Comprehensive compliance framework

Certifications and attestations:
- ISO/IEC 27001:2005 certification
- SOC 1 and SOC 2 attestations
- Predictable audit schedule

Compliance cycle:
- Test effectiveness and assess risk
- Attain certifications and attestations
- Improve and optimize
- Examine root cause of non-compliance
- Track until fully remediated

Controls framework:
- Identify and integrate regulatory requirements and customer requirements
- Assess and remediate: eliminate or mitigate gaps in control design

Industry standards and regulations:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Media Ratings Council
- Sarbanes-Oxley, GLBA, FFIEC, etc.
- HIPAA Business Associate Agreement
- FISMA authorization
- And more
Datacenter infrastructure compliance
- ISO/IEC 27001:2005 certification
- SOC 1 Type 2 (SSAE 16 / ISAE 3402) attestation
- SOC 2 Type 2 and SOC 3 (AT 101) attestations
- HIPAA / HITECH Act
- PCI Data Security Standard validation
- FISMA authorization
- Various state, federal, and international privacy laws*

* 95/46/EC (aka the EU Data Protection Directive); California SB1386; etc.
Windows Azure compliance programs
- ISO
- SSAE 16 (SOC 1 Type 2)
- SOC 2 Type 2 (in process)
- CSA Cloud Control Matrix
- EU Model Clauses
- UK Government accreditation for IL 2 data
- HIPAA Business Associate Agreement (BAA)
- FISMA/FedRAMP authorization (in process)
Statement on Customer Privacy

On June 6, media outlets including the Washington Post and the Guardian began reporting allegations that the United States National Security Agency (NSA) is collecting customer communications data from major technology companies, including Microsoft. Microsoft issued the following statement about the company’s alleged involvement in these activities:

REDMOND, Wash., June 6: "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it."
Shades of Cloud: Risk Allocation

Each service model stacks the same layers; the slide marks which of them are managed by the customer and which by the vendor.

- On Premises: Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime
- Infrastructure (as a Service): Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime
- Platform (as a Service): Storage, Servers, Networking, O/S, Middleware, Virtualization, Applications, Runtime, Data
- Software (as a Service): Storage, Servers, Networking, O/S, Middleware, Virtualization, Applications, Runtime, Data

Legend, managed by: Customer / Vendor
MS Datacenter Experience
Defense-in-depth: 10 Things to Know About Azure Security
- Physical
- Network
- Identity and Access Management
- Application
- Data
Data Center Security: World-Class Security, Extensive Monitoring

Perimeter:
- Cameras
- Security patrols
- Barriers
- Fencing

Building:
- Cameras
- Security patrols
- Alarms
- Two-factor access control
- Biometric readers
- Card readers
- Security operations center

Computer room:
- Cameras
- Security patrols
- Alarms
- Two-factor access control
- Biometric readers
- Card readers
Network
- Isolated from Microsoft corpnet
- VLANs and packet filters in routers
- Host boundary protection
- DDoS protection
- Penetration testing
- Monitoring and logging
- Security incidents and breach notification
Identity and access

Windows Azure customer support personnel:
- Access control requirements established by the Windows Azure Security Policy
- No access to customer data by default
- No user / administrator accounts on VMs
- Monitoring and logging when local accounts are created on VMs

Access to PaaS VMs is highly restricted:
- Most common authorization is based on a customer troubleshooting request
- Full incident monitoring and logging
- Temporary accounts for a limited duration, with 2FA enforced

Access to IaaS VMs is not possible.
Host
- Stripped-down version of Windows Server 2012
- No drivers except approved ones; no graphics modules
- Network connectivity restricted using the host firewall
- Host boundaries enforced by the hypervisor
- All guest access to network and disk is mediated by the Root VM (via the hypervisor)
- When VMs are provisioned, they are cloned from known configurations
- PaaS images are managed and updated by Microsoft
- With IaaS, customers can bring their own images (and manage them)
- Patch management
- Support lifecycle policy
Application
- Security Best Practices for Developing Windows Azure Applications
- Windows Azure does not inspect, approve, or monitor customer applications
- Customer application and storage account logging and monitoring
- Anti-malware scanning for customer applications
- Protection against external attacks, including third-party options
- Disaster recovery and business continuity
- Forensic investigations
Data
- Redundant storage: locally redundant storage and geo-replication
- Storage accounts and keys
- Data backup
- Data deletion and destruction
- Windows Azure data cleansing and leakage
- Data encryption (in transit, at rest)
Geographic regions for customer data

Asia:
- East (Hong Kong)
- Japan East and West
- Southeast (Singapore)

Europe:
- North (Ireland)
- West (Netherlands)

United States:
- North Central (Illinois)
- South Central (Texas)
- East (Virginia)
- West (California)
AtmanCo

Situation:
- Maker of personality tests for potential employees
- Needed to scale to handle 5K to 10K tests at a time to avoid turning down business
- A potential French customer needed servers hosted in Europe
- Management of servers under the IaaS model was burdensome

Solution:
- Azure VMs and Web Sites provided scale and flexibility
MYOB

Situation:
- Offers AccountRight, which streamlines and automates business processes for small businesses and accountants
- Needed mobile support and offline support

Solution:
- AccountRight Live launched as an Azure-hosted offering that synced with the existing desktop suite
- Provides an API that lets almost 600 external developers build a solid ecosystem
NTP Software

Situation:
- NTP Software Universal File Access provides mobile and web interfaces that allow enterprise clients to provide access to file data selectively and securely
- Needed to integrate with the client’s on-premises storage system while letting them preserve security

Solution:
- Integrates with the client’s Windows Azure account to leverage larger organization discounts for volume and minimize impact on primary storage systems
Sangkuriang Internasional

Situation:
- Built a secure instant messaging service (EMASS) and did not want to be in the service provider business
- Needed to adapt to the mobile-centric reality of Indonesian society to stay competitive
- Platform needed to support a wide range of technology

Solution:
- EMASS deployed as 15 cloud apps running on Azure-based virtual machines
Summit Data Corp

Situation:
- Wanted to tap into the growing fitness market
- Needed a platform that supported high scalability (hundreds of thousands of users)
- Required a platform that would keep innovating and not stagnate

Solution:
- Active Fitness leverages Windows Azure Mobile Services to support hundreds of thousands of users
Call To Action
- The time is right for ISVs to break out of their normal confines by leveraging Azure and its many capabilities
- Azure has matured to enable many, varied options
- If you do not seize the opportunity, someone else in your space will!