This document provides an overview of cloud assurance challenges related to security, privacy, reliability, and auditing. It discusses the benefits of using standardized frameworks like CSA's Security, Trust & Assurance Registry (STAR) to evaluate cloud providers, including reducing complexity, enabling comparison between providers, and providing an audit trail and knowledge base. The document introduces STAR and its Cloud Controls Matrix and explains how Microsoft aligns with STAR controls.
What small businesses need to know about Azure AD premium (Miguel Tena)
In this session I reflect on what Azure AD brings to the table for small businesses and do an introduction of key services in each tier of the identity platform to improve your security posture, improve onboarding/offboarding and enhance productivity through governance.
Why Microsoft Office 365 over Google Apps.
Advantages of Microsoft Office 365 over Google Apps.
Disadvantages of Google Apps over Microsoft Office 365
Evaluate Office 365 and Evaluate Google Apps.
Modernization doesn't happen overnight. But by reassessing your existing IT portfolio, including infrastructure and applications, as well as your current processes and roles, you can better understand how you can leverage cloud technologies to deliver value faster.
Microsoft Services offers an end-to-end approach to modernization and DevOps. Our goal is to help you transform your environment so you can deliver continuous value. We’ve built our approach based on experience with thousands of customers, as well as our own transformation journey.
Business executive leadership, who typically drive the need for BI solutions, are primarily focused on the end-user aspect of BI: OLAP reporting and dashboards. However, it is vital for businesses to understand that ETL, integration, data modeling, and data warehousing form the cornerstones of a successful BI solution. The time and energy spent on selecting an enterprise ETL solution, along with designing finely tuned and highly performing ETL processes, will ultimately produce “clean” data ready to be consumed by the business. Traditionally, ETL tools have been extremely expensive, and some of them still are. While these tools have superb functionality and support, the question remains: “Does every organization need all the functionality they provide, or are there cheaper alternatives that would do the job just as well?”
A Question of Trust: How Service Providers Can Attract More Customers by Deli... (SafeNet)
Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud computing services can deliver clear-cut benefits to a host of companies. Today, however, security concerns are a big barrier to many clients’ adoption of cloud services. To boost market share and gain competitive distinction, cloud service providers need to add the security infrastructure that safeguards clients’ sensitive data and fosters trust. This white paper outlines the path cloud providers can take to start building trust into cloud deployments, and details the approaches and capabilities organizations need to make this transition a reality.
This document is a comprehensive analysis of all the ways that Identity and Access Management (IAM) solutions can be run in and integrate with cloud computing systems.
Both cloud computing and IAM are relatively new, so the first part of this document defines key concepts and terminology. Next, assumptions that clarify the scope of this document in terms of network topology and functionality are presented. Finally, a comprehensive list of architectural scenarios is presented, along with an analysis of the costs, risks and benefits of each scenario.
The enterprise landscape is rapidly changing. Data is ubiquitous. Information is flowing into an organization’s applications from more sources than ever before. Business expectations are also changing. Corporations today demand speed and flexibility from their applications. Enterprises want services that allow them to make better business decisions, create more satisfied customers, and react ever more quickly to evolving market conditions. Current economic circumstances and increased competition are also driving the demand for a more effective model to deliver applications and services.
This relentless push for a faster, better and more cost-effective technology delivery model has set the stage for new approaches to application development, deployment and management. Several technologies such as grid computing, virtualization, and service-oriented architecture (SOA) have offered partial solutions for enterprises that require applications with greater scalability, agility and easier management capabilities. However, these alone have not been enough.
Enter cloud computing, an innovative model for delivering IT infrastructure, applications and data that shifts the emphasis from static, stand-alone application silos to dynamic, shared environments, dynamically allocated among various tasks and accessed via a network.
Today, many forward-thinking enterprises are using cloud environments to take advantage of the increased scalability, agility, automation, and efficiency that this technology can deliver. Yet, because cloud computing has evolved so quickly, there are still many questions surrounding it. To understand the promise of cloud computing, decision makers and IT professionals must examine its development and benefits from an enterprise perspective.
Beginning with the origins of cloud computing, this paper will help define exactly what cloud computing is and how the enterprise can benefit from it. In doing so, the paper outlines a number of “cloud characteristics” which together illustrate the true potential of cloud computing and provide a framework for assessing current and future cloud offerings. Finally, the paper draws a distinction between infrastructure-oriented clouds and platform-oriented clouds and explains how cloud platforms allow end-user applications to unlock the true promise of cloud computing.
TierPoint White Paper_With all due diligence_2015 (sllongo3)
Understanding true security capabilities in the cloud environment is an important part of the evaluation process of a prospective provider. This guide will help you understand what needs investigating before turning your data over to the cloud.
Cloud computing is a flexible, cost-effective and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications and services provisioned “on demand,” regardless of user location or device.
Cloud computing is growing rapidly, and many organizations are making the transition to cloud-based deployments of applications, databases and more. However, selecting a cloud provider can be complicated and difficult, as you really cannot compare apples and oranges in the cloud. We created this checklist to make it easier for your organization to assess different providers based on the top 11 factors you'll want to consider.
In this paper, we offer our thoughts on where we believe Cloud is going from a business perspective and why it’s relevant for your organization. Our aim is to inspire creative thinking and spark dialog. For more perspectives on Cloud and to share your thoughts, please visit http://www.cisco.com/go/cloud.
How Microsoft Secures its Online Services [WHITEPAPER] (ukdpe)
Service security must be proactively designed into all aspects of the online experience, from the software itself to the supporting infrastructure, and from the day-to-day best practices for your own information workers to the buildings housing the data centers. The security architecture for the Business Productivity Online Suite embodies the key principles of the company’s Trustworthy Computing Initiative: security created by design, by default, and by deployment. Developed for global enterprises, Microsoft’s multi-faceted security program applies a common set of security policies to manage risk and mitigate threats to customer data. Microsoft seeks to improve security by working to standardize the way it tests, implements, and monitors policies for all of its customers. In turn, each Business Productivity Online Suite customer benefits from Microsoft’s experience with the security concerns of customers all over the world — and from the practices Microsoft applies to address them.
Presentation from Serge Hanssens, Advisory Director, PwC Luxembourg, delivered at the Dynamic Business Event organized by Nerea & Microsoft on April 16th 2013 in Luxembourg
Presentation from Jean-Philippe Quin, Head of IT Business Services Transition at Lombard International Assurance, delivered at the Dynamic Business Event organized by Nerea & Microsoft on April 16th 2013 in Luxembourg
This document is a property of Microsoft Corporation.
Microsoft is defining a connected and forward-looking enterprise, the successful enterprise of the future.
This paper shows how Microsoft® Office, Microsoft SharePoint®, Microsoft Exchange, and Microsoft Office Communications Server contribute to the powerful architectural design of the Microsoft Business Productivity Infrastructure (BPI). The BPI stack approach suggests that only by thinking at a capability level (for example, “What do users want to do?”), and then adding the right aspects of capability in each place (client, server, and services), can we create desktop applications that also deliver rich server and services capabilities to information workers.
This paper shows how two products, Microsoft® Office and Microsoft SharePoint®, contribute to the powerful architectural design of the Microsoft Business Productivity Infrastructure (BPI). The BPI stack approach suggests that only by thinking at a capability level (for example, “What do information workers want to do?”), and then adding the right aspects of capability in each place (client, server, and services), can we create desktop applications that also deliver rich server and services capabilities to information workers.
This evaluation guide is designed to help you understand the design goals, feature set, and implementation for Microsoft® SharePoint® 2010. The guide provides an overview of the solutions and benefits provided by SharePoint 2010, as well as descriptions of new and improved features in the areas of collaboration, social networking, search, business intelligence, enterprise content management, and composite applications. It also provides a tour of the main feature areas in SharePoint 2010 and concludes with useful information for administrators and developers.
An independent study by Mainstay Partners evaluated the implementation of Microsoft® Office SharePoint® at three Fortune 500 companies with the goal of understanding how they use the Microsoft solution to enhance collaboration and foster a social online community across the organization. This report summarizes Mainstay’s assessment, which is based on interviews with executives and senior managers at the following organizations:
- Ford Motor Company
- Large Northeastern U.S.-based bank
- Electronic Arts Inc
Privacy in the Public Cloud: Microsoft Dynamics CRM Online (Nerea)
Reflecting Microsoft’s approach to privacy by design, Microsoft Dynamics CRM Online was built from the ground up with strong data protection in mind.
In the following pages, we will discuss Microsoft’s philosophical and practical approach to safeguarding information in the cloud, as well as several of the tangible benefits that have resulted for Microsoft Dynamics CRM Online customers.
Email & Mobile Marketing is available with a Campaign Commander solution by Emailvision.
Campaign Commander enables automation of online marketing activities to significantly increase the relevance and profitability of marketing and emailing campaigns.
Email subscriber information that’s linked to the Microsoft Dynamics CRM produces a bi-directional data flow of important customer metrics that helps marketers improve subscriber segmentation and helps sales teams to drive greater lead generation.
Nerea is an official reseller of TARGIT BI Suite.
Through its unique and intuitive user interface, TARGIT BI Suite integrates every single step in the optimal decision process.
Fast and accurate decisions call for easy access to knowledge. When interacting with computers, it’s all about the number of clicks. The more intelligent the system is, the fewer clicks needed. TARGIT BI Suite delivers business insights in the fewest clicks.
TARGIT BI Suite provides a vast number of ways in which you can visualize, illustrate and analyze your company data. And no matter what kind of analysis you do, TARGIT BI Suite remembers your preferences for presenting data.
Event management in Microsoft Dynamics CRM 2011 (Nerea)
Microsoft Dynamics CRM 2011 includes an Event Management module that allows you to seamlessly plan, manage and optimise your events through a ready-to-use website template. Details are published to the client portal, where selected customers and prospects register their attendance. All responses and leads from those events are then tracked in CRM and converted to maximise business opportunities.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Expect practical tips and strategies for successful relationship building that leads to closing the deal.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are the slides of the talk given at the IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. The constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats because of the vast attack surface of their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties – USA
- Expansion of bot farms – how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks – Europe
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
- Execution from the Test Manager
- Orchestrator execution result
- Defect reporting
- SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Essentials of Automations: The Art of Triggers and Actions in FME
The Microsoft approach to cloud transparency
Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)
www.microsoft.com/twcnext
Authors
Frank Simorjay, Microsoft Trustworthy Computing
Ariel Silverstone, Concise Consulting
Aaron Weller, Concise Consulting
Contributors
Kellie Ann Chainier, Microsoft Public Sector
John Howie, Global Foundation Services
Kathy Phillips, Microsoft Legal and Corporate Affairs
Sian Suthers, Microsoft Trustworthy Computing
Stephanie Dart, Microsoft Dynamics CRM
Marc Lauricella, Microsoft Trustworthy Computing
Tim Rains, Microsoft Trustworthy Computing
Stevan Vidich, Windows Azure Marketing
Mark Estberg, Global Foundation Services
Steve Wacker, Wadeware LLC
Table of contents
Introduction ... 8
Cloud assurance challenges ... 11
  Security ... 11
    Layers ... 12
    Secure data destruction or erasure ... 12
    Data loss ... 12
  Privacy ... 13
    Confidentiality and integrity ... 13
  Reliability ... 14
  Auditing, assurance, and attestation ... 14
The benefits of standardized frameworks ... 16
  Best practices ... 16
  Complexity ... 17
  Comparison ... 17
  Audit and knowledge base ... 18
Security standards evolution ... 19
  ISO/IEC 27000 ... 19
  COBIT ... 22
  NIST Special Publication (SP) 800 series ... 23
Introducing STAR ... 24
  The Cloud Security Alliance (CSA) and STAR ... 24
Cloud Controls Matrix (CCM) ... 25
STAR domains ...
Aligning to STAR ... 27
Specific examples of Microsoft adoption of STAR controls ... 28
  CO-01 Compliance - Audit planning ... 29
    Microsoft’s reply ... 29
  DG-05 Data Governance – Secure Disposal ... 30
    Microsoft’s reply ... 30
  FS-03 Facility Security - Controlled Access Points ... 31
    Microsoft’s reply ... 32
  SA-12 Security Architecture – Clock Synchronization ... 32
    Microsoft’s reply ... 33
Summary ... 34
Additional reading ... 36
Executive summary
The shift to cloud computing represents a significant opportunity to change the way that businesses operate. Similar to the concept of outsourcing, the combination of the technologies and processes that comprise today’s definition of cloud computing represents a new way to view and use information technology and enhance the value of IT organizations.
This evolution of computing represents a tremendous opportunity for many organizations, because they can reduce or eliminate the need to manage the server-based technologies that underlie their business processes. In addition to changing processes and focus, this shift provides ways to reduce costs, to be more agile in adjusting to rapidly changing business needs, and to deploy and track resources in a more efficient manner.
This paper provides an overview of various risk, governance, and information security frameworks and standards. It also introduces the cloud-specific framework of the Cloud Security Alliance (CSA), known as the Security, Trust & Assurance Registry (STAR).
STAR is a good resource for organizations that seek an unbiased information source to help them evaluate cloud providers and maximize the benefits of cloud service. Microsoft’s commitment to transparency is apparent in its adoption of STAR controls for security, privacy, compliance, and risk management and also in its replies to STAR control requirement statements, some of which are included later in this paper.
Introduction
Cloud computing is a way of treating computing as a utility service. That is, computer processing, storage, and bandwidth are managed as commodities by providers, similar to electricity or water. This approach represents a logical evolution of computing for many organizations; taking advantage of cloud computing means that they reduce or eliminate the need to manage the server-based technologies that underlie their business processes, and can focus on their core business activities.
In addition to providing organizations with the ability to focus on their core business objectives, cloud computing can help them reduce information technology and capital costs, which can provide better results to stakeholders. Also, cloud computing helps IT organizations support new business needs of their existing customer base by providing rapid deployment and resource utilization tracking. This capability directly contributes to business agility, the ability to adapt to new conditions and quickly bring new solutions to market.
Cloud computing provides an opportunity for organizations to take advantage of the rapid evolution of technology and benefit from related security, speed, scalability, and flexibility opportunities without being burdened by on-premises solutions. Today, organizations are frequently challenged to reduce their IT costs but are required to be agile and responsive to market needs. The cloud computing model allows them to pay only for the services they need. Capital outlay can be reduced significantly, which allows them to prioritize resources on business objectives.
The inherent agility in cloud computing also provides an additional benefit: scalability. As business needs grow and features or sets of data are added, cloud computing allows simple and fast scaling of the environment. Should the computing environment’s capacity need to be reduced, for example after a seasonal peak, it can be easily facilitated without the negative effects that typically accompany the sudden idling of a significant capital investment.
The opportunity offered by cloud computing requires balancing the benefits of moving data, processing, and capacities to the cloud with the implications of data security, privacy, reliability, and regulatory requirements. Since the launch of MSN® in 1994, Microsoft has been building and running online services. Microsoft enables organizations to adopt cloud computing rapidly via its cloud services such as Windows Azure™, Office 365, and Microsoft Dynamics® CRM and take a business-leading approach to security, privacy, and reliability.
Microsoft cloud services are hosted in Microsoft data centers around the world, and are designed to offer the performance, scalability, security, and service levels that business customers expect. Microsoft has applied state-of-the-art technology and processes to maintain consistent and reliable access, security, and privacy for every user. These Microsoft cloud solutions have capabilities that facilitate compliance with a wide range of global regulations and privacy mandates.
In this paper, Microsoft provides an overview of various risk, governance, and information security frameworks and introduces the cloud-specific framework developed by the Cloud Security Alliance (CSA), called the Security, Trust & Assurance Registry (STAR). The paper also discusses STAR’s roots and evolution, and examines how Microsoft cloud products fulfill the security, privacy, compliance, and risk management requirements that are defined in STAR.
This white paper provides information about how Microsoft services such as Windows Azure, Office 365, and Microsoft Dynamics CRM align with STAR guidelines for security, privacy, compliance, and risk management controls. When engaging customers, Microsoft provides documentation that specifies Microsoft-shared responsibilities with regard to applications and data that customers entrust to them; such documentation is essential for organizations that have regulatory and/or compliance obligations. As with any use of a third-party service, the customer that uses the service is ultimately accountable for determining whether the service meets their needs and obligations.
With regard to Windows Azure, this white paper addresses Windows Azure core services: Cloud Services (Web and Worker roles, formerly under Compute), Storage (Tables, Blobs, Queues), and Networking (Traffic Manager and Windows Azure Connect). It does not provide detailed information about other Windows Azure features, such as Windows Azure SQL Database, Service Bus, Marketplace, and Caching. For more information about Windows Azure, see the “Additional reading” section later in this paper. Office 365 and Microsoft Dynamics CRM Online services run on a cloud infrastructure provided by Microsoft and are accessible from various client devices.
This white paper assumes that readers are familiar with Windows Azure basic concepts; therefore, they are not explained within the paper. Links to reading materials that describe these core concepts can be found at “White Papers on Windows Azure” on TechNet.
Cloud assurance challenges
Having a good grasp of risk management is important in today’s information security and privacy landscape.
When working with cloud computing providers such as Windows Azure and cloud-provided services such as Office 365 and Microsoft Dynamics CRM, it is important to understand that risk assessments need to consider the dynamic nature of cloud computing.
An organization needs to consider performing a full-scope risk assessment that looks at several criteria whenever a new initiative is underway. Cloud computing is no different. Some of the more prominent criteria that typically interest organizations that are considering cloud computing deployments are discussed in the following sections.
Security
There are many security dimensions to consider in cloud computing scenarios.
Layers
When evaluating controls in cloud computing, it is important to consider the entire services stack of the cloud service provider. Many different organizations may be involved in providing infrastructure and application services, which increases the risk of misalignment. A disruption of any one layer in the cloud stack, or in the customer-defined last mile of connectivity, could compromise the delivery of the cloud service and have negative impacts. As a result, customers should evaluate how their service provider operates and understand the underlying infrastructure and platforms of the service as well as the actual applications.
Secure data destruction or erasure
Many organizations have policies that require data to be deleted when it is no longer needed, or after a fixed interval. At times, these policies mandate that data deletion be attested to, which may take the form of a statement that the data has been destroyed in a manner that prevents its reconstruction.
Many cloud providers cannot easily attest to such deletion, partially because of the way cloud data is rapidly replicated and relocated on many disk drives, servers, and data centers. Although the assumption may be that such data is overwritten in its “original” or prior location, the possibility frequently exists that a determined forensic process (or attack) could retrieve such data.
Data loss
Cloud computing in its current multi-tenant form is relatively new, and many deploying organizations are concerned with the maturity of the tools used by providers to host and manage their data.
Microsoft stands out from newer entrants to the market because of its experience in related technology platforms (such as Hotmail®, MSN®, and others), as many as twenty years in some cases.
Beyond the typical risk of data loss on disk drives, the existence of additional tools such as hypervisors, virtual machine managers, new operating and storage environments, and rapidly deployed applications introduces additional stability and redundancy factors that must be included in data loss considerations.
Privacy
As part of the security risk assessment, a privacy review needs to be considered to ascertain potential risks to the data and operations in the cloud. Today, the notion of privacy goes beyond the traditional description of customer data and extends into organizational privacy, which includes most intellectual property constraints; that is, the know-how, know-why, and know-when of organizations. As more and more organizations become knowledge-based, the intellectual property values that they generate increase. In fact, intellectual property value is often a significant part of an organization’s value.
Confidentiality and integrity
Similarly, concerns about confidentiality (who can see the data) and integrity (who can modify the data) are important to include in any evaluation. Generally, the more access points there are to the data, the more complicated the creation of the risk profile becomes. Although many regulatory frameworks focus on confidentiality, others such as Sarbanes-Oxley focus almost exclusively on the integrity of data that is used to produce and report financial statements.
Reliability
In many cloud computing environments, the data flow that moves information into and out of the cloud must be considered. Sometimes multiple carriers are involved, and oftentimes access beyond the carrier must be evaluated. For example, a failure at a communications service provider can cause delay and affect the reliability of cloud-based data and services. Any additional service provider must be evaluated and assessed for risk.
Auditing, assurance, and attestation
Many organizations are experienced in traditional application and data deployment activities, such as auditing and assessments. In a cloud deployment, the need for some of these activities becomes even more acute at the same time that the activities themselves become more complex.
Embedded in the cloud concept, and especially in public cloud deployment, is a lack of physical control by the organization that owns the data. Physical controls must be considered to protect the disk drives, the systems, and even the data centers in which data resides. Such considerations also apply to software environments in which cloud services components are deployed.
In addition, obtaining permissions for the purpose of satisfying requirements for resiliency testing, penetration testing, and regular vulnerability scanning can be a challenge in cloud deployments. It can also be a challenge to address and satisfy requirements for independent validation of controls. Cloud providers are typically reluctant to approve many types of testing in a shared infrastructure because of the impact that testing could have on other customers.
Frequently, an organization intending to engage in cloud deployment does not know how to evaluate risks or how to choose a cloud provider that mitigates risks.
For certain regulatory frameworks, auditing is a requirement. Frequently, cloud customers are faced with challenges that threaten or appear to deny the many benefits of cloud adoption and deployment.
The benefits of standardized frameworks
Generally, core competencies of organizations that adopt cloud computing do not include the deployment and management of cloud computing technologies. Because of the potential common and cloud-specific risks, organizations frequently rely on outside consulting firms and cloud providers’ lengthy RFP responses to evaluate risk for their specific cloud deployment needs.
Those responses must be evaluated by experienced cloud professionals, in addition to internal risk experts, to ascertain the true risk to the organization. This risk assessment should include a determination of the risk that derives from adopting these technologies and how to best mitigate that risk.
The cloud deployment partner selection exercise frequently takes place in a climate of intense business pressure to reduce costs and to increase flexibility. In such a climate, a drawn-out risk management process may be seen as an inhibitor, rather than an enabler, of business goals.
Best practices
Some of the unease and complexity involved in selecting a cloud provider can be alleviated by using a common controls framework. Such a framework should consider not only best practices in information security, but also include a true understanding and evaluation of cloud-specific deployment considerations and risks. In addition, such a framework should address much of the cost involved in the evaluation of alternate solutions and help to significantly manage risk that must otherwise be considered.
In using a well thought-out controls framework, organizations can avoid most of the costs related to engaging outside expertise for selecting an appropriate cloud provider, and rely instead on combined efforts that represent years of expertise in the field.
Complexity
A cloud-specific controls framework such as the Cloud Controls Matrix (CCM) reduces the risk of an organization failing to consider important factors when selecting a cloud provider. The risk is further mitigated by relying on the cumulative knowledge of industry experts who created the framework, and taking advantage of the efforts of many organizations, groups, and experts in a thoughtfully laid-out form. In addition, an effective industry framework will be regularly updated to take account of changes in maturing technologies, based on the experiences of experts who have reviewed many different approaches.
Comparison
For organizations that do not have detailed knowledge about the different ways that cloud providers can develop or configure their offerings, reviewing a fully developed framework can provide insight into how to compare similar offerings and distinguish between providers. A framework can also help determine whether a specific service offering meets or exceeds compliance requirements and/or relevant standards.
Audit and knowledge base
Using an industry-accepted framework provides a means to review documentation about why and how decisions were made and to know which factors were given more weight and why. Understanding how a decision was made can provide a basis of knowledge for decision making in future efforts, especially when personnel changes cause the people who made the original decision to no longer be available.
Security standards evolution
Deciding which standard and framework to apply when selecting a cloud computing provider used to require organizations to choose from frameworks written in a pre-cloud computing environment. Commonly used risk, control, and information security frameworks include the 27000 family of standards published by the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC); COBIT, a framework for the governance and management of enterprise IT by the Information Systems Audit and Control Association (ISACA); the SP800 series of standards by the U.S. National Institute of Standards and Technology (NIST); and a few others.
The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards
The ISO family of standards includes some of the world’s best-known information security reference frameworks. British Standard 7799 Part 1 first became internationalized as “The Code of Practice for Information Security Management” in 2000 and was referred to as ISO/IEC 17799. In 2007, this designation was changed to ISO 27002. The current version, ISO 27002:2005, is generally accepted today as the guide for implementation of information security management frameworks.
ISO/IEC 27001 came from British Standard 7799 Part 2, and defines how to implement, monitor, maintain, and continually improve an information security management system (ISMS). It uses the ISO/IEC standard Plan-Do-Check-Act framework.
Organizations can be certified against the ISO/IEC 27001 standard, as Microsoft has done with Windows Azure (core services) and several other Microsoft online services (identified later in this section), which has led to ISO/IEC 27001 adoption by organizations looking to validate their information security efforts with customers, regulators, or other external stakeholders.
Today, the 27000 standards family has grown to include the following standards:
ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary
ISO/IEC 27001:2005, Information security management systems — Requirements
ISO/IEC 27002:2005, Code of practice for information security management
ISO/IEC 27003, Information security management system implementation guidance
ISO/IEC 27004, Information security management — Measurement
ISO/IEC 27005:2008, Information security risk management
ISO/IEC 27006:2007, Requirements for bodies providing audit and certification
ISO/IEC 27007:2011, Guidelines for information security management systems auditing
ISO/IEC 27031:2011, Guidelines for information and communications technology readiness for business continuity
The ISO/IEC 27000 family of standards, and in particular ISO/IEC 27002, constitutes the generally accepted standards for today’s information security management.
Windows Azure, Microsoft Dynamics CRM, Office 365, and the underlying Global Foundation Services (GFS) infrastructure layer employ security frameworks based on the ISO/IEC 27001:2005 standard.
Windows Azure core services (Cloud Services, Storage, and Networking), Microsoft Dynamics CRM, and Office 365 are ISO 27001-certified. In addition, the physical GFS infrastructure on which all of Windows Azure runs (except CDN) and on which both Office 365 and Microsoft Dynamics CRM run, is ISO 27001-certified.
The Microsoft security framework, based on ISO/IEC 27001, enables customers to evaluate how Microsoft meets or exceeds the security standards and implementation guidelines. In addition, Windows Azure and the GFS infrastructure undergo annual Statement on Auditing Standards No. 70 (SAS 70) Type II audits, or audits under its successor, SSAE 16, and additionally ISAE 3402.
There is no ISO/IEC 27002 certification process. However, the standard provides a suggested set of suitable controls for an Information Security Management System, which is documented in ISO/IEC 27001 Annex A.
The Information Security Policy, which applies to Microsoft cloud offerings, also aligns with ISO/IEC 27002 and is augmented with requirements specific to Microsoft cloud offerings.
Links to the public copies of the Windows Azure, Microsoft Dynamics CRM, Office 365, Global Foundation Services, and FOPE ISO certifications are available in the “Additional reading” section later in this paper.
COBIT
The Control Objectives for Information and related Technology (COBIT) framework is a well thought-out and generally accepted standard that was published to help organizations evaluate information technology-related risk.
First published in 1996 and currently in its fifth revision (published in 2012), COBIT is published by the IT Governance Institute, which is affiliated with the Information Systems Audit and Control Association (ISACA). Although the previous version (4.1, published in 2007) was organized by using 34 high-level processes and 215 detailed control objectives, the new version is different. For COBIT 5, ISACA chose to partition the document into 37 high-level processes and 17 goals. COBIT is designed to bridge management and control gaps between technical and business risks.
For more information about COBIT, see the “Additional reading” section later in this paper.
COBIT is a very useful tool to help correlate disparate standards such as the Information Technology Infrastructure Library (ITIL), Capability Maturity Model Integration (CMMI), and ISO 27002.
NIST Special Publication (SP) 800 series
The U.S. National Institute of Standards and Technology (NIST) publishes various standards for use by U.S. government agencies and departments. Most notable among these standards is the SP800 series, which focuses on security and privacy. NIST was the originator of the globally accepted working definition of cloud computing, which is now published as Draft SP800-145. This draft publication has been submitted to the ISO/IEC standards body for inclusion in a forthcoming international standard.
Also of note in the SP800 series is SP800-53, which defines the security controls that must be implemented in computing solutions to meet the requirements of the Federal Information Security Management Act (FISMA). The controls are also found in the Federal Risk and Authorization Management Program (FedRAMP), which is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Microsoft has achieved FISMA Moderate Authorization to Operate (ATO) for GFS and Office 365.
Introducing STAR
With the emergence of cloud computing and the increased market understanding of its tremendous potential to help organizations create, manage, and maintain tools to achieve growth, it has become clear that existing standards as discussed in the previous section may no longer be effective to address concerns about the rapid implementation and novel business uses of this powerful technology.
The Cloud Security Alliance (CSA) and STAR
The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes the use of best practices for security assurance within cloud computing. To reduce much of the effort, ambiguity, and costs of getting the most relevant questions and information on cloud providers’ security and privacy practices, the CSA has published and maintains the Security, Trust & Assurance Registry (STAR).
Per the Cloud Security Alliance at https://cloudsecurityalliance.org/star/, STAR is a “free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.”
STAR domains
STAR uses the following 13 domains to address cloud computing security:
Cloud Computing Architectural Framework
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Traditional Security, Business Continuity, and Disaster Recovery
Data Center Operations
Incident Response, Notification, and Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Cloud Controls Matrix (CCM)
STAR uses the Cloud Controls Matrix (CCM) to provide a controls
framework for understanding security, privacy, and reliability
concepts and principles that are aligned to the Cloud Security
Alliance guidance in 13 domains. This paper uses CCM version 1.2
currently the released version, which comprises a list of 100
questions. The CSA CCM provides organizations with a framework
that has the needed structure, detail, and clarity with regard to
25
26. information security, tailored to the service providers in the cloud
industry.
Providers may choose to submit a report that documents their
compliance with the CCM, and such reports are published by STAR.
Microsoft has published an overview of its capabilities in meeting the CCM
requirements. The goal of this STAR-registered overview is to empower customers
with information to evaluate Microsoft offerings.
Consumers of cloud services can then use the data contained in STAR
to evaluate providers and to identify questions that would be
prudent to have providers answer before moving to adopt cloud
services. (STAR is a self-assessment-based process by the cloud
providers, and the CSA does not audit or guarantee the responses
that are provided. Microsoft has chosen to not only address each of
the 100 questions in the STAR CCM but also to align the domains to
the ISO 27001 certifications received by various Microsoft services to
provide an additional layer of comfort to consumers of cloud
services.)
Aligning to STAR
When mitigating risk while deploying a cloud solution, an
organization must consider the cloud-specific risks described in the
preceding “Cloud assurance challenges” section as well as
organizational goals. Common as well as cloud-specific risks must be
weighed and evaluated carefully to assure the best results for the
organization.
One best practice is to proceed with the selection of a cloud provider
as described earlier, by using a common framework. This approach
not only helps mitigate risk but also helps avoid the cost of engaging
outside expertise and a costly independent review process, relying
instead on combined efforts that represent years of expertise in the
field.
Using STAR, an organization can compare various cloud offerings, select criteria
important to the organization, and document how and why a specific solution was
selected. This approach helps mature future selection efforts and adds to the
organization’s knowledge base.
Organizations can use the control criteria in the CCM to help
mitigate the risk of missing important evaluation criteria. STAR also
allows organizations to use a fully developed framework to carefully
compare similar offerings. In addition, it can provide a way to
measure and quantify weighting factors for related criteria.
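The weighting and comparison described above, as an added example that is not part of this paper and is not CSA or Microsoft tooling: a small Python script that scores a provider's self-assessment responses against weighted CCM control IDs and lists the controls for which a full answer is still missing, which are the questions the text says it is prudent to put to a provider before adoption. The control IDs CO-01, DG-05, FS-03 and SA-12 are CCM identifiers quoted in this paper; the weights, coverage values and provider names are constructed for illustration. Because STAR is a self-assessment registry, the coverage value is the evaluator's own reading of each answer, not a CSA-verified result.

```python
"""Weighted comparison of CCM-style self-assessment responses (added example)."""

# Control IDs are CCM identifiers quoted in the paper; the titles are shortened
# from the paper's headings. The weights are constructed: they express how much
# the evaluating organization cares about each control, not anything from CSA.
CRITERIA = {
    "CO-01": ("Compliance - Audit planning", 3),
    "DG-05": ("Data Governance - Secure disposal", 5),
    "FS-03": ("Facility Security - Controlled access points", 2),
    "SA-12": ("Security Architecture - Clock synchronization", 4),
}

# Coverage the evaluator assigns after reading each provider's published answer:
# None = no answer in the registry, 0.0 = answered but not met,
# 0.5 = partially met, 1.0 = fully met with evidence cited.
# Both providers and all values are constructed, not real STAR submissions.
RESPONSES = {
    "Provider A (constructed)": {"CO-01": 1.0, "DG-05": 1.0, "FS-03": 0.5, "SA-12": 1.0},
    "Provider B (constructed)": {"CO-01": 0.5, "DG-05": None, "FS-03": 1.0},
}


def weighted_score(responses, criteria=CRITERIA):
    """Return (score, max_score); an unanswered control contributes nothing."""
    total = 0.0
    max_total = 0.0
    for cid, (_title, weight) in criteria.items():
        max_total += weight
        coverage = responses.get(cid)
        if coverage is not None:
            total += weight * coverage
    return total, max_total


def follow_up_questions(responses, criteria=CRITERIA, threshold=1.0):
    """Controls without a full answer, highest weight first.

    These are the questions to raise with the provider before adoption.
    """
    gaps = []
    for cid, (title, weight) in criteria.items():
        coverage = responses.get(cid)
        if coverage is None or coverage < threshold:
            status = "unanswered" if coverage is None else f"coverage {coverage:.1f}"
            gaps.append((weight, cid, title, status))
    gaps.sort(key=lambda g: (-g[0], g[1]))
    return [(cid, title, status) for _w, cid, title, status in gaps]


def rank_providers(all_responses, criteria=CRITERIA):
    """Return [(provider, percent of weighted criteria met)], best first."""
    ranked = []
    for name, responses in all_responses.items():
        score, max_score = weighted_score(responses, criteria)
        ranked.append((name, round(100.0 * score / max_score, 1)))
    ranked.sort(key=lambda r: -r[1])
    return ranked


if __name__ == "__main__":
    for name, pct in rank_providers(RESPONSES):
        print(f"{name}: {pct}% of weighted criteria met")
        for cid, title, status in follow_up_questions(RESPONSES[name]):
            print(f"  follow up: {cid} {title} ({status})")
```

The script records the weights and the evaluator's reading of each answer in one place, which also gives the audit trail of how and why a selection was made that the text recommends keeping for future evaluations.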
Specific examples of Microsoft adoption of STAR controls
To provide some specific examples of how the STAR framework helps
both an initial selection process and ongoing due diligence,
Microsoft has selected some specific examples of STAR controls and
the corresponding Microsoft responses.
Full STAR submission downloads
Microsoft Dynamics CRM Online, submitted April 05, 2012
Microsoft Office 365, submitted December 02, 2011
Microsoft Windows Azure, submitted March 30, 2012
In the following examples, an organization can see how it can save
time and money by using the CCM framework to obtain standard
answers from cloud providers instead of developing its own lists of
questions. For example, an organization can select the questions that
are most relevant and compare the answers of Microsoft and other
providers to help decide which service to select. The examples apply
to Windows Azure, Office 365, and Microsoft Dynamics CRM.
CO-01 Compliance - Audit planning
“Audit plans, activities and operational action items focusing on data
duplication, access, and data boundary limitations shall be designed
to minimize the risk of business process disruption. Audit activities
must be planned and agreed upon in advance by stakeholders.”
Microsoft’s reply:
“Microsoft’s goals are to operate Microsoft’s services with security as
a key principle, and to give the customer accurate assurances about
Microsoft’s security. Microsoft has implemented and will maintain
reasonable and appropriate technical and organizational measures,
internal controls, and information security routines intended to help
protect customer data against accidental loss, destruction, or
alteration; unauthorized disclosure or access; or unlawful destruction.
Each year, Microsoft undergoes third-party audits by internationally
recognized auditors to validate that Microsoft has independent
attestation of compliance with Microsoft’s policies and procedures
for security, privacy, continuity, and compliance.
ISO 27001 certifications for Microsoft Dynamics CRM, Windows
Azure, Office 365, and Global Foundation Services (which runs the
physical infrastructure) can be found on the website of Microsoft’s
external ISO auditor, the BSI Group. Additional audit information is
available under NDA upon request by prospective customers.
Windows Azure, Office 365, and Microsoft Dynamics CRM Online
independent audit reports and certifications are shared with
customers in lieu of allowing individual customer audits. These
certifications and attestations accurately represent how Microsoft
obtains and meets Microsoft’s security and compliance objectives
and serve as a practical mechanism to validate Microsoft’s promises
for all customers.
For security and operational reasons, Windows Azure, Office 365, and
Microsoft Dynamics CRM do not allow Microsoft customers to
perform their own audits.
Customers are allowed to perform non-invasive penetration testing
of their own application on the Windows Azure platform with prior
approval.”
“Monitor and review the Information Security Management System
(ISMS)” is covered under the ISO 27001 standards, specifically
addressed in Clause 4.2.3. For more information, review of the
publicly available ISO standards we are certified against is
suggested.
DG-05 Data Governance – Secure Disposal
“How does the service provider comply with the need for ’Policies
and procedures shall be established and mechanisms implemented
for the secure disposal and complete removal of data from all
storage media, ensuring data is not recoverable by any computer
forensic means.’”
Microsoft’s reply:
“Microsoft uses best practice procedures and a wiping solution that is
NIST 800-88 compliant. For hard drives that can’t be wiped, we use a
destruction process that destroys them (such as shredding) and renders
the recovery of information impossible (for example, disintegrate,
shred, pulverize, or incinerate). The appropriate means of disposal is
determined by the asset type. Records of the destruction are
retained.
Microsoft Dynamics CRM Online uses approved media storage and
disposal management services. Paper documents are destroyed by
approved means at the pre-determined end-of-life cycle.
All Windows Azure services utilize approved media storage and
disposal management services. Paper documents are destroyed by
approved means at the pre-determined end-of-life cycle.
Microsoft Office 365 utilizes approved media storage and disposal
management services. Paper documents are destroyed by approved
means at the pre-determined end-of-life cycle.”
“Secure disposal or re-use of equipment and disposal of media” is
covered under the ISO 27001 standards, specifically addressed in
Annex A, domains 9.2.6 and 10.7.2. For more information, we suggest
a review of the publicly available ISO standards for which we are
certified.
FS-03 Facility Security - Controlled Access Points
“Physical security perimeters (fences, walls, barriers, guards, gates,
electronic surveillance, physical authentication mechanisms,
reception desks and security patrols) shall be implemented to
safeguard sensitive data and information systems.”
Microsoft’s reply:
“Data center buildings are nondescript and do not advertise that
Microsoft Data Center hosting services are provided at the location.
Access to the data center facilities is restricted. The main interior or
reception areas have electronic card access control devices on the
perimeter door(s), which restrict access to the interior facilities.
Rooms within the Microsoft Data Center that contain critical systems
(servers, generators, electrical panels, network equipment, etc.) are
either restricted through various security mechanisms such as
electronic card access control, keyed lock, antitailgating and/or
biometric devices.
Additional physical barriers, such as “locked cabinets” or locked cages
erected internal to facility perimeters, may be in place as required for
certain assets according to Policy and/or by business requirement.”
“Physical security perimeter and environmental security” is covered
under the ISO 27001 standards, specifically addressed in Annex A,
domain 9. For more information, review of the publicly available ISO
standards Microsoft is certified against is suggested.
SA-12 Security Architecture – Clock Synchronization
“An external accurate, externally agreed upon, time source shall be
used to synchronize the system clocks of all relevant information
processing systems within the organization or explicitly defined
security domain to facilitate tracing and reconstitution of activity
timelines. Note: specific legal jurisdictions and orbital storage and
relay platforms (US GPS & EU Galileo Satellite Network) may mandate
a reference clock that differs in synchronization with the
organization’s domicile time reference; in this event the jurisdiction or
platform is treated as an explicitly defined security domain.”
Microsoft’s reply:
“In order to both increase the security of Microsoft Dynamics CRM
Online, Windows Azure, and Office 365 and to provide accurate
reporting detail in event logging and monitoring processes and
records, Microsoft Dynamics CRM Online, Windows Azure, and Office
365 use consistent clock setting standards (such as PST, GMT, UTC).
When possible, Microsoft Dynamics CRM Online, Windows Azure,
and Office 365 server clocks are synchronized through the Network
Time Protocol which hosts a central time source for standardization
and reference, in order to maintain accurate time throughout the
Microsoft Dynamics CRM Online, Windows Azure, and Office 365
environments.”
“Clock synchronization” is covered under the ISO 27001 standards,
specifically addressed in Annex A, domain 10.10.6. For more
information, review of the publicly available ISO standards we are
certified against is suggested.
Summary
The decision about how to move forward with cloud deployment is
an important one. As organizations see the benefits of cloud
computing in rapid deployment and provisioning, up- or down-scaling,
and cost reduction, they find cloud migration a desirable
approach to service delivery.
However, such migration and deployment of new services are
sometimes slowed or prevented by the need to thoroughly research
(or assess) the risk involved and mitigate such risk. In the process of
implementing cloud computing, much of the risk is seen as new, or
even exotic, when compared to existing, day-to-day, operational risk.
Some of the unease and complexity involved in selecting a cloud
provider can be alleviated by using a common controls framework.
Such a framework should be based upon industry best practices and
a true understanding and evaluation of cloud-specific deployment
considerations and risks. Such a framework should also help alleviate
much of the cost involved in the evaluation of alternate
solutions, and help to significantly manage risks that are inherent in
the deployment of any new technology.
The Security, Trust and Assurance Registry, created by the Cloud Security Alliance
(CSA), is such a framework.
The CSA publishes and maintains STAR, which was created to reduce
much of the effort, ambiguity, and costs of getting the right
information on cloud providers’ security and privacy practices. STAR
uses the Cloud Controls Matrix (CCM) to provide a detailed
understanding of security and privacy concepts and principles that
are aligned with Cloud Security Alliance guidance.
The CSA CCM provides organizations with a framework that has the needed
structure, detail, and clarity with regard to information security, tailored to the cloud
computing services industry.
To help organizations deploy cloud computing solutions, Microsoft
offers its detailed replies to STAR, which are publicly available at the
CSA website. Microsoft’s reply incorporates ISO 27000 guidelines,
and exemplifies the commitment Microsoft makes and importance
Microsoft places on its customers’ security and privacy.
Additional reading
• Cloud Security Alliance (CSA)
• COBIT Fact Sheet on the Information Systems Audit and
Control Association (ISACA) website
• BSI Group – the British Standards Institution
• BS ISO/IEC 27005:2011 standard that provides guidelines for
information security risk management
• International Organization for Standardization (ISO) Standards
catalogue
• Global Foundation Services
• Windows Azure ISO Certification
• Microsoft Dynamics CRM ISO Certification
• White papers on Windows Azure
• Windows Azure Platform Legal Information
• Microsoft Dynamics CRM
• CSA STAR Registry
• Microsoft Office 365 Trust Center
• Windows Azure Trust Center
• Directive 95/46/EC of the European Parliament and of the Council