Pre-adoption concern 60% cited concerns around data security as a barrier to adoption 45% concerned that the cloud would result in a lack of data control

Page 2

Data protection in Microsoft Azure

Devendra Tiwari, Sumedh Barde, Thomas Knudson

CDP-B216

Page 3

Pre-adoption concern

60% cited concerns around data security as a barrier to adoption

45% concerned that the cloud would result in a lack of data control

Cloud makes you nervous?

SECURITY
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data

PRIVACY

COMPLIANCE

Source: Barriers to Cloud Adoption study, ComScore, September 2013

Page 4

Organizations have told us

You want to GAIN these by moving data to the cloud
• Reduce cost
• Move incrementally to Azure
• Let your apps reason over data
• Deploy quickly
• Scale infinitely
• Make your data highly available

You want to RETAIN these when you move data to the cloud
• High assurance that your data is safe
• Meet compliance requirements
• Central control over all assets

Page 5

Will your security investment keep up?

Number of breaches, cost and resolution time have doubled in 4 years (2010 to 2014).
Source: Ponemon Institute, Oct 2014

BYODs and cross-org collaboration are forcing more apps into the DMZ.

For many orgs, their on-premises staff will get stretched thin very fast.

Let us help you! Your DMZ is THE cloud.

Page 6

The question on your mind

Will Microsoft share my data?

Page 7

Microsoft policy for business services

Microsoft VP of LCA Brad Smith. Read more at http://blogs.microsoft.com/on-the-issues/2013/07/16/responding-to-government-legal-demands-for-customer-data/

If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so.

In the first half of 2014, Microsoft only received five requests from law enforcement for five users associated with an enterprise customer. In all five cases, the requests were rejected or law enforcement was successfully redirected to the customer.

Microsoft report on law enforcement requests

Page 8

Statistics for your common threats

Graph shows percent of companies that experienced each type of threat.

Source: Ponemon Institute study sponsored by HP

These are your biggest threats. Microsoft Azure can help you there.

Page 9

We can help you with security too!

What you GAIN by moving data to the cloud
• Reduce cost
• Move incrementally to Azure
• Let your apps reason over data
• Deploy quickly
• Scale infinitely
• Make your data highly available

What you RETAIN when you move data to the cloud
• High assurance that your data is safe
• Meet compliance requirements
• Central control over all assets

Page 10

Elements of Microsoft’s solution

• Economies of scale
• Pay-for-use pricing
• Azure platform certifications: EU Model Clauses, UK G-Cloud, FedRAMP, SOC, ISO27001, PCI DSS, HIPAA
• Unified identity management
• Ease to deploy, and to scale
• Great HYBRID options
• Huge investment in security
• Strong built-in security controls
• Optional security controls for customers
• Virtually infinite storage

Page 11

Elements of Microsoft’s solution

• Economies of scale
• Pay-for-use pricing
• Unified identity management
• Ease to deploy, and to scale
• Great HYBRID options
• Optional security controls for customers
• Virtually infinite storage

Part 1 of this presentation: Built-in controls in Azure
• Azure platform certifications: EU Model Clauses, UK G-Cloud, FedRAMP, SOC, ISO27001, PCI DSS, HIPAA
• Huge investment in security
• Strong built-in security controls

Page 12

Elements of Microsoft’s solution

• Economies of scale
• Pay-for-use pricing
• Azure platform certifications: EU Model Clauses, UK G-Cloud, FedRAMP, SOC, ISO27001, PCI DSS, HIPAA
• Ease to deploy, and to scale
• Huge investment in security
• Strong built-in security controls
• Virtually infinite storage

Part 2 of this presentation: Controls available for Azure customers
• Unified identity management
• Great HYBRID options
• Optional security controls for customers

Page 13

Part 1: Built-in data protection controls in Azure (on by default)

Page 14

Azure Security, Privacy, and Compliance

This talk is focused on key points of our whole security story.

Must-see session for security/privacy/compliance professionals:
CDP-B230 Microsoft Azure Security and Compliance Overview (10/30 12:00)

Page 15

Built-in data protection

• Compliance certifications
• Security research & development
• Physical access controls
• Geo constraints & redundancy
• Data destruction
• Operator access & logging
• Encryption in transit
• Antimalware integration
• OS vulnerability management

Page 16

Microsoft investment in cloud security

Timeline (1989 to 2010) of milestones shown on the slide: 100+ Data Centers, Trustworthy Computing Initiative, Security Development Lifecycle, Global Data Center Services, Malware Protection Center, Microsoft Security Response Center, Windows Update, 1st Microsoft Data Center, Active Directory, SOC 1, CSA Cloud Controls Matrix, PCI DSS Level 1, FedRAMP/FISMA, UK G-Cloud Level 2, ISO/IEC 27001:2005, HIPAA/HITECH, Digital Crimes Unit, SOC 2, E.U. Data Protection Directive, Operations Security Assurance

IT’S HUGE!

Page 17

Microsoft investment in cloud security (same timeline as page 16)

Security Centers of Excellence: Groups to monitor and respond to vulnerabilities and incidents on a global scale.

Page 18

Microsoft investment in cloud security (same timeline as page 16)

Digital Crimes Unit: Actively defending against attacks that only a few organizations can.

Page 19

Microsoft investment in cloud security (same timeline as page 16)

Compliance Standards: Investing heavily in robust compliance processes, including ISO 27001 and EU Data Protection Directive.

Page 20

Defense in depth strategy

Layers: Data, Application, Network, Host Security, Identity & Access Management, Physical

24x7x365 Incident Response

Page 21

Shared responsibility
REDUCE SECURITY COSTS + MAINTAIN FLEXIBILITY, ACCESS, & CONTROL

Table on the slide: for each deployment model (On-Premises, IaaS, PaaS, SaaS), each layer is marked as managed by the Customer or by Microsoft.
Layers: Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications, Runtime

Page 22

Data location

Customer Choice
• Chooses region where data resides
• Configures data replication options

Microsoft
• Creates multiple copies of data in the datacenter
• Geo-replication in a datacenter 400+ miles away
• Does not transfer Customer Data outside of a geo

Page 23

Physical data protections

Security guards and cameras
Biometric access controls

Page 24

Data retention and destruction

Disk Handling
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed at the datacenter

Data Deletion
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to

Data Retention
• Data retained for 90 days and available if customer comes back within 90 days

Page 25

Protect data in transit

We work to protect your data across all communication stages.

• Secured by TLS best practices
  • Perfect forward secrecy
  • 2048-bit keys
  • Strong ciphers are used / FIPS 140-2 support
• Import / Export Service (Physical Media Shipment)
  • Only accepts BitLocker encrypted data disks
• Datacenter to Datacenter
  • Encrypts customer data transfer between Azure datacenters by EOY

1. Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity.
2. Data in transit between data centers: protects from bulk interception of data.
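As an added example (not from the deck), here is how the transit rules on this slide, TLS with perfect forward secrecy, 2048-bit keys and strong AEAD ciphers, can be pinned in a Go server configuration and then verified on the negotiated connection. The self-signed certificate, the host name demo.example and the in-memory client/server handshake are constructed for the demo; the slide itself names no code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// SelfSignedCert makes a throwaway 2048-bit RSA certificate (the key size the
// slide names) so the demo runs offline; production uses a CA-issued cert.
func SelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo.example"},
		DNSNames:     []string{"demo.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerConfig applies the slide's rules: TLS 1.2 or newer, and only ECDHE
// key exchange with AES-GCM (a FIPS 140-2 approved AEAD), so every session
// has forward secrecy and no static-RSA or CBC suite can be negotiated.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// ForwardSecret reports whether a negotiated session has perfect forward
// secrecy: every TLS 1.3 suite does; in TLS 1.2 only ephemeral (EC)DHE does.
func ForwardSecret(st tls.ConnectionState) bool {
	if st.Version >= tls.VersionTLS13 {
		return true
	}
	return strings.Contains(tls.CipherSuiteName(st.CipherSuite), "DHE_")
}

// Handshake runs a client/server handshake over an in-memory pipe and returns
// the negotiated state. clientMax pins the highest TLS version the client offers.
func Handshake(srv *tls.Config, pool *x509.CertPool, clientMax uint16) (tls.ConnectionState, error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srv).Handshake() }()
	cli := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "demo.example", MaxVersion: clientMax})
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-errc; err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

func main() {
	cert, pool, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	st, err := Handshake(ServerConfig(cert), pool, tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s forward_secret=%v\n", tls.CipherSuiteName(st.CipherSuite), ForwardSecret(st))
}
```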

Page 26

Microsoft operator access & logging

Just in Time & Role Based Access: the operator requests access and is granted temporary privilege on a specific asset.
• No standing access to Customer Data
• Grants least privilege required to complete a task
• Multi-factor authentication required for all administration
• Locked down admin console used for operator access
• Access is audited, logged, and analyzed

Diagram: Microsoft Network; Azure (Virtual Machines, Cloud Services, Storage)

Page 27

OS Protection

Microsoft Anti-malware integrated
• Deployed by Azure Infrastructure and its services
• Antimalware solution available for Azure Cloud Services and Virtual Machines, including a 3rd party offering for Virtual Machines
• Provides basic configuration, management and service monitoring to help Azure and its customers meet security & compliance commitments

Vulnerability management
• OS images updated and made available so you have the latest updates.
• Cloud services automatically updated on a regular basis (customer choice).

Page 28

Built-in data protection

• Compliance certifications
• Security Research & Development
• Physical access controls
• Geo constraints & redundancy
• Data destruction
• Operator access & logging
• Encryption in transit
• Antimalware integration
• OS vulnerability management

Built-in controls for all of your apps and data enable you to focus on your business and sensitive data controls.

Page 29

Part 2: Security controls available for Azure customers

Page 30

Elements of Microsoft’s solution

• Economies of scale
• Pay-for-use pricing
• Azure platform certifications: EU Model Clauses, UK G-Cloud, FedRAMP, SOC, ISO27001, PCI DSS, HIPAA
• Ease to deploy, and to scale
• Huge investment in security
• Strong built-in security controls
• Virtually infinite storage

Part 2 of this presentation: Controls available for Azure customers
• Unified identity management
• Great HYBRID options
• Optional security controls for customers

Page 31

Structure of the next few slides

Diagram: common data repositories on-premises (Virtual Machine with custom app; Storage) and supporting components (Active Directory: users, machines; Key Manager, e.g. HSM). The same diagram recurs on the scenario slides that follow.

For each data repository below, we describe the choices you have for how much of Azure you want to leverage.

For each choice, we describe how to:
• Control access to your data
• Encrypt your data at rest and manage keys, where relevant
• View access logs
• Make data highly available

Page 32

But first, a quick detour into Identity

Strong access control requires strong, centralized, identity management.

Active Directory (AD) helps you with that on-premises.

Azure Active Directory (AAD) helps you in Azure… and in Office 365, and in 1200+ apps.

AD and AAD are tightly integrated, to allow single sign-on, a single directory, and centralized management.

Page 33

Azure sign-in with Azure Active Directory

Screenshot: the Azure sign-in page with a (redacted) @microsoft.com user ID.

I sign in to Azure with the ID assigned to me by my organization.

Page 34

Azure sign-in with Azure Active Directory

Notice it is redirecting to my organization’s on-premises sign-in page.

Page 35

Azure sign-in with Azure Active Directory

This is my organization’s on-premises sign-in page.

My organization requires multi-factor sign-in. This carries through to Azure.

Page 36

Azure Active Directory role in Azure

Users must sign in to Azure with an AAD account (or a Microsoft account).

Azure uses the signed-in user’s account to determine which subscriptions, resource groups, and resources they can manage.

Tip: Access to use those resources is subsequently authorized by resource-specific mechanisms, but can be reset by whoever can manage the resource.

The AAD administrator thus indirectly controls which users and applications can access the organization’s assets in Azure.

Tip: If your employees create subscriptions with a Microsoft account (Live ID), they are treated as their personal subscriptions. They will NOT be in your organization’s control.

Page 37

First step: set up your Azure AD

Diagram: the on-premises components from page 31 (Virtual Machine with custom app; Storage; Active Directory with users and machines; Key Manager, e.g. HSM), with Active Directory now connected to Azure AD.

Rest of this deck will assume you have done this.

Page 38

Scenario 1: Tier 2 storage in Azure

Make your on-premises storage automatically grow as your data explodes.

Solution: Use StorSimple. It uses Azure as Tier 2 storage.

Benefits: Cost-effective, 100 TB storage. Your apps stay on-premises, unmodified.

Page 39

Scenario 1: Tier 2 storage in Azure

Diagram: as on page 31, with the on-premises Storage replaced by a StorSimple appliance backed by Azure.

Protection elements

Access control: No change. StorSimple appliance appears like a NAS (via iSCSI).

Encryption: Automatic. StorSimple protects all data that it writes to Azure with AES-256 + SHA-256. Keys stay on-premises.

Logs: StorSimple emits audit logs.

Availability: Azure takes care of this automatically.

Page 40

Scenario 2: SQL database/logs in Azure

Offload SQL DB data + logs to Azure storage, but keep SQL Server and apps on-premises.

Case 1: Offload just backup copies of your database to Azure storage.
Case 2: Move the live copy of your database to Azure storage.

Benefits: Cheap, virtually infinite storage. No change to on-premises applications.

Page 41

Scenario 2: SQL database/logs in Azure

Diagram: as on page 31, with Transparent Data Encryption (TDE) added to the on-premises SQL Server.

Page 42

Scenario 2: SQL database/logs in Azure

Diagram: as on page 41, Transparent Data Encryption (TDE) on the on-premises SQL Server.

Protection elements

Access control: Stays on-premises, no change.

Encryption: Use TDE. You have a choice of crypto algorithm. Keys stay on-premises, and can be offloaded to an HSM of your choice.

Logs: SQL Server audit log, no change.

Availability: Azure takes care of this automatically.

Page 43

Scenario 3: SQL Server in Azure

Move both SQL database AND server to an Azure VM.

Case 1: As a standalone server
Case 2: As an “Always On” replica of an on-premises SQL Server

Benefits: Cheap, virtually infinite storage. Pay-as-you-go compute. On-premises applications work as is, with just a new connection string.

Page 44

Scenario 3: SQL Server in Azure

Diagram: SQL Server with Transparent Data Encryption (TDE) running in the Azure VM; optional Always On replication from the on-premises SQL Server.

Option 1: Key stays locally in VM (protected by Azure).

Option 2: Key is in on-premises Hardware Security Module. Connect via VPN.

Page 45

Scenario 3: SQL Server in Azure

Diagram: as on page 44, SQL Server TDE (Transparent Data Encryption) in the Azure VM, optional Always On replication, and the two key options.

Option 1: Key stays locally in VM (protected by Azure).

Option 2: Key is in on-premises Hardware Security Module.

Protection elements

Access control: No change, same as on-premises SQL Server.

Encryption: Use TDE. Keep the key in Azure, or install the optional EKM provider to offload it to an on-premises HSM.

Logs: No change. SQL Server audit log.

Availability: Azure takes care of this automatically.

Page 46

Scenario 4: Azure SQL DB in Azure

Use SQL Server as a service. No more servers to manage!

Benefits: Easy to get started, zero upfront cost, pay for what you use.
Reduced management cost.
Very easy to set up geo-redundant databases.

Page 47

Scenario 4: Azure SQL DB

Diagram: as on page 31, with the database now in Azure SQL DB.

Protection elements

Access control: Username/password per server, controlled by the Azure subscriber who created the server.

Encryption: N.A.

Logs: Azure SQL DB audit feature, now in preview.

Availability: Azure takes care of local redundancy automatically. You can optionally make it geo-redundant.

Page 48

Scenario 5: Windows VM, data volume

You want to run your application in an Azure VM. You want data volumes encrypted at rest.

Solution: Use BitLocker, or a partner solution.

Benefits: BitLocker is included with Windows. Helps you meet the ‘checkbox’. For additional controls, use a partner solution.

Page 49

Scenario 5: Windows VM, data volume

Diagram: Virtual Machine in Azure with a boot volume and a data volume, both held in Azure storage; multiple options to protect the key.

Protection elements

Access control: BitLocker key protector.

Encryption: BitLocker. Multiple “protectors” available to protect the key: password, certificate, AD group, …

Logs: Windows event log.

Availability: VHD is stored in Azure storage, which automatically replicates it.

Page 50

Scenario 6: VM boot volume

You want to run your application in an Azure VM. You want the boot volume encrypted at rest. Or you want the data volume encrypted, but the VM runs Linux.

Solution: Microsoft does not offer this out of the box, but some partners do, like CloudLink.

Page 51

Azure VM encryption with CloudLink

Virtual Machine boot volume encryption and pre-boot authorization

Diagram: Virtual Machines; Key manager; HSM; Policy, Orchestration, Management

Page 52

Scenario 7: Custom app storing in Azure

You want to use Azure storage (blobs, tables, files) in your application, and want more protection than the default.

Solution: Encrypt using one of many libraries. The .Net SDK includes basic cryptographic primitives.

Page 53

Scenario 7: Custom app storing in Azure

Diagram: as on page 31, with the custom app running in a Virtual Machine in Azure and writing to Azure storage.

Protection elements

Access control: Storage access key + custom

Encryption: Custom

Logs: Azure Storage logs

Availability: Azure takes care of this automatically.

Page 54

Scenario 8: Sharing via Azure storage

You want to share data across multiple apps and/or devices, some outside your organization.

Solution: Use Microsoft Rights Management services.

Benefits: Identity-based access control, end-to-end encryption in transit and at rest.

Page 55

Scenario 8: Sharing via Azure storage

Diagram: encrypted data in Azure storage; key exchange through the RMS SDK; Microsoft Rights Management consults AAD before distributing the key.

Page 56

Scenario 8: Sharing via Azure storage

Diagram: as on page 55, adding an app/device outside your organization that uses the RMS SDK to obtain the key, with Microsoft Rights Management consulting AAD before distributing it.

Page 57

Scenario 8: Sharing via Azure storage

Diagram: as on page 56, adding highly scalable Hardware Security Modules behind Microsoft Rights Management, BYOK (bring your own key) via an HSM-to-HSM secure tunnel from the on-premises key manager, and access logs and reports.

Page 58

Scenario 8: Sharing via Azure storage

Diagram: as on page 57 (encrypted data, key exchange, consult AAD before distributing key, app/device outside your organization, RMS SDK, Hardware Security Modules, Microsoft Rights Management, BYOK via HSM-to-HSM secure tunnel).

Protection elements

Access control: Publisher (user/app) sets permissions, which then travel with the data. Apps licensed to use RMS are contractually required to enforce these.

Encryption: RMS SDK encrypts data with a symmetric key, and encrypts the symmetric key with a master key. The master key can optionally be protected by HSMs.

Logs: RMS Server logs.

Availability: Azure RMS is responsible for high availability of keys. The application is responsible for high availability of data, and can use Azure storage for the same.
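Scenario 7 (a custom app encrypting what it stores in Azure) and the RMS model above (a symmetric key per object, wrapped by a master key that is released only after an identity check) share one pattern: envelope encryption with policy-gated key release. The Go example below is added here and is neither the RMS SDK nor the .Net primitives the deck points to; the KeyManager that stands in for the HSM, the binding of the policy into the key wrap, and the sample identities are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Envelope is what the app writes to Azure storage: the payload under a
// per-object data key, plus that key wrapped by the master key. The policy
// travels with the data, as it does for RMS-protected content.
type Envelope struct {
	Policy     []string // identities allowed to obtain the data key
	WrappedKey []byte   // nonce || AES-GCM(masterKey, dataKey, aad = policy)
	Nonce      []byte   // nonce for the payload
	Ciphertext []byte   // AES-256-GCM(dataKey, payload)
}

// KeyManager stands in for the HSM / Azure RMS side: it holds the master
// key, never hands it out, and only wraps or unwraps data keys.
type KeyManager struct {
	master cipher.AEAD
	Audit  []string // access log, one entry per unwrap decision
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // unreachable with the 32-byte keys generated here
	}
	return v
}

func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b)) // no usable entropy: stop rather than derive weak keys
	return b
}

// NewKeyManager generates a 256-bit master key inside the "HSM".
func NewKeyManager() *KeyManager { return &KeyManager{master: newGCM(randomBytes(32))} }

// policyAAD binds the policy to the wrapped key: editing the policy in
// storage makes the unwrap fail authentication instead of widening access.
func policyAAD(policy []string) []byte { return []byte(strings.Join(policy, "\x00")) }

func (km *KeyManager) wrap(dataKey []byte, policy []string) []byte {
	nonce := randomBytes(km.master.NonceSize())
	return append(nonce, km.master.Seal(nil, nonce, dataKey, policyAAD(policy))...)
}

// Unwrap releases a data key only to an identity named in the policy (the
// "consult AAD before distributing key" step) and logs every decision.
func (km *KeyManager) Unwrap(env *Envelope, identity string) ([]byte, error) {
	allowed := false
	for _, p := range env.Policy {
		allowed = allowed || p == identity
	}
	ns := km.master.NonceSize()
	if !allowed || len(env.WrappedKey) < ns {
		km.Audit = append(km.Audit, "DENY "+identity)
		return nil, errors.New("identity not authorized by data policy")
	}
	key, err := km.master.Open(nil, env.WrappedKey[:ns], env.WrappedKey[ns:], policyAAD(env.Policy))
	if err != nil {
		km.Audit = append(km.Audit, "TAMPER "+identity) // policy or wrapped key was altered
		return nil, err
	}
	km.Audit = append(km.Audit, "ALLOW "+identity)
	return key, nil
}

// Seal encrypts plaintext under a fresh data key and wraps that key.
func Seal(km *KeyManager, plaintext []byte, policy []string) *Envelope {
	dataKey := randomBytes(32)
	aead := newGCM(dataKey)
	nonce := randomBytes(aead.NonceSize())
	return &Envelope{Policy: policy, WrappedKey: km.wrap(dataKey, policy), Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
}

// Open recovers the payload for an authorized identity.
func Open(km *KeyManager, env *Envelope, identity string) ([]byte, error) {
	dataKey, err := km.Unwrap(env, identity)
	if err != nil {
		return nil, err
	}
	return newGCM(dataKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	km := NewKeyManager()
	env := Seal(km, []byte("Q3 payroll export"), []string{"alice@contoso.example"}) // constructed sample
	_, denied := Open(km, env, "mallory@example.net")
	pt, _ := Open(km, env, "alice@contoso.example")
	fmt.Printf("outsider: %v; owner reads %q; audit=%v\n", denied, pt, km.Audit)
}
```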

Page 59

Data Protection in Microsoft Azure

We provide built-in controls for protecting all data stored in Azure.

We provide customers with app-level controls to enforce organization-specific policies.

You can migrate to Azure incrementally, leveraging data protection investments you have already made on-premises.

Try these scenarios out now and provide feedback. Free Trial: http://azure.microsoft.com/en-us/pricing/free-trial/

Page 60

Related content

CDP-B230 Microsoft Azure Security and Compliance Overview
CDP-B226 Introduction to Microsoft Azure Infrastructure-as-a-Service
CDP-B312 Microsoft Azure Active Directory Premium, in Depth
EM-B328 Azure Rights Management: What It Is, New Features, and a View into the Roadmap

Find Us Later At Ask The Experts (Hall 5)

Page 61

Learning references

Azure Trust Center (security and privacy): http://azure.microsoft.com/en-us/support/trust-center/
Azure Active Directory: http://azure.microsoft.com/en-us/services/active-directory/
Azure RBAC: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure
StorSimple: http://www.microsoft.com/en-us/server-cloud/products/storsimple/
SQL Server TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx
Always On with TDE: http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tde-encryption-on-a-database-in-an-availability-group.aspx
Azure SQL DB: http://azure.microsoft.com/en-us/services/sql-database/
BitLocker tools: http://technet.microsoft.com/en-us/library/jj647767.aspx
Encrypting with .Net: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx
Microsoft Rights Management services: http://www.microsoft.com/rms


Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd


Come visit us in the Microsoft Solutions Experience (MSE)! Look for the Cloud and Datacenter Platform area, TechExpo Hall 7.

For more information:

Windows Server: Windows Server Technical Preview, http://technet.microsoft.com/library/dn765472.aspx

Microsoft Azure: http://azure.microsoft.com/en-us/

System Center: System Center Technical Preview, http://technet.microsoft.com/en-us/library/hh546785.aspx

Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack


Azure certification and training paths (slide diagram):

Classroom training (MOC 10979, 20532, 20533): Microsoft Azure Fundamentals (coming soon), Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions. http://bit.ly/Azure-Train

Exams (532, 533, 534): Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions, Architecting Microsoft Azure Solutions (coming soon). http://bit.ly/Azure-Cert

Online training (MVA): Microsoft Azure Fundamentals (coming soon), Architecting Microsoft Azure Solutions (coming soon). http://bit.ly/Azure-MVA

Get certified for 1/2 the price at TechEd Europe 2014! http://bit.ly/TechEd-CertDeal


Please Complete An Evaluation Form. Your input is important!

TechEd Schedule Builder: CommNet station or PC

TechEd Mobile app: Phone or Tablet


Evaluate this session


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.