Brad Smith, Executive Vice-President and General Counsel, Microsoft Corporation
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
Security, Compliance, Privacy & Regulatory Aspects
Myths and Reality about Risk and Compliance
Patrick Van Asch – Product Marketing Manager Office 365
mailto: [email protected]
Thursday, 28th May 2015
Key ROLES in the processing of personal data
DATA SUBJECT (employee or customer of the cloud customer)
• Individual who is the subject of PII (Personally Identifiable Information)
DATA CONTROLLER (the customer)
• Determines the purposes & means by which any PII is processed
• Legally responsible for compliance
• May require audit or similar rights from a processor
DATA PROCESSOR (Microsoft)
• Processes PII only on the Data Controller's instructions
• Not considered a 3rd party
• Must implement appropriate technical & organizational security measures
Privacy by Design
This means that Microsoft does not use YOUR information for anything other than providing you services
Legal Obligation to Store Data
Generally NO specific legal framework for Cloud in Belgium
• EU Data Protection Directive, transposed into national data protection laws (Belgian Data Processing Act)
• Additional regulations for Finance & Insurance (regulated market) & HealthCare
  o HealthCare: outsourcing directive for "medical" files
  o FSI: no law; the NBB/BNB issues a directive
• Data Protection Authorities' recommendations (Art. 29 Working Party)
• Contractual terms & conditions between cloud provider & cloud customers
  o MSFT DPA for O365 reviewed + endorsed (EU Clauses, …)
Mutual Rights & Obligations in MSFT DPA
Customers as Data Controllers are legally responsible for the processing of their data,
even when a third party data processor is involved.
Why should this be a concern for customers?
What are Microsoft's commitments?
Microsoft complies with the Safe Harbor principles & signs a Data Processing Agreement with EU Model Clauses, specifying how data is being processed. (Microsoft is the only cloud provider to meet strict EU standards for international data transfers -> "Art. 29 Working Party" endorsement letter – blog)
Does Microsoft Comply with Regulations?
DATA LOCATION & TRANSFER
EU Data Protection Directive: the transfer of PII to any country outside the EU/EEA (European Economic Area) is prohibited, unless it is "adequately protected", i.e. unless one of the following applies:
• Adequate regulations in the receiving country, recognized by the EU Commission as offering sufficient protection (e.g. CH, CAN, ISL)
• "Safe Harbor" self-certification
• Sufficient contractual basis, e.g. EU Model Clauses
(Note: the Safe Harbor decision was invalidated by the Court of Justice of the EU in October 2015, after the date of this presentation; of the three bases listed, adequacy decisions and contractual clauses such as the EU Model Clauses remained available.)
Responsibility per layer across On-Prem, IaaS, PaaS and SaaS (each cell marked Cloud Customer or Cloud Provider in the original chart):
• Data classification and accountability
• Client & end-point protection
• Identity & access management
• Application level controls
• Network controls
• Host security
• Physical security
Risks a provider can help reduce: Physical | Networking
Shared risks: Identity & access management
Risks customers must manage: Data Classification | End Point Devices
Your Cloud Provider is Your Partner
• We don't provide any government with direct, unfettered access to your data
• We don't assist any government's efforts to break our encryption or provide any government with encryption keys
• We don't engineer back doors into our products & we take steps to ensure governments can independently verify this
Clearing the Air
If we receive a government demand for any enterprise customer's data: "In short, when governments seek information from Microsoft relating to customers, we strive to be principled, limited in what we disclose, and committed to transparency."
Our Commitment
CUSTOMERS (= DATA CONTROLLER) REMAIN RESPONSIBLE FOR DETERMINING WHETHER THE DATA MAY BE PROCESSED
The joint EU privacy regulators (Article 29 Working Party) have confirmed that the EU Model Clauses in Microsoft's cloud contracts are implemented in line with EU laws and regulations in the field of privacy and data exchange.
As of July 1, 2014, business customers will get standard EU Model Clauses in O365, Windows Azure, Windows Intune and Dynamics CRM Online.
Written validations today?
Microsoft is the only cloud provider to meet strict EU standards for international data transfers: "Art. 29 Working Party" endorsement letter – blog
Microsoft Certification Status: relevant certifications by market and region (chart)
Art. 29 Working Party – Validation Letter
Transparency in action
Security Process & Technology
• Secure Development (SDL)
• Secure Operations (OSA)
• Data center security: perimeter security, premises monitoring, multi-factor authentication, fire suppression, 24-hour security monitoring of data centers
Government Data Requests
• Disclosing government data requests
• Opposing gag orders
• Challenging egregious demands for data
Transparency Centers
• Ability to review source code
• Assurance there are no back doors
Customer Risk Management
Customer Risk Assessment
• Comparative Risk Assessment is key
• It starts with Data Classification and business impact
• Start Early!
Summary
• Your Privacy Matters: We respect your privacy
• Leadership in Transparency: You know 'where' data resides, 'who' can access it and 'what' we do with it
• Relentless on Security: Excellence in cutting edge security practices
• Independently Verified: Compliance with Industry Standards verified by 3rd parties
• Service Continuity: We financially back our guarantee of 99.9% uptime
Resources 1/2
• Latest innovations in Office 365 compliance: http://blogs.office.com/2015/02/16/latest-innovations-office-365-compliance/
• Office 365 offers greater privacy, security and regulatory compliance: http://blogs.office.com/2014/11/20/office-365-offers-greater-privacy-security-regulatory-compliance/
• Office 365—Our latest innovations in security and compliance: http://blogs.office.com/2014/10/28/office-365-latest-innovations-security-compliance/
• Cloud Services you can trust: Security, Compliance, and Privacy in Office 365: http://blogs.office.com/2013/10/23/cloud-services-you-can-trust-security-compliance-and-privacy-in-office-365/
Resources 2/2
• The Microsoft transparency report: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
• Article 29 Working Party letters to suppliers (compare suppliers at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/index_en.htm):
  o 02/04/2014: Letter from the Article 29 Working Party to Microsoft on a new version of the "Enterprise Enrollment Addendum Microsoft Online Services Data Processing Agreement" and its Annex I
  o 22/09/2014: Letter from the Article 29 Working Party to Microsoft on the Microsoft Service Agreement
• ISO/IEC 27018: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498
What's next?
• Visit Microsoft.be/enterprise and the Enterprise newsletter.
• Join the Conversation: aka.ms/CIOAB.
• Visit http://blogs.office.com and be part of the Office innovation
• Office 365 Pro Plus Workshop (free), Executive Briefing Center, Brussels, 10th of June 2015
• Office 365 Community Day "Office 365 Club" (free), Executive Briefing Center, Brussels, 11th+12th of June 2015:
  o How to provide Quality of Service with premium networking options: do we really need a private connection to the Office 365 datacenter to support my SLA, or would Internet connectivity be enough, and how do I plan that? (ExpressRoute for Office 365; Hermien Heveraet (Microsoft) and Annick Vanmeulder (BT))
  o Roadmap & Vision: which Office 365 announcements made at the Microsoft Ignite conference (Chicago) are relevant to me as a customer? (Ilse Van Criekinge, Patrick Van Asch)
  o Sway for Office 365, the newest member of Office: a hands-on experience (Koen Daems)
  o How to protect your data end-to-end when considering public cloud: data classification
    - Legal aspects you should know: Van Gyseghem JM (lawyer) in tandem with Sigrid Windmolders (LCA)
    - Data classification "why and how" with Bruno Schröder (CTO Microsoft BeLux) and Foletti Adèle (Trasys)
    - Field experiences by Devoteam (Arnold De Ploey, Olivier Potmans)
    - WHAT: capabilities available in Office 365 to use and enforce data-classification-based policies
  o Are you using the big data of your Office 365 environment? (Miranda Felix)