A cloud you can trust
“Businesses and users are going to embrace technology only if they can trust it.” – Satya Nadella
At Microsoft, we never take your trust for granted
• We are serious about our commitment to protect customers in a cloud first world.
• We live by standards and practices designed to earn your confidence.
• We collaborate with industry and governments to build trust in the cloud ecosystem.
The cloud operating model prioritizes speed and empowers developers. Hybrid cloud allows the
model to be utilized consistently across public, partner, and private cloud environments, providing
ultimate flexibility.
Hybrid
• Partner datacenter: Cloud services deployed on dedicated resources, hosted or operated by a Microsoft partner. Provides integrated or industry-specific service offerings.
• Microsoft datacenter (Public)
  Global: Hyper-scale, globally connected cloud services deployed from regional Microsoft datacenters. Local datacenters enable customers to address local data residency requirements.
  Sovereign: Hyper-scale cloud services, isolated from global cloud services. Deployed from local datacenters to meet unique requirements of specific markets.
• Customer datacenter (Private): Deployed on customer-dedicated resources with Microsoft products and technologies. Benefit from cloud experiences on your own premises.
36 datacenter locations worldwide
• 100+ datacenters
• One of 3 largest networks in the world
Map of datacenter regions: Central US, West US, East US, North Central US, Brazil South, West Europe, Japan East, South India, SE Asia, Australia South East, Australia East, India Central, West India, Japan West, East Asia, China West*, North Europe, Germany Northeast**, Canada East, Canada Central, South Central US, China East*, Germany Central**, West US 2, Korea South, East US 2, Korea Central, United Kingdom West, United Kingdom South, West Central US
Other map labels: Chile, Asia, Vienna, Finland
https://www.microsoft.com/security/sir/default.aspx
Figures (CTIP data for Belgium):
• 30 Days CTIP Infection Map, 1-30 September 2017
• Belgium Overview, 1-30 September 2017
• Belgium Top 25 Cities by Threat, 9-15 October 2017
• Brussels Overview, 1-30 September 2017
• Unique IPs by Threat by Day in Belgium, 01 – 16 October 2017
Most Common CTIP Malware Threats in Belgium 1-30 September 2017
• Bladabindi & Jenxcus | 4 482 | June 2014 | Identity Theft / Financial Fraud / Privacy Invasion
  Malware using Dynamic DNS for command. It involved password and identity theft, webcam and other privacy invasions. Over 200 different types of malware impacted by the take down.
• Conficker | 5 205 | February 2010 | Botnet Worm
• Sirefef | 483 | December 2013 | Advertising Click Fraud
  ZeroAccess hijacked search results, taking victims to dangerous sites. It costs online advertisers upwards of $2.7 million each month.
Trusted Cloud Principles
Security
Compliance
Transparency
Privacy Other
Top 20 Customer Requirements Related to Trust
Compliance was ranked second in importance to cloud trust.
3000 customers were asked to rank their top 20 requirements related to cloud trust.
Security and privacy are stated as the most important considerations, while compliance drives behavior.
Microsoft: Trusted Cloud Survey, 2016
Hybrid cloud support
MICROSOFT SOLUTIONS
• Private Cloud: Consolidate data center operations
• Public Cloud: Achieve scale, agility and lower cost
• Hybrid Cloud: Migrate less sensitive data
Consistent platform and tools | Single management console
Migrate at your own pace
What we’re doing about it
• We lead the industry in pursuing compliance with the latest standards for data privacy and security, such as ISO 27018.
• Our global infrastructure investments enable us to meet unique data residency, sovereignty and compliance requirements.
• We regularly undergo independent audits to certify our compliance.
• We collaborate with our partners, when requested, to work with their customers and regulators to help them meet their compliance requirements.
Customers expect
• Cloud services to enable compliance by adhering to international standards, certifications and applicable regulatory requirements.
• Ability to see the certifications for each of their cloud provider’s cloud services.
Microsoft Cloud Compliance Certifications and Attestations Sept 2016
Regulatory and Compliance Domain
Broadly Applicable
• ISO 27018:2014
• ISO 27001:2013
• SOC 1 Type 2 (SSAE 16/ISAE 3402)
• SOC 2 Type 2 (AT Section 101)
• CSA STAR 1 | No
United States Government
• FedRAMP Moderate | No
• CJIS Security Policy, Version 5.3 | No
• DISA SRG Level 2 P-ATO | No
• FDA 21 CFR Part 11 | No
• ITAR | No | No
• IRS 1075 | No | No
Industry Specific
• HIPAA BAA
• PCI DSS Level 1 | N/A | N/A | N/A
• FERPA | N/A
• CDSA | N/A | N/A | N/A
Region/Country Specific
• EU Model Clauses
• UK G-Cloud v6
• Australia Gov ASD | No
• Singapore MTCS | No
• Japan FISC | No | No
• New Zealand GCIO
• EU-US Privacy Shield
• China (MLPS, TRUCS, GB 18030) | No | No | No
Compliance assurances
Third party validation, Azure
Badge groups: United States, Industry, Regional
• ISO 27001
• PCI DSS Level 1
• SOC 1 Type 2
• SOC 2 Type 2
• ISO 27018
• Cloud Controls Matrix v3.0.1
• Content Delivery and Security Association
• Shared Assessments
• SOC 3
• MPAA
• Singapore MTCS Level 3
• United Kingdom G-Cloud
• Australian Signals Directorate
• New Zealand GCIO
• China GB 18030
• European Union Model Clauses
• Argentine Data Protection Act 25.326
• China TRUCS
• Canadian Privacy Laws
• FISMA
• HIPAA / HITECH
• FIPS 140-2
• DISA Level 2 (DIACAP)
• FERPA
• FedRAMP JAB P-ATO
• 21 CFR Part 11
• IRS 1075
• Section 508 VPATs
• NIST 800-171
• MARS-E
• GxP
• DIACAP
• Japan My Number Act
• Japan Financial Services
• ENISA IAF
• Cloud Security Mark Gold
• Spain ENS
• FACT
• EU-US Privacy Shield
• ISO/IEC 27017
• China Multi Layer Protection Scheme
• ISO 22301
• Germany IT Grundschutz workbook
https://aka.ms/O365PenTest17.
https://news.microsoft.com/cloudforgood/resources.html
https://www.gov.uk/government/news/two-thirds-of-large-uk-businesses-hit-by-cyber-breach-or-attack-in-past-year
https://www.gov.uk/government/publications/cyber-security-breaches-survey-2016
The Cyber Security Breaches Survey
found that while one in four large
firms experiencing a breach did
so at least once a month, only
half of all firms have taken any
recommended actions to identify
and address vulnerabilities. Even
fewer, about a third of all firms, had
formal written cyber security
policies and only 10% had an
incident management plan in
place.
Our survey reveals that 57% have had a recent significant cybersecurity incident.
Nearly half (48%) cited outdated information security controls or architecture as their
highest vulnerability – an increase from 34% in the 2015 survey.
http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016
http://www.ey.com/gl/en/newsroom/news-releases/news-global-organizations-better-prepared-to-predict-and-resist-cyber-attacks-but-struggle-to-recover-from-them-ey-survey-finds
Maturity levels are still too low in many
critical areas.
Percentage who would rate these
information security management
processes as mature:
• Software security: 29%
• Security monitoring: 38%
• Incident management: 38%
• Identity and Access Management: 38%
• Network security: 52%