2. Mobil e 65% of companies are deploying at least one social software tool. SocialClou d Digital content will grow to Over 80% of new apps will be distributed or deployed on clouds in 2012. Big Data 70% of organizations are either using or investigating cloud computing solutions By 2016, smartphones and tablets will put power in the pockets of a billion global consumers The world’s mobile worker population will reach 80% growth of unstructured data is predicted over the next five years. 1.3 billion over 37% of the total workforce by 2015 Millennials will make up 75% of the American workforce by 2025 2.7ZB in 2012, up 48% from 2011, rocketing toward 8ZB by 2015. Large Scale Technology Trends Transforming access to people and information

3. Exponential Growth of IDs Widespread legacy technology rise in Mobile Malware Malicious software more compromised records More sophisticated attacks Individual Organized Crime Groups Terrorist Groups Nation- States Targeted attacks user accounts stolencredit card accounts stolen Data theft & insider leaks email addresses stolen from US military contractor files stolen from Pentagon Cyber terrorism & hacktivism Global cost of computer crime Complex Challenges Driving need for new security approach Malicious softwareTargeted attacks Data theft & insider leaks Cyber terrorism & hacktivism

4. Strong Tension Today Between business innovation and cyber security requirements Business Innovation Cyber Security Requirements

6. Specific Concerns We Hear from Customers Why should I trust Microsoft’s Cloud? What industry audits and security certifications cover the Microsoft Platform ? If I run my service in your cloud, can I meet my compliance needs ? How should an enterprise evaluate cloud providers when it comes to security, privacy and compliance?

7. Why Should I Trust the Microsoft Cloud? Proven Track Record History of meeting obligations associated with the delivery of over 400 cloud services Scale Spreading cost of robust security and compliance across large number of customers provides a trusted cloud at lower cost Security at our Foundation Years of experience through our Trustworthy Computing initiative

8. Law Enforcement Access Microsoft Response Process: Many nations have laws addressing law enforcement access to cloud service information, to support criminal investigations

9. Responding to government demands If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes(…) We only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. If a government wants customer data – including for national security purposes – it needs to follow applicable legal process, meaning it must serve us with a court order for content or subpoena for account information. We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys. http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to- government-legal-demands-for-customer-data.aspx

10. Law enforcement request report In the first half of 2013, Microsoft disclosed content in response to 2.2% of the total number of law enforcement requests received. Each of those disclosures was in response to a court order or warrant, and the vast majority of those disclosures related to users of our consumer services. Unfortunately, we are not currently permitted to report detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives) that we may receive Law enforcement sought information about only a tiny fraction of the millions of end users of our enterprise services, such as Office 365. We received 19 requests for e-mail accounts we host for enterprise customers, seeking information about 48 accounts. We disclosed customer data in response to five of those requests (4 content; 1 only non-content), and in all but one case, we were able to notify the customer. We rejected the request, found no responsive data, or redirected law enforcement to obtain the information from the customer directly in thirteen of those cases. One request is still pending. (…) the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France. http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/

11. Law enforcement requests from Norwegian Authorities, H1 2013 http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/06/14/microsoft-s-u-s-law- enforcement-and-national-security-requests-for-last-half-of-2012.aspx

12. Global Foundation Services Microsoft’s Cloud Environment Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Consumer and Small Business Services Enterprise Services Third-party Hosted Services SecurityGlobal NetworkOperationsData Centers Software as a Service (SaaS)

13. Microsoft Data Center Scale Chicago Quincy Dublin Amsterdam Hong Kong Singapore Japan "Data Centers have become as vital to the functioning of society as power stations." The Economist San Antonio Multiple global CDN locations Microsoft has more than 10 and less than 100 DCs worldwide Boydton Des Moines Quincy, Washington27MW100% Hydro power San Antonio, Texas27MWRecycled water for cooling Chicago, IllinoisUp to 60MWWater side economization, Containers Dublin, IrelandUp to 50MWOutside air cooling, PODs

14. Customer Compliance Needs Customers ultimately responsible for ensuring their compliance obligations are met Microsoft will share its certifications and audit reports to allow customers to establish reliance Responsibility: Data Classification and Accountability Application Level Controls Operating System Controls Host Level Controls Identity and Access Management Network Controls Physical Security CLOUD PROVIDER CLOUD CUSTOMER SaaS PaaS IaaS

15. Data Classification

16. What data goes where?

17. Information Security Management System ISO / IEC 27001:2005 certification SSAE 16/ISAE 3402 SOC 1 AT101 SOC 2 and 3 PCI DSS certification FedRAMP P-ATO, FISMA certification and accreditation And more … PREDICTABLE AUDIT SCHEDULE COMPLIANCE FRAMEWORK Information Security Management System INFORMATION SECURITY MANAGEMENT FORUM RISK MANAGEMENT PROGRAM INFORMATION SECURITY POLICY PROGRAM Test and Audit

18. Infrastructure Compliance Capabilities ISO / IEC 27001:2005 Certification SSAE 16/ISAE 3402 SOC 1, AT101 SOC 2 and 3 HIPAA/HITECH PCI Data Security Standard Certification FedRAMP P-ATO and FISMA Certification & Accreditation Various State, Federal, and International Privacy Laws (95/46/EC—aka EU Data Protection Directive; California SB1386; etc.)

19. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.