Microsoft Trusted Cloud - Security Privacy & Control, Compliance, Transparency


Microsoft Trusted Cloud: Security, Privacy & Control, Compliance, Transparency
Wednesday, 15 June 2016, 09:51

DI. Harald Leitenmüller, Chief Technology Officer, Microsoft Österreich GmbH

#fdAustria


Is my data secure?
Does my data belong to me?
Am I in control?

People are asking: What does the end of Safe Harbor mean?


Situation: The Court of Justice declares that the Commission's US Safe Harbor Decision is invalid (Press Release No 117/15)

EU-US Privacy Shield


Microsoft Cloud Portfolio - EUROPE
Consistent platforms and applications | A single management console

Private Cloud: consolidated data operations
MICROSOFT SOLUTIONS: Windows Server, System Center, Windows Azure Pack

Public Cloud Europe: high scalability, flexibility and cost efficiency
MICROSOFT SOLUTIONS: Microsoft Azure, Office 365, Dynamics CRM Online

Public Cloud Germany: high scalability, flexibility and German data trusteeship
MICROSOFT SOLUTIONS: Microsoft Azure Deutschland, Office 365 Deutschland, Dynamics CRM Online Deutschland

Hybrid Cloud: the step into the cloud
MICROSOFT SOLUTIONS: Risk Assessment and Data Governance services


Security

Privacy & Control

Transparency

Compliance

Our Trust Principles

New: https://trustportal.office.com


6/15/2016. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Threat Tree 1: Overview

1 Readable customer data disclosed to a third party [1.1 AND 1.2]
  1.1 Customer data disclosed to a third party
    1.1.1 Accidental data spillage
    1.1.2 Data disclosure due to law enforcement / intelligence request
    1.1.3 Deliberate compromise leading to disclosure of customer data
      1.1.3.1 Cloud service provider (CSP) infrastructure compromised
      1.1.3.2 Customer infrastructure compromised
      1.1.3.3 Compromise of systems outside cloud provider or customer control
  1.2 Customer data is readable
2 Customer data permanently lost
3 Disruption of cloud service

Linked trees: Threat Tree 3, Threat Tree 2, Threat Tree 4, Threat Tree 5, Threat Tree 6, Threat Tree 7

Legend: Root Risk Event, Conditions, Technical Controls, Process Controls, Consumer Applied Control

Threat Tree 1.2: Customer Data is Readable

1.2 Customer data is readable
  1.2.1 Data is not encrypted
  1.2.2 Encryption keys become known
    1.2.2.1 Encryption keys lost by the cloud provider
      1.2.2.1.1 Cloud provider infrastructure compromised (Link: 1.1.3.1, Threat Tree 4)
      AND
      1.2.2.2.2 Breakdown in key management enabling attacker access to keys
    1.2.2.2 Encryption keys lost by the customer
      1.2.2.2.1 Customer infrastructure compromised (Link: 1.1.3.2, Threat Tree 5)
      AND
      1.2.2.2.2 Breakdown in key management enabling attacker access to keys
  1.2.3 Data is weakly encrypted

Controls shown on the slide: Protected Key Storage and Key Management Practices (each shown twice), Encryption at Rest, Data Classification, Encryption in Transit, Cryptographic standards, Policy on Use of Cryptographic Controls, Local Data Encryption
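The two threat trees above can be evaluated mechanically. The following added example (not part of the original slides) encodes them with the slides' node numbers and lists the minimal combinations of basic events that trigger root event 1. Reading unmarked gates as OR, reusing the linked events 1.1.3.1 and 1.1.3.2 as children, and the mapping of controls to leaves are assumptions.

```python
from itertools import combinations

# Gates as numbered on the slides. AND gates are the ones the slides mark;
# reading every unmarked parent as an OR of its children is an assumption.
GATES = {
    "1":       ("AND", ["1.1", "1.2"]),
    "1.1":     ("OR",  ["1.1.1", "1.1.2", "1.1.3"]),
    "1.1.3":   ("OR",  ["1.1.3.1", "1.1.3.2", "1.1.3.3"]),
    "1.2":     ("OR",  ["1.2.1", "1.2.2", "1.2.3"]),
    "1.2.2":   ("OR",  ["1.2.2.1", "1.2.2.2"]),
    # 1.2.2.1.1 and 1.2.2.2.1 are the slides' links to 1.1.3.1 and 1.1.3.2,
    # so the linked event is used directly as the child (assumption).
    "1.2.2.1": ("AND", ["1.1.3.1", "1.2.2.2.2"]),
    "1.2.2.2": ("AND", ["1.1.3.2", "1.2.2.2.2"]),
}
LEAVES = sorted({c for _, kids in GATES.values() for c in kids} - set(GATES))

def occurs(node, events):
    """True if `node` happens given the set of basic events that occurred."""
    if node not in GATES:
        return node in events
    gate, kids = GATES[node]
    results = (occurs(k, events) for k in kids)
    return all(results) if gate == "AND" else any(results)

def minimal_cut_sets(root, blocked=frozenset()):
    """Smallest event combinations that trigger `root`; `blocked` leaves
    are events a control is assumed to have eliminated."""
    found = []
    candidates = [leaf for leaf in LEAVES if leaf not in blocked]
    for size in range(1, len(candidates) + 1):
        for combo in map(frozenset, combinations(candidates, size)):
            if any(cs <= combo for cs in found):
                continue  # a smaller cut set already covers this combination
            if occurs(root, combo):
                found.append(combo)
    return found

if __name__ == "__main__":
    for cs in minimal_cut_sets("1"):
        print(sorted(cs))
    # Assumed mapping: encryption at rest / in transit removes 1.2.1,
    # cryptographic standards remove 1.2.3. What remains depends on keys.
    for cs in minimal_cut_sets("1", blocked={"1.2.1", "1.2.3"}):
        print("residual:", sorted(cs))
```

With 1.2.1 and 1.2.3 blocked, every remaining path to the root runs through 1.2.2.2.2, which is why the slide lists Protected Key Storage and Key Management Practices under both key-loss branches.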


Microsoft Cloud as the trusted cloud
Your data is secure
Your data belongs to you
You are in control

Microsoft Trusted Cloud

Encryption of all data at rest
Encryption of all data in transit
Enhanced event and admin / service access logging
Advanced security monitoring and threat management
Clear guidelines on data location
Greater transparency and simplicity of data use policies and choices
Data accessed only to improve customer experience
Law enforcement requests redirected to the customer
Notification of customers of lawful requests for information; challenging of gag orders
Ability of customers to hold encryption key and revoke Microsoft copy
Complete deletion of data on customer request and on contract termination
Customer choice of data location
Customer option to limit Microsoft access to data


Microsoft Cloud Contracts
MIOL (Microsoft Ireland)
Customer in Austria
Microsoft Corporation (USA)

European Economic Area (EEA)

EU Model Clauses*

Safe Harbor

Controller (Auftraggeber)
Processor (Dienstleister)

OST(Online Services Terms)

EU-US Privacy Shield

Data subjects
* subject to prior approval
Article 29 WP Letter: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140402_microsoft.pdf

EEA = EU Member States + Iceland, Norway, Liechtenstein

International data transfers - DSG 2000
Permissible data processing: covered by purpose and content, no interests worthy of protection violated

Within the EEA:
Only a processor agreement is needed (e.g. a contract with the cloud provider)
No approval by the data protection authority required

Outside the EEA:
Approval by the data protection authority is required in principle
Exceptions:
Third countries with equivalent status
EU standard contractual clauses
Binding Corporate Rules
Consent


EMEA Data Maps: http://o365datacentermap.azurewebsites.net/

Standard contractual clause for online services


Are there other legal ways to send personal data to the USA?
Source: http://www.dsb.gv.at/site/6218/default.aspx

Compliance

External compliance: laws, ordinances, regulation, procedures
Customer Controls: admin control functions such as RBAC, Archiving, RMS, E-Discover, Encryption

Customer Controls: admin control functions such as Data Loss Prevention, Archiving, RMS, E-Discover

Internal compliance: internal rules & architecture
Global compliance: support for global compliance standards such as ISO 27001, ISO 27018, Safe Harbor, EUMC, HIPAA, FISMA, ...
Contractual assurance of privacy, security and careful processing of customer data through Data Processing Agreements

Microsoft / Customer


Certification & EU standard contractual clauses

Yes

ISO 27018: standard for digital privacy in the cloud
6 principles for cloud service providers

No use of data without consent
Transparency: storage location, usage
Customer retains control over data use
Information on return and deletion principles for customer data
Breach notification for personal data
Independent audit

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly adopted ISO/IEC 27018 in July, 2014 after input from representatives from 14 countries and 5 international organizations. See the ISO/IEC 27018 Publication.

ISO/IEC 27018 builds on ISO/IEC 27001, a widely-recognized comprehensive international security standard for implementing and maintaining an information management system. But ISO/IEC 27018 enhances the existing standard in many important ways:

ISO/IEC 27018 is customized for the cloud and includes a range of cloud-specific requirements, including controls that reflect considerations specifically for processing of personally identifiable information in cloud services. For example, the ISO/IEC 27018 controls prohibit the use of customer data for advertising and marketing purposes without the customer's express consent.

ISO/IEC 27018 provides clear standards for cloud service providers for the return, transfer and/or secure disposal of personal information of customers leaving their service.

ISO/IEC 27018 requires the cloud service provider to identify any sub-processor before customers enter into a contract, and inform customers promptly of new sub-processors, to give customers an opportunity to object or terminate their agreement.

Microsoft has added all ISO/IEC 27018 controls into the scope of its ISO/IEC 27001 certification audit. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498.

ISO 27018 is a new international standard for the protection of personal data in cloud, based on EU data protection laws
International standards are applicable in every WTO jurisdiction
Microsoft contributed to the development of ISO 27018, along with other industry players such as SAP and Orange, privacy experts and regulators such as French DPA (CNIL)
ISO 27018 enables verification of compliance with EU regulation by non-experts in just a few seconds
Through 3rd party certification or 3rd party letter of compliance
Enables quick comparison of enterprise cloud service offerings, incl. through transparency measures required by 27018
Such as the data retention period once contract has terminated
Cloud ser