Compliance and Cloud: a Shared Responsibility
Transcript of the slide deck (source: cip.org.pt/wp-content/uploads/2017/06/Sandra-Miranda-Ferreira-Microsoft.pdf)

Slide 1: Compliance and Cloud: a Shared Responsibility
Sandra Miranda Ferreira, Chief Technology Officer, Microsoft Portugal
Slide 2: Protecting customer privacy with GDPR
Slide 3: How can I get started?
1. Discover: identify what personal data you have and where it resides
2. Manage: govern how personal data is used and accessed
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: keep required documentation, manage data requests and breach notifications
Slide 4: The major drivers of IT governance
• Keep risk at acceptable levels
• Maintain availability of systems and services
• Comply with relevant laws and regulation
• Protect customer and company data
Slide 5: Managing compliance is complex
Managing compliance is increasingly difficult, due to the number of standards and regulations and to the international differences between them.
Compliance is even more of a challenge for regulated industries such as healthcare or financial services.
Standards and regulations are constantly changing, making it even more difficult for a business to keep abreast of electronic data handling laws.
Slide 6
• On-demand self-service: users can provision services on their own
• Resource pooling: multiple users and dynamic access to pooled resources
• Rapid elasticity: resources can expand or contract as quickly as they are used or freed
• Measured service: services are charged based on what is used
Slide 8
• Infrastructure investments
• Highly-regulated industries
• Global requirements
• Local & regional compliance requirements
• Future requirements
Slide 9: Compliance framework
We look for commonality in compliance controls and implement scalable solutions that either a customer can manage via Azure, or we can manage via internal tooling.
Compliance program -> Controls -> Azure solutions | Internal tooling
Our role in compliance engineering is to take these standards and actualize them to controls that Microsoft needs to implement.
Slide 10: Azure has the most comprehensive compliance coverage in the industry
Global: ISO 27001, ISO 27018, ISO 27017, ISO 22301, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation
US Government: JAB P-ATO (High), JAB P-ATO (Moderate), DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, FIPS 140-2, SP 800-171, ITAR, Section 508 VPAT, CJIS, IRS 1075
Industry: HIPAA / HITECH Act, FERPA, GxP 21 CFR Part 11, PCI DSS Level 1, MARS-E, FFIEC, HITRUST, IG Toolkit UK, GLBA, FACT UK, MPAA, CDSA, Shared Assessments
Regional: Singapore MTCS, UK G-Cloud, Australia IRAP/CCSL, FISC Japan, New Zealand GCIO, China GB 18030, China TRUCS, China DJCP, EU Model Clauses, ENISA IAF, Privacy Shield, Argentina PDPA, Japan CS Mark Gold, Japan My Number Act, Spain ENS, Spain DPA, Canada Privacy Laws, India MeitY, Germany IT Grundschutz workbook
Slide 11: A two-way partnership with our customers
It’s more complex than just meeting a checklist of standards and regulations.
Clearly defined roles and responsibilities are essential.
Partnership between the customer, who owns the data along with the legal obligations for the handling of the data, and the cloud vendor, who acts as the data processor and must also handle the data in compliance with regulations.
Slide 12: Cloud customer and cloud provider responsibility
Provider management of risk: Physical | Networking
Customer management of risk: Data classification and data accountability
Shared management of risk: Identity & access management | End point devices

Responsibility areas, compared across On-Prem, IaaS, PaaS and SaaS:
• Data classification and accountability
• Application level controls
• Network controls
• Host infrastructure
• Physical security
• Client & end-point protection
• Identity & access management
Slide 13: aka.ms/stp
Slide 15: Microsoft’s commitment to compliance
• Lower costs for achieving compliance
• Assurance of adherence to international privacy and security standards
• Respect for the rules of highly regulated industries
• Decreased overall risk for your data and your business
Slide 16: Compliance is a Shared Responsibility
We are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.
Slide 17
• Microsoft.com/GDPR