CLM USE GUIDE FOR MICROSOFT TRUSTED CLOUD

Presentation transcript:

CLM USE GUIDE FOR MICROSOFT TRUSTED CLOUD
Microsoft Trusted Cloud
Version 1
February 2016

Customer profile
Customer is considering going to the cloud but has concerns over putting their data in the cloud. Work with your customer to overcome security objections and sell Microsoft cloud services.

Did you know?
On behalf of Office 365, Microsoft is willing to sign data processing terms, a HIPAA business associate agreement, and EU model clauses with each customer. We also comply with standards like ISO 27001, ISO 27018, FISMA, and FedRAMP. For more information please visit the continuous compliance section of the Office 365 Trust Center.

Upselling opportunities
Understanding customers' key concerns over security and the cloud, and knowing how to overcome these objections, will help you sell Microsoft cloud services.

Microsoft Trusted Cloud – Eliminate Customer Security Concerns
Security
Privacy
Compliance
Transparency

COMMON SECURITY CONCERNS
I want to know that my data is safe and secure when it is in the cloud.
I know where my data is when it is physically sitting on a server in my office. I want to be able to control my data.
I need peace of mind that there are regulatory controls about how my data is managed/protected in the cloud.
I want to be able to know how my data is being handled when it is in the cloud.

TOP BUSINESS NEEDS
For your data to be kept safe and secure.
You own and control your data.
Ensure cloud service provider conforms to global standards.
To have visibility into cloud service provider's practices.

WHY ENTRUST YOUR DATA TO MICROSOFT CLOUD?

We help ensure that the Microsoft Cloud is protected at the physical, network, host, application, and data layers so that our online services are resilient to attack:
**Watch Tour of Microsoft datacenter under resources below
Physical security. 24-hour monitoring, and all employees must use multifactor authentication, including biometric scanning, to enter the datacenters.
Network security. Provides infrastructure necessary to securely connect services.
Logical security. Port scanning, perimeter vulnerability scanning, and intrusion by preventing or detecting cyberattacks. Dedicated threat management teams proactively hunt for, prevent, and mitigate malicious attacks.
Data security. Customer data encrypted when stored on servers and when it is being transmitted. Customer data is protected from tampering by threat management, security monitoring, and file and data integrity.
Encryption. The Microsoft cloud uses encryption to safeguard customer data.
Identity. Azure Active Directory helps secure your data in on-premises and cloud applications, and simplifies the management of users and groups.
Threat management. Microsoft Antimalware is built for cloud, and additional antimalware protections for specific services: Microsoft Azure, Exchange Online, Dynamics CRM Online, and Microsoft Intune.

Our time-tested approach to privacy and data protection is grounded in our commitment to give you control of the collection, use, and distribution of your information. With the Microsoft Cloud, you are the owner of your customer data.
You are in control of your data. In the Microsoft cloud, you know where your customer data is located, who can access it and under what circumstances, and how it is responsibly protected, transferred, and deleted.
You control access to your customer data and you control your customer data if you leave the service.
You have options to control the security of your customer data.
We do not use customer data for advertising.
We use logical isolation to segregate each customer's data from that of others.
We do not offer direct access to customer data. We believe that you should control your own data. Microsoft does not give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct.
We build privacy into the features and services of the Microsoft cloud.
Microsoft contractual commitments back our privacy best practices.
Privacy protections in the Microsoft Cloud are grounded in the Microsoft Privacy Standard, which includes addressing privacy requirements in the process of developing software.

Services within the Microsoft Cloud meet key international and industry-specific compliance standards, such as ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA imposes on our customers that may be "covered entities" under the law security, privacy, and reporting requirements regarding the processing of electronic protected health information.
Health Information Trust Alliance (HITRUST): standard by U.S. healthcare organizations, HITRUST has established the Common Security Framework (CSF), a certifiable framework for organizations that create, access, store, or exchange personal health and financial information.
Federal Information Security Management Act (FISMA) requires U.S. federal agencies to develop, document, and implement controls to secure their information and information systems.
Federal Risk and Authorization Program (FedRAMP) is a federal risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services.
European Union (EU) Model Clauses: a key instrument of EU privacy and human rights law, requires our customers in the EU to legitimize the transfer of personal data outside of the EU.
ISO 27001: ISO 27001 is one of the best security benchmarks available in the world. Office 365 has been verified to meet the rigorous set of physical, logical, process and management controls.

You must know, through clearly stated and readily available policies and procedures, where your customer data is stored and how we help secure it, as well as who can access it and under what circumstances.
You know what we do to help secure your data: We start by building security into software code using the Security Development Lifecycle. This company-wide, mandatory development process embeds security requirements into the entire software lifecycle, from planning through deployment.
You know where your data is stored and how it is used: Microsoft Cloud customers know the location, in our datacenters around the globe, where their customer data is stored. Each Microsoft cloud service has its own location policies for customer data:
You know who can access your data and under what conditions: The Online Services Terms offer contractual commitments that govern access to your data in the Microsoft Cloud, including the use of subcontractors and disclosure of data.
We are transparent about how we respond to government requests for data: When a government or law enforcement makes a lawful demand for customer data from Microsoft, we are committed to transparency and limit what we disclose.
You can review the standards certifications for Microsoft cloud services: To demonstrate that Microsoft Cloud controls deliver compliance that you can rely on, our enterprise cloud services are independently validated through certifications and attestations, as well as third-party audits.

COMMON QUESTIONS AND OBJECTIONS

Who owns the data we store in your service? Will you use our data to build advertising products? Can we get our data out of your service?
You own and control your data. We do not use your data for anything other than providing you with the service that you have subscribed for. As a service provider, we do not scan your email or documents for advertising purposes. You own your data and retain all rights. During and for 90 days after your subscription, you can download a copy of all your data at any time and for any reason.

Do we have visibility into where you store our data? Are you transparent with the way you use and access our data?
We are transparent about where your data is located. You can visit: Where is my data in the Office 365 Trust Center. We also share important aspects of data storage, such as where your data resides in terms of geographic location, who at Microsoft can access it, and what we do with that information internally. You can visit: Who can access your data section of the Office 365 Trust Center.

What is your approach to security and which security features do you offer to protect your service from external attacks?
When it comes to security features, there are broadly two types of categories: 1) built-in security and 2) customer controls. Built-in security represents all the measures that Microsoft takes on behalf of all Office 365 customers to protect your information and run a highly available service. Customer controls are features that enable you to customize Office 365 to meet the specific needs of your organization. You can get details about both types of security features in the Security section of the Office 365 Trust

How do you ensure that your service is reliable and what are your commitments here?
We apply best practices in design and operations, such as redundancy, resilience, distributed services, and monitoring, to name a few. We recently started publishing our quarterly uptime numbers for the service. The uptime number for the most recent quarter exceeds 99.9%. We offer 99.9% uptime via a financially backed service level agreement. If a customer experiences monthly uptime that is less than 99.9%, we compensate that customer through service credits.

RESOURCES
Microsoft Trust Center
**Tour of Microsoft Datacenter. Watch this video
Microsoft Azure Trust Center
Office 365 Trust Center
Microsoft Dynamics Online Trust

Connect to Information Remotely
Enable Mobile Workforce
Track all customer interactions
Understand customers/the business
Respond quickly to customers' needs