Trust < Cloud < Trust
Martin Vliem, National Security Officer (CCSP, CISSP, CISA)
martin.vliem@microsoft.com
https://www.linkedin.com/in/mvliem
Digital Transformation expectations?
"The Americans have need of the telephone, but we do not. We have plenty of messenger boys." 1878, Sir William Preece, Chief Engineer, British Post Office
"Nuclear-powered vacuum cleaners will probably be a reality in 10 years." 1955, Alex Lewyt, President of vacuum cleaner company Lewyt Corp.
"There is no reason anyone would want a computer in their home." 1977, Ken Olson, President, chairman and founder of Digital Equipment Corp.
"A rocket will never be able to leave the Earth's atmosphere." 1936, New York Times
"X-rays will prove to be a hoax." 1883, Lord Kelvin, President of the Royal Society
"When the Paris Exhibition [of 1878] closes, electric light will close with it and no more will be heard of it." 1878, Erasmus Wilson, Oxford professor
"By the turn of the century, we will live in a paperless society." 1986, Roger Smith, Chairman of General Motors
"Rail travel at high speed is not possible because passengers, unable to breathe, would die of asphyxia." Dr Dionysius Lardner (1793-1859), Professor of Natural Philosophy and Astronomy, University College London
Digital Transformation: incoming traffic at AMS-IX
July 2001: 690 TB
May 2017: 1.088.442 TB
Third parties are allowed to use the AMS-IX statistics that are published on the website. Upon doing so, please make sure to mention that AMS-IX holds copyright on this information and to accompany the figures with a link directing to the figures on our website. https://ams-ix.net/technical/statistics/historical-traffic-data
Digital Transformation, supported through technology and cloud
Trust concerns (Satya Nadella, CEO Microsoft)
Can I control my data?
Is my data secured?
What happens with my data?
Am I compliant?
Will my data remain available?
"Fear is a poor advisor" (Dutch expression)
Zipf's law [figure: relative frequency plotted against rank order (1st, 2nd, 3rd, ...)]
Opportunity versus risk
Opportunity: agility, cost, transformation, modernization
Risk: data loss, downtime, privacy, malware attacks
Information security and risk management guidelines:
Frameworks, standards and baselines: ISO 27002, NIST 800-53r4, CSA CCM
Risk templates: ISO 27001, NIST 800-37, NIST CSF
The CSA Treacherous 12: Top Cloud Threats 2016
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
The Notorious Nine (2013)
1. Data breaches
2. Data loss
3. Account or service traffic hijacking
4. Insecure interfaces and APIs
5. Denial of service
6. Malicious insiders
7. Abuse of cloud services
8. Insufficient due diligence
9. Shared technology vulnerabilities
https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Cloud Services Due Diligence checklist, based on ISO 19086
Cloud assurance: the continuous assessment cycle between cloud consumer (controller) and cloud provider (processor)
1. The customer or employee of the cloud consumer, as data subject, brings information security, privacy, compliance, legal and policy requirements.
2. The cloud consumer runs a continuous assessment cycle covering governance, risk and compliance, and contracting; risks are mapped to mitigating controls.
3. The cloud consumer requests assurances from the cloud provider.
4. The cloud provider provides assurance: independently verified claims, mitigating controls, additional controls and processes, and descriptive information.
5. The cloud consumer evaluates the claims and adds additional controls, using the provider's interactive information and controls and optional controls and services.
6. The cloud consumer demonstrates compliance and controls risk towards the data subject.
A Partnership: responsibility split between cloud service provider (Microsoft) and tenant (customer), by service type (SaaS, PaaS, IaaS, on-premises)
Always retained by the customer: data governance and rights management; client endpoints; account and access management
Varies by service type: identity and directory infrastructure; application; network controls; operating system
Transfers to the cloud provider: physical hosts; physical network; physical datacenter
SECURING THE PLATFORM (service integrated controls) - EMPOWERING YOU (customer security considerations) - A TRUST DIALOGUE
Transparency
Threats prevented by a cloud platform
Customer controlled responsibilities, across Software as a Service (Office 365, SaaS), Platform as a Service (Azure, PaaS), Infrastructure as a Service (Azure, IaaS) and on-premises security dependencies
1. Security strategy, governance, and operationalization: provide clear vision, standards, and guidance for your organization
2. Administrative control: defend against the loss of control of your cloud services and on-premises systems
3. Data: identify and protect your most important information assets
4. User identity and device security: strengthen protection for accounts and devices
5. Application security: ensure application code is resilient to attacks
6. Network: ensure connectivity, isolation, and visibility into anomalous behavior
7. Operating system and middleware: protect the integrity of hosts
8. Private or on-premises environments: secure the foundation
Cloud: trust but verify. Sharing responsibilities: on-premises approach versus cloud-enabled processing
Summary: key approach and activities
1. Cloud security, privacy and compliance is a partnership; governance is key. A business case and risk management are foundational. Implement flexible governance processes. Design security requirements and policies.
2. Request cloud provider assurances on integrated security capabilities. Many operational and security responsibilities can be transferred to the service provider.
3. Additional customer controls and requirements, empowered by cloud platforms: discover, manage, protect, report. Administrative privilege management; identity systems and identity management; security management and threat awareness; information protection.
References
1. Descriptive: Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter/default.aspx
2. Independently verified: Microsoft Service Trust Portal: https://servicetrust.microsoft.com
3. Contractual: Microsoft Online Service Terms and SLA: https://www.microsoft.com/en-us/licensing/productlicensing/products.aspx
Microsoft Cloud IT Architecture resources: https://technet.microsoft.com/en-us/library/dn919927.aspx
Cloud Services Due Diligence Checklist (ISO 19086 based): https://www.microsoft.com/en-us/trustcenter/compliance/due-diligence-checklist
SAFE Handbook: http://aka.ms/safehandbook
Microsoft Cyber Trust Blog: https://blogs.microsoft.com/cybertrust
Microsoft Secure: https://www.microsoft.com/en-us/security/default.aspx
A Data Driven Security Defense: https://gallery.technet.microsoft.com/fixing-the-1-problem-in-2e58ac4a
Enterprise Cloud Strategy e-book: https://info.microsoft.com/enterprise-cloud-strategy-ebook.html
Microsoft Security Intelligence Report: https://www.microsoft.com/security/sir/default.aspx
The content of the information provided by Microsoft, if any (the "Content"), is provided for information purposes only. It does not under any circumstance constitute a legally binding offer or acceptance of Microsoft Ireland Operations Limited or any other Microsoft Group affiliate. This Content shall not be construed as (i) any commitment from Microsoft Ireland Operations Limited or any other Microsoft Group affiliate and/or (ii) supplementing or amending the terms of any existing agreement with Microsoft Ireland Operations Limited or any other Microsoft Group affiliate. In case of any discrepancies between the Content and this disclaimer, the terms of the latter shall prevail. Microsoft, all rights reserved.