References
Microsoft Cloud: www.microsoft.com/cloud
Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc
Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy
Microsoft Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f
The ISO 27001:2005 certificate for Global Foundation Services, Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft
Microsoft Global Foundation Services, home page: www.globalfoundationservices.com
The Microsoft Security Development Lifecycle (SDL): www.microsoft.com/security/sdl/default.aspx
Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx
The Microsoft SDL Threat Modeling Tool: http://www.microsoft.com/security/sdl/getstarted/threatmodeling.aspx
Microsoft Online Services: www.microsoft.com/online
Microsoft Security Response Center: www.microsoft.com/security/msrc
Microsoft Compliance Framework Whitepaper: www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf
Securing Microsoft’s Cloud Infrastructure: http://www.globalfoundationservices.com/security/documents/SecuringtheMSCloudMay09.pdf
Questions
Strategic Information Security Program: Based on industry best practices to enable rapid adaptation to cloud infrastructure changes
Certification Framework: Streamlines the certification process for product and service delivery teams
Trusted Brand: Established through meeting business obligations along with legal and commercial expectations
Confidence: Born from years of experience managing security risks in traditional development and operating environments