5/29/2018 6:22 AM THR2267 ABN AMRO use case to secure and manage their Azure infrastructure and applications Joël Blaauw – ABN AMRO Security Architect Nico Brandt – Microsoft ATS © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM The scenery © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
ABN AMRO Group NV. Is the third largest bank in the Netherlands Counting all major and smaller banks that over the years have been our current banks predecessors, roots go back some 300 years (1762) Strongly regulated by Dutch National Bank and European Central Bank Principal bank for over 21% of the Dutch population Present in 11 countries with more then 50 branches. 22.000 Employees Operating Income 8.588 Billion Euros* Net Profit 2076 Million Euros* Products: Asset Management, Commercial Banking, Investment Banking, Private Banking, Retail Banking *2016 Financial disclosure report © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Standards for Cloud Risk Control Cloud security is a partnership between ABN AMRO and Cloud Service Providers (CSP) Secure use of the cloud service platform is the responsibility of ABN AMRO Security of the cloud service platform itself is the responsibility of the CSP ABN AMRO owns the data and identities and the responsibility for protecting them. ABN AMRO owns the security of on-premises resources and cloud components ABN AMRO controls (varies by service type) ABN AMRO CSP cloud services are built on a foundation of trust and security. CSP provides security controls and capabilities to help ABN AMRO to protect data and applications. CSP
Standards for Cloud Risk Control Strategy Employ risk-based, multi-dimensional integrated approach to safeguarding services and data Minimum controls are applied on all layers (does not apply to NETWORK PERIMETER and FACILITY layers) Leverage controls top down (layers dependent on service model). Use complementary lower layer controls only when controls on higher layers are not possible Data Protection - Access control, encryption, key management DATA & KEYS SaaS PaaS Admin Access - Identity management, Dual-factor authentication, training and awareness, screening, Least and Temporary Privilege USER APPLICATION IaaS Application Security - Access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management ABN AMRO Security Monitoring and Response Host Protection - Access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management ABN AMRO Well-Formed Risk Statement HOST SYSTEM INTERNAL NETWORK Network Security - Segmentation, intrusion detection, vulnerability scanning NETWORK PERIMETER Network Security - Edge ACLs, DDoS protection, intrusion detection, vulnerability scanning FACILITY Physical Security - Physical controls, video surveillance, access control
Our challenges How to maintain agility, and innovative services available for development teams, while not lowering the security How to avoid losing business, due to lengthy risk assessments and formal procedures How to enable agile teams to perform changes, while maintaining compliant (Dutch regulator needs to be informed about projects concerning critical data, and the results of risk assessments performed on those projects)
Security Blueprint approach WHAT HOW IMPLEMENT Workload Specific Workload Specific DATA & KEYS Accountability Application Owner Application Control Solution Design Implement on application level SaaS USER PaaS CSP Agnostic APPLICATION IaaS Standards for Cloud Risk Control control integration HOST SYSTEM CSP Specific CSP Specific Generic Controls Solution Design Implement on platform level Responsibility CBSP INTERNAL NETWORK NETWORK PERIMETER FACILITY Identify and map applicable controls, leverage controls top down Design Solution Implement Solution
5/29/2018 6:22 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM Our verdict Better security becomes feasible Several very costly solutions are now ‘plug, play and pay’ Fully automated Fully monitored Centralized monitoring and security incident reporting © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Goals reached The Azure team is now working on HOW the services will be delivered to the teams needing them, following the ‘requirements’ (security built-in) The CISO team easily reviews the ‘features’, and provides an ‘approved by CISO’ status Development teams using ‘standard features’ only need to worry about how the features are used, not how they are configured or deployed CISO only needs to review how the features are used, which is much easier and faster (gained agility) The blueprint enables to deliver new features fast while incorporating security by design – Pascal Platteel, Product Development Manager Cloud at ABN AMRO
Lessons learned Awareness and understanding of ‘cloud’ is an ongoing issue Involve CISO from the start Translate ‘old’ policies towards new terminology Leverage CSP capabilities to mitigate possible incompliances Get the teams to adopt PaaS, which means less work for the engineers but also CISO The collaboration and finding each other is ‘impressive’ – Jaap Crum, Head of IT Technology Development & Portfolio Management at ABN AMRO
Please evaluate this session Tech Ready 15 5/29/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/29/2018 6:22 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.