Cloud Principles - Office 365

Uploaded by sinisa, posted 20-Oct-2015 (36 slides)

Page 1: Cloud Principles - Office 365

Data Centers | Security and Privacy | Client Requirements

Cloud Principles

Page 2: Cloud Principles - Office 365

AGENDA

• Microsoft Cloud Principles
• Security and Privacy

Page 3: Cloud Principles - Office 365

The Inevitable Questions

Security
• Is cloud computing secure?
• Are Microsoft Online Services secure?

Transparency
• Where is my data?
• Who has access to my data?

Privacy
• What does privacy at Microsoft mean?
• Are you using my data to build advertising products?

Compliance
• What certifications and capabilities does Microsoft hold?
• How does Microsoft support customer compliance needs?
• Do I have the right to audit Microsoft?

Page 4: Cloud Principles - Office 365

Office 365 - Foundation

Relentless on Security: excellence in cutting-edge security practices.

Independently Verified: compliance with world-class industry standards, verified by third parties.

Your Privacy Matters: we respect your privacy.

Leadership in Transparency: you know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it.

Page 5: Cloud Principles - Office 365

Microsoft Online Services Trust Center

http://trustoffice365.com

• Office 365 Privacy Whitepaper
• Office 365 Security Whitepaper and Service Description
• Office 365 Standard Responses to Request for Information
• Office 365 Information Security Management Framework

Page 6: Cloud Principles - Office 365

Microsoft Office 365 – Cloud Principles

1. Services are highly configurable and scalable without customization.
2. Services are under the Microsoft Security Policy.
3. We provide transparency in data location and transfers.
4. We audit on your behalf and provide certification reports.
5. Microsoft’s liability is capped, consistent with industry standards.
6. Office 365 is an evergreen service. Customers need to stay current.
7. Our solution evolves rapidly with a documented roadmap.
8. We provide services offers to help you migrate to the cloud efficiently.

Page 7: Cloud Principles - Office 365

1. Configurable Services. Services are highly configurable and scalable without customization.

Page 8: Cloud Principles - Office 365

Office 365 is a highly standardized service that Microsoft offers under highly standardized contractual terms and conditions.

Customers can mix and match services to meet their requirements.

Benefits exist because we take this approach, e.g. built-in upgrades, reliability, availability and price.

Office 365 is a highly configurable, but not a customizable, solution.

Page 9: Cloud Principles - Office 365

2. Security. Services are under the Microsoft Security Policy.

Security | Privacy and Regulations | Compliance

Page 10: Cloud Principles - Office 365

Security


Page 11: Cloud Principles - Office 365

Microsoft Security Development Lifecycle: reduce vulnerabilities, limit exploit severity

Training
• Core Security Training

Requirements
• Establish Security Requirements
• Create Quality Gates / Bug Bars
• Security & Privacy Risk Assessment

Design
• Establish Design Requirements
• Analyze Attack Surface
• Threat Modeling

Implementation
• Use Approved Tools
• Deprecate Unsafe Functions
• Static Analysis

Verification
• Dynamic Analysis
• Fuzz Testing
• Attack Surface Review

Release
• Incident Response Plan
• Final Security Review
• Release Archive

Response
• Execute Incident Response Plan

Supporting functions
• Education: administer and track security training
• Process: guide product teams to meet SDL requirements
• Accountability: establish release criteria and sign-off as part of the Final Security Review (FSR)
• Ongoing Process Improvements
• Incident Response (MSRC)
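A concrete illustration of the Implementation-phase items "Deprecate Unsafe Functions" and "Static Analysis" together with the Requirements-phase "Quality Gates / Bug Bars", added here as an example and not Microsoft's SDL tooling: a minimal banned-function scanner that runs over constructed C source and fails a build gate on high-severity hits. The banned list, the severity assigned to each function, the gate threshold, and the sample C file are the editor's own illustrative choices (the real SDL banned-API list is longer).

```python
"""Banned-function scanner with an SDL-style quality gate.

Added example, not Microsoft's SDL tooling. The banned list, the severity
assigned to each function, and the gate threshold are illustrative choices
made for this example; the real SDL banned-API list is longer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative "bug bar": which C runtime calls are findings, and how severe.
BANNED = {
    "gets": "critical",    # unbounded read into a buffer; no safe way to call it
    "strcpy": "high",      # unbounded copy
    "strcat": "high",      # unbounded append
    "sprintf": "high",     # unbounded formatted write
    "vsprintf": "high",
    "scanf": "high",       # %s without a width is unbounded
    "strncpy": "medium",   # bounded, but does not NUL-terminate when it truncates
}
# The gate fails the build on any finding at these severities.
GATE_FAILS_ON = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line in the scanned source
    func: str       # banned function that was called
    severity: str   # severity from the bug bar
    text: str       # the offending source line, stripped


# Comments are blanked first (line count preserved), then string literals on
# each line, so "strcpy" inside a comment or a string is not reported.
# Limitation: a "//" inside a string literal is treated as a comment start.
_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
# A call is the bare name followed by "(". The lookbehind rejects names that
# are a suffix of a longer identifier (my_strcat) or a struct member (.strcpy);
# "strcpy_s(" is not matched because "_s" sits between the name and "(".
_CALL_RE = re.compile(
    r"(?<![\w.])(" + "|".join(map(re.escape, BANNED)) + r")\s*\("
)


def _blank_comments(source: str) -> str:
    """Remove C comments while keeping every newline, so line numbers hold."""
    return _COMMENT_RE.sub(lambda m: "\n" * m.group().count("\n"), source)


def scan(source: str) -> list[Finding]:
    """Return every banned-function call in `source`, in line order."""
    findings = []
    for lineno, line in enumerate(_blank_comments(source).splitlines(), 1):
        code = _STRING_RE.sub('""', line)
        for m in _CALL_RE.finditer(code):
            func = m.group(1)
            findings.append(Finding(lineno, func, BANNED[func], line.strip()))
    return findings


def gate(source: str) -> tuple[bool, list[Finding]]:
    """Quality gate: (passed, findings). Fails on any critical/high finding."""
    findings = scan(source)
    passed = not any(f.severity in GATE_FAILS_ON for f in findings)
    return passed, findings


# Constructed sample C source (not from the page), exercising the edge cases.
SAMPLE_C = """\
#include <string.h>
/* legacy code: the word strcpy in this comment must not be reported */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                 // banned: unbounded copy
    strcpy_s(dst, 64, src);           // approved replacement, not a finding
    printf("never call strcat here"); // name inside a string literal
    my_strcat(dst, "x");              // different identifier
    strncpy(dst, src, 64);            // medium: may leave dst unterminated
}
"""

if __name__ == "__main__":
    ok, hits = gate(SAMPLE_C)
    for f in hits:
        print(f"line {f.line}: {f.func} [{f.severity}] {f.text}")
    print("gate:", "PASS" if ok else "FAIL")
```

Run stand-alone, the scanner reports the strcpy call on line 4 (high) and the strncpy call on line 8 (medium) and fails the gate; replacing the strcpy with its bounded form leaves only the medium finding, which the gate lets through. Real SDL gates also feed the findings into the release archive and the Final Security Review, which this example does not model.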

Page 12: Cloud Principles - Office 365

Service Security – Defense in Depth

A risk-based, multi-dimensional approach to safeguarding services and data

Security Management: threat and vulnerability management, monitoring, and response
Network perimeter: edge routers, intrusion detection, vulnerability scanning
Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
Host: access control and monitoring, anti-malware, patch and configuration management
Application: secure engineering (SDL), access control and monitoring, anti-malware
Data: access control and monitoring, file/data integrity
User: account management, training and awareness, screening
Facility: physical controls, video surveillance, access control

Page 13: Cloud Principles - Office 365

Industry-recognized security improvements

https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html

Page 14: Cloud Principles - Office 365

Privacy


Page 15: Cloud Principles - Office 365

Privacy at Office 365

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer.

No Mingling: choices to keep Office 365 Customer Data separate from consumer services.

Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time.

No Advertising: no advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.

Page 16: Cloud Principles - Office 365

How Is Privacy of Data Protected?

We use customer data for just what customers pay us for: to maintain and provide the Office 365 Service.

Use of Microsoft Online Services data, by purpose. Columns: Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data

Operating and Troubleshooting the Service: Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention: Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics: Yes | Yes | Yes | No
Personalization, User Profile, Promotions: No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions): No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement: No | No | No | No
Advertising: No | No | No | No

Who has access, by role. Columns: Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data

Operations Response Team (limited to key personnel only): Yes | Yes, as needed | Yes, as needed | Yes, by exception
Support Organization: Yes, only as required in response to a Support Inquiry | Yes, only as required in response to a Support Inquiry | Yes, only as required in response to a Support Inquiry | No
Engineering: Yes | No direct access; may be transferred during troubleshooting | No direct access; may be transferred during troubleshooting | No
Partners: With customer permission (see Partner for more information) | With customer permission | With customer permission | With customer permission
Others in Microsoft: No | No (Yes for Office 365 for small business customers, for marketing purposes) | No | No

Page 17: Cloud Principles - Office 365

Compliance


Page 18: Cloud Principles - Office 365

Office 365 compliance

We are the first and only major cloud-based productivity service to offer the following:

Data Processing Agreement: addresses privacy, security and handling of Customer Data. Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states. Enables customers to comply with their local regulations.

EU Model Clauses: a set of stringent European Union-wide data protection requirements. Office 365 is the first major business productivity public cloud service provider willing to sign the EU Model Clauses with all customers.

ISO 27001: one of the best security benchmarks available across the world. Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls at the physical, logical, process and management levels.

Page 19: Cloud Principles - Office 365

Office 365 compliance

Comply with additional industry-leading standards:

EU Safe Harbor: the EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification. Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.

US Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information. Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.

Page 20: Cloud Principles - Office 365

Office 365 Compliance With Key Standards

Standard | Applies to | Status
ISO 27001 | All customers | Available
EU Safe Harbor | EU customers | Available
SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance | Primarily US customers | Available
FISMA | US Government | Available
HIPAA/BAA | All customers | Available
EU Model Clauses | EU customers | Available
Data Processing Agreement | All customers | Available
FERPA | EDU customers | Available

Page 21: Cloud Principles - Office 365

3. Transparency. We provide transparency in data location and transfers.

Page 22: Cloud Principles - Office 365

Transparency

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer.

Where is data stored? Clear data maps and geographic boundary information are provided; the ‘Ship To’ address determines the data center location.

How do I get notified? Microsoft notifies you of changes in data center locations.

Who accesses, and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes; Core Customer Data access is limited to key personnel on an exception basis.

Page 23: Cloud Principles - Office 365

4. Audits. We audit on your behalf and provide certification reports.

Page 24: Cloud Principles - Office 365

Auditing on Your Behalf

“I need to know Microsoft is doing the right things…”

Microsoft provides transparency:

• Alignment and adoption of industry standards ensure a comprehensive set of practices and controls is in place to protect sensitive data.

• While not permitting customer audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls.

This saves customers time and money, and allows Microsoft to provide assurances to customers at scale.

Page 25: Cloud Principles - Office 365

Compliance Management Framework

Policy: business rules for protecting information and the systems which store and process information.
Control Framework: a process or system to assure the implementation of policy.
Standards: system- or procedure-specific requirements that must be met.
Operating Procedures: step-by-step procedures.

Page 26: Cloud Principles - Office 365

5. Liability. Microsoft’s liability is capped, consistent with industry standards.

Page 27: Cloud Principles - Office 365

Microsoft’s liability is capped, consistent with industry standards.

• Liability represents an aggregate amount.
• Liability is limited to direct damages.
• Microsoft’s liability is capped at 12 months’ services fees.

Page 28: Cloud Principles - Office 365

6. Evergreen. Office 365 is an evergreen service. Customers need to stay current.

Page 29: Cloud Principles - Office 365


Office 365 is an evergreen service.

• As a result, software update cycles of the on-premises part of the overall solution ideally should be in sync (or at least N-1 for the client software) to avoid integration and compatibility issues.

• For major upgrades the deployment window is roughly 18 months from announcement to enforcement.

• One of the great benefits of the service is that it is evergreen, meaning always up to date when it comes to security patches, updates and upgrades.

Page 30: Cloud Principles - Office 365

7. Rapid Evolution. Our solution evolves rapidly with a documented roadmap.

Page 31: Cloud Principles - Office 365

Our solution evolves rapidly with a documented roadmap.

• Features like enterprise search will be delivered from the cloud in the foreseeable future, and customization via Azure integration extends the capabilities of the platform.

• Another great benefit of the service is that there is a clear roadmap towards feature parity with on-premises solutions.

Page 32: Cloud Principles - Office 365

8. Deployment. We provide services offers to help you migrate to the cloud efficiently.

Page 33: Cloud Principles - Office 365

We provide services offers to help you migrate to the cloud efficiently.

Microsoft Cloud Vantage
• Offering Essential, Standard or Enterprise Cloud Vantage Services Offerings from Microsoft
• End-to-end migration or resource augmentation

Recommended Partner
• Leveraging Microsoft Online or 3rd-party tools
• End-to-end migration

Page 34: Cloud Principles - Office 365

Delivering a “Business Ready” Cloud Platform

Cloud Vantage Services helps you realize business value from your Office 365 investments by providing deep expertise and collaboration across the full lifecycle to smoothly transition to Office 365, and make the most out of your cloud investments.

Cloud Vantage Services

Deep Expertise
• Single point of accountability for Office 365 across the lifecycle
• Global network of technical and operations experts
• Broad industry expertise

Collaboration
• Partner for smooth program orchestration
• Increase IT agility through change management and roadmap planning
• Align on measurable business value results

Full lifecycle
• Enable end-users and IT team for transition to cloud
• Prepare IT environment for Office 365 consumption
• Deliver on-time deployment
• Provide enterprise-grade support

Page 35: Cloud Principles - Office 365

Microsoft Online Services Trust Center: http://trustoffice365.com (the same four resources listed on Page 5; the Office 365 Privacy Whitepaper is marked as new)

Page 36: Cloud Principles - Office 365

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.