Harald Leitenmüller | GDPR: a global, up-to-date data protection standard for Microsoft
Transcript of Harald Leitenmüller | GDPR: a global, up-to-date data protection standard for Microsoft
GDPR: a global, up-to-date data protection standard for Microsoft
DI. Harald Leitenmüller, Chief Technology Officer
Microsoft Österreich GmbH.
AGENDA
• Digitalization
• Secure Growth & Trust
• GDPR & Microsoft Secure Operations Strategy
• APPENDIX: GDPR Infographics; How to get started?; Cybersecurity Reference Architecture
Digitalization – Secure Exponential Growth
• Standardization
• Automation
• Self Service
https://servicetrust.microsoft.com
Microsoft Cyber Defense Operations Center
• Malware Protection Center
• Cyber Hunting Teams
• Security Response Center
• Digital Crimes Unit
• Industry Partners
• Antivirus Network
• CERTs
• Intelligent Security Graph
https://servicetrust.microsoft.com/
Threat Tree 1: Overview

Root risk events:
1  Customer data disclosed to a third party (requires 1.1 AND 1.2)
   1.1  Readable customer data disclosed to a third party
        1.1.1  Accidental data spillage
        1.1.2  Data disclosure due to law enforcement / intelligence request
        1.1.3  Deliberate compromise leading to disclosure of customer data
               1.1.3.1  Cloud service provider (CSP) infrastructure compromised
               1.1.3.2  Customer infrastructure compromised
               1.1.3.3  Compromise of systems outside cloud provider or customer control
   1.2  Customer data is readable
2  Customer data permanently lost
3  Disruption of cloud service

Sub-trees: Threat Tree 2, Threat Tree 3, Threat Tree 4, Threat Tree 5, Threat Tree 6, Threat Tree 7 (node 1.1.3.1 links to Threat Tree 4, node 1.1.3.2 to Threat Tree 5; node 1.2 is expanded as Threat Tree 1.2 below).

Legend: Root Risk Event; Conditions; Technical Controls; Process Controls; Consumer Applied Control

Threat Tree 1.2: Customer Data is Readable

1.2  Customer data is readable
     1.2.1  Data is not encrypted
     1.2.2  Encryption keys become known
            1.2.2.1  Encryption keys lost by the cloud provider (requires 1.2.2.1.1 AND 1.2.2.2.2, numbering as on the slide)
                     1.2.2.1.1  Cloud provider infrastructure compromised (link: 1.1.3.1, Threat Tree 4)
                     1.2.2.2.2  Breakdown in key management enabling attacker access to keys
            1.2.2.2  Encryption keys lost by the customer (requires 1.2.2.2.1 AND 1.2.2.2.2)
                     1.2.2.2.1  Customer infrastructure compromised (link: 1.1.3.2, Threat Tree 5)
                     1.2.2.2.2  Breakdown in key management enabling attacker access to keys
     1.2.3  Data is weakly encrypted

Controls shown on this tree:
• Protected Key Storage and Key Management Practices (listed twice on the slide, once per key branch)
• Encryption at Rest
• Encryption in Transit
• Data Classification
• Cryptographic standards
• Policy on Use of Cryptographic Controls
• Local Data Encryption
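A threat tree like the one above is only useful once you evaluate it: which combinations of leaf conditions still lead to the root event after a given set of controls is in place? The following is an added example, not code from the slide deck or from Microsoft. It encodes Threat Tree 1.2 with the node ids, labels and the two AND gates shown on the slide, computes the minimal cut sets (the smallest sets of conditions that make the root true), and removes every cut set that contains a mitigated condition. Two things are assumptions: the provider-side key-management node, which the slide labels 1.2.2.2.2 like its customer-side twin, gets the id 1.2.2.1.2 here so the two leaves stay distinct, and CONTROL_COVERAGE is an illustrative guess at which leaf each listed control addresses, since the slide lists the controls but does not draw that mapping.

```python
"""Attack-tree evaluation for Threat Tree 1.2 ("Customer data is readable").

Added example, not from the slide deck. Node ids and labels follow the slide;
the AND gates are the two marked there. ASSUMPTIONS: the provider-side
key-management leaf is given id 1.2.2.1.2 (the slide reuses 1.2.2.2.2), and
CONTROL_COVERAGE is an illustrative mapping of the slide's controls to leaves.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    id: str
    label: str
    gate: str = "OR"                       # "OR" or "AND"; only matters with children
    children: list["Node"] = field(default_factory=list)


def build_tree_1_2() -> Node:
    """Threat Tree 1.2 as drawn on the slide (ids as given, see module docstring)."""
    provider_keys = Node("1.2.2.1", "Encryption keys lost by the cloud provider", "AND", [
        Node("1.2.2.1.1", "Cloud provider infrastructure compromised (link 1.1.3.1, Threat Tree 4)"),
        Node("1.2.2.1.2", "Breakdown in key management enabling attacker access to keys (provider)"),
    ])
    customer_keys = Node("1.2.2.2", "Encryption keys lost by the customer", "AND", [
        Node("1.2.2.2.1", "Customer infrastructure compromised (link 1.1.3.2, Threat Tree 5)"),
        Node("1.2.2.2.2", "Breakdown in key management enabling attacker access to keys (customer)"),
    ])
    return Node("1.2", "Customer data is readable", "OR", [
        Node("1.2.1", "Data is not encrypted"),
        Node("1.2.2", "Encryption keys become known", "OR", [provider_keys, customer_keys]),
        Node("1.2.3", "Data is weakly encrypted"),
    ])


def _minimise(sets):
    """Drop any set that is a superset of another, so only minimal cut sets remain."""
    out: list[frozenset[str]] = []
    for s in sorted(set(sets), key=len):
        if not any(kept <= s for kept in out):
            out.append(s)
    return out


def minimal_cut_sets(node: Node) -> list[frozenset[str]]:
    """Minimal sets of leaf conditions that together make `node` true."""
    if not node.children:
        return [frozenset([node.id])]
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.gate == "AND":
        # every child must hold: pick one cut set per child and merge them
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        # any one child suffices: the children's cut sets simply accumulate
        combined = [s for sets in child_sets for s in sets]
    return _minimise(combined)


# ASSUMED mapping: the leaf condition each control on the slide is taken to address.
CONTROL_COVERAGE: dict[str, set[str]] = {
    "Encryption at Rest": {"1.2.1"},
    "Encryption in Transit": {"1.2.1"},
    "Local Data Encryption": {"1.2.1"},            # consumer-applied control on the slide
    "Data Classification": {"1.2.1"},              # identifies the data that must be encrypted
    "Cryptographic standards": {"1.2.3"},
    "Policy on Use of Cryptographic Controls": {"1.2.3"},
    "Protected Key Storage (provider)": {"1.2.2.1.2"},
    "Key Management Practices (provider)": {"1.2.2.1.2"},
    "Protected Key Storage (customer)": {"1.2.2.2.2"},
    "Key Management Practices (customer)": {"1.2.2.2.2"},
}


def residual_cut_sets(controls_applied) -> list[tuple[str, ...]]:
    """Cut sets that survive the given controls.

    A cut set is neutralised as soon as one of its conditions is mitigated,
    because every condition in it is required. Returns sorted tuples of leaf
    ids so the result is deterministic.
    """
    covered: set[str] = set()
    for name in controls_applied:
        covered |= CONTROL_COVERAGE[name]
    survivors = [cs for cs in minimal_cut_sets(build_tree_1_2()) if not (cs & covered)]
    return sorted(tuple(sorted(cs)) for cs in survivors)


def main():
    tree = build_tree_1_2()
    print("Minimal cut sets for:", tree.label)
    for cs in minimal_cut_sets(tree):
        print("  ", " AND ".join(sorted(cs)))
    applied = ["Encryption at Rest", "Cryptographic standards",
               "Protected Key Storage (provider)", "Key Management Practices (provider)"]
    print("Residual after", applied, "->", residual_cut_sets(applied))


if __name__ == "__main__":
    main()
```

With no controls the tree has four minimal cut sets: the two single-condition ones (data not encrypted, data weakly encrypted) and the two AND pairs on the key branches. Applying encryption and cryptographic-standards controls leaves only the key branches, and adding the provider-side key controls leaves the customer-side pair as the residual risk, which is the point the slide makes with its "Consumer Applied Control" legend entry: that branch is the customer's to close.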
[Slide: Microsoft compliance offerings, laid out in four bands labelled Global, US Gov, Industry and Regional]
• Global: ISO 27001; ISO 27018; ISO 27017; ISO 22301; ISO 9001; SOC 1 Type 2; SOC 2 Type 2; SOC 3; CSA STAR Self-Assessment; CSA STAR Certification; CSA STAR Attestation
• US Gov: JAB P-ATO High; JAB P-ATO Moderate; DoD DISA SRG Level 2; DoD DISA SRG Level 4; DoD DISA SRG Level 5; CJIS; IRS 1075; ITAR; Section 508 VPAT; SP 800-171; FIPS 140-2
• Industry: HIPAA / HITECH Act; HITRUST; FERPA; GxP 21 CFR Part 11; PCI DSS Level 1; MARS-E; FFIEC; CDSA; Shared Assessments; MPAA; FACT UK; GLBA; IG Toolkit UK
• Regional: Singapore MTCS; UK G-Cloud; Australia IRAP/CCSL; FISC Japan; New Zealand GCIO; China GB 18030; EU Model Clauses; ENISA IAF; Argentina PDPA; Japan CS Mark Gold; Japan My Number Act; Spain ENS; China TRUCS; Canada Privacy Laws; Privacy Shield; India MeitY; Germany IT Grundschutz workbook; Spain DPA; China DJCP
March 2017
Next Generation Privacy (NGP) is a comprehensive companywide framework, including policies, processes, technical infrastructure and customer experiences, for consumer and commercial segments, that inventories and standardizes the way we treat our customers’ personal data, bringing Microsoft into compliance with the GDPR and other privacy regulations, and provides Microsoft’s commercial customers with privacy solutions.
Inventories
Privacy Dashboard
User Experience
ISO 19944 Adaption
What if?
SecureScore
SecureScore Actions
Compliance Manager: Manage your compliance from one place
• Real-time risk assessment: An intelligent score shows your compliance posture against evolving regulations
• Actionable insights: Recommended actions to improve your data protection capabilities
• Simplified compliance: Streamlined workflow and audit-ready reports

Risk assessment on Microsoft cloud services: Unparalleled details on the implementation and testing of Microsoft service-side controls
• Microsoft implementation details: Get technical implementation details on how Microsoft protects your data.
• Test plan details: Understand how third-party auditors test the controls Microsoft has implemented.
• Unparalleled details: For any control findings, understand how Microsoft mitigates the risks to keep your data secure.

Simplified compliance: Streamlined workflow and audit-ready reports
• Control management: Quickly assign tasks and collaborate efficiently across teams.
• Audit-ready reporting: Reduce the effort of managing your audits by generating reports with detailed evidence.

Sign up for public preview | Visit the tech community blog
More…
• Microsoft Cloud Assurance: http://www.microsoftcloudassurance.com/
• Trust Center: https://www.microsoft.com/en-us/TrustCenter/default.aspx
• Trust Portal: http://servicetrust.microsoft.com ; https://trustportal.office.com
• SecureScore: https://securescore.office.com ; https://aka.ms/SecureScore (https://youtu.be/h__nxWlm5Nc)
• Security & Compliance Center – Audit Controls: https://protection.office.com
• Security Reference Architecture: https://mva.microsoft.com/en-us/training-courses/cybersecurity-reference-architecture-17632?l=sa3b33xtD_404300474
• GDPR: aka.ms/GDPRblogpost ; Microsoft.com/GDPR
• Beginning your GDPR Journey (whitepaper): http://download.microsoft.com/download/B/4/D/B4D3A286-499F-4DF2-A502-14CE54281323/Beginning_your_GDPR_Journey.pdf
Find more in the APPENDIX: GDPR Infographics; How to get started?; Cybersecurity Reference Architecture
Thank you
Be Safe!