There is often confusion about what cloud vendors like Microsoft make secure and what falls to you in ensuring your data is safe. An effective strategy requires a deeper understanding of vendor security, your own responsibilities and how to incorporate the two to protect your business.
In our session you will learn about:
- Key trends driving change in IT and cloud security
- Examples of how your peers are addressing their organization's cloud security responsibilities
- Best practices for designing your cloud security plan
2. WELCOME
• Thank you for attending
• Today’s topic
• Is there a solution that is right for you?
• Setting the stage: what we’re hearing from our customers…
3. YOUR PRESENTERS
Skip Purdy
Sr Solutions Architect
Skip.Purdy@softchoice.com
https://www.linkedin.com/in/skippu
Luke Black
Manager, Microsoft Marketing and
Programs
Luke.Black@softchoice.com
https://www.linkedin.com/in/luke-black/
9. [Slide graphic: cloud adoption over time. Axes: Time vs. Business Cloud Adoption. Stages: Traditional IT; No plan / DIY (> 30% fail; pilots; 3-5 yrs); then customer experience, managing risk and business impact. Concerns called out: skills gap, governance, no control.]
12. ARE THESE ISSUES?
• 2 BILLION records lost over the last 12 months (Forrester, “Top Cybersecurity Threats in 2017”)
• 25%: People re-use credentials; the Yahoo! breach alone is estimated to have exposed the credentials of more than 25% of global internet users
13. ARE THESE ISSUES?
• 44% of enterprise firms suffered at least two breaches in 2016
• 99 DAYS: Average time to detection of a breach is in excess of 99 days
14. ARE THESE ISSUES?
• 62% of enterprises report not having enough security staff
• 65% of enterprises state finding employees with the right skills is a further challenge
17. WHAT DO WE MEAN BY CLOUD?
• Infrastructure as a Service (IaaS): MIGRATE TO IT. Typical workloads: Caching, Legacy, Networking, Security, File, Technical, System Mgmt.
• Platform as a Service (PaaS): BUILD ON IT. Typical workloads: Application Development, Decision Support, Web, Streaming
• Software as a Service (SaaS): CONSUME. Typical workloads: Email, CRM, Collaborative, ERP
19. IN A SHARED RESPONSIBILITY MODEL, A LAYERED APPROACH TO SECURITY IS ILLUSTRATED AS:
• On-Prem: The customer is both accountable and responsible for all aspects of security and operating solutions when they are deployed on-premises.
• IaaS: With IaaS deployments, elements such as the building, servers, networking hardware, and the hypervisor should be managed by the platform vendor. The customer is responsible, or has a shared responsibility, for securing and managing the operating system, network configuration, applications, identity, clients, and data.
• PaaS: PaaS solutions build on IaaS deployments, and the provider is additionally responsible for managing and securing the network controls. The customer is still responsible, or has a shared responsibility, for securing and managing applications, identity, clients, and data.
• SaaS: With SaaS a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer remains accountable and must ensure that data is classified correctly, and shares responsibility for managing their users and endpoint devices.
23. A CLOUD YOU CAN TRUST
At Microsoft, we never take your trust for granted
• We are serious about our commitment to protect customers in a cloud first world.
• We live by standards and practices designed to earn your confidence.
• We collaborate with industry and regulators to build trust in the cloud ecosystem.
“Businesses and users are going to embrace technology only if they can trust it.”
– Satya Nadella
28. WHAT IS IDENTITY MANAGEMENT?
Example: LOB app / Data Set / Word.doc = Read & Write
IDENTITY (WHO): Establishes and validates a user’s digital identity
ACCESS CONTROL (WHAT): Controls when and how access is granted to authenticated users
29. STREAMLINING EMPLOYEE IDENTITY AND ACCESS MANAGEMENT TO APPLICATIONS, SYSTEMS, AND DATA ACROSS THE ORGANIZATION
Priority levels for streamlining employee identities across organizations (sample size = 2,320):
• Not on our agenda / Low Priority (1, 2): 13%
• Moderate Priority (3): 30%
• High Priority (4, 5): 56%
• Don’t Know (98): 1%
31. IDENTITY AS THE CORE OF ENTERPRISE MOBILITY
Azure Active Directory as the control plane
[Slide diagram: On-premises directories (Windows Server Active Directory, other directories) are joined by a simple connection to Microsoft Azure Active Directory in the cloud, which provides single sign-on and self-service to SaaS, Azure and other public cloud applications for customers and partners.]
34. WHAT DO WE MEAN BY HOST INFRASTRUCTURE (IAAS)
• Managed Operating system
– Patching
– Backup
– Antivirus, malware
• Storage
– Key storage, management of API Keys and Certs
35. SUPPORTING CAPABILITIES FOR SECURE APPLICATIONS (CAPABILITY / BENEFITS)
AZURE RESOURCE MANAGER
• Template based deployment
• Manage application infrastructure as source code
• Identical environment configurations
• Resource Policy
• Resource Locks
AZURE STORAGE ENCRYPTION
• Encryption for Data at Rest
• Client side libraries for encryption in transit
37. WHAT DO WE MEAN BY NETWORK INFRASTRUCTURE (IAAS)
• Configuration, management and securing of network elements:
– Virtual networking
– Load balancing
– DNS
– Gateways
• Means for services to communicate and interoperate
38. The Ultimate Protection Against Cloud Security Threats
Barracuda Solutions for Azure (web based apps; networking and infrastructure):
• Integrated intrusion prevention
• URL filtering
• User and application aware
• IPsec VPNs secure remote connectivity
• Dynamically scales with your network
• Data loss prevention
• Application layer DDoS attack protection
• Granular identity and access management
• Comprehensive administration and management
CLOUD SECURITY THREATS (addressed by Networking Protection and Application Protection): continuity gaps, secure connectivity, exploited system vulnerabilities, compromised credentials, hacked APIs, data breaches, DDoS attacks
44. CLASSIFY DATA – BEGIN THE JOURNEY
Classify data based on sensitivity: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED (and PERSONAL)
• IT admin sets policies, templates, and rules
• Start with the data that is most sensitive
• IT can set automatic rules; users can complement it
• Associate actions such as visual markings and protection
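An added example, not part of the deck or of Microsoft's Azure Information Protection implementation, of how the slide's model fits together: IT-defined automatic rules set a minimum label, a user can complement that by raising (never lowering) the label, and each label carries its own visual marking and protection action. The labels are the slide's; the rules, patterns and action table are constructed for illustration.

```python
"""Rule-based sensitivity labelling (added example, not Microsoft code).
IT rules set a minimum label; users may raise it but not lower it; each
label carries the actions (marking, protection) that follow the data."""
import re
from typing import Optional

# Ordered from least to most sensitive; list index is the label's rank.
LABELS = ["NOT RESTRICTED", "INTERNAL", "CONFIDENTIAL", "SECRET"]

# Constructed IT rules: a content pattern and the minimum label it triggers.
AUTO_RULES = [
    (re.compile(r"\b(?:\d[ -]?){15}\d\b"), "CONFIDENTIAL"),  # 16-digit card-like number
    (re.compile(r"\binternal use only\b", re.I), "INTERNAL"),
    (re.compile(r"\b(?:merger|acquisition) (?:plan|target)\b", re.I), "SECRET"),
]

# Constructed actions per label: a visual marking and whether the file is
# protected (encrypted with use rights) rather than merely labelled.
ACTIONS = {
    "NOT RESTRICTED": {"watermark": None, "protect": False},
    "INTERNAL": {"watermark": "Internal", "protect": False},
    "CONFIDENTIAL": {"watermark": "Confidential", "protect": True},
    "SECRET": {"watermark": "Secret", "protect": True},
}


def rank(label: str) -> int:
    """Position of a label on the sensitivity scale."""
    return LABELS.index(label)


def auto_label(text: str) -> str:
    """Highest label demanded by any matching automatic rule."""
    label = "NOT RESTRICTED"
    for pattern, rule_label in AUTO_RULES:
        if pattern.search(text) and rank(rule_label) > rank(label):
            label = rule_label
    return label


def classify(text: str, user_label: Optional[str] = None):
    """Combine IT's automatic rules with an optional user choice.
    Returns (label, actions, note)."""
    auto = auto_label(text)
    if user_label is None:
        return auto, ACTIONS[auto], "automatic rule"
    if rank(user_label) < rank(auto):
        # Users complement IT's rules; they cannot go below the minimum.
        return auto, ACTIONS[auto], "user label below automatic minimum; kept automatic label"
    return user_label, ACTIONS[user_label], "user label applied"


if __name__ == "__main__":
    # Constructed sample documents.
    for doc in ["Lunch menu for Friday",
                "Card 4111 1111 1111 1111 expires 12/26",
                "Draft merger plan for Q3"]:
        print(classify(doc))
```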
45. PROTECT DATA AGAINST UNAUTHORIZED USE
[Slide graphic: a FILE with VIEW / EDIT / COPY / PASTE rights, shared as an email attachment, across personal apps and corporate apps.]
PROTECT DATA NEEDING PROTECTION BY:
• Encrypting data
• Including an authentication requirement and a definition of use rights (permissions) to the data
• Providing protection that is persistent and travels with the data
46. Monitor use, control and block abuse
[Slide graphic, MAP VIEW of users Sue, Joe, Jane and Bob: Joe blocked in North America; Jane accessed from India; Bob accessed from South America; Jane blocked in Africa; Jane / Competitors; Jane access is revoked.]
47. ADOPTION OVER TIME
STAGES OF ADOPTION: Governance Workshop, SaaS TechCheck, Accelerator, Analyzer, Accelerator, Professional Services, Keystone
Build Plan
• Define roles & access levels
• Procurement rules
• Resource Policies
Secure Identity
• Gain control of SaaS
• Align identity
• Make it easy for users
Secure Host & Network
• Understand your current state
• Secure operating system
• Secure the network
Secure Data
• Classify data
• Implement rights management solution
• Encryption where required
Detect & Respond
• Monitor ongoing
• Use new capabilities
• Review policies
51. Microsoft security packaging
• Office 365
• Windows 10
• Enterprise Mobility + Security
• Operations Mgmt. + Security
• Windows Server 2016
• SQL Server 2016
54. Enterprise Mobility + Security: EMS E3 and EMS E5
Information protection
• Azure Information Protection Premium P2 (EMS E5): Intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
• Azure Information Protection Premium P1 (EMS E3): Manual classification and encryption for all files and storage locations; cloud-based file tracking
Identity-driven security
• Microsoft Cloud App Security (EMS E5): Enterprise-grade visibility, control, and protection for your cloud applications
• Microsoft Advanced Threat Analytics (EMS E3): Protection from advanced targeted attacks leveraging user and entity behavioral analytics
Managed mobile productivity
• Microsoft Intune (EMS E3): Mobile device and app management to protect corporate apps and data on any device
Identity and access management
• Azure Active Directory Premium P2 (EMS E5): Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
• Azure Active Directory Premium P1 (EMS E3): Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
Let’s bring together everything we discussed today.
You’re busy. We know. Thank you for spending this time with us
Today’s session is on cloud & the challenges consumption based spending presents us with
We recognize within the room organizations are at different states of cloud adoption, and there are no one-size fits all solutions, but we promise there will be something of value here for everyone.
I’d like to start by relating what I’m hearing from customers
DSM: Here are your presenters. Please make a note of any questions you have and we will be happy to answer them.
Welcome to our Discovery Series on Cloud Security. There has been a lot of interest and opportunity in Cloud technologies over the past few years, and also confusion around Cloud Security. This confusion can slow adoption of Cloud technologies or open new risks. That’s why Softchoice selected Cloud Security as the topic of our Discovery Series: to clear up some of that confusion. Our goal is that by the end of the conversation today you will have a better idea of what the Cloud Provider’s responsibilities are and what yours are with respect to security.
Cloud means many different things to different people, so we will start today by level-setting on what we mean by Cloud in the context of this conversation. We will then show a model of cloud security responsibilities that will form the foundation for the discussion today.
ASK: Does someone have an example, either within their organization or from the industry, where the Business has deployed IT without involving the IT department? What problems does that cause?
All these areas are areas of security risk for companies moving to Cloud.
ASK: Which of these are you most concerned about for Cloud Security?
If you are feeling overwhelmed with addressing Cloud Security – do not worry – there is a step by step way to approach it.
Further up the stack, the less you have to do.
There is a lot to cover in security and we certainly don’t have time to cover all of it today. However, we will discuss the key areas that, no matter what you are doing in the cloud, you should have in place as a security foundation. We’ve highlighted what we will cover here.
Microsoft is committed – starting at the top – to providing a cloud you can trust. We take very seriously our commitment to protect customers in a cloud-first world. We follow a set of standards and best practices to ensure that our cloud services are reliable and perform as you need them to. And we actively partner with a wide range of industry and government entities to establish confidence and trust in the wider cloud ecosystem.
Slide script:
Microsoft datacenters employ controls at the perimeter, building, and computer room with increasing security at each level, utilizing a combination of technology and traditional physical measures.
Security starts at the perimeter with camera monitoring, security officers, physical barriers and fencing.
At the building, seismic bracing and extensive environmental protections protect the physical structure and integrated alarms, cameras, and access controls (including two-factor authentication via biometrics and smart cards) govern access. The systems are monitored 24x7 from the operations center.
Similar access controls are used at the computer room, which also has redundant power.
With the extensive security and data protection measures we have in place, we are able to achieve a broad range of international, industry, and regional certifications and attestations from recognized third-party authorities.
This table illustrates the certifications and attestations for our key cloud services.
Background
Certifications and attestations represent verification that control activities operate in accordance with expectations. Operating a huge global cloud infrastructure, across many businesses, comes with the need to meet an array of compliance and regulatory obligations. With this in mind, Microsoft products and services hold key certifications, attestations, and authorizations as applicable to their service.
Several key certifications and attestations deserve to be highlighted:
Our ISO 27001:2013 certification provides assurance of a broad, risk-based information security program. Microsoft Cloud Infrastructure and Operations—the organization that builds, manages, and secures our datacenters globally—was the first major cloud service infrastructure to be certified for ISO 27001. Microsoft’s Cloud Infrastructure & Operations (MCIO) team has gone beyond the ISO/IEC 27001:2013 standard (which includes some 150 security controls) to develop over 800 defense-in-depth security controls to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved.
Microsoft is the first cloud computing platform to meet the world’s first international standard for cloud privacy, ISO/IEC 27018, as verified by independent auditors. Under ISO 27018, cloud service providers (CSPs) must operate under five key principles:
CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
Customers have explicit control of how their information is used.
CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.
In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
We have SSAE 16/ISAE 3402 SOC 1, 2, and 3 attestations in place. These attestations are both type I and type II. They provide assurance of effective control performance.
In 2012, Microsoft became one of the first in the industry to successfully complete a SOC 2 Type 2 and SOC 3 audit (which are designed to better accommodate cloud services) for our cloud infrastructure (datacenters and networks). We continue to demonstrate compliance through ongoing assessments.
In 2008, Microsoft was the first major cloud service provider to receive a SAS 70 report (the predecessor to SOC reports) for our cloud infrastructure.
Microsoft was an early adopter of the SOC 1, SOC 2 and SOC 3 in 2011. The SOC audit reports attest to the design and operating effectiveness of controls related to security, availability, and confidentiality.
We meet the US HIPAA/HITECH health data protection requirements and have incorporated those requirements into our ISO 27001 program. Microsoft was the first major productivity cloud service vendor to offer a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI). We have since extended that to offer a single HIPAA BAA for all of our commercial online services.
We meet the Payment Card Industry Data Security Standard as an infrastructure provider.
Microsoft’s first FISMA Authorization to Operate (ATO) was granted in 2010 for the MCIO cloud organization. Since then, Microsoft enterprise cloud services, including Office 365 and Microsoft Azure, have received provisional authorities to operate (P-ATOs) by the Federal Risk and Authorization Program (FedRAMP) Joint Authorization Board (JAB).
In the United Kingdom, Azure was awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore.
The industry organization Cloud Security Alliance (CSA) created a Cloud Controls Matrix to identify primary criteria for service offerings. Microsoft was the first cloud service provider to complete a third-party assessment against the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) as part of its SOC 2 audit for Azure. This assessment was completed as a means of meeting the assurance and reporting needs of the majority of cloud services users worldwide.
We have incorporated many other obligations into our compliance program, providing assurance that we are able to meet obligations such as the European Union Data Protection Directive and California Senate Bill 1386.
Notes: Updated August 2015
Not every certification is listed on this slide.
Not every Azure and Office 365 service has been fully audited for every certification.
Microsoft has a solution for this
[Click] Traditional identity and access management solutions providing single sign-on to on-premises applications and directory services such as Active Directory are used by the vast majority of organizations, and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world.
[Click] Now, as we have discussed, there are new pressing requirements to provide the same experience to cloud applications hosted in any public cloud.
[Click] Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way.
[Click] In order to do that, one simple connection is needed from on-premises directories to Azure AD.
[Click] and everything else will be handled by Azure AD: secure single sign-on to thousands of SaaS applications hosted in any cloud using the same credentials that exist on-premises, and even adding multifactor authentication without changing code.
[Click] And we don’t forget the users. Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, they need, in the cloud but on-premises too (Application Proxy).
But the issue will not be resolved just by wrangling identity; understanding where your data, information and intellectual property is going is important as well. Cloud App Security identifies the services in use in your organization, and offers the tools to control access, sharing and loss prevention as well as to identify abnormal usage, high risk usage and security incidents. This insight assists your organization’s ability to detect, respond to and prevent threats.
With IaaS the customer has responsibility for securing and managing
Azure Resource Manager enables you to work with the resources in your solution as a group.
You can deploy, update or delete all of the resources for your solution in a single, coordinated operation. You use a template for deployment and that template can work for different environments such as testing, staging and production.
Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.
Resource Manager provides several benefits:
You can deploy, manage, and monitor all of the resources for your solution as a group, rather than handling these resources individually.
You can repeatedly deploy your solution throughout the development lifecycle and have confidence your resources are deployed in a consistent state.
You can manage your infrastructure through declarative templates rather than scripts.
You can define the dependencies between resources so they are deployed in the correct order.
You can apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
You can apply tags to resources to logically organize all of the resources in your subscription.
You can clarify billing for your organization by viewing the rolled-up costs for the entire group or for a group of resources sharing the same tag.
Resource Policy
Azure Resource Manager now allows you to control access through custom policies.
With policies, you can prevent users in your organization from breaking conventions that are needed to manage your organization's resources.
You create policy definitions that describe the actions or resources that are specifically denied.
You assign those policy definitions at the desired scope, such as the subscription, resource group, or an individual resource.
Policies and RBAC work together. To be able to use policy, the user must be authenticated through RBAC. Unlike RBAC, policy is a default allow and explicit deny system.
RBAC focuses on the actions a user can perform at different scopes. For example, a particular user is added to the contributor role for a resource group at the desired scope, so the user can make changes to that resource group.
Policy focuses on resource actions at various scopes. For example, through policies, you can control the types of resources that can be provisioned or restrict the locations in which the resources can be provisioned.
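An added example, not the deck's or Microsoft's code, that models the two-stage decision described above: an RBAC check (explicit allow) must pass first, then every policy assignment whose scope contains the resource is evaluated with default allow and explicit deny. The policy rules mimic the shape of an ARM policy definition (an "if" condition and a "then" effect); the `PolicyAssignment` and `RoleAssignment` classes, the scope ids and the two sample policies are constructed for this illustration.

```python
"""Toy evaluator for Azure Resource Manager policy semantics (added example,
not Microsoft code): RBAC first, then policy as default allow / explicit
deny at every scope that contains the resource."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy definitions in the shape of an ARM policy rule. This toy
# understands only "equals" and "notIn" conditions on "type" and "location".
ALLOWED_LOCATIONS_POLICY = {
    "if": {"field": "location", "notIn": ["canadacentral", "canadaeast"]},
    "then": {"effect": "deny"},
}
NO_PUBLIC_IP_POLICY = {
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"},
}


@dataclass(frozen=True)
class PolicyAssignment:
    policy: dict
    scope: str  # subscription, resource group or resource id prefix


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str   # "Contributor" or "Reader"
    scope: str


def _condition_matches(cond: dict, resource: dict) -> bool:
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def rbac_allows_write(roles, principal: str, resource_id: str) -> bool:
    """RBAC is explicit allow: the principal needs Contributor at the
    resource's scope or at a parent scope."""
    return any(r.principal == principal and r.role == "Contributor"
               and resource_id.startswith(r.scope) for r in roles)


def evaluate(policies, roles, principal: str, resource: dict) -> tuple[bool, str]:
    """Decide whether `principal` may create or update `resource`."""
    rid = resource["id"]
    # RBAC first: without a role at this scope the request never reaches policy.
    if not rbac_allows_write(roles, principal, rid):
        return False, "rbac: not authorized"
    # Policy second: each assignment whose scope contains the resource is
    # evaluated; any matching deny wins, otherwise the default is allow.
    for a in policies:
        if rid.startswith(a.scope) and _condition_matches(a.policy["if"], resource):
            if a.policy["then"]["effect"] == "deny":
                return False, f"policy: denied at scope {a.scope}"
    return True, "allowed"


if __name__ == "__main__":
    sub = "/subscriptions/sub1"
    rg = sub + "/resourceGroups/rg1"
    roles = [RoleAssignment("alice", "Contributor", rg)]
    policies = [PolicyAssignment(ALLOWED_LOCATIONS_POLICY, sub),
                PolicyAssignment(NO_PUBLIC_IP_POLICY, rg)]
    vm = {"id": rg + "/providers/Microsoft.Compute/virtualMachines/vm1",
          "type": "Microsoft.Compute/virtualMachines", "location": "eastus"}
    print(evaluate(policies, roles, "alice", vm))  # denied by the location policy
```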
Resource Locks
As an administrator, you may need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete it.
ReadOnly means authorized users can read from a resource, but they can't delete it or perform any actions on it. The permission on the resource is restricted to the Reader role. Applying ReadOnly can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a ReadOnly lock on a storage account will prevent all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. For another example, placing a ReadOnly lock on an App Service resource will prevent Visual Studio Server Explorer from being able to display files for the resource because that interaction requires write access.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles.
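An added example, not the deck's or Microsoft's code, modelling the lock behaviour described above: locks are inherited from parent scopes, apply to every principal regardless of role, and ReadOnly admits only GET requests, which is why the POST-based listKeys operation (and the App Service file browser, which needs write access) fails under a ReadOnly lock. The `Lock` class and the `OPERATIONS` verb table are constructed for this illustration.

```python
"""Toy model of Azure Resource Manager management locks (added example, not
Microsoft code). Locks are checked after RBAC, ignore the caller's role, and
ReadOnly admits only GET, so POST operations such as listKeys are blocked."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lock:
    scope: str   # subscription, resource group or resource id prefix
    level: str   # "CanNotDelete" or "ReadOnly"

    def __post_init__(self):
        if self.level not in ("CanNotDelete", "ReadOnly"):
            raise ValueError(f"unknown lock level: {self.level}")


# Constructed table of management-plane operations and the HTTP verb each is
# sent with. listKeys is a POST because the returned keys enable writes; the
# App Service file browser used by VS Server Explorer requires write access.
OPERATIONS = {
    "read": "GET",
    "update": "PUT",
    "delete": "DELETE",
    "listKeys": "POST",
    "browseFiles": "PUT",
}


def effective_locks(locks, resource_id: str):
    """Locks whose scope contains the resource; parent-scope locks are inherited."""
    return [lock for lock in locks if resource_id.startswith(lock.scope)]


def lock_permits(locks, resource_id: str, operation: str, role: str = "Owner"):
    """Return (allowed, reason). `role` is accepted but deliberately unused:
    unlike RBAC, a lock restricts Owners and Contributors alike."""
    verb = OPERATIONS[operation]
    for lock in effective_locks(locks, resource_id):
        if lock.level == "ReadOnly" and verb != "GET":
            return False, f"ReadOnly lock at {lock.scope} blocks {verb} ({operation})"
        if lock.level == "CanNotDelete" and verb == "DELETE":
            return False, f"CanNotDelete lock at {lock.scope} blocks DELETE"
    return True, "allowed"


if __name__ == "__main__":
    rg = "/subscriptions/sub1/resourceGroups/rg1"
    sa = rg + "/providers/Microsoft.Storage/storageAccounts/sa1"
    for op in OPERATIONS:
        print(op, lock_permits([Lock(sa, "ReadOnly")], sa, op))
```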
Storage Service Encryption
A new feature of Azure Storage that encrypts data when it is written to your Azure Storage, supporting block blobs, page blobs and append blobs. This feature can be enabled for new storage accounts using the Azure Resource Manager deployment model and is available for all redundancy levels (LRS, ZRS, GRS, RA-GRS). Storage Service Encryption is available for both Standard and Premium Storage, handling encryption, decryption, and key management in a totally transparent fashion. All data is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.
Azure Disk Encryption
A new capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage. (In this case, Key Vault stands in for a hardware based TPM.)
1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement
2. We added tracking and revocation capabilities for greater control over shared data
3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection
Data is born protected:
• Using the company’s criteria
• Enforced by IT
• Enforced on any device
Extra protection is available for sensitive data
Not just encryption, but rights of who can access it and what they can do with the data
2 min: high-level set on security strategy and tech - O365, Azure, EMS, OMS -> the CISO comprehensive security package is ECS
Current
Most of our day will focus on EMS. This slide is here to level-set on what is included in the two levels.
Before we talk to customers about products, it is best to engage the security story all-up. So let’s start there.