Cloud Governance.

Microsoft Western Europe, May 2021, English Version 4.0 (info.microsoft.com, 146 pages)

Guidance on assessing security, privacy, compliance, and risk when adopting Microsoft Cloud Services.


Contents

Summary ... 4
Introduction and Reading Guide ... 6
Legal Framework for cloud ... 9
Cloud roles & shared responsibilities ... 19
Risk Based Evaluation ... 22
Putting it all together ... 30
Cloud Governance - best practices ... 30
Cloud Governance ... 31
Good questions for the cloud provider ... 37
Sustainability ... 88
Good questions for your organisation ... 94
Further perspective ... 105
Acknowledgements ... 106
Disclaimer ... 107
Appendix ... 108
A. Cloud computing - service and delivery models ... 110
B. Total Cost of Ownership comparison ... 113
C. European Data Protection Board draft recommendations of November 11th, 2020 ... 119
D. Specific National Regulation ... 120
E. Risk-based Approach - further details ... 129
F. Microsoft Cloud Assurance - process ... 131
G. Other whitepapers referenced in this document ... 138
H. Previous versions of this document ... 143
I. List of questions & answers ... 144

00 / Summary

Over the course of the past 5-10 years, most organizations, including those in the public sector and other regulated industries, have at some point evaluated if and to what extent they can benefit from using cloud-based solutions and technologies. Governments and regulators around the world have recognized the potential of this technology paradigm, introducing "Cloud First" legislation1 and providing guidance on how best to evaluate and implement cloud-based solutions. To some extent cloud computing has already become the norm, not the exception, when organisations choose platforms and solutions to support and secure their ability to do business in an efficient and resilient manner, today and in the years to come.

Cloud computing is defined as follows:

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction"2

This paper provides guidance on what is named Hyper Scale Cloud Computing (HSCC). It is important to distinguish this from other variations3 of Cloud Computing offered to organizations today: for marketing purposes, providers will name their offering Cloud Computing while the actual platform lacks many of the scalability, operational and economic benefits of HSCC.

Over the past years, concerns in the European Union about how to establish and maintain an adequate level of data protection, and trust in the providers of Hyper Scale Cloud Computing platforms, have been growing. EU legislation in the form of the General Data Protection Regulation (GDPR) is however still quite clear, laying out the mandatory steps for any data controller and processor to follow in order to protect and process Personal Data. The GDPR, together with additional national Data Protection laws, the CJEU Schrems II verdict of July 16th, 2020 (Schrems II) and the EU Standard Contractual Clauses (EU SCC), forms the legal foundation on which all processing of Personal Data can be based. This paper will provide the detailed information needed, allowing all organizations to assess if and how the Microsoft HSCC Services (e.g., Azure, O365, M365, D365, Power Platform) can be utilized, configured and controlled while remaining in full compliance with laws and regulations in the EU/EEA. We believe the conclusions to be very clear: the Microsoft Hyper Scale Cloud Computing Services can be (and already are) used for processing and adequate protection of Personal Data within the EU/EEA.

1 New Zealand Cloud First strategy as an example: cloud-services

2 For more detail on the definition of cloud computing, see Mell, Peter and Grance, Timothy, 2011: The NIST Definition of Cloud Computing, NIST Special Publication 800-145:

3 For more detail on the variations, see Appendix A of this paper.

It is natural to question if and how HSCC customers, in their role as data controllers, can retain adequate control of the Personal Data entrusted to them by data subjects. This white paper aims to describe a generic process for the assurance evaluation of adequate privacy, data security, and legal and regulatory compliance.

It is no trivial task to establish the proper use of Cloud Computing services in all scenarios. Adequate assessments of risks, supplementary measures and governance structures must be executed and maintained over time. However, the benefits far outweigh the resources needed for due diligence, both in terms of easy access to innovative new technology, virtually endless scalability and a beneficial cost structure, and in terms of vastly improved resilience against a fast-developing cyber threat environment.

Furthermore, solid risk management practices are not new or specific to the adoption of Cloud Computing; they have always been necessary for the adoption and assessment of lawful and adequate security and protection in both new and existing on-premises systems.

Not only does this white paper describe models for how to establish the informed and documented foundation for this adequate protection, risk management and trust, it also provides guidance on how best to execute the required legal and security due diligence process and establish solution designs and governance best practices that will ensure secure and compliant use of HSCC.


Introduction and Reading Guide

Digital transformation is happening every day, everywhere around the world. It allows organizations to engage with their customers or partners in new ways and to transform, adapt and innovate their products, services, and business models. They can optimize their operations whilst empowering their employees. Advancing technologies in the digital workplace, business applications, data, machine learning and artificial intelligence provide the means for organizations of all sizes to do things fundamentally differently or to do fundamentally different things. Because of the impact of digital transformation on our economy, society, governments and culture, the World Economic Forum4 described this as the fourth industrial revolution.

Digital transformation translates into many different scenarios in which an increasing amount of data needs to be processed. Especially in areas like the Internet of Things (IoT), big data, artificial intelligence and machine learning, large volumes of events and data are generated, stored, processed and analyzed, which requires scalable datacenter capacity and dynamic access to resources like computation, storage and networking. Business innovation is empowered by the ability to rapidly test and deploy new functionality without incurring the cost of setting up an expensive infrastructure. As organizations transform into more digitalized businesses, technology becomes increasingly fundamental and critical to supporting the processes within the organization, and the resulting need for capacity, agility and financial benefits drives a strong demand for and adoption of cloud computing. On-demand availability of large quantities of resources and innovative services, accommodated by "pay-as-you-go" financing models (the core attributes of cloud computing), provides attractive options.

However, concerns about perceived loss of control, privacy, compliance, security, and reliability may still slow down organizations from fully embracing the potential of public online services.

Clearly, organizations become more dependent on their IT infrastructure and its providers and the types of data being processed become more critical or sensitive, e.g. intellectual property, PII, financial data or health records. Consequently, many non-functional requirements on IT such as availability, quality, privacy, and security become pervasive:

"Businesses and users are going to use technology only if they can trust it."5

Therefore, it is essential that organizations practice due diligence by evaluating and assessing these non-functional requirements, typically through a thorough risk assessment process, many elements of which are in general already in place, as the assessment of IT risk is nothing new in itself.

4 See: 5


Trust

Trust is a state of mind, and without trust our society does not function. When using cloud services, one effectively engages in a partnership with the cloud service provider and, as with any relationship, it is imperative that the responsibilities of both parties are clearly defined and that this trust can be verified.

To build this trusted relationship, customers need insight into and assurance of the reliability of the cloud, to establish that the cloud service is designed and operated securely and adheres to all applicable laws and regulations. The required level of assurance is for the most part clearly defined and enforced by legal and regulatory requirements (e.g., GDPR); it may be guided by security control frameworks such as ISO 27001 and verified by third-party audits under attestation standards such as SSAE 18 / SOC 2.

At the same time, running a business without taking any risk is not feasible, but organizations must have a solid understanding of these risks, so they can make informed decisions about their risk mitigation strategy: i.e. accepting risk, transferring risk or reducing risk to acceptable levels, as defined by the business, by selecting the appropriate mitigating controls.

Reading guide

The starting point for this white paper is how Microsoft, as a cloud service provider, handles the processing responsibilities that result from customers choosing to use our cloud-based services, specifically:

Online Service                              | Microsoft Trust Center | Further details in service specific whitepaper
Microsoft 365 (incl. O365)                  |                        | Paper to be released H1-2021
Dynamics 365 (incl. the Power Platform)     |                        | Paper to be released H1-2021
Microsoft Azure                             |                        |

An overall description of Microsoft Cloud Compliance, including a detailed whitepaper, can be found at


The content in this paper is selected based on experiences gained through numerous dialogues with private and public organisations throughout Europe. The information in the document is therefore relevant to both public and private organisations that are considering, or already are using, Microsoft Online Services as delivered through the Microsoft Hyper Scale Cloud Computing offering.

The remainder of the white paper is divided into the following seven main sections:

01 / Legal Framework

02 / Cloud roles & shared responsibilities

03 / Risk Based evaluations

04 / Cloud Governance - best practices

05 / Questions for the cloud provider: 61 selected questions on contracts, audits, data processing agreements, security controls, subcontractor management, sustainability, contingency plans, etc.

06 / Questions for your own organisation: 18 selected questions on strategy, business plans, risk assessment, general compliance, organisation, competencies & implementation plans

07 / Appendix: Details on Total Cost of Ownership, Cloud Computing service and delivery models, EDPB draft recommendations, specific national regulations, the risk assessment and Microsoft Cloud Assurance process, a list of whitepapers referenced, and an overview of the 79 questions and answers.

This paper is certainly voluminous and attempts to cover all scenarios and topics that might be of interest. The reader should not be discouraged by the sheer amount of information, but instead use it as a reference tool by simply searching for the specific topic of interest. For example, a PDF search for the term "Subprocessors" leads directly to the two Q&As dealing with documentation and guidance on this term.
