Addressing Cloud Computing Security ... - Iron Cove Solutions

Addressing Cloud Computing Security Considerations with Microsoft Office 365

Contents

Introduction 2
Key Security Considerations 3
Office 365 Service Stack 4
ISO Certifications for the Microsoft Online Services Stack 5
Compliance and Risk Management 6
Identity and Access Management 8
Service Integrity 9
Endpoint Integrity 12
Information Protection 13
Related Reading 14

Introduction

This document is based on a supplemental paper, Cloud Computing Security Considerations [1], which focuses on a high-level discussion of the fundamental challenges and benefits of cloud computing security. The original paper includes questions cloud service providers and organizations using cloud services should consider as they evaluate a new move or expansion of existing services to the cloud. This document presumes the reader is familiar with the Cloud Computing Security Considerations paper, which offers high-level insight into how these considerations can be addressed using Office 365, a public cloud service. Office 365 combines the familiar Office desktop suite with cloud-based versions of next-generation communications and collaboration services, including Microsoft Office Professional, Microsoft® Exchange Online, Microsoft® SharePoint® Online, and Microsoft® Lync™ Online. Cloud service providers and organizations using cloud services should consider these two primary areas regarding security and compliance:

• Geolocation—Due to the nature of the public cloud, a customer’s data may be distributed in various geographies around the globe.

• Multi-Tenancy—Space on a server/infrastructure is shared among tenants.

[1] The Cloud Computing Security Considerations paper can be found here: http://go.microsoft.com/?linkid=9708479

CLOUD COMPUTING SECURITY CONSIDERATIONS: MICROSOFT OFFICE 365 | JULY 2011


Key Security Considerations

Here is a short summary of the considerations raised in the original paper mentioned on the previous page. As with any other technological shift or change, security benefits and risks must be addressed in order to realize the full benefits of cloud computing. Considerations such as compliance and risk management, identity and access management, service integrity, endpoint integrity, and information protection should all be explored when evaluating, implementing, managing, and maintaining cloud computing solutions. These apply to the cloud provider as well as the cloud customer; both should carefully consider and evaluate these points:

• Compliance and Risk Management—Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management. While some of the responsibility for execution may be transferred to the cloud provider, it is important to understand the overall compliance picture, as well as the roles and responsibilities within the provider organization.

• Identity and Access Management—Identities may come from different providers; providers must be able to federate from on-premises to the cloud and help enable collaboration across organization and country borders.

• Service Integrity—Cloud-based services should be engineered and operated with security in mind; operational processes should be integrated into the organization’s security management.

• Endpoint Integrity—As cloud-based services originate—and are then consumed—on-premises, the security, compliance, and integrity of the endpoint must be part of any security consideration.

• Information Protection—Cloud services require reliable processes for protecting information before, during, and after the transaction.

What will you learn from this paper?
This paper discusses how to address cloud security considerations in an Office 365 environment. It also shows how to strike the appropriate balance between customer and Microsoft responsibilities. When not further specified, the information herein applies to both the Microsoft® Global Foundation Services (www.globalfoundationservices.com) and Microsoft® Online Services (www.microsoft.com/online.com).

Responsibilities for the different considerations shift depending on the cloud service type consumed: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). Careful definition of the control ownership is imperative in such environments.


The illustration below is based on the National Institute of Standards and Technology’s (NIST) definition of the different cloud models.

Office 365 Service Stack

Office 365 is a Software-as-a-Service offering from Microsoft. In this scenario, Microsoft provides consumers the capability to use the Office 365 applications (Microsoft® Office Professional desktop suite of applications, Microsoft Exchange, Microsoft SharePoint, and Microsoft Lync) running on a cloud infrastructure and accessible from various client devices. Consumers do not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or the individual application capabilities apart from certain configuration capabilities.


When evaluating the control environment in a Software-as-a-Service model, it is important to consider the whole technology stack of the provider since different teams/services may be involved in providing the infrastructure and application service elements.

ISO Certifications for the Microsoft Online Services Stack

When evaluating Microsoft Online Services, it is helpful to understand that both Microsoft Online Services and Microsoft Global Foundation Services are International Standards Organization (ISO) 27001–based and –certified frameworks. Why is the ISO 27001 certification important? While Microsoft may not be able to provide customers with our detailed internal policies and procedures for security purposes, customers can review and evaluate the standards and implementation guidance in which we are certified to ensure we meet or exceed industry best practices. ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS).


Compliance and Risk Management

Risk Management
  Microsoft: Good risk management practices are essential for any cloud provider. Microsoft applies its own documented risk management process:
  • Identify threats and vulnerabilities to the environment.
  • Calculate risk.
  • Report risks across the Microsoft cloud environment.
  • Address risks based on an impact assessment and a business case.
  • Test remediation effectiveness and residual risk.
  • Manage risks on an ongoing basis.
  Customer: Customers are responsible for making sure they have an overall enterprise risk management process in place and that cloud risks are included in the overall company risk.

Risk Management Methodology
  Microsoft: Microsoft Online Services are built to adhere to the Microsoft Online Services Privacy Standards [2] and are based on an ISO 27001 framework to continually assess and improve our service offerings. The processes to manage the risks in Microsoft’s environment are based on and certified against ISO 27001. The services will be verified under SAS 70 Type II (to be replaced with the industry standard SSAE16).
  Customer: Some of the responsibilities for handling risks connected to the workloads moved to Office 365 are transferred to Microsoft. Customers must understand, however, whether or not the stated certifications allow them to fulfill their regulatory requirements. By providing transparency around our program, Microsoft allows customers to evaluate our services against their requirements and make informed decisions.

Compliance
  Microsoft: Microsoft holds several compliance certifications; these are publicly available and updated on a regular basis. The Microsoft® Trust Center [3] provides an up-to-date view on which certifications and practices are implemented by Microsoft. Current customers can also review the Global Foundation Services SAS 70 Type II report (to be replaced with the industry standard SSAE16). A link to our Trust Center is provided in the Related Reading section of this document. It is important to consider the entire service stack as outlined in the Office 365 service stack picture (see page 5).
  Customer: Microsoft customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with applicable legal requirements elsewhere. As a provider of global cloud services, we run our services with common operational practices and features across multiple customers and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind. However, it is our customers’ responsibility to evaluate our offerings against their own requirements so they can determine whether or not Microsoft services satisfy their regulatory needs.

[2] Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&DisplayLang=en
[3] Trust Center link: http://go.microsoft.com/fwlink/?LinkID=206613&CLCID=0x409


Security Management
  Microsoft: Microsoft helps comprehensively secure Office 365 services by applying the Microsoft® Security Management approach, which ensures that the security of Office 365 services is vigilantly maintained, regularly enhanced, and routinely verified through testing. This approach provides protection at multiple levels, including:
  • Physical layers at data centers—physical controls, video surveillance, and access control.
  • Logical layers—data isolation, hosted applications security, infrastructure services, network level, identity and access management, federated identity, and single sign on.
  Our Security Management program is built on ISO 27001 principles and attested to through the compliance program.
  Customer: Customers will have to manage security within their premises (e.g., access to customer premises from which Office 365 is being accessed, or endpoint security). They must also ensure that the environment they connect to Office 365 is managed according to their requirements and security standards.

Termination of Service
  Microsoft: At the termination of a customer’s subscription or use of the service, the customer may always export its data. See the Product Use Rights [4] for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting the customer subscriber data pursuant to these terms. Microsoft provides multiple notices prior to deletion of customer subscription data so customers are informed and reminded of the impending deletion of their data should they fail to act within the stipulated time frame. If a customer needs assistance fulfilling privacy requests as required by law, they may contact Microsoft Customer Support [5] for help accessing, changing, or removing their customer data. Requests that cannot be fulfilled via standard tools and processes may be subject to additional charge.
  Customer: Upon expiration or termination of a customer’s online service subscription, the customer must contact Microsoft and specify whether the customer account should be disabled and subscriber data deleted, or whether the subscriber data should be retained for a limited time so the customer can extract the data. Following the expiration of the retention period, Microsoft will disable the customer account, and then delete all subscriber data.

[4] Product Use Rights link: http://www.microsoft.com/licensing/about-licensing/product-licensing.aspx
[5] Microsoft Customer Support link: https://mocp.microsoftonline.com/Site/Support.aspx


Dispute Management
  Microsoft: At the end of a customer’s subscription or use of the service, the customer may always export its data. See the Product Use Rights for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting customer subscriber data pursuant to these terms.
  Customer: Customers are responsible for understanding the dispute resolution process and ensuring constant and continuous access to the service in case of a dispute.

Identity and Access Management

Identity Management
  Microsoft: Microsoft applies strict controls over which user roles and users will be granted access to customer data. Users are required to complete a form along with a business justification to request access. This must be approved by the user’s manager prior to gaining access. Controls related to identity and access management are formally audited annually through the SAS 70 Type II audit (to be replaced with the industry standard SSAE16). We recognize the importance of our customers’ non-public data. If someone—Microsoft personnel, partners, or the customer’s own administrators—accesses the user’s non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed. To further limit the risk of unauthorized access, Microsoft does not use the same identity management platform for internal purposes as for managing the Office 365 environment.
  Customer: It is important for customers to understand that Microsoft does not manage the customer’s identities or create accounts. The customer must ensure that robust processes and procedures are in place to ensure an adequate level of access control to their own data.

Identity Management Processes
  Microsoft: All Microsoft personnel are accountable for their handling of customer data; access to Microsoft Online Services data is granted in a manner that is traceable to a unique user. In other words, accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing. Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen accountability. User access to data is also limited by user role; for example, system administrators are not provided with database administrative access. Microsoft reviews its identity management and access controls on a regular basis for compliance to internal standards and procedures as well as external standards such as ISO 27001. The access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
  Customer: Customers are responsible for the identity management processes for their identities. Any system for identity and access control, especially for higher value assets, should be based on an identity framework that uses in-person proofing, or a similarly strong process, and robust cryptographic credentials. This is the customer’s responsibility and lays the foundation for any identity management process. Further, customers should have in place a process to ensure the effectiveness of their own identity and access management processes.

Interoperability
  Microsoft: An important attribute of cloud-based Office products is interoperability between applications; workers can move from desktop to web to mobile without transforming or modifying their files as they go. One critical element is identity federation; Microsoft Office 365 uses ADFS v2.0. Since ADFS v2.0 is based on several WS-* and SAML standards, it can federate with multiple identity providers.
  Customer: Customers should adhere to interoperability standards that can be leveraged across different cloud providers, both on and off premises.

Ad Hoc Collaboration
  Microsoft: Microsoft® Active Directory®, Microsoft Lync [6], and other products support interoperability requirements. Microsoft works intensively with the standards bodies and implements these standards and protocols.
  Customer: Customers should ensure processes are in place to verify new partners with whom they want to collaborate on an ad hoc basis and who need to understand the technical requirements.
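The controls this section describes on both sides (access granted only to a unique, named user, a business justification approved by a manager, periodic re-review of access levels, system administrators kept out of database administration, and an on-request report of who accessed a user's non-public data) can be checked mechanically by the customer over its own grant records and audit trail. The Python script below is an added example, not code from the paper or from Microsoft: the record layouts, the 90-day review period, the shared-account naming convention and the role names are assumptions, and every grant and audit event is constructed sample data.

```python
"""Access review and data-access reporting over constructed sample records.

Added example; record layouts, the 90-day review period, the shared-account
prefixes and the role names are assumptions, and all grants/events below are
constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=90)                      # assumed re-certification cadence
SHARED_ACCOUNT_PREFIXES = ("svc-", "shared-", "admin")  # assumed naming for non-personal accounts


@dataclass(frozen=True)
class AccessGrant:
    user: str            # account holding the access; must identify one person
    resource: str        # data set or system the grant applies to
    role: str            # e.g. "reader", "sysadmin", "dba"
    justification: str   # business justification from the request form
    approved_by: str     # approving manager, "" if never approved
    last_reviewed: date  # date the grant was last re-certified


@dataclass(frozen=True)
class AccessEvent:
    when: date
    actor: str           # who touched the data
    actor_type: str      # "microsoft", "partner", "customer-admin" or "owner"
    subject: str         # user whose non-public data was accessed
    resource: str
    action: str


def review_grants(grants, today):
    """Return (user, resource, finding) tuples for every grant that fails the policy."""
    findings = []
    for g in grants:
        if g.user.startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append((g.user, g.resource, "not traceable to a unique user"))
        if not g.justification.strip():
            findings.append((g.user, g.resource, "missing business justification"))
        if not g.approved_by:
            findings.append((g.user, g.resource, "no manager approval"))
        elif g.approved_by == g.user:
            findings.append((g.user, g.resource, "self-approved"))
        if today - g.last_reviewed > REVIEW_PERIOD:
            findings.append((g.user, g.resource, "periodic review overdue"))
    # Separation of duties: a system administrator must not also hold database-admin access.
    roles = {}
    for g in grants:
        roles.setdefault((g.user, g.resource), set()).add(g.role)
    for (user, resource), held in roles.items():
        if {"sysadmin", "dba"} <= held:
            findings.append((user, resource, "system administrator also holds database administrator access"))
    return findings


def access_report(events, subject):
    """Every access to the subject's data by someone other than the subject, oldest first."""
    hits = [e for e in events if e.subject == subject and e.actor != subject]
    return sorted(hits, key=lambda e: e.when)


# Constructed sample data.
TODAY = date(2011, 7, 15)
GRANTS = [
    AccessGrant("alice", "mailbox-db", "reader", "tier-2 support ticket 1042", "bob", date(2011, 6, 1)),
    AccessGrant("carol", "mailbox-db", "sysadmin", "platform operations", "dave", date(2011, 6, 20)),
    AccessGrant("carol", "mailbox-db", "dba", "platform operations", "dave", date(2011, 6, 20)),
    AccessGrant("svc-backup", "mailbox-db", "reader", "nightly backup job", "dave", date(2011, 7, 1)),
    AccessGrant("erin", "sharepoint-store", "reader", "", "", date(2011, 1, 15)),
]
EVENTS = [
    AccessEvent(date(2011, 7, 5), "partner-ops", "partner", "jsmith", "mailbox-db", "export"),
    AccessEvent(date(2011, 7, 3), "alice", "microsoft", "jsmith", "mailbox-db", "read"),
    AccessEvent(date(2011, 7, 4), "jsmith", "owner", "jsmith", "mailbox-db", "read"),
    AccessEvent(date(2011, 7, 6), "tenant-admin", "customer-admin", "mlee", "mailbox-db", "read"),
]

if __name__ == "__main__":
    for user, resource, finding in review_grants(GRANTS, TODAY):
        print(f"{user:12} {resource:18} {finding}")
    for e in access_report(EVENTS, "jsmith"):
        print(f"{e.when} {e.actor_type:14} {e.actor:12} {e.action} {e.resource}")
```

On the sample data the review flags the service account (not attributable to a person), the three policy gaps on the unapproved grant, and the one person holding both system and database administration on the same resource; the report for one user lists the two accesses made by someone other than that user, which is the information a customer would fold into its own forensic process.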

Service Integrity

Service integrity includes two components: 1) service engineering and development; and 2) service delivery. Service engineering and development encompass the way in which the provider incorporates security and privacy at all phases of development. Service delivery covers how the service is operated to meet contractual levels of reliability and support.

Service Engineering and Development

Secure Development
  Microsoft: Microsoft has formalized the rigorous security practices employed by its development teams into a process called the Security Development Lifecycle (SDL). The SDL process is development methodology agnostic. It is fully integrated with the application development lifecycle, from design to response, and it does not replace software development methodologies such as Waterfall or Agile. Various phases of the SDL process emphasize education and training and mandate the application of specific activities and processes as appropriate to each phase of software development. Microsoft makes this process available to the development industry through papers and books [7], as well as via the SDL Pro Network [8], which supports organizations in implementing SDL within their processes.
  Customer: Customers should understand the processes Microsoft uses to develop software and respond to security vulnerabilities. This process is repeatable and designed to build security from the ground up.

[6] Microsoft Lync link: http://lync.microsoft.com/en-us/Pages/default.aspx
[7] More information on SDL can be found at: http://www.microsoft.com/security/sdl/default.aspx
[8] SDL Pro Network link: http://www.microsoft.com/security/sdl/adopt/pronetwork.aspx


Service Delivery

Security Practices
  Microsoft: Microsoft’s security practices are multi-layered and contain:
  • Physical security (includes but is not limited to):
    • Microsoft enforces physical security controls as part of a broad set of carrier-class data center operations. “Carrier-class” means very high availability, allowing for minimal downtime per year.
    • Physical security controls applied to our data centers include smart-cards, identification badges, delivery and loading area isolation, video surveillance, and on-premises security officers 24/7.
    • Only authorized staff has access to the hardware on which Office 365 is run.
  • Host security (includes but is not limited to):
    • Infrastructure assets are scanned daily.
    • Penetration testing by internal and external parties occurs regularly.
    • Automation is used to deploy hardened instances of operating systems.
    • Automated pattern analysis of network logs identifies suspicious network activity.
    • Real-time health monitoring and alerting speeds investigation and mitigation.
  • Network security (includes but is not limited to):
    • Load balancers, firewalls, and intrusion-prevention devices aid in management of volume-based denial of service attacks.
  Customer: The customer is responsible for ensuring that the endpoint from which the service is consumed adheres to their policies.

Auditing
  Microsoft: Apart from ongoing internal auditing and monitoring activities, Microsoft provides our customers with evidence of third-party attestations to our best-in-class environment and has launched Trust Center as a portal for compliance, security, and privacy-related topics.
  Customer: Customers must verify that their compliance requirements are fulfilled by the certifications and audits Microsoft provides. One of the benefits of moving to an Office 365 environment is that Microsoft will keep the environment up to date and secure.


Forensics
  Microsoft: For incident-related purposes, Microsoft performs forensic analysis on events that occurred. Should in-depth investigation be required, Microsoft collects content from the subject systems using best-of-breed forensic software and industry best practices. If someone—Microsoft personnel, partners, or the customer’s own administrators—accesses the user’s non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed and may be able to use the information for their forensic processes.
  Customer: Customers are responsible for understanding what information can be obtained from Microsoft and which processes they must follow to legally access corresponding operational data. This is the basis for integration into the customer’s forensic processes.

Incident Response
  Microsoft: The Microsoft Online Security Incident Response process follows these phases:
  • Identification—System and security alerts are harvested, correlated, and analyzed. Microsoft Online operational and security teams investigate events. If an event indicates a security issue, the incident is assigned a severity classification and appropriately escalated within Microsoft. The escalation team includes product, security, and engineering specialists.
  • Containment—The escalation team evaluates the scope and impact of the incident. The escalation team’s immediate priority is to ensure the incident is contained and data is safe. The team forms the response, performs appropriate testing, and implements changes. Should in-depth investigation be required, content is collected from the subject systems using forensic software and industry best practices.
  • Eradication—After the situation is contained, the escalation team moves toward eradicating any damage caused by the security breach and identifies the root cause of the security issue. If it determines a vulnerability, the escalation team reports the issue to product engineering.
  • Recovery—During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.
  • Lessons Learned—Microsoft analyzes each security incident to ensure we apply the appropriate mitigations to protect against future reoccurrence.
  Customer: Customers should incorporate the information they receive from Microsoft into their incident response processes and understand how they (the customer) can handle them.
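The Identification phase above (alerts harvested, correlated, assigned a severity classification and escalated to a team with product, security and engineering specialists) is the step a customer can mirror in its own incident response process for the alerts its endpoints and directory produce. The Python script below is an added example and not Microsoft's incident response tooling: the alert line format, the failed-login threshold, the two-level severity scale and the escalation routing are assumptions, and the alert lines are constructed sample data.

```python
"""Identification phase of incident response over constructed alert lines.

Added example, not Microsoft's tooling: alerts in a simple
'<timestamp> key=value ...' format are harvested, correlated per source,
classified by severity and routed to an escalation team. The format, the
failure threshold, the severity scale and the routing table are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 5          # assumed: this many failed logins from one source is suspicious
ESCALATION = {                 # assumed routing by severity (1 = highest)
    1: ("product", "security", "engineering"),
    2: ("security", "engineering"),
}


@dataclass
class Incident:
    summary: str
    severity: int
    source: str                  # offending network source or affected host
    evidence: list = field(default_factory=list)
    escalation: tuple = ()


def parse_alert(line):
    """Parse '<timestamp> key=value key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2 or any("=" not in p for p in parts[1:]):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:])
    fields["ts"] = parts[0]
    return fields


def correlate(alerts):
    """Group alerts into incidents with a severity; alerts are assumed to be in time order."""
    incidents = []
    by_src = defaultdict(list)
    for a in alerts:
        if a.get("type") == "av_detection":
            host = a.get("host", "unknown")
            incidents.append(Incident(f"malware detected on {host}", 2, host, [a]))
        elif "src" in a:
            by_src[a["src"]].append(a)
    for src, items in by_src.items():
        failures = [a for a in items if a.get("type") == "auth_failure"]
        if len(failures) < FAILURE_THRESHOLD:
            continue                      # isolated failures are noise, not an incident
        last_failure = failures[-1]["ts"]
        success_after = any(a.get("type") == "auth_success" and a["ts"] > last_failure for a in items)
        if success_after:
            incidents.append(Incident("password guessing followed by a successful login", 1, src, items))
        else:
            incidents.append(Incident("password guessing", 2, src, failures))
    for inc in incidents:
        inc.escalation = ESCALATION[inc.severity]
    return sorted(incidents, key=lambda inc: inc.severity)


def triage(lines):
    """Harvest, correlate and classify; returns incidents ordered most severe first."""
    return correlate([a for a in map(parse_alert, lines) if a is not None])


# Constructed alert lines (ISO 8601 timestamps, so string comparison preserves order).
SAMPLE_ALERTS = """\
2011-07-10T02:14:03Z type=auth_failure host=web01 user=jsmith src=198.51.100.7
2011-07-10T02:14:09Z type=auth_failure host=web01 user=jsmith src=198.51.100.7
2011-07-10T02:14:15Z type=auth_failure host=web01 user=jsmith src=198.51.100.7
2011-07-10T02:14:20Z type=auth_failure host=web01 user=jsmith src=198.51.100.7
2011-07-10T02:14:26Z type=auth_failure host=web01 user=jsmith src=198.51.100.7
2011-07-10T02:14:31Z type=auth_success host=web01 user=jsmith src=198.51.100.7
2011-07-10T02:20:00Z type=auth_failure host=web02 user=mlee src=203.0.113.5
2011-07-10T03:01:44Z type=av_detection host=app03 signature=EICAR-Test-File
2011-07-10T03:05:10Z type=auth_success host=web01 user=alice src=192.0.2.44
this line is not an alert and is skipped
""".splitlines()

if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"sev{inc.severity} {inc.source:14} {inc.summary} -> escalate to {', '.join(inc.escalation)}")
```

The single failed login and the ordinary successful login produce no incident; the burst of failures followed by a success from the same source is the highest severity because the Containment question (is the account now in someone else's hands?) is open, and the antivirus detection is a separate, lower-severity incident with its own evidence.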


Endpoint Integrity

Business Continuity
  Microsoft: Office 365 offerings are delivered by extremely resilient systems that help ensure high levels of service. Office 365 leverages the Microsoft hosting experience, as well as close ties to Microsoft product groups and support services to create a cloud service that meets our customers’ high standards. Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity provisions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable). Customers’ data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to another data center. These measures are aligned with ISO 27001 requirements and provide a robust risk management process.
  Customer: Business Continuity is much broader than simply moving a business workload to Office 365. It is Microsoft’s duty to ensure availability to the contracted level. Customers must understand and decide whether or not additional requirements for their business processes must be met to ensure business continuity, whether the service level agreed upon corresponds with the acceptable risks, and whether they (the customer) need to take further actions.

Endpoint
  Microsoft: Customer access to services provided over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and the data center.
  Customer: Customers should ensure that the devices through which their users access Office 365 fulfill their needs and requirements. This might include (but is not limited to):
  • Hardware security considerations:
    • If the device (desktop, laptop, or mobile) stores information, it should be hardware protected from unauthorized access (TPM, Microsoft® BitLocker®, and so on).
  • Software security considerations:
    • Both the OS and application should be developed using a security model (SDL).
    • Security software must be included (firewall, antivirus, IDS, and so on).
    • A robust security practice process should be in place (auto update, timely patch deployment, client health checks, policy enforcement, and so on).

Information Protection

Data Classification
  Microsoft: Microsoft classifies all of its data along a common data classification scheme. Customer-relevant data is pre-classified according to these guidelines, and protection and security measures are pre-defined according to this classification.
  Customer: Data classification is a key element when considering what should and can be put into a public cloud environment. The customer is responsible for assessing and classifying the data going into the cloud and taking appropriate measures to protect the data from unauthorized access (e.g., encryption).

Data Location
  Microsoft: Microsoft understands our customers’ need to know where their data is located. Data is located in the region corresponding to the customer’s billing address, with some supporting access performed from a U.S. location to ensure and monitor the system’s health and integrity. Detailed information is available on Trust Center.
  Customer: Customers should evaluate whether or not the Office 365 offering meets their requirements regarding the geographic location of their data.

Encryption
  Microsoft: Connections established over the Internet to the services are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The term “data-at-rest” refers to data as it exists on a physical storage medium. Microsoft does not encrypt data-at-rest, but customers may implement Active Directory® Rights Management to provide a layer of control and security for their sensitive data.
  Customer: If customers require encryption, they must expect the loss of certain functionality, such as search. When a customer needs to encrypt data, responsibility for key management remains with the customer since the key must be separated from the data.


Related Reading

• Cloud Computing Security Considerations white paper: http://go.microsoft.com/?linkid=9708479
• The Office 365 Security Service Description is publicly available on the Microsoft Download Center: http://www.microsoft.com/download/en/details.aspx?id=26552
• Office 365 FAQ: http://www.microsoft.com/en-us/office365/online-software.aspx
• Trust Center: http://go.microsoft.com/fwlink/?LinkID=206613&CLCID=0x409
• Office 365 Standard Response to Request for Information: Coming soon on the Microsoft Download Center.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Lync, and SharePoint are trademarks of the Microsoft group of companies.
