"By 2020, a corporate no-cloud policy will be as rare as a no-internet policy is today." [1]

"The question is no longer: How do I move to the cloud? Instead, it's: Now that I'm in the cloud, how do I make sure I've optimized my investment and risk exposure?" [2]

"By 2020 clouds will stop being referred to as public and private. It will simply be the way business is done and IT is provisioned." [3]

Sources:
[1] Gartner: Smarter with Gartner, "Why a No-Cloud Policy Will Become Extinct", February 2, 2016
[2] KPMG: 2014 Cloud Survey Report, "Elevating business in the cloud", December 10, 2014
[3] IDC: IDC Market Spotlight, "Cloud Definitions and Opportunity", April 2015
Old models no longer work (did they ever?).
ASSUME BREACH
[Map of Microsoft datacenter regions] 38 cloud regions worldwide, 100+ datacenters, one of the 3 largest networks in the world.

Global datacenters: North Central US, West US, West US 2, West Central US, Central US, South Central US, East US, East US 2, Canada Central, Canada East, Brazil South, North Europe, West Europe, United Kingdom South, United Kingdom West, France (two regions) [3], Korea South [3], Korea Central [3], Japan East, Japan West, West India, Central India, South India, East Asia, Southeast Asia, Australia Southeast, Australia East.

Sovereign datacenters: US Gov Arizona [3], US Gov Texas [3], US Gov Iowa, US Gov Virginia, US DoD West, US DoD East, Germany Northeast [2], Germany Central [2], China West [1], China East [1].

[1] China datacenters operated by 21Vianet
[2] German data trustee services provided by T-Systems
[3] France, South Korea and US Gov datacenter regions have been announced but are not currently operational
MICROSOFT DATACENTERS Microsoft invests heavily to help ensure that our datacenters are some of the most secure facilities on the planet
Questions to ask of a cloud service (based on the NCSC cloud security principles, https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles):

- Is data in transit and at rest adequately protected?
- What separation exists between different consumers of the service?
- What governance process is in place for the service?
- Are there processes for the operational security of the service?
- Are the service provider personnel with access to customer data subject to background checks?
- How does the supply chain support the security principles that the service implements?
- What do you need to do to configure the service or your devices to access the service?
- Are interfaces constrained to authenticated users only?
- Are all external interfaces identified and protected?
- How is the service protected from the administrators of the service?
- What audit information is available to you to monitor access to the service?
- Do you have the tools available to securely manage the service?
- How is the service designed to identify and mitigate threats?
- What is done to protect your data against tampering, loss, damage or seizure?
HOLISTIC APPROACH TO SECURITY LEADERSHIP IN COMPLIANCE COMMITMENT TO TRANSPARENCY & PRIVACY
Platform Intelligence Partners
Customers expect:
- Customer data will be safeguarded using state-of-the-industry security technology and processes.
- Customer data will be encrypted in transit and at rest.

What we're doing about it:
- Our datacenters are equipped with state-of-the-art physical security measures.
- We operate a 24x7 incident response team to mitigate threats and attacks.
- We encrypt customer data transferred between our datacenters.
- We protect your stored data with built-in tools and provide access to further encryption capabilities.
POWERED BY THE INTELLIGENT SECURITY GRAPH

Unique insights, informed by trillions of signals. This signal is leveraged across all of Microsoft's security services.

- 1.2B devices scanned each month
- Malware data from Windows Defender
- Shared threat data from partners, researchers and law enforcement worldwide
- 400B emails analyzed
- 200+ global cloud consumer and commercial services
- Botnet data from Microsoft Digital Crimes Unit
- Enterprise security for 90% of Fortune 500
- 750M+ Azure user accounts
- 18+B Bing web pages scanned
- 450B monthly authentications
PARTNERING TO IMPROVE CYBER SECURITY
Customers expect:
- Cloud services to enable compliance by adhering to international standards, certifications and applicable regulatory requirements.
- Ability to see the certifications for each of their cloud provider's cloud services.

What we're doing about it:
- We lead the industry in pursuing compliance with the latest standards for data privacy and security, such as ISO 27018.
- Our global infrastructure investments enable us to meet unique data residency, sovereignty and compliance requirements.
- We regularly undergo independent audits to certify our compliance.
- We collaborate with our partners, when requested, to work with their customers and regulators to help them meet their compliance requirements.
Global requirements | Local & regional compliance requirements | Infrastructure investments | Highly-regulated industries | Future requirements
Azure has the deepest and most comprehensive compliance coverage in the industry (as of July 2017):

GLOBAL: ISO 27001, ISO 27018, ISO 27017, ISO 22301, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation

US GOV: Moderate JAB P-ATO, High JAB P-ATO, DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, SP 800-171, FIPS 140-2, Section 508 VPAT, ITAR, CJIS, IRS 1075

INDUSTRY: PCI DSS Level 1, CDSA, MPAA, FACT UK, Shared Assessments, FISC Japan, HIPAA / HITECH Act, HITRUST, GxP 21 CFR Part 11, MARS-E, IG Toolkit UK, FERPA, GLBA, FFIEC

REGIONAL: Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook
Providing clarity and consistency for the protection of personal data

The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.

- Enhanced personal privacy rights
- Increased duty for protecting data
- Mandatory breach reporting
- Significant penalties for non-compliance

Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.
What are the key changes to address the GDPR?

Personal privacy. Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data

Controls and notifications. Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing

Transparent policies. Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies

IT and training. Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
Protecting customer privacy Supporting modern laws and treaties Increasing transparency
Customers expect:
- Control over who has access to customer data.
- Data access will require permission from the customer before their cloud vendor's personnel or its subcontractors can obtain access.
- Their data can be permanently deleted or taken with them if they leave.

What we're doing about it:
- Your customers will have flexibility, choice and transparency on where customer data is stored.
- We will not use your customer's data for advertising or commercial purposes.
- We will not disclose your customer's information outside of Microsoft except with your customer's consent or when required by law.
- We can provide your customer with a variety of tools to extract their customer data.
- We delete your customer data after your service is terminated or expires.
PROTECTING CUSTOMER DATA PRIVACY
Customers expect:
- Clear, plain-language explanation of how their cloud provider uses, manages and protects customer data.
- Proactive transparency in requests for customer data from law enforcement.

What we're doing about it:
- We provide an understandable and strict policy of what we will and will NOT use customer data for.
- When responding to law enforcement requests, we strive to defend customer rights and privacy, and ensure due process is followed.
- For each of our services, we provide information on where customer data may be stored and processed.
MICROSOFT TRANSPARENCY HUB

Microsoft provides a number of disclosures to help stakeholders evaluate how we are meeting our commitments. Learn more at microsoft.com/transparency
GET ANSWERS TO COMMON ENTERPRISE QUESTIONS AT THE MICROSOFT TRUST CENTER AND SERVICE TRUST PREVIEW