The value and applications of cloud keep growing, but trust remains a challenge. The dialogue between organizations and cloud provider(s) about security, privacy and lawfulness is fundamental to it. In this presentation we address a number of common concerns about the use of cloud. We also describe a practical assurance model that can serve as a framework when evaluating cloud services and can thereby help increase trust in the cloud. Do you have questions of your own? Feel free to ask them and start the dialogue; cloud is ultimately a partnership!
Martin Vliem (Microsoft): To the cloud with confidence
1. Trust < Cloud < Trust
Martin Vliem
National Security Officer
CCSP, CISSP, CISA
martin.vliem@microsoft.com
https://www.linkedin.com/in/mvliem
2. "The Americans have need of the telephone, but
we do not. We have plenty of messenger boys."
1878, Sir William Preece
Chief Engineer, British Post Office
"There is no reason anyone would want a
computer in their home."
1977, Ken Olsen
President, chairman and founder of Digital
Equipment Corp.
"A rocket will never be able to leave the Earth's
atmosphere."
1936, New York Times
"By the turn of the century, we will live in a
paperless society."
1986, Roger Smith
Chairman of General Motors
"Nuclear-powered vacuum cleaners will probably be
a reality in 10 years."
1955, Alex Lewyt
President of vacuum cleaner company Lewyt Corp.
"X-rays will prove to be a hoax."
1883, Lord Kelvin
President of the Royal Society
"When the Paris Exhibition [of 1878] closes,
electric light will close with it and no more will be
heard of it."
1878, Erasmus Wilson
Oxford professor
"Rail travel at high speed is not possible because passengers,
unable to breathe, would die of asphyxia."
Dr Dionysius Lardner (1793-1859)
Professor of Natural Philosophy and Astronomy,
University College London.
Digital Transformation
expectations?
3. Digital Transformation
incoming traffic AMS-IX 1.088.442 TB
May 2017
690 TB
July 2001
Third parties are allowed to use the AMS-IX statistics that are published on the website. Upon doing so, please make sure to mention that AMS-IX holds copyright on this information and to accompany the figures with a link directing to the
figures on our website. https://ams-ix.net/technical/statistics/historical-traffic-data
5. Trust concerns
Can I control my data?
Is my data secured?
What happens with my data?
Am I compliant?
Will my data remain available?
Satya Nadella
CEO Microsoft
9. 1. Data Breaches
2. Weak Identity, Credential and Access Mgmt
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
Notorious nine 2013
1. Data breaches
2. Data loss
3. Account or service traffic hijacking
4. Insecure interfaces and APIs
5. Denial of service
6. Malicious insiders
7. Abuse of cloud services
8. Insufficient due diligence
9. Shared technology vulnerabilities
https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
The CSA Treacherous 12
Top Cloud threats 2016
16. EMPOWERING YOU
- Customer Security Considerations -
SECURING THE PLATFORM
- Service Integrated Controls -
A TRUST DIALOGUE
17. Infrastructure as a Service
Azure - IaaS
Platform as a Service
Azure - PaaS
Software as a Service
Office 365 - SaaS
On Premises
Security Dependencies
1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization
2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems
3. Data: Identify and protect your most important information assets
4. User identity and device security: Strengthen protection for accounts and devices
5. Application security: Ensure application code is resilient to attacks
6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior
7. Operating system and middleware: Protect integrity of hosts
8. Private or on-premises environments: Secure the foundation
Customer controlled responsibilities
19. 1. Cloud security, privacy & compliance is a partnership, governance is key
• Business case and risk management are foundational
• Implement flexible governance processes
• Design security requirements & policies
2. Request cloud provider assurances on integrated security capabilities
• Many operational & security responsibilities can be transferred to the service provider.
3. Additional customer controls & requirements, empowered by cloud
platforms: discover, manage, protect, report
• Administrative Privilege Management
• Identity Systems and Identity Management
• Security Management & Threat Awareness
• Information Protection
Summary
key approach and activities
20. References
1. Descriptive:
Microsoft trustcenter: https://www.microsoft.com/en-us/TrustCenter/default.aspx
2. Independently verified:
Microsoft Service Trust portal: https://servicetrust.microsoft.com
3. Contractual:
Microsoft online service terms & SLA: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx
Microsoft Cloud IT Architecture resources: https://technet.microsoft.com/en-us/library/dn919927.aspx
Cloud Services Due Diligence Checklist (ISO 19086 based): https://www.microsoft.com/en-us/trustcenter/Compliance/Due-Diligence-Checklist
SAFE Handbook: http://aka.ms/safehandbook
Microsoft Cyber Trust Blog: https://blogs.microsoft.com/cybertrust
Microsoft Secure: https://www.microsoft.com/en-us/security/default.aspx
A Data driven security defense: https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a
Enterprise Cloud strategy e-book: https://info.microsoft.com/enterprise-cloud-strategy-ebook.html
Microsoft Security Intelligence Report: https://www.microsoft.com/security/sir/default.aspx
22. The content of the information provided by Microsoft, if any (the “Content”) is provided for
information purposes only. It does not under any circumstance constitute a legally binding offer
or acceptance of Microsoft Ireland Operations Limited or any other Microsoft Group affiliate. This
Content shall not be construed as (i) any commitment from Microsoft Ireland Operations Limited
or any other Microsoft Group affiliate and/or (ii) supplementing or amending the terms of any
existing agreement with Microsoft Ireland Operations Limited or any other Microsoft Group
affiliate. In case of any discrepancies between the Content and this disclaimer, the terms of the
latter shall prevail. Microsoft, all rights reserved.