Compliance and Cloud: a Shared Responsibility
Sandra Miranda Ferreira, Chief Technology Officer – Microsoft Portugal
18 pages

Transcript of "Compliance and Cloud: a Shared Responsibility"
Source: cip.org.pt/wp-content/uploads/2017/06/Sandra-Miranda-Ferreira-Microsoft.pdf

Page 1: Compliance and Cloud: a Shared Responsibility

Sandra Miranda Ferreira, Chief Technology Officer – Microsoft Portugal

Page 2:

Protecting customer privacy with GDPR

Page 3:

How can I get started?

1. Discover: identify what personal data you have and where it resides.
2. Manage: govern how personal data is used and accessed.
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Report: keep required documentation, manage data requests and breach notifications.

Page 4:

The major drivers of IT governance

- Keep risk at acceptable levels
- Maintain availability of systems and services
- Comply with relevant laws and regulation
- Protect customer and company data

Page 5:

Managing compliance is complex

Managing compliance is increasingly difficult, due to the number of standards and regulations and to international differences.

Compliance is even more of a challenge for regulated industries such as healthcare or financial services.

Standards and regulations are constantly changing, making it even more difficult for a business to keep abreast of electronic data handling laws.

Page 6:

On-demand self-service: users can provision services on their own.

Resource pooling: multiple users and dynamic access to pooled resources.

Rapid elasticity: resources can expand or contract as quickly as they are used or freed.

Measured service: services are charged based on what is used.

Page 7:

Page 8:

- Infrastructure investments
- Highly regulated industries
- Global requirements
- Local and regional compliance requirements
- Future requirements

Page 9:

Compliance framework

We look for commonality in compliance controls and implement scalable solutions that either a customer can manage via Azure, or we can manage via internal tooling.

Compliance program -> Controls -> Azure solutions | Internal tooling

Our role in compliance engineering is to take these standards and actualize them as controls that Microsoft needs to implement.

Page 10:

Azure has the most comprehensive compliance coverage in the industry

Global: ISO 27001; SOC 1 Type 2; ISO 27018; CSA STAR Self-Assessment; ISO 27017; SOC 2 Type 2; SOC 3; ISO 22301; CSA STAR Certification; CSA STAR Attestation; ISO 9001

US government: High JAB P-ATO; Moderate JAB P-ATO; ITAR; Section 508 VPAT; SP 800-171; FIPS 140-2; CJIS; DoD DISA SRG Level 2; DoD DISA SRG Level 4; DoD DISA SRG Level 5; IRS 1075

Industry: HIPAA / HITECH Act; FERPA; GxP 21 CFR Part 11; CDSA; Shared Assessments; FACT UK; GLBA; PCI DSS Level 1; MARS-E; FFIEC; MPAA; HITRUST; IG Toolkit UK

Regional: Singapore MTCS; UK G-Cloud; Australia IRAP/CCSL; FISC Japan; New Zealand GCIO; China GB 18030; EU Model Clauses; ENISA IAF; Argentina PDPA; Japan CS Mark Gold; Japan My Number Act; Spain ENS; China TRUCS; Canada Privacy Laws; Privacy Shield; India MeitY; Germany IT Grundschutz workbook; Spain DPA; China DJCP

Page 11:

A two-way partnership with our customers

It's more complex than just meeting a checklist of standards and regulations.

Clearly defined roles and responsibilities are essential.

Partnership between the customer, who owns the data along with the legal obligations for the handling of the data, and the cloud vendor, who acts as the data processor and must also handle the data in compliance with regulations.

Page 12:

Provider management of risk: Physical | Networking

Customer management of risk: Data classification and data accountability

Shared management of risk: Identity & access management | End point devices

Responsibility matrix (legend: Cloud Customer / Cloud Provider; columns: On-Prem, IaaS, PaaS, SaaS). The per-cell customer/provider assignment is shown only as shading in the original slide and is not recoverable from the text.

| Responsibility | On-Prem | IaaS | PaaS | SaaS |
| --- | --- | --- | --- | --- |
| Data classification and accountability | | | | |
| Application level controls | | | | |
| Network controls | | | | |
| Host infrastructure | | | | |
| Physical security | | | | |
| Client & end-point protection | | | | |
| Identity & access management | | | | |

Page 13:

aka.ms/stp

Page 14:

Page 15:

Microsoft's commitment to compliance

- Lower costs for achieving compliance
- Assurance of adherence to international privacy and security standards
- Respect for the rules of highly regulated industries
- Decreased overall risk for your data and your business

Page 16:

Compliance is a Shared Responsibility

We are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.

Page 17:

• Microsoft.com/GDPR

Page 18:

[email protected]

Thank you