Brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite.

Download Report

Transcript Brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite.

Brings together cloud versions of our most trusted communications
and collaboration products with the latest version of our desktop suite
•
Pay-as-you-go, per-user licensing
•
IM & Presence across firewalls
•
Complete Office experience with services integration
•
GAL/Skill search in SharePoint
•
Always the latest version of Office and Office Web Apps
•
Online meeting with desktop sharing
•
Familiar Office user experience
•
Windows Live federation
•
My Sites to manage and share documents
•
25Gb mailbox with voicemail & unified messaging
•
Access documents offline
•
Integrated personal archiving
•
Document-level permissions
•
Retention policies and legal hold
•
Share documents securely with Extranet Sites
•
Free/busy coexistence
Key Concerns
• Privacy
• Loss of Control
• Regulatory
• Physical/Logical Security
5
Privacy
• What does privacy at Microsoft mean?
• Where is my data?
• Are you using my data to build advertising products?
• Who has access to my data ?
Compliance
Security
• What certifications and capabilities does Microsoft hold?
• Is cloud computing secure?
• How does Microsoft support customer compliance
needs?
• Are Microsoft Online Services secure?
• Do I have the right to audit Microsoft?
6
Transparency
• Clear and understandable
• Details for security experts
• Links videos, whitepapers
•
http://trust.office365.com
Cohesive Process Combining 4 Pillars
Your
Privacy
Matters
8
Leadership in
Independently
Relentless on
You know ‘where’ data
resides, ‘who’ can access it
and ‘what’ we do
with it
Compliance with World
Class Industry standards
verified by
3rd parties
Excellence in Cutting edge
security practices
Transparency
Verified
Security
PRIVACY
SECURITY
PII Controls
Elevation of Privilege
Denial of
Service
Spoofing
Tampering
Repudiation
Information
Disclosure
Notice and
Consent
Breach
Response
Data
Minimization
Transnational
Data Flows
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for
data handling and transfer
No Advertising
• No advertising products out of Customer Data.
• No scanning of email or documents to build analytics or mine data.
Data Portability
• Office 365 Customer Data belongs to the customer.
• Customers can export their data at any time.
No Mingling
• Choices to keep Office 365 Customer Data separate from consumer services.
11
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
Microsoft Online Services Customer Data1
Usage Data
Account and
Address Book Data
Customer Data (excluding
Core Customer data)
Core
Customer Data
Operating and Troubleshooting the Service
Yes
Yes
Yes
Yes
Security, Spam and Malware Prevention
Yes
Yes
Yes
Yes
Improving the Purchased Service, Analytics
Yes
Yes
Yes
No
Personalization, User Profile, Promotions
No
Yes
No
No
Communications (Tips, Advice, Surveys, Promotions)
No
No/Yes
No
No
Voluntary Disclosure to Law Enforcement
No
No
No
No
Advertising5
No
No
No
No
Usage Data
Address Book Data
Customer Data (excluding
Core Customer Data*)
Core Customer Data
Operations Response Team
(limited to key personnel
only)
Yes.
Yes, as needed.
Yes, as needed.
Yes, by exception.
Support Organization
Yes, only as required in response to
Support Inquiry.
Yes, only as required in response to
Support Inquiry.
Yes, only as required in response to
Support Inquiry.
No.
Engineering
Yes.
No Direct Access. May Be Transferred
During Trouble-shooting.
No Direct Access. May Be Transferred
During Trouble-shooting.
No.
Partners
With customer permission. See
Partner for more information.
With customer permission. See
Partner for more information.
With customer permission. See
Partner for more information.
With customer permission. See
Partner for more information.
Others in Microsoft
No.
No (Yes for Office 365 for small
business Customers for marketing
purposes).
No.
No.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global
standards for data handling and transfer
Where is Data Stored?
• Clear Data Maps and Geographic boundary information provided
• ‘Ship To’ address determines Data Center Location
Who accesses and What is accessed?
• Core Customer Data accessed only for troubleshooting and malware prevention purposes
• Core Customer Data access limited to key personnel on an exception basis.
How to get notified?
• Microsoft notifies you of changes in data center locations.
14
Reduce vulnerabilities, limit exploit severity
Education
Process
Administer and track
security training
Guide product teams to meet
SDL requirements
Training
Requirements
Establish Security
Requirements
Core Security
Training
Create Quality
Gates / Bug Bars
Security & Privacy
Risk Assessment
Design
Implementation
Establish Design
Requirements
Use Approved
Tools
Analyze Attack
Surface
Threat
Modeling
Deprecate
Unsafe
Functions
Static Analysis
Accountability
Establish
release criteria
and sign-off
as part of FSR
Verification
Dynamic
Analysis
Fuzz Testing
Attack Surface
Review
Ongoing Process Improvements
Release
Incident
Response
(MSRC)
Response
Incident
Response Plan
Final
Security
Review
Release
Archive
Execute
Incident
Response
Plan
Unique Security Issues Reported
Office XP
Office 2007
111
83
Office 2003
Office 2010
32
9
Office XP
Office 2003
Office 2007
Office 2010
• A method to identify previously unknown vulnerabilities in file
formats
• Office teams fuzzed millions of files 10’s of millions of times
• Led to hundreds of new bugs being fixed
• Used to create XML Schema Definitions (XSD) for binary Office files
• XSDs allow binary files to be quickly scanned for potential problems
DATA
USER
APPLICATION
HOST
INTERNAL NETWORK
NETWORK PERIMETER
FACILITY
• 24x7 guarded facility
• 700,000 square feet
• 10s of 1000s of
servers
• Days of backup
power
Communicate and collaborate more securely using
Exchange, SharePoint, Lync, and Office
Comprehensive
Protection
21
Information
Security
Visibility
and Control
• Multi-layered protection against
spam and malware
• Policy rules that inspect
emails in transit
• Integrated administration, reporting,
and auditing
• Effectiveness guaranteed by 5
financially-backed SLAs
• Integration with AD RMS
to safeguard sensitive data
• Granular control over user
access and permissions
• In-product controls that help protect
users from threats
• End-to-end encryption
of communications
• Mobile security policies and remote
device wipe
Customer data at rest is not encrypted
• For “sensitive” data, implementation of Active
Directory Rights Management Services (RMS)
• Encryption impacts service functionality (e.g.
search and indexing)
• For “sensitive” externally sent/received e-mail,
customers employ S/MIME
• Identity/key
management issues
The customer makes the decision
22
Alignment and adoption of industry standards ensure
a comprehensive set of practices and controls in
place to protect sensitive data
While not permitting audits, we provide
independent third-party verifications of Microsoft
security, privacy, and continuity controls
Microsoft provides transparency
This saves customers time and money, and allows Office 365 to
provide assurances to
customers at scale
24
Business rules for protecting information and systems which
store and process information
Policy
Control
Framework
Standards
A process or system to assure the implementation of policy
System or procedural specific requirements that must be
met
Step-by-step procedures
Operating Procedures
25
We are the first and only major cloud based productivity to offer the following:
ISO27001
• ISO27001 is one of the best security benchmarks available across the world.
• Office 365 first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process
and management
EU Model Clauses
• Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.
• EU Model Clauses a set of stringent European Union wide data protection requirements
Data Processing Agreement
• Address privacy, security and handling of Customer Data.
• Going above and beyond the EU Model Clauses to address additional requirements from individual EU member states
• Enables customers to comply with their local regulations.
26
Comply with additional industry leading standards
US Health Insurance Portability and Accountability Act (HIPPA)
• HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually
identifiable health information
• Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps
enables our customers to comply with HIPAA concerning protected health information.
EU Safe Harbor
• EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been
legitimated by a recognized mechanism, such as the "Safe Harbor" certification
• Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every
twelve months
27
ISO 27001
All customers
Available Now
EU Safe Harbor
EU customers
Available Now
SSAE 16 (Statement on standards for
Attestation Engagement)
Type I compliance
Primarily US customers
Available Now
FISMA
US Government
Available Now
HIPAA/BAA
EA Customers
Available Now
EU Model Clauses
EU Customers
Available Now
Data Processing Agreement
EA Customers
Available Now
What is it?
•
What does it cover?
•
•
•
•
Who and how to get it?
•
31
http://trust.office365.com
http://www.gobalfoundationservices.com
35