Pre-adoption concerns

• 60% cited concerns around data security as a barrier to adoption
• 45% were concerned that the cloud would result in a lack of data control
Source: Ponemon Institute study, Oct 2014

Areas of concern
• SECURITY: Design/Operation, Infrastructure, Network, Identity/access, Data
• PRIVACY
• COMPLIANCE

Government demands for customer data (read more at http://blogs.microsoft.com/on-theissues/2013/07/16/responding-to-governmentlegal-demands-for-customer-data/):
"If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. In the first half of 2014, Microsoft only received five requests from law enforcement for five users associated with an enterprise customer. In all five cases, the requests were rejected or law enforcement was successfully redirected to the customer."

What customers want
• Reduce cost
• Scale infinitely
• Deploy quickly
• Make your data highly available
• Move incrementally to Azure
• Central control over all assets
• Meet compliance requirements
• Let your apps reason over data
• High assurance that your data is safe

What Azure provides
• Economies of scale
• Pay-for-use pricing
• Ease to deploy, and to scale
• Virtually infinite storage
• Great HYBRID options
• Unified identity management
• Azure platform certifications: EU Model Clauses, UK GCloud, FedRAMP, SOC, ISO27001, PCI DSS, HIPAA
• Huge investment in security
• Strong built-in security controls
• Optional security controls for customers

Part 1 of this presentation: Built-in controls in Azure
Part 2 of this presentation: Controls available for Azure customers

Built-in data protection controls in Azure (on by default)

Timeline of Microsoft security and compliance milestones:
• Trustworthy Computing Initiative
• 1st Microsoft Data Center
• Active Directory
• Windows Update
• Microsoft Security Response Center
• Global Data Center Services
• Security Development Lifecycle
• Malware Protection Center
• Digital Crimes Unit
• Operations Security Assurance
• 100+ Data Centers
• UK G-Cloud Level 2
• SOC 1, SOC 2
• FedRAMP/FISMA
• CSA Cloud Controls Matrix
• E.U. Data Protection Directive
• ISO/IEC 27001:2005
• HIPAA/HITECH
• PCI DSS Level 1

Security Centers of Excellence: groups to monitor and respond to vulnerabilities and incidents on a global scale.
Digital Crimes Unit: actively defending attacks that only few organizations can.
Compliance Standards: investing heavily in robust compliance processes, including ISO 27001 and the EU Data Protection Directive.

REDUCE SECURITY COSTS + MAINTAIN FLEXIBILITY, ACCESS, & CONTROL
Responsibility shifts from the customer to Microsoft as you move from On-Premises to IaaS, PaaS and SaaS.

Data location
Customer choice:
• Chooses region where data resides
• Configures data replication options
Microsoft:
• Creates multiple copies of data in the datacenter
• Geo-replication in a datacenter 400+ miles away
• Does not transfer Customer Data outside of a geo

Data retention and destruction
• Data Retention
• Data Deletion
• Disk Handling

Protect data in transit
• Secured by TLS best practices
• Perfect forward secrecy
• 2048-bit keys
• Strong ciphers are used / FIPS 140-2 support
• Import / Export Service (physical media shipment): only accepts BitLocker-encrypted data disks
Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity.
Data in transit between data centers: protects from bulk interception of data.
• Datacenter to datacenter: encrypts customer data transfer between Azure datacenters by EOY

Microsoft operator access & logging
Azure Just in Time & Role Based Access grants temporary privilege on a specific asset (operator requests access; Microsoft network):
• No standing access to Customer Data
• Grants least privilege required to complete a task
• Multi-factor authentication required for all administration
• Locked down admin console used for operator access
• Access is audited, logged, and analyzed

Security controls available for Azure customers (Part 2 of this presentation)

Diagram elements used on the following slides: Storage; Virtual Machine with custom app; Key Manager, e.g. HSM; Active Directory; Users, machines (■■■■■■@microsoft.com, or a Microsoft account); App/device outside your organization.

StorSimple
Protection elements
• Access control: No change. The StorSimple appliance appears like a NAS (via iSCSI).
• Encryption: Automatic. StorSimple protects all data that it writes to Azure with AES-256 + SHA-256. Keys stay on-premises.
• Logs: StorSimple emits audit logs.
• Availability: Azure takes care of this automatically.

SQL Server with keys on-premises
Protection elements
• Access control: Stays on-premises, no change.
• Encryption: Use TDE. You have a choice of crypto algorithm. Keys stay on-premises, and can be offloaded to the HSM of your choice.
• Logs: SQL Server audit log, no change.
• Availability: Azure takes care of this automatically.

SQL Server with keys in Azure (optional EKM offload)
Protection elements
• Access control: No change, same as on-premises SQL Server.
• Encryption: Use TDE. Keep the key in Azure, or install the optional EKM provider to offload it to an on-premises HSM.
• Logs: No change. SQL Server audit log.
• Availability: Azure takes care of this automatically.

Azure SQL DB
Protection elements
• Access control: Username/password per server, controlled by the Azure subscriber who created the server.
• Encryption: N.A.
• Logs: Azure SQL DB audit feature, now in preview.
• Availability: Azure takes care of local redundancy automatically. You can optionally make it geo-redundant.

Virtual Machine volumes in Azure storage (BitLocker)
Protection elements
• Access control: BitLocker key protector.
• Encryption: BitLocker. Multiple "protectors" are available to protect the key – password, certificate, AD group, …
• Logs: Windows event log.
• Availability: The VHD is stored in Azure storage, which automatically replicates it.

Virtual Machines: boot volume encryption and pre-boot authorization

Virtual Machine in Azure with a custom app
Protection elements
• Access control: Storage access key + custom
• Encryption: Custom
• Logs: Azure Storage logs
• Availability: Azure takes care of this automatically.

Azure RMS for apps/devices outside your organization
Protection elements
• Access control: The publisher (user/app) sets permissions, which then travel with the data. Apps licensed to use RMS are contractually required to enforce these.
• Encryption: The RMS SDK encrypts data with a symmetric key and encrypts the symmetric key with the master key. The master key can optionally be protected by HSMs.
• Logs: RMS Server logs.
• Availability: Azure RMS is responsible for high availability of keys. The application is responsible for high availability of data, and can use Azure storage for the same.

Resources
http://azure.microsoft.com/en-us/pricing/free-trial/
http://azure.microsoft.com/en-us/support/trust-center/
http://azure.microsoft.com/en-us/services/active-directory/
http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure
http://www.microsoft.com/en-us/server-cloud/products/storsimple/
http://msdn.microsoft.com/en-us/library/bb934049.aspx
http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tdeencryption-on-a-database-in-an-availability-group.aspx
http://azure.microsoft.com/en-us/services/sql-database/
http://technet.microsoft.com/en-us/library/jj647767.aspx
http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx
http://www.microsoft.com/rms
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com
http://technet.microsoft.com/library/dn765472.aspx
http://technet.microsoft.com/en-us/library/hh546785.aspx
http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
http://azure.microsoft.com/en-us/
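The two SQL Server scenarios above say "use TDE" and mention a choice of algorithm and of where the key lives, but the deck does not show what that looks like. The T-SQL below is an added example, not from the presentation or from Microsoft's documentation; the database name SalesDb, the certificate name TdeCert, the file paths and the password placeholders are all hypothetical. It enables Transparent Data Encryption with a server certificate, backs the certificate up (the step most often forgotten, and the one that decides whether an encrypted backup can ever be restored elsewhere), and then queries the DMV that shows the algorithm and encryption state so an operator can verify the control is actually in force.

```sql
-- Added example (not part of the presentation): enable TDE on one database
-- with a server certificate, then verify the result.
-- SalesDb, TdeCert, file paths and passwords are hypothetical placeholders.

USE master;
GO
-- 1. Database master key in master, protected by a password.
--    Replace the placeholder before running.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password-1>';
GO
-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back up the certificate and its private key right away. A TDE-encrypted
--    backup cannot be restored on another instance without this certificate.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-placeholder-password-2>');
GO
-- 4. Create the DEK inside the user database. AES_256 is the algorithm
--    choice the slide refers to; AES_128 and AES_192 are also accepted.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 5. Turn encryption on. Existing pages are encrypted by a background scan,
--    so the state is "in progress" (2) until the scan completes.
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 6. Verify: encryption_state 3 = encrypted, 2 = encryption in progress;
--    key_algorithm/key_length show the DEK choice; encryptor_type shows
--    whether a CERTIFICATE or an ASYMMETRIC KEY (EKM/HSM) protects it.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type
  FROM sys.dm_database_encryption_keys AS k;
```

The `GO` separators assume the script is run from sqlcmd or SQL Server Management Studio. For the "keys stay on-premises / offload to an HSM" variant in the deck, steps 2 and 4 change: the DEK is protected by an asymmetric key created `FROM PROVIDER` (the registered EKM cryptographic provider) and the DEK is created with `ENCRYPTION BY SERVER ASYMMETRIC KEY` instead of `ENCRYPTION BY SERVER CERTIFICATE`; the verification query in step 6 then reports `ASYMMETRIC KEY` as the encryptor type. Note that once any database on an instance is encrypted, tempdb is encrypted as well, and that TDE protects data at rest only; the access control and audit log rows in the slides remain separate controls.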