The trust questions… Is cloud computing secure? Are Microsoft Online Services secure? Security...
1. Trusting Office 365
2. Overview of Office 365 for Government
Bob Ballard, Chief IT Strategist, Public Sector, Microsoft
The trust questions…
Is cloud computing secure?
Are Microsoft Online Services secure?
Security
Where is my data?
Who has access to my data?
Transparency
What does privacy at Microsoft mean?
Are you using my data to build advertising products?
Privacy
What certifications and capabilities does Microsoft hold?
How does Microsoft support customer compliance needs?
Do I have the right to audit Microsoft?
Compliance
Choices to keep Office 365 Customer Data separate from consumer services.
Office 365 Customer Data belongs to the customer. Customers can export their data at any time.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
Privacy at Office 365
No Mingling
Data Portability
No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.
No Advertising
Transparency
Microsoft notifies you of changes in data center locations.
Core Customer Data accessed only for troubleshooting and malware prevention purposes.
Core Customer Data access limited to key personnel on an exception basis.
How to get notified?
Who accesses and What is accessed?
Clear Data Maps and Geographic boundary information provided.
‘Ship To’ address determines Data Center Location.
Where is Data Stored?
Service Security – Defense in Depth
A risk-based, multi-dimensional approach to safeguarding services and data
Security Management: Threat and vulnerability management, monitoring, and response
Network perimeter: Edge routers, intrusion detection, vulnerability scanning
Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
Host: Access control and monitoring, anti-malware, patch and configuration management
Application: Secure engineering (SDL), access control and monitoring, anti-malware
Data: Access control and monitoring, file/data integrity
User: Account management, training and awareness, screening
Facility: Physical controls, video surveillance, access control
Compliance update
Standard | Applies to | Status
ISO 27001 | All customers | Available
EU Safe Harbor | EU customers | Available
SSAE 16 (Statement on Standards for Attestation Engagement) SOC 1 (Type I & Type II) compliance | Primarily US customers | Available
FISMA | US Government | Available
HIPAA/BAA | All Customers | Available
EU Model Clauses | EU Customers | Available
Data Processing Agreement | All Customers | Available
FERPA | EDU Customers | Available
Compliance with key standards
Office 365 for Government
Government community cloud
Why a US Government community cloud?
Given the strong sense of affinity and community within many government agencies, there has been a strong demand for a cloud made specifically for the government.
In response to this demand, Microsoft has added Office 365 for Government to the portfolio of our Cloud offerings.
Office 365 For Government will be built to the same Enterprise security standards that the Office 365 For Enterprise offering has today.
Physically segmented core customer data
Public Trust Medium Govt. adjudicated BI’s
Multi-Tenant Cloud
Multi-Tenant Public Cloud
• Microsoft offering for all worldwide customers
• US Government data stored in US data centers
• FISMA ATO with 1 agency & submitted for ATO with several agencies
• Microsoft background investigations
Office 365 For Government
• Microsoft offering for qualifying US Govt. customers
• US Govt. tenants segregated from Enterprise cloud tenants
• Based on NIST definition of community cloud
• FISMA package to be submitted for ATO with first customer
• Public Trust Moderate Background Investigations
Dedicated Cloud
Enterprise-Dedicated Cloud
• Dedicated infrastructure for each customer
• Microsoft background investigations
Dedicated - ITAR
• Dedicated infrastructure for each qualifying customer
• Isolated & separate from Dedicated Public Cloud in caged env.
• FISMA-Moderate ATO from USDA
• Support for customers complying with ITAR regulatory controls
• Public Trust High Background Investigations
GCC: Integral part of Microsoft cloud vision
Cloud | Availability | Tenant Community | Customer Data Location At Rest | ITAR Regulatory Support | Position Of Public Trust | FISMA Package | FISMA ATO
Multi-Tenant Public Cloud | Anyone | Public community | Regionally Located | No | Microsoft Background Check | FISMA Moderate | Yes
GCC | US Govt. entities with *.GOV or *.MIL domain extensions | US Govt. Community | US Located & Community Segregated | No | Moderate | FISMA Moderate | Security package ready for customer review
ITAR | US Govt. entities & qualifying commercial entities | Individual customer | US Located & Customer Segregated | Yes | High | FISMA Moderate | Yes
1 Details of FISMA Moderate package will vary by environment.
2 The FISMA package includes a list of control implementations, operational procedures and testing that shows how the service complies with NIST requirements. The FISMA ATO (Authority To Operate) indicates that a Federal entity has reviewed and approved the FISMA Package.
What you will find in each cloud?
Core Customer data is segregated
• Exchange – Separate Forest
• SharePoint – Separate Farm
“Core Customer Data” refers to data generated by the customer in the course of their business and provided to O365 teams to hold in the course of providing services, defined as “Core Customer Data” in the O365 Asset Classification* policy.
Core Customer Data is located on US soil
Other data classes are handled according to existing O365 MT standards as described in the Trust Center (e.g., existing regional controls for PII).
Core Customer Data
• Email body
• SharePoint files body
• SharePoint site content
• Blob or structured storage data
Data segregation
1. What is IPv6: IPv6 (Internet Protocol version 6) is a version of the Internet Protocol intended to succeed IPv4, which is the protocol currently used to direct almost all Internet traffic.
• Data transfer on the Internet happens via packets that are routed across networks by routing protocols. Packets require an addressing scheme (IPv4/IPv6) to specify source and destination addresses.
• Each host, computer or other device on the Internet requires an IP address in order to communicate.
2. Depletion of IPv4 addresses: The last block of IPv4 addresses was assigned in February 2011.
• Perception: Office 365 needs to be seen as supporting IPv6. This perception decides RFP wins. The objections to IPv6 below may not matter.
• There may be unused IPv4 blocks that can be re-released.
• Current IPv4 addresses should be enough. No one really uses IPv6.
3. Industry trend: IPv6 solves the problem of IPv4 address depletion by offering a virtually limitless pool of IP addresses that can be used by computers, smartphones, home appliances, gaming devices and all sorts of sensors and actuators that have yet to be invented.
4. Primary reason to use IPv6: IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports 2 to the 128th power devices (greater than billion devices per human being on the planet).
What is the next big Government initiative? IPv6
Office 365 Trust Center
Clear messaging with plain English
Details for security experts
Links videos, whitepapers
http://trust.office365.com