Security, Protection, Compliancy and GDPR
Neil Downing, General Manager EMEA, SaaSplaza
Martin Vliem, National Security Officer, Microsoft
Dennis Schut, CTO, SaaSplaza
June 26, 2018

TRANSCRIPT

Page 1: Security, Protection, Compliancy and GDPR

Security, Protection, Compliancy and GDPR

Neil Downing, General Manager EMEA, SaaSplaza
Martin Vliem, National Security Officer, Microsoft
Dennis Schut, CTO, SaaSplaza

June 26, 2018

Page 2

AGENDA

1. Introduction
2. Security Challenges
3. Microsoft Security and Compliancy
4. SaaSplaza Securing NAV
5. Take Aways
6. Questions

Page 3

Webinar Series for Dynamics NAV Partners

View the recording of Webinar 1, "Be a 'Cloud First' Company", at: https://www.webinartv.nl/agenda/be-a-cloud-first-company-futureproof-your-dynamics-nav-business/

Page 4

Our Partners tell us managing a wide workload is a major challenge

Keep my old installs safe from born in the Cloud attacks
Great 24 x 7 customer support
Secure and Private
Follow my customers globally
Total Solution > NAV
100% guaranteed to work
Cheaper and better than DIY
Trusted Advisor
Stay compliant with training requirements
Be Profitable and grow
Transform to Total Cloud Provider
Register my customer adds
Rewrite my solution into Extensions
Avoid Data leaks

Page 5

Step into Cloud – Power Up your NAV

ON PREMISE
CLOUD POWERED
CLOUD ACCELERATED

Page 6

SaaSplaza: Global Indirect CSP for Dynamics partners

SaaSplaza Global Presence (Headquarters, Offices, Azure Datacenters, Hosting Platforms): Amsterdam, Munich, Shanghai, Sydney, Virginia, Singapore, Hong Kong, New Delhi, Toronto, Sao Paulo, San Diego, Cape Town

270 active (Dynamics) ISV and VAR partners across the globe trust SaaSplaza.

Passionate Cloud and Dynamics experts with >180 certificates.

Running > 800 Dynamics enterprise customers on 11 Azure DC’s.

Global staff providing 24 x 7 FTS support from 5 global offices.

8 years commitment to security (ISAE/SSAE/ITIL/CISO).

CloudCARE is SaaSplaza’s unique approach to delivering and running enterprise-grade cloud services, secure and consistent around the globe.

Silver Cloud Productivity

Page 7

AGENDA


Page 8

Facing the facts about cyber attacks

MOTIVATIONS BEHIND ATTACKS, APRIL 2018

Cyber Crime: 80.8%
Cyber Espionage: 11.1%
Hacktivism: 5.1%
Cyber Warfare: 3%

Source: Hackmageddon.com

Page 9

EU GDPR AND CYBER SECURITY REGULATIONS

Page 10

Zooming in on EU and SMB

DISTRIBUTION OF TARGETS, APRIL 2018

Shares shown in the chart (in chart order): 25%, 18%, 15%, 9%, 5%, 4%, 4%, 4%, 4%, 3%, 2%, 1%, 1%, 1%, 1%, 1%, 1%

Target categories (in legend order): Individual; Multiple Industries; Public Administration/defence/compulsory social security; Human health and social work activities; Education; Accommodation and food service activities; Information and communication; Transportation and storage; Arts, entertainment and recreation; Financial and insurance activities; Fintech; Electricity/gas/steam/air conditioning supply; Other service activities; Manufacturing; Administrative and support service activities; Wholesale and retail trade; Professional, scientific and technical activities

Source: Hackmageddon.com

Page 11

IDENTITY IS THE NEW PERIMETER

Page 12

Page 13

AGENDA


Page 14

Security & Compliance in the cloud: shared responsibilities…

Martin Vliem, CISSP, CISA, CCSP
National Security Officer

[email protected]
https://www.linkedin.com/in/mvliem

Page 15

Digital Transformation: supported through technology & cloud

Page 16

Opportunity versus risk

Opportunity: Agility, Cost, Transformation, Modernization
Risk: Data loss, Down time, Privacy, Security, Compliance

Information security & risk management guidelines
• ISO19086 Cloud Due Diligence
• Frameworks & standards & baselines (ISO 27002, NIST 800-53r4, CSA CCM)
• Risk templates (ISO27001, NIST 800-37, NIST CSF/RMF, ENISA)
• GDPR certifications & CoC’s, EUCOC & CISPE?
• Data Processing Impact Analysis templates

Page 17

Insights into threats

Cloud Security Alliance, ENISA, threat intelligence (reports), …

CSA Treacherous 12:
1. Data Breaches
2. Weak Identity, Credential and Access Mgmt
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues

Sources:
https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/
https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment
https://www.microsoft.com/en-us/security/Intelligence-report
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
https://www.ncsc.nl/binaries/content/documents/ncsc-nl/actueel/cybersecuritybeeld-nederland/cybersecuritybeeld-nederland-2017/1/CSBN2017.pdf

Page 18

Risk management and computing models: Cloud enabled security

On premises | Cloud

Page 19

Van Dale (Dutch dictionary): Trust = “hope with assurance”

Page 20

RISK MANAGEMENT & COMPLIANCE PROCESS

Parties in the diagram: CUSTOMER AS CLOUD SERVICE CONSUMER (Controller); SOLUTION PROVIDER (processor) (SubProcessor); MICROSOFT AS CLOUD SERVICE PROVIDER (Processor)

Requirements: GDPR; … ISO270XX; NIST; …

1. INTEGRATED CONTROLS (Managed by provider)
2. ADDITIONAL TECHNICAL AND ORGANIZATIONAL MEASURES (Managed by customer); OPTIONAL CONTROLS AND SUPPORT
3. Evaluation
4. ASSURANCES: CONTRACTING, INDEPENDENTLY VERIFIED, DESCRIPTIVE INFORMATION, INTERACTIVE INFORMATION
5. Audit (internal / external)
6. Verification…

Page 21

A partnership…

Source available here: Microsoft Cloud Security for Legal and Compliance Professional

Your responsibility for security is based on the type of cloud service. The chart summarizes the balance of responsibility for both Microsoft and the customer.

Chart columns: Responsibility | SaaS | PaaS | IaaS | On-Prem

Responsibility layers (rows):
Data governance and rights management
Client endpoints
Account and Access management
Identity and directory infrastructure
Application
Network controls
Operating system
Physical hosts
Physical network
Physical datacenter

Legend: Cloud service provider (Microsoft operates); Customer (Microsoft & Partner helps)

Page 22

Trusted Cloud: Microsoft operates

Page 23

Azure - IaaS (Infrastructure as a Service)
Azure - PaaS (Platform as a Service)
Office 365 - SaaS (Software as a Service)

On Premises Security Dependencies

1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization

2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems

3. Data: Identify and protect your most important information assets

4. User identity and device security: Strengthen protection for accounts and devices

5. Application security: Ensure application code is resilient to attacks

6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior

7. Operating system and middleware: Protect integrity of hosts

8. Private or on-premises environments: Secure the foundation

Customer managed activities

Page 24

Freedom of choice: cloud services Europe options

MICROSOFT CLOUD SOVEREIGN

Customer Datacenter (CUSTOMER): Deployed on customer-dedicated resources with Microsoft products and technologies. Benefit from cloud experiences on your own premises.

Partner Datacenter (PARTNER): Cloud services deployed on dedicated resources, hosted or operated by a Microsoft partner. Provides integrated or industry-specific service offerings.

Microsoft Cloud Germany: Rare, non-standard deployment of Microsoft cloud resources that meet the unique requirements of certain markets.

MICROSOFT CLOUD GLOBAL

Microsoft Datacenters UK, France, Germany: Local datacenters enable customers to address local data residency requirements.

Microsoft Datacenters Europe: Hyper-scale, globally connected cloud services deployed from regional Microsoft datacenters.

Example: Dynamics with hoster, Microsoft Dynamics 365, …

Page 25

Assurance documentation & tooling: https://aka.ms/stp

Page 26

Compliance tooling: shared responsibilities…

Page 27

1. Descriptive: Microsoft Trust Center: https://www.microsoft.com/en-us/TrustCenter/default.aspx

2. Independently verified: Microsoft Service Trust Portal: https://servicetrust.microsoft.com

3. Contractual: Microsoft Online Service Terms & SLA: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

Microsoft On the Issues: https://blogs.microsoft.com/on-the-issues/

Microsoft Data & Law: https://blogs.microsoft.com/datalaw/

Microsoft Transparency reports: https://www.microsoft.com/en-us/about/corporate-responsibility/reports-hub

Microsoft Cloud IT Architecture resources: https://docs.microsoft.com/en-us/office365/enterprise/microsoft-cloud-it-architecture-resources

Cloud Services Due Diligence Checklist (ISO 19086 based): https://www.microsoft.com/en-us/trustcenter/Compliance/Due-Diligence-Checklist

SAFE Handbook: http://aka.ms/safehandbook

Microsoft Cyber Trust Blog: https://blogs.microsoft.com/cybertrust

Microsoft Secure: https://www.microsoft.com/en-us/security/default.aspx

A Data driven security defense: https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a

Enterprise Cloud strategy e-book: https://info.microsoft.com/enterprise-cloud-strategy-ebook.html

Microsoft Security Intelligence Report: https://www.microsoft.com/security/sir/default.aspx

References: Microsoft assurance information

Page 28

© Copyright Microsoft Corporation. All rights reserved.

Thank you!

Page 29

AGENDA


Page 30

PLATFORM

PROCESS

PEOPLE

Page 31

What is on the customers’ mind when it comes to the security of NAV?

CUSTOMERS WONDER

How can I securely publish my ERP solution across multiple channels to my end-users?

Is the NAV solution compliant with my policies?

How do you (NAV Partner) guarantee security and compliancy?

How to align my ERP environment with my current security landscape?

Can you offer (other) security and protection services?

How can I be sure that only the right people have access to business critical and company sensitive information?

Is our on-prem ERP application compliant with our policies?

Page 32

PLATFORM

PROCESS

PEOPLE

Page 33

SaaSplaza CloudCARE Methodology

Assessment & Design
During the assessment and design phase, all necessary information is gathered and the solution is detailed to finalise the scope of work for the deployment phase.

Deployment
In the deployment phase the designed and approved solution is implemented and, after testing, the solution is handed over to the partner or directly to the customer.

Operation & Support
When the solution is accepted by the customer, the operate and support phase starts, meaning the solution is pro-actively managed, monitored and supported 24/7 to ensure the quality of service as defined in the CloudCARE SLA.

Continuous Improvement
SaaSplaza’s commitment is to keep its solutions up-to-date in close cooperation with Microsoft. During the monthly Service Delivery Management calls, practical improvements are discussed to ensure the best possible cloud experience.

Page 34

SPOC for Escalation Management Microsoft

24/7 support in case of any availability issue

24/7 monitoring

Incident Management

Problem Management

24/7 support for urgent changes

Capacity Management

Patch Management

Version Control

Change Management

Azure Consumption Management

L.O.B. Dashboards

Service and Usage Reporting

Monthly Health Checks

Azure Cost optimization

Service Management

Incident Management

Problem Management

Change Management

Project Management

Service Management

Security

Dev Ops, Continuous Delivery (One Virtual Team)

Implementation of New Service Requirements

Project Management

Case Management

Root Cause Analysis

Security

Enterprise Security

Advanced Threat Protection

Mobile Security

Operation & Continuous Improvement

CIA

Page 35

Page 36

PLATFORM

PROCESS

PEOPLE

IDENTITY IS THE NEW PERIMETER

Page 37

SECURITY COUNCIL

Page 38

AGENDA


Page 39

Confidentiality, Integrity, Availability

We take care of the day to day protection of your customers’ data – on your behalf

Global Security Council 24/7/365

SaaSplaza uses Azure as the default secure platform

Externally ISAE 3402 & SSAE 16 audited – on an annual basis

Leveraging 10 years of expertise in cloud with certified experts

Designing, operating and monitoring with security in mind (SaaSplaza CloudCARE Methodology)

Page 40

Questions

Page 41

Successful with Microsoft Cloud Solutions

Be Competitive against Born in the Cloud and DIY
Choice for you and your customer
Full Microsoft Cloud portfolio and Support

Page 43

Thanks!

Feel free to reach out to us

[email protected]