Security, Protection, Compliancy and GDPR
Presenters:
• Neil Downing, General Manager EMEA, SaaSplaza
• Martin Vliem, National Security Officer, Microsoft
• Dennis Schut, CTO, SaaSplaza
June 26, 2018
AGENDA
1. Introduction
2. Security Challenges
3. Microsoft Security and Compliancy
4. SaaSplaza Securing NAV
5. Take Aways
6. Questions
Webinar Series for Dynamics NAV Partners
View the recording of Webinar 1, Be a 'Cloud First' Company, at: https://www.webinartv.nl/agenda/be-a-cloud-first-company-futureproof-your-dynamics-nav-business/
Our Partners tell us managing a wide workload is a major challenge
• Keep my old installs safe from born in the Cloud attacks
• Great 24 x 7 customer support
• Secure and Private
• Follow my customers globally
• Total Solution > NAV
• 100% guaranteed to work
• Cheaper and better than DIY
• Trusted Advisor
• Stay compliant with training requirements
• Be Profitable and grow
• Transform to Total Cloud Provider
• Register my customer adds
• Rewrite my solution into Extensions
• Avoid Data leaks
Step into Cloud – Power Up your NAV
• ON PREMISE
• CLOUD POWERED
• CLOUD ACCELERATED

SaaSplaza: Global Indirect CSP for Dynamics partners
SaaSplaza Global Presence (headquarters, offices, Azure datacenters, hosting platforms): Amsterdam, Munich, Shanghai, Sydney, Virginia, Singapore, Hong Kong, New Delhi, Toronto, Sao Paulo, San Diego, Cape Town
• 270 active (Dynamics) ISV and VAR partners across the globe trust SaaSplaza.
• Passionate Cloud and Dynamics experts with >180 certificates
• Running >800 Dynamics enterprise customers on 11 Azure DC’s.
• Global staff providing 24 x 7 FTS support from 5 global offices.
• 8 years commitment to security (ISAE/SSAE/ITIL/CISO)
• Silver Cloud Productivity (Microsoft partner competency)
CloudCARE is SaaSplaza’s unique approach to deliver and run enterprise grade cloud services, secure and consistent around the globe.
SECURITY CHALLENGES
Facing the facts about cyber attacks
MOTIVATIONS BEHIND ATTACKS, APRIL 2018 (source: Hackmageddon.com)
Cyber Crime        80.8%
Cyber Espionage    11.1%
Hacktivism          5.1%
Cyber Warfare       3%
EU GDPR AND CYBER SECURITY REGULATIONS
Zooming in on EU and SMB
DISTRIBUTION OF TARGETS, APRIL 2018 (source: Hackmageddon.com)
Individual                                                   25%
Multiple Industries                                          18%
Public Administration / defence / compulsory social security 15%
Human health and social work activities                       9%
Education                                                     5%
Accommodation and food service activities                     4%
Information and communication                                 4%
Transportation and storage                                    4%
Arts, entertainment and recreation                            4%
Financial and insurance activities                            3%
Fintech                                                       2%
Electricity / gas, steam / air conditioning supply            1%
Other service activities                                      1%
Manufacturing                                                 1%
Administrative and support service activities                 1%
Wholesale and retail trade                                    1%
Professional, scientific and technical activities             1%
IDENTITY IS THE NEW PERIMETER
MICROSOFT SECURITY AND COMPLIANCY
Security & Compliance in the cloud: shared responsibilities…
Martin Vliem, CISSP, CISA, CCSP, National Security Officer
[email protected]
https://www.linkedin.com/in/mvliem
Digital Transformation: supported through technology & cloud
Opportunity versus risk
• Opportunity: Agility, Cost, Transformation, Modernization
• Risk: Data loss, Down time, Privacy, Security, Compliance

Information security & risk management guidelines
• ISO 19086 Cloud Due Diligence
• Frameworks & standards & baselines (ISO 27002, NIST 800-53r4, CSA CCM)
• Risk templates (ISO 27001, NIST 800-37, NIST CSF/RMF, ENISA)
• GDPR certifications & CoC’s, EU CoC & CISPE?
• Data Processing Impact Analysis templates

Insights into threats: Cloud Security Alliance, ENISA, threat intelligence (reports), …
CSA Treacherous 12:
1. Data Breaches
2. Weak Identity, Credential and Access Mgmt
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
Sources:
https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/
https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment
https://www.microsoft.com/en-us/security/Intelligence-report
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
https://www.ncsc.nl/binaries/content/documents/ncsc-nl/actueel/cybersecuritybeeld-nederland/cybersecuritybeeld-nederland-2017/1/CSBN2017.pdf
Risk management and computing models: cloud enabled security (Cloud versus On premises)
Van Dale (Dutch dictionary): Trust = “hope with assurance”

A partnership… RISK MANAGEMENT & COMPLIANCE PROCESS
Roles: CUSTOMER AS CLOUD SERVICE CONSUMER (Controller); MICROSOFT AS CLOUD SERVICE PROVIDER (Processor); SOLUTION PROVIDER (Processor / Sub-processor)
1. Requirements: GDPR; …; ISO 270XX; NIST; …
2. INTEGRATED CONTROLS (managed by provider)
3. Evaluation
4. ASSURANCES / CONTRACTING: descriptive information; independently verified; interactive information; optional controls and support
5. ADDITIONAL TECHNICAL AND ORGANIZATIONAL MEASURES (managed by customer)
6. Audit (internal / external), verification…
Source available here: Microsoft Cloud Security for Legal and Compliance Professional
Your responsibility for security is based on the type of cloud service. The chart summarizes the balance of responsibility for both Microsoft and the customer.
Service models compared: SaaS (Office 365), PaaS (Azure), IaaS (Azure), On-Prem
Responsibility layers, from customer-facing down to physical:
• Data governance and rights management
• Client endpoints
• Account and access management
• Identity and directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter
Legend: Cloud service provider = Microsoft operates (Trusted Cloud); Customer = Microsoft & Partner helps
On Premises Security Dependencies
1. Security strategy, governance, and operationalization: Provide clear vision, standards, and guidance for your organization
2. Administrative control: Defend against the loss of control of your cloud services and on-premises systems
3. Data: Identify and protect your most important information assets
4. User identity and device security: Strengthen protection for accounts and devices
5. Application security: Ensure application code is resilient to attacks
6. Network: Ensure connectivity, isolation, and visibility into anomalous behavior
7. Operating system and middleware: Protect integrity of hosts
8. Private or on-premises environments: Secure the foundation
Customer managed activities
Freedom of choice: cloud services Europe options
MICROSOFT CLOUD SOVEREIGN
• Customer Datacenter (CUSTOMER): Deployed on customer-dedicated resources with Microsoft products and technologies. Benefit from cloud experiences on your own premises.
• Partner Datacenter (PARTNER): Cloud services deployed on dedicated resources, hosted or operated by a Microsoft partner. Provides integrated or industry-specific service offerings.
• Microsoft Cloud Germany: Rare, non-standard deployment of Microsoft cloud resources that meet the unique requirements of certain markets.
MICROSOFT CLOUD GLOBAL
• Microsoft Datacenters UK, France, Germany: Local datacenters enable customers to address local data residency requirements.
• Microsoft Datacenters Europe: Hyper-scale, globally connected cloud services deployed from regional Microsoft datacenters.
Example: Dynamics with hoster, Microsoft Dynamics 365, …
Assurance documentations & tooling: https://aka.ms/stp
Compliance tooling, shared responsibilities…
1. Descriptive: Microsoft Trust Center: https://www.microsoft.com/en-us/TrustCenter/default.aspx
2. Independently verified: Microsoft Service Trust Portal: https://servicetrust.microsoft.com
3. Contractual: Microsoft Online Service Terms & SLA: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

REFERENCES: Microsoft assurance information
Microsoft On the Issues: https://blogs.microsoft.com/on-the-issues/
Microsoft Data & Law: https://blogs.microsoft.com/datalaw/
Microsoft Transparency reports: https://www.microsoft.com/en-us/about/corporate-responsibility/reports-hub
Microsoft Cloud IT Architecture resources: https://docs.microsoft.com/en-us/office365/enterprise/microsoft-cloud-it-architecture-resources
Cloud Services Due Diligence Checklist (ISO 19086 based): https://www.microsoft.com/en-us/trustcenter/Compliance/Due-Diligence-Checklist
SAFE Handbook: http://aka.ms/safehandbook
Microsoft Cyber Trust Blog: https://blogs.microsoft.com/cybertrust
Microsoft Secure: https://www.microsoft.com/en-us/security/default.aspx
A Data driven security defense: https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a
Enterprise Cloud strategy e-book: https://info.microsoft.com/enterprise-cloud-strategy-ebook.html
Microsoft Security Intelligence Report: https://www.microsoft.com/security/sir/default.aspx
© Copyright Microsoft Corporation. All rights reserved.
Thank you!
SAASPLAZA SECURING NAV
PLATFORM
PROCESS
PEOPLE
What is on the customers’ mind when it comes to the security of NAV?
CUSTOMERS WONDER
• How can I securely publish my ERP solution across multiple channels to my end-users?
• Is the NAV solution compliant with my policies?
• How do you (NAV Partner) guarantee security and compliancy?
• How to align my ERP environment with my current security landscape?
• Can you offer (other) security and protection services?
• How can I be sure that only the right people have access to business critical and company sensitive information?
• Is our on-prem ERP application compliant with our policies?
PLATFORM
PROCESS
PEOPLE
SaaSplaza CloudCARE Methodology
Assessment & Design: During the assessment and design phase, all necessary information is gathered and the solution is detailed to finalise the scope of work for the deployment phase.
Deployment: In the deployment phase the designed and approved solution is implemented and, after testing, handed over to the partner or directly to the customer.
Operation & Support: When the solution is accepted by the customer the operate and support phase starts: the solution is pro-actively managed, monitored and supported 24/7 to ensure the quality of service as defined in the CloudCARE SLA.
Continuous Improvement: SaaSplaza’s commitment is to keep their solutions up-to-date in close cooperation with Microsoft. During the monthly Service Delivery Management calls practical improvements are discussed to ensure the best possible cloud experience.
Operation & Continuous Improvement
Service Management (Incident Management, Problem Management, Change Management):
• SPOC for Escalation Management with Microsoft
• 24/7 support in case of any availability issue
• 24/7 monitoring
• Incident Management
• Problem Management
• 24/7 support for urgent changes
• Capacity Management
• Patch Management
• Version Control
• Change Management
• Azure Consumption Management
• L.O.B. Dashboards
• Service and Usage Reporting
• Monthly Health Checks
• Azure Cost optimization
Security:
• Enterprise Security
• Advanced Threat Protection
• Mobile Security
Project Management:
• Dev Ops, Continuous Delivery (One Virtual Team)
• Implementation of New Service Requirements
• Case Management
• Root Cause Analysis
CIA
PLATFORM
PROCESS
PEOPLE
IDENTITY IS THE NEW PERIMETER
SECURITY COUNCIL
TAKE AWAYS
Confidentiality, Integrity, Availability
We take care of the day to day protection of your customers’ data – on your behalf
• Global Security Council 24/7/365
• SaaSplaza uses Azure as the default secure platform
• Externally ISAE 3402 & SSAE 16 audited – on annual basis
• Leveraging 10 years of expertise in cloud with certified experts
• Designing, operating and monitoring with security in mind (SaaSplaza CloudCARE Methodology)
Questions
Successful with Microsoft Cloud Solutions
1. Be Competitive against Born in the Cloud and DIY
• Choice for you and your customer
• Full Microsoft Cloud portfolio and Support
Next Steps
Are you registered for our next webinar? July 3 – “Gives and Gets” of Partnering with SaaSplaza
www.saasplaza.com/events
Reach out to our team on [email protected]