Cloud Security Readiness Tool Security trends report:
12,000 anonymized survey results
Worldwide user base
Security trends for Banking:
38% of surveyed financial organizations do not have budgeted disaster recovery plans
37% of surveyed financial organizations do not use standardized data classification
23% of surveyed financial organizations have adequate policies and practices for secure data disposal
Security trends for Healthcare:
51% of surveyed healthcare organizations conduct system-wide data backups that are tested regularly
31% of surveyed healthcare organizations have a disaster recovery program
23% of surveyed healthcare organizations cannot prevent a power outage from affecting their organization
Security trends for Government:
45% of surveyed public sector organizations do not use standardized data classification
40% of surveyed public sector organizations still use paper nondisclosure agreements (NDAs) and use them inconsistently
33% of surveyed public sector organizations do not have uniformly enforced security policies
Security trends for Retail:
72% of surveyed retail organizations do not have budgeted disaster recovery plans
51% of surveyed retail organizations do not have a plan for responding to security breaches
31% of surveyed retail organizations do not use role-based access control
Key Findings: Benefits for SMBs that use the cloud
Security: 94% experienced security benefits in the cloud that they didn't previously have on premise
Privacy: 62% said that their levels of privacy protection increased as a result of moving to the cloud
Reliability: 75% said they experienced improved service availability since moving to the cloud
Key Findings: Reinvesting savings from the cloud (USA summary)
70% reinvested money saved with cloud in other areas of their business
50% have pursued new opportunities because of the time they saved managing security
Problems you face:
Can you improve your people, processes, and technologies?
What are your current IT capabilities?
Can cloud reduce your risks while reducing cost?
Risks and rewards of the cloud: benefits versus concerns
Items shown on the slide: privacy, security, reliability, scalability, increased agility, flexibility, reduced costs
Provider is your partner
Risk categories: risks a CSP can help reduce; risks customers must manage; shared risks
Risk areas shown: data classification, endpoint devices, physical, networking, identity and access management
SDL and ISO/IEC
SDL phases: Training, Requirements, Design, Implementation, Verification, Release, Response
1. Core Security Training
2. Establish Security and Privacy Requirements
3. Create Quality Gates/Bug Bars
4. Perform Security and Privacy Risk Assessments
5. Establish Design Requirements
6. Perform Attack Surface Analysis/Reduction
7. Use Threat Modeling
8. Use Approved Tools
9. Deprecate Unsafe Functions
10. Perform Static Analysis
11. Perform Dynamic Analysis
12. Perform Fuzz Testing
13. Conduct Attack Surface Review
14. Create an Incident Response Plan
15. Certify Release and Archive
16. Certify Release and Archive
17. Execute Incident Response Plan
ISO/IEC :2011 "Annex A" provides an example alignment of an existing process based on the Microsoft Simplified SDL to the framework and structures of ISO.
ISO lifecycle stages: Preparation, Development, Transition, Utilization
Why Data Classification
Allows organizations to categorize their stored data by sensitivity and business impact
Helps optimize data management for cloud adoption
Sensitivity | Terminology model 1 | Terminology model 2
High | Confidential | Restricted
Medium | For internal use only | Sensitive
Low | Public | Unrestricted
Solution for sensitive data
Cloud Security Alliance (CSA)
Global not-for-profit organization
Provider and User Certification
Accepted global authority for trust in the cloud
Control Areas
security policies and procedures?
security policies review process?
security program is updated?
personnel background checks?
(NDA) requirements?
physical access by role?
security policies and procedures?
employee change/termination process?
physical security access method?
equipment support contracts?
data classification efforts?
Who grants access to data?
data retention and recovery program?
destroys data?
security policies and procedures?
staging to production requirements?
application testing using customer data?
asset inventory program?
conducts risk assessments?
responds to an incident?
disaster recovery plan?
capacity planning efforts?
selects its data center location(s)?
redundancy if utility service outages should occur?
patch management processes?
antivirus efforts?
firewalls to protect data?
time setting policies?
Cloud Security Readiness Tool: Where are we? Where will we be?
Cyber Security: Building a Trustworthy Cloud
Transparency, Operational Security Assurance, Privacy, Compliance, Secure Development Lifecycle, Privacy by Design
Microsoft Security Intelligence Report (SIR): Promoting Understanding of Today's Threats
The Microsoft Security Development Lifecycle
Phases: Start, Secure Design, Secure Implementation, Verification, Final Security Review, Release, Incident Response (MSRC)
Goals: Protect Microsoft customers by reducing the number of vulnerabilities and reducing the severity of vulnerabilities
Key Principles:
Secure by design
Eliminate security problems early
Prescriptive yet practical approach
Proactive, not just "looking for bugs"
Operational Security Assurance (OSA)
Complements industry standards
Builds upon Microsoft experience with operating cloud services at scale
Proven, scalable methodology
Internet-based threats
Continuously updated
Complementary Model
OSA Methodology
Microsoft Certifications & Attestations
International Organization for Standardization (ISO)
Cloud Security Alliance Cloud Control Matrix (CCM)
European Union Data Privacy
Family Educational Rights and Privacy Act (FERPA)
The Gramm-Leach-Bliley Act (GLBA)
UK Government accreditation for Impact Level (IL) 2 data
Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA)
Federal Risk and Authorization Management Program (FedRAMP)
Service Organization Control SOC 2
European Union (EU) Model Clauses
Federal Information Security Management Act (FISMA) Authorization to Operate (ATO)
Cloud Security Alliance (CSA): CSA Security, Trust & Assurance Registry
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
Microsoft's Standard Responses for STAR: specific details about Office 365, Windows Azure and Dynamics CRM controls are mapped to the CCM. Available on Microsoft trust centers.
Microsoft's Commitment
Groups: Worldwide Public Sector; Digital Crimes Unit; Microsoft IT; Microsoft Services; Trustworthy Computing (Security, Reliability, Privacy; Secure Development & Secure Operations; TwC Network Security); Microsoft Security Response Center; Global Security Strategy & Diplomacy
Criminal Law Enforcement, Government, Industry
Solutions, Initiatives, Innovations
Policy, Innovation, Consulting
Response, Support, Risk Assessment, Cyber Security Services
Product Life Cycle: Conception, Release
Ecosystem & Policy Innovation: Internal, External; Fundamentals, Innovation, Partnerships
Security Development Lifecycle (SDL)
Operational Security Assurance (OSA)
Investigate and respond to all security concerns that affect Microsoft products and services
Identity & Access Management solutions
Protect against the latest malware threats
Business and IT Risk Management
Remote Security Incident Reporting
Policy & Advocacy
Fight IP Crimes, Fraud, and Child Exploitation
Provide early access to intel for security partners
Advisory Services and Risk Assessments