SQL Azure Security (Windows Azure)
1. Dr. Eduardo Castro Martínez
Microsoft MVP
ecastro@mswindowscr.org
http://comunidadwindows.org
http://tiny.cc/comwindows
http://ecastrom.blogspot.com
6. Saugatuck Insight: Saugatuck believes that many users will find that changes required in internal organization and politics for moving from dedicated to shared resources pose significant challenges to the adoption of Cloud Computing.
Source: Saugatuck Technology Inc., 2009 Cloud Infrastructure Survey (Julne09), WW N=670
7. Questions to ask a cloud provider, covering Security, Privacy, Reliability and Business Practice:
Is your service secure?
Are you ISO 27001 certified?
Do you have an incident response plan?
Do you have a SAS Type II Report?
Are you HIPAA compliant?
How do you ensure data isolation?
Jurisdiction?
Data retention?
Have you ever had a service outage?
Do you have a performance SLA?
Do you provide 24*7 support?
11. Service models: SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service)
Deployment models: Public, Hybrid, Private
12. Threats and the platform mitigations for each (STRIDE categories):
Spoofing: VLANs; Top of Rack Switches; Certificate Services; Shared-Access Signatures; HTTPS; Service Definition file, Windows Firewall, VM switch packet filtering
Tampering & Disclosure: VM switch hardening; Custom packet filtering; Port Scanning/Service Enumeration; Sidechannel protections
Denial of Service: Load-balanced Infrastructure; Network bandwidth throttling; CiscoGuard enabled on Storage nodes; Configurable scale-out
Elevation of Privilege: Partial Trust Runtime; Hypervisor custom sandboxing; Virtual Service Accounts
16. Threat diagram: Physical Attacks On Servers; Central Admin; Customer Admin Users; Windows Azure; Customer Tenant; External Web Site
17. Threat diagram: Physical Attacks On Servers; Customer Admin Users; Windows Azure; Customer Tenant
23. Defense in depth layers:
Managed Code Access Security: partial trust
Windows Account: running with least privileges
Windows FW (VM): rules based on service model
Virtual Machine: fixed CPU, memory, disk resources
Root Partition Packet Filter: defense in depth against VM "jailbreaking"
Network ACLs: dedicated VLANs for tenant nodes
26. Diagram: Root VM and seven Guest VMs running on the Hypervisor, above Network/Disk
36. World-Class Security
Service security starts with the data center:
Data center within a data center
Motion sensors
24×7 secured access
Biometric controlled access systems
Video camera surveillance
Security breach alarms
37. World-Class Security: Security, Data, Risk, Privacy, Management
40. Inputs to the recommendation: Customer and Partner Requests and Feedback; Competitive Position; Market Size.
Compliance Landscape (vertical specific):
US Govt (Federal and State): ITAR, FISMA, FIPS-140
Banking: BASE II, NASD
Investing: BASE II
Healthcare: HIPAA
Energy: NERC 1300
Compliance Landscape (cross-industry):
PCI DSS: Credit Card Processing
Sarbanes Oxley: Financial Reporting
EU Privacy Directive 1995/46: General Process and Security
ISO 27001: General Process and Security
SAS Type II: General Process and Security
Legend: provides assurance; required by law when performing certain tasks.
Notes: PCI DSS frequently mentioned too. Even without PCI DSS, it is possible for customers to write PCI compliant apps, although this is not viable for some. ISO27001 and SAS70 were the most frequently discussed by customers, partners, and field. The PCI-DSS specification is not "cloud aware"; a new spec is coming in 14 months.
41. Certifications held by providers
                                      ISO 27001   SAS 70 Type 2   PCI DSS Level 1
Datacenters
  GFS (Microsoft)                        X              X               X
  Rackspace                              X              X               X
  Terrecloud (hoster of VMWare           X              X               --
    vCloud, in Europe)
PaaS / IaaS
  Windows Azure (Microsoft)              --             --              --
  AWS                                    --             X               --
  GAE                                    --             --              --
  Force.com / VMForce.com                X              X               --
SaaS
  BPOS (Microsoft)                       X              X               --
  Google App Engine                      --             X               --
  Salesforce.com                         X              X               --
Notes: Although they have SAS70, AWS does not share contents of the audit with the public. BPOS has achieved distinct certifications on top of GFS.