Javier Salido, CIPP
Sr. Program Manager, Trustworthy Computing Group, Microsoft Corporation
SESSION CODE: SIA337
*Source: Ponemon study, “Cost of a Data Breach,” January
*Source: Joshua Gómez, Travis Pinnick and Ashkan Soltani, “KnowPrivacy,” June
DGPC Framework

People (DGPC “Aware” Culture)
- Executive management commitment
- Engaged management team
- Integrated governance organization
- Trained, aware, and accountable

Process (DGPC Embedded in Processes)
- Structured and repeatable processes
- Practical and enforceable policies
- Harmonized frameworks and standards
- Effective internal control environment

Technology (DGPC Enabled in Technology)
- Secure infrastructure
- Identity and access control
- Information protection
- Auditing and reporting
Integrated GRC (diagram)

Activities:
- Manage DGPC Organization
- Manage DGPC Requirements
- Manage DGPC Strategy & Policies
- Manage DGPC Control Environment

Elements:
- GRC Authority Documents: External regulations, Control Frameworks, Security & Privacy Standards, Business Strategy
- Harmonized GRC Guidance (e.g. UCF)
- Requirements: Business, Data, Compliance
- DGPC Strategy: Data Privacy & Confidentiality Principles
- DGPC Policies (Data Classification)
- DGPC Controls: Manual Controls, Technical Controls
Information lifecycle (diagram): Collect, Update, Process, Delete, Transfer. A Transfer starts a new lifecycle.
Technology domains and what they safeguard

Secure Infrastructure
- Safeguards against malware
- Safeguards against unauthorized access to sensitive info
- Protect systems from evolving threats

Identity and Access Control
- Protect personal information from unauthorized access or use
- Provide management controls for identity, access and provisioning

Information Protection
- Protect sensitive personal information in structured databases
- Protect sensitive personal information in unstructured documents, messages and records, through encryption
- Protect data while on the net

Auditing and reporting
- Monitor to verify integrity of systems and data
- Monitor to verify compliance with business processes
Matrix layout: columns are the technology domains (Secure Infrastructure, Identity and Access Control, Information Protection, Auditing and reporting) plus Manual Controls; rows are the four DGPC objectives:
1. Honor policies throughout the information lifecycle
2. Minimize risk of data misuse
3. Minimize impact of data loss
4. Demonstrate effectiveness of data protection policies and measures
Risk analysis steps: Establish a context for analysis > Identify (model) potential threats > Analyze risks > Determine risk treatment > Evaluate effectiveness

Step 1, Establish a context for analysis:
- Clearly define the business purpose of the flow
- Identify privacy, security and compliance objectives for the flow
- Identify systems using the data
Figure: data flow diagram with Customer, Application Server, Log Storage and Cloud Provider.
Step 2, Identify (model) potential threats:
- Diagram of flow: Data Flow Diagrams (DFD), data stores & data flows
- Place trust boundaries!
- Threat identification
Figure: the same data flow diagram (Customer, Application Server, Log Storage, Cloud Provider) with a trust boundary added.
Step 2 (continued), threat identification:
- How to do this without being an expert?
- Use a method to step through
- Get specific about threats
Threats by privacy principle:
- Choice and Consent: options have to be displayed clearly in order to obtain appropriate consent
- Access and Correction: customer not able to view/modify personal information
- Accountability: customer PII is not properly classified
- Compliance: compliance reports not defined, escalation path to business owners is not specified
- Information Protection: customer information is sent in the clear, over an unauthenticated channel
- Data Quality: quality depends on customer, no threat
See Microsoft’s Application Privacy Assessment:
See Microsoft’s IT Infrastructure Threat Modeling Guide:
Step 3, Analyze risks:
- Build the Risk/Gap analysis matrix
- Apply existing mitigations
- Identify residual risk
Existing mitigations placed in the matrix (numbers in parentheses are the DGPC objectives each mitigation addresses; columns: Secure Infrastructure, Identity and Access Control, Information Protection, Auditing and reporting, Manual Controls):
- Servers are on regular OS and app patch cycle, and up-to-date in malware signatures (2)
- Incoming data is correctly classified and tagged as per customer choice and consent (1,2)
- Choices are displayed and consent obtained as per MPSD guide (1)
- Transaction log data is encrypted in transit and at rest (3,4)
- All material transactions are to be logged as per logging framework (3,4)
- Communications channel to the log servers, and the log servers themselves, are monitored. Failover process to local log servers in processor facilities is up and running (4)
Step 4, Determine risk treatment:
- Identify additional mitigations
- Determine risk treatment for each residual risk: Mitigate, Transfer, or Assume
Matrix after risk treatment (existing mitigations unnumbered; additional mitigations marked with the DGPC objectives they address):
- Servers are on regular OS and app patch cycle, and up-to-date in malware signatures
- Incoming data is correctly classified and tagged as per customer choice and consent
- All transactions to take place on an authenticated communications channel (2)
- Choices are displayed and consent obtained as per MPSD guide
- Transaction log data is encrypted in transit and at rest
- All material customer transactions arrive over an encrypted comms channel (2)
- All material transactions are to be logged as per logging framework
- Communications channel to the log servers, and the log servers themselves, are monitored. Failover process to local log servers in processor facilities is up and running
- Alerts and alert recipients defined and operational (3,4)
- Set of access and use reports, along with recipients and delivery schedules, are defined (3,4)
- Define escalation path for issues (3,4)
Step 5, Evaluate effectiveness:
- Ensure you are covering the entire data lifecycle
- Examine each trust boundary
- Have you made a clear decision of how each risk will be treated?
- Are mitigations done right?
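The risk/gap matrix the steps above walk through, as an added example that is not part of the session deck: each mitigation from the slides is tagged with the DGPC objectives (1 to 4) it addresses, the objective-by-domain matrix is built, and the empty cells (residual risk) are listed before and after the additional mitigations, along with any gap that still lacks a Mitigate/Transfer/Assume decision. The domain each mitigation is placed in is my own reading of the slides; the deck does not state it.

```python
from collections import defaultdict
# Added example, not from the session deck. Which domain each mitigation
# sits in is my own reading of the slides; the deck does not state it.
OBJECTIVES = {
    1: "Honor policies throughout the information lifecycle",
    2: "Minimize risk of data misuse",
    3: "Minimize impact of data loss",
    4: "Demonstrate effectiveness of data protection policies and measures",
}
DOMAINS = ["Secure Infrastructure", "Identity and Access Control",
           "Information Protection", "Auditing and reporting", "Manual Controls"]
# (domain, mitigation, objectives addressed): the slide's existing mitigations
EXISTING = [
    ("Secure Infrastructure", "Servers on patch cycle, malware signatures current", {2}),
    ("Manual Controls", "Incoming data classified and tagged per choice and consent", {1, 2}),
    ("Manual Controls", "Choices displayed and consent obtained per MPSD guide", {1}),
    ("Information Protection", "Transaction log data encrypted in transit and at rest", {3, 4}),
    ("Auditing and reporting", "Material transactions logged per logging framework", {3, 4}),
    ("Auditing and reporting", "Log channel and servers monitored, failover running", {4}),
]
# The additional mitigations the slide adds in the risk-treatment step
ADDITIONAL = [
    ("Identity and Access Control", "All transactions on an authenticated channel", {2}),
    ("Information Protection", "Customer transactions arrive over encrypted channel", {2}),
    ("Auditing and reporting", "Alerts and alert recipients defined and operational", {3, 4}),
    ("Auditing and reporting", "Access and use reports, recipients and schedules defined", {3, 4}),
    ("Manual Controls", "Escalation path for issues defined", {3, 4}),
]

def build_matrix(mitigations):
    """Map each (domain, objective) cell to the mitigations that cover it."""
    matrix = defaultdict(list)
    for domain, text, objectives in mitigations:
        for obj in objectives:
            matrix[(domain, obj)].append(text)
    return dict(matrix)

def gaps(matrix):
    """Empty cells: residual risk that still needs a treatment decision."""
    return [(d, o) for d in DOMAINS for o in OBJECTIVES if (d, o) not in matrix]

def untreated(matrix, decisions):
    """Gaps with no explicit Mitigate / Transfer / Assume decision recorded."""
    allowed = ("mitigate", "transfer", "assume")
    return [g for g in gaps(matrix) if decisions.get(g) not in allowed]

if __name__ == "__main__":
    before, after = build_matrix(EXISTING), build_matrix(EXISTING + ADDITIONAL)
    print(len(gaps(before)), "gaps before,", len(gaps(after)), "after")
    for cell in gaps(after):
        print("residual:", cell)
```

An empty cell is not automatically a failure; the point of step 5 is that every remaining gap carries a recorded decision rather than being overlooked.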
Trustworthy Computing
Figure: cloud stack layers (Network, Storage, Server, Virtual Machine, Application), shown in four variants. Source: Mather, Kumaraswamy and Latif, “Cloud Security and Privacy,” O’Reilly 2009.
Cloud provider audits and attestations:
- Ask to see independent third party audits and attestations
- Understand exactly what the certification/attestation is verifying (ISO, SAS 70 Type I and Type II)
- Understand what is covered and what is not covered: coverage of the platform does not imply coverage of applications
Questions for a cloud provider, by domain

Secure Infrastructure
- Safeguards against malware (filtering: spam, antivirus, firewalls)
- Protect systems from evolving threats (patching and testing)
- Virtualization: how is it used (depends on service type)
- PaaS development process from a security/privacy perspective
- Roles and responsibilities between you and provider

Identity and Access Control
- Provisioning and administration of accounts
- Model: role/group based, least privilege
- Monitoring and auditing of accounts
- Provider access to your data
- Roles and responsibilities between you and provider

Information Protection
- Encryption of data while in storage and in transit
- Key management
- Data integrity and backups, data disposal methods
- Data collection and retention by provider
- Data loss/leakage prevention
- Roles and responsibilities between you and provider

Auditing and reporting
- What can be monitored and reported by provider?
- How does that meet your compliance needs?
- Roles and responsibilities between you and provider