First of all, thank you for taking time out of your lunch to join us here. I appreciate you guys spending the time here with us today. My name is Ken; this is my colleague Om. We come from the Office 365 Trust team. So our team is basically designed to essentially provide transparency and a view into what we do to meet many of our contractual and regulatory obligations that ultimately help you guys deal with your issues around security and compliance,
and ultimately gain a level of trust with Office 365 with you or your customer's data. So when you think about what we do here, there are a number of investments that we made in Office 365 around our trust investments, around transparency, around our trust. And you should really expect these from any cloud offering. So while we're really gonna be talking about O365 here, a lot of what we talk about here applies to Azure, it applies to Dynamics CRM in the cloud.
So this is a very common narrative that you should be seeing across all of our enterprise cloud properties. So if you think about how you wanna start with your principles, you gotta think about what we're trying to protect here. You want principles that are worthy of the data that's actually being stored in the cloud service. You've trusted us with your data, you want us to compute over it. You want us to provide inferences and things on top of that data to give it back to you in a value state.
So we need to respect that data and how we handle it. So when you think about sort of the pillars of a trust narrative, it first starts with security. All right, how do we secure the system? How is the infrastructure providing an environment where your data can be handled properly, safely, and securely, both from internal and external forces? Then you wanna think about privacy and control. Who sees the data, what are the controls on top of that data?
And even what are the privacy controls that you as a tenant or a user have on the system. Think about things like features like DLP, features like the RMS rights management servers, right? How do you have the controls in order to, as a tenant or a user, share or not share your data in a very appropriate manner? When you think about the term compliance, compliance is a pretty overloaded term. You can swap out the term governance, you could swap out
the term policy; compliance means a lot of things to a lot of people. The way I look at it is, as a cloud service provider we make a number of commitments just at the infrastructure level that allow you to build on top of, right. So we go off and obtain our external certifications: ISO, SOX, FISMA. We make things around HIPAA commitments, EU Model Clauses. That's the foundation on which other things can then be built, and the layers upon which the trust narrative can then be shared. Finally, after we do all this,
we just need to be transparent about it. Right, not a day goes by that a customer doesn't ask somebody, where's my data? How do you handle my data? Where does the data go in this scenario? I'm in the Middle East but I have a user roaming in Europe. What happens to that data? So there's no end of discussion about where does the data flow and who has access to it.
What we try to do is then take all of that and make it transparent to you. Right, so you can answer those questions yourself. When people ask, or if it's your question, the resources are right there available to you, in order for you to get the answers you need. So now when you have those pillars, you look at our sort of trust narrative that we lay on top of that. When you think about it, again starting with security, right, and
this goes all the way down to the physical layer. We talk about buildings. We talk about hard drives. We talk about who gets into the cage. When the network card goes off on a machine, how do you get that fixed, right? So all of those have got a security implication to the system, right? When you start looking further up that stack, what's the security of the application layer?
What's the security of the administrative plane that we have into those applications? So every one of those layers upon one another. And then again, you take the next step up and go right to the end user experience, the administrator experience: how do you secure your data? Data in a SharePoint library, what controls are available for you to make sure that data is only seen by the financial controller and the president, right.
There the sales numbers are there, or maybe it's an HR system that you implemented on top. So all of those layers of control make sure that your data is secure. We talked a bit about compliance. Our layers of compliance fundamentally start with industry standard, international certifications, and regulations, right. So we basically do those things in order to answer your chief risk officer or your compliance officer that says every one of my
cloud service providers needs to have the following certifications. And we layer those up on top, and so we run all the way from some very simple ones like the ISO to some very deep ones like the FISMA/FedRAMP side for federal government capabilities. You've heard about some of the go-locals that we do. So I think we just announced the other day moving into Germany; there was a session yesterday on that. Well, for every one of those regions that we go into, we get a laundry list of all the certifications that have to be met,
by certain verticals, by certain industries in those countries. And so we start to work on that. And so before we make that step into any market, we have to tackle all of the obligations that come with that market, in order to make sure that when the doors are opened up and we can sell you your first mailbox, your first SharePoint site, it's all set, ready to go. Then we look at privacy. Privacy, the thing that is dramatically changing.
All right, it changes every day. The primitives that we look at are: who has access to your data, do you know who has collected your data, and how is it being used? So you're gonna see things like our privacy statements sprinkled everywhere. There are optional things that you can do sometimes where we've integrated little bits of Bing into Office 365. You will know when that happens. You will make a conscious choice and you'll understand what
Bing's privacy statement is when that data is used in those services. So all of this together means you'll have a clear vision about what we will do with your data and how it'll be protected. So take a quick look at security. Kind of look at this concentric pie-shaped model. All right, we're not gonna go through every one of these, but if you think about it, that inner red circle is all the things that we will do in order to provide a basis for security. Isolate the customer data; it's in one place.
We don't sprinkle it out everywhere, right. The data is encrypted. If you're familiar with it, we call it the Brad Smith memo. About a year and a half ago, Brad Smith made a very pronounced announcement saying all your customer data's going to be encrypted at rest, in transit, and in processing. So, those types of commitments, where the data is being fully encrypted. You wind up with a full monitoring system. Everything about our operations model is monitored 24 hours a day.
Intrusion detection, malicious behavior detection, all of those things that you layer on top of that, that help you find something that just doesn't look right. It might be okay, but we wanna make sure that it's just an anomaly and not some malicious activity happening. You look at all of that and you see that next sort of darker circle; these are some of the things you can do yourself, right? This is where we begin to look at what the customer's able to do, right?
You have your own compliance obligations. If you're a doctor, if you're a dentist, there are things that you are required to do all for yourself, for your own obligations to report out. We're here to help you support that with the underlying feature set. You know you have hygiene activities, your anti-spam, your anti-malware activities that are all part of the service. So, again, how you lock down your workstations, how you're responsible for
managing your side of the compliance equation falls out to there. Now when you put those two pieces together, that's where the third-party and industry standard certifications come in. That's where your ISOs and your SOX and your FISMAs all come together. They're the frameworks that actually guide companies like Microsoft and cloud service providers and say, here's what access control should look like. Here's how you evaluate it, here's how you test it, here's the evidence
that you have to prove and show that it's actually up and working. All right, those third-party certifications are independently audited, independently verified. So we just can't say we think we're ISO today, all right? We have auditors yearly coming in, validating our processes, validating our people. And so we obtain those certifications year upon year upon year, and they're all validated. So when you think about defense in depth from a security perspective,
think about if we're gonna build this up from the bottom up. This is just your standard stack discussion, right? What do we do at the base level? There's a piece of cement living out in the desert somewhere that we call a data center, right? How do we protect that? What's the security? What's the physical access? You walk down that hallway, what cameras are on?
What racks? And sort of who can get in? What's the escort policy for people coming into that facility? All of that is just controlled at the facility level, right? Network perimeter security: routers, firewalls, malicious behavior detectors, right? So if you're seeing 90,000 connections from this one IP address, it might be a little bit suspicious; we throttle, we do the evasive maneuvers, protect the service, right?
There are so many tenants in here, we can't allow a single attack to bring down an entire set of tenancies or the server itself. Now you talk about the internal network. This is our network into the service. Multifactor auth, right? Making sure that no one person can just get into the service without going through approvals and providing at least two pieces of authentication to get in. So it's very, very difficult to get in.
Look at the host now, that's the boxes that we run. Right, access control, monitoring. Making sure that our boxes, which are in our cloud, are malware free. They don't get polluted by, maybe, sloppy operational code. Anything like that gets cleaned out, right? So we make sure that the boxes themselves maintain their level of health. Now we're talking one step up. We're talking about O365 now, Exchange Online,
SharePoint Online being deployed on these boxes, right? So now we have an entire engineering process that Microsoft is famously known for. How do we develop software? What are the processes? Every code check-in has a number of peer code reviews, and depending on the level of the change, may even need a very specific security review and/or sign-off by a senior manager. So we have this process by which we can then assert the code itself
is actually well engineered. Now we talk about account management. This is where essentially now we track the users. What is the activity that's going on with each individual user? Do we actually know that they've been trained? If you are given permission into Office 365, you go through background screenings, you go through privacy training. A number of things are contingent on you getting access to the system, prior to you getting access to the system.
And finally we get up to the data. You've jammed enough data into Office 365; this is how we are gonna protect that data, right? We do threat and vulnerability assessment. How would you do SQL injection on customer data? Every input that you are allowed through O365, we have threat-validated that input and the output. Real quick, isolated customer data: in a multi-tenant service like Office 365,
you've gotta think about that more as a logical isolation, right? The only way you get to scale is to actually share. So essentially, we have the data in the cloud; in a multi-tenant environment it is designed to support logical isolation. So your data is maybe physically sitting on the box next to somebody else's. But from an application layer, there's no way those two pieces of data are gonna be co-joined in any way, shape, or form. So it's there to protect against the intended and
unintended bleeding of data, right? We don't want a process to come over and say, well, we're doing this compute over data, but somehow we have two tenants' data combined together to count the number of meetings that somebody has, for instance, right? So we wanna make sure those two pieces of data are kept separate. And then secure media handling. This goes back down to that facility level. What happens when that hard drive becomes old,
needs to be swapped out, showing intermittent failures? How do you determine when that needs to happen, and the process by which that can be done securely, right? All of our systems are BitLocker-encrypted. So as soon as that drive comes out of the server hardware, it's completely encrypted for any other use. So the data in there is completely dead. But we don't stop there; we have a physical destruction protocol. We have a number of
deprovisioning protocols that are all part of the certifications that this hardware has to go through on its way out. Encryption at rest, in transit: we talked about this briefly. Two simple slides here. If you think about what we do in transit, we do encryption in transit in TLS; we have a hierarchy of ciphers. You'll hear us say quite often we require a FIPS 140-2 set of ciphers. While we still have a wide range of ciphers that fit into that category, we have a very strict ordering that has been reviewed by the government
staff, which says the highest-order ciphers will be used first. So if you come in with a weaker cipher, we can still support it, but it will not be the first choice. So as we walk down our security, we will hit the highest ciphers first and challenge you. So if you do support a higher-level cipher, even though it may not be higher on your side, we will ask for that first from you. So, in transit and at rest: we talked a little bit about BitLocker, BitLocker doing the core disk level, but
at the application layer, customer data is also encrypted at the application layer before it's committed to storage. You'll also notice that in transit, that encryption is also from the client. So client to server as well needs to be encrypted. Now that we actually have your data, how do we talk about our access to your data? What we have is this thing called Lockbox. Nobody has standing access to the production environment.
You have potential access because you've gone through background screenings. You've gone through trainings, and that gives you just the ability to ask for permission to go in. We have multiple clouds, right? We have a government cloud, we have O365 public, we opened the ones in Germany. So each of those could potentially have their own unique requirements. So as those requirements are absorbed,
that predicates your access into that environment. If you're gonna access anything to do with customer data, you go through our Lockbox. A Lockbox essentially is something that grants you temporary access into the environment. The environment then says, you'd like to make a request to go into the data center? Logically, your manager approves, and potentially your manager's manager may have to approve as well.
There is an offering called Customer Lockbox, which, for an extra add-on, as a customer, you can be inserted into that approval path. So if you make a request for Microsoft to look at or fix your pieces of data that might be causing problems, you are part of that approval path for us to handle the data on your behalf. You notice that we come in from the Microsoft corporate campus or the network. That again requires encryption, secure access and multi-factor auth. All right, so a couple of models that we have on the security side.
First one is, we try to prevent breach. And this is all the way we design and develop the system, right? This is the network routings that we do, this is the data isolations and network isolations; every piece of code is threat modeled, code reviewed, and there's a set of games that go on to validate that we've done the best we can from a code and infrastructure perspective. Then we assume breach. We just assume that there's someone in the network. We assume that there's someone out there, so we're constantly looking.
In fact, some of those people are our own people. We have a red team, blue team. People familiar with red team/blue team semantics? We have internal people; we have attackers and defenders. They represent, essentially, a malicious person in the company who has access to the resources of the company, and then they basically try to break in. They wind up telling you, hey, there's a guy out there with a password sitting in a text file somewhere.
There's a guy out here doing this. So we attack ourselves internally and then we defend, and then our reaction is evaluated. How long did it take us to find them? What did it take to get that person out of the environment? So we play these continual sets of war games against the service itself internally. So if you think about what the assume breach does, it validates our attack vectors, our penetration ability, it looks at our response times, and we're measured each and
every day against our ability to react. It also measures some of our isolation techniques. So if you think about an attack, one of the things that typically happens is you break into the weakest point and then you try to pivot. Once I'm here, can I get there? And once I'm there, can I get there? So we put in multiple layers and layers of defense in depth that prevent that from pivoting. So for instance, if somebody were to get into Exchange,
they shouldn't get into SharePoint. Or if they get into this server in Exchange, they're locked onto that server. They don't have the ability to pivot off of it. It's all about a containment model, to minimize any type of attack activity. That comes at a huge cost to the engineering development teams, right? There are layers upon layers.
If you want to get into that server, you might need one of 19 accounts to get into there, right? So you don't have a separate identity for every one of these logical things in order to get into it. All right, privacy. Again, it's all about transparency. We wanna make sure that we always hit that high bar that you feel good about; you know what data of yours we have, what we do with it after we collect it, right? So we wanna make sure that when you think about Microsoft,
you trust us that we are just gonna do the right thing with your data. And that starts with where the data is stored. If you look at, and Al will show you this, I think, a little bit later: on our website we actually have a data map that will say if you are a user in this region provisioned this way, your Planner data is here. Your Exchange data is here. Your SharePoint data is here. So you have clear visibility today of where your data lives, right,
who can access it, and then again we make contractual obligations to you, and the Lockbox and all the other things that we talked about, about who can actually at any given time access your data. For the most part no one touches customer data. It's only upon escalation where you say, I've got a SharePoint problem, this email is not traveling, where we in fact get your permission and we say, okay, you know, through a support ticket or customer support engagement, let's go and look at this thing together, and you can approve our access to that data.
And then how you get notified when things change, right? We add data centers all the time. We're adding new features all the time. So there's a level of notification that is just ongoing that you need to make sure you're consuming. Things like Planner just show up. What does that mean to me? Is it on by default, how do I deal with this? If I have certain obligations, maybe I'm a HIPAA-obligated customer.
What does that mean to me, how do I deal with that? So if you look at privacy in the service world, this is kind of a thing that a lot of people ask us: what role do we play in data privacy? There are a couple of key terms here. The data subject is actually the person or the user entering their data. So think of it as the end user. And there is something called the data controller.
This is the person or the company who decides how the data will be used, right? So think about, like, we're going to put Excel spreadsheets up there, we're gonna put financial information in them, and this is how we're gonna share the data out. That is the data controller. And then you have this thing called the data processor. This is the person that actually processes that data on behalf of the data controller.
So the data controller only has certain rights to process and view that data. So as you can obviously see, in an enterprise world users are the data subjects, the customer, the tenant, is the data controller, and Microsoft in this case is the data processor. Which is kind of different when you think about what happens in a consumer world. In a consumer world Microsoft becomes both the controller and the processor.
So you are the Hotmail mailbox, Outlook.com mailbox owner, the OneDrive consumer user. Your data: you are essentially the admin of yourself. You're a single user of a single tenancy. We then still become both the controller and the processor in order to process that data on your behalf. So a slight difference between the two, more in the weeds about privacy law and who can do what, but key terms if you're really interested in privacy concepts;
something you should understand, the roles that we play. International privacy laws and regulations: ISO 27018. Microsoft had a huge part in helping define this industry standard. We were reviewed as one of the people who had a very stringent privacy program in place, and so we were able to work with the industry standards and help guide the international version of those. EU Model Clauses, now being replaced by this thing called Privacy Shield, but this is actually the ability to bring data from Europe into North America for storage and processing.
Essentially it says we commit to handling that data the exact same way and to the same standards as it would be in Europe. And if we can do that, then it's safe to bring that data into the United States for processing. That has gone the way... it was struck down by the EU privacy boards, and there's a new one coming out that's called Privacy Shield. You may have seen that recently. Microsoft was the very first company to actually sign up and attest to meeting Privacy Shield.
So we're very proud of that. All right, I'm gonna hand this over to Al now. He's gonna walk you through more of the compliance side of things, and essentially walk you through how we make that a transparent activity.
>> Thanks, Ken. And so, continuing our discussion, we talked about security and privacy. In terms of compliance, we are focused on three things. One, we want to make sure that we as a service are being compliant with regulations that matter to you.
You are almost 90% there to be compliant. There are certain controls that you still need to do or implement, but we will take you there. If you use Microsoft cloud services, we will take you up to that point. We are also making sure that we are providing you the features that will help you to stay compliant. So at the end of this day I've added slides which have various different tracks that you can look into, in the Office 365 Security and Compliance Center.
We have a lot of different features which help you to stay compliant with your regulations. And we will talk more in our current session about the security considerations workbook that we are giving you, which you can use to make sure your identities are secured. Now, you will say okay, how do we manage to comply with all these regulations? So this is our kind of compliance life cycle, if you will. And let me quickly walk you through that.
So we start with market intelligence. What it means is that Microsoft has dedicated teams who are focused on looking into what regulations are upcoming in various regions, various industries. They understand how those regulations will impact us as Microsoft, as a service provider, and how it will impact our current and possible new customers. By doing the deep analysis, they come up with a mapping of how those controls are mapped over the existing Office 365 and
other cloud services' control set. We then define what controls we may need to add. Let's say if we are satisfying the new Chinese regulation. And those controls are then, again, we sit down with the engineering teams and define how those controls will be implemented. We document those implementation details, and once we implement those controls we take those controls, as well as our existing controls, into our rigorous third-party auditor testing. So we joke that there is always some auditor in
Microsoft auditing us. So that happens on a continuous basis, and what we do is that out of these audits come findings, and we quickly understand what those findings are, what is the risk of those findings, and then we prioritize and kind of remediate those findings in a timely manner. And then we continue to work on this compliance life cycle. So this is kind of an eye chart, but this will give you a good view of how we've evolved over the years.
So if you see, we started with just 39 security and privacy and compliance controls in 2008. Then we quickly scaled to more than a hundred controls, and we achieved our ISO 27001 certification. But at that point we kind of started thinking that even though ISO is a globally recognized standard, we need something which is much deeper and detailed. So we changed our control framework based on ISO to a control framework based on NIST 800-53.
And you will see over the years we have increased our controls implemented to more than a thousand controls now. And what that has done is that it has given us the foundational piece of complying with all the global regulations we have. So when new global regulations come, we do mapping and we find out most of the controls have already been satisfied. There are controls here and there, let me say four or five controls per year, that we need to add, but most of our controls
are satisfying all those new and upcoming regulations. So we get one leg up. And then, based on all this work, we have achieved this foundational compliance piece where these are the most recognized control frameworks that we have attested to, like FedRAMP, ISO 27001, ISO 27018. But we don't stop there; we understand that you who are coming from regulated industries, like finance, government, or healthcare, or education, for that matter. We'll also map all the requirements that you in your regulated industry
have to our control framework, and we have certified against those. And then, last but not least, we also understand that you come from different regions and different countries, and each of those has their own regulatory requirements, so we have mapped those regulatory requirements into our control framework, so that we comply with those as well. So that's kind of our thought process. Now, moving to service assurance. So two years ago we started discussing with our customers that
hey, we have done so much security, compliance and privacy investment. But there was a disconnect. In fact, if you needed to request one single report, you had to contact our support team, who in turn contacted our compliance teams. And then the compliance team would contact you, find out whether you have an NDA or not. And then at the end of all this process send you one single PDF with the one report. We said we need to stop that.
So we said, what can we do? We sat down with 250-plus customers, partners, and regulators. And we started listening to their questions: they want to know more details. They want to know more insights, but when we kind of deep-dived with them we came up with two distilled questions. One, how does Microsoft protect my data? They wanted to know that. And two, how can I protect my tenant? And we said, okay, we're going to provide you answers
in a self-service model to these two questions. And that's how we created what we call the service assurance platform. And in the service assurance platform we have two focus areas. One, we want to gain your trust with transparency. All these things that Ken talked about and I touched upon, security, compliance and privacy: we want to make sure that you are able to seamlessly see what we are doing, so we are making those things available to you. And as I talk more, as I do the demo,
we want to be best in class in terms of transparency. And also we want to make sure that you get information to stay secure and secure your tenant. So after answering these questions, in service assurance one additional thing that you get to do is that you get to give us feedback. And we really, really want your feedback; we just started it as a feature and I will demo it pretty quickly now. But in each of our service assurance pages, you get to give us feedback, okay.
Does this meet your need? Do you need something more? Are we missing something? Whatever, good, bad, ugly, whatever feedback you have, we want that because we want to improve. And our hope is that, through using service assurance, you're able to perform on-demand risk assessment. Whether you are evaluating us as Microsoft cloud, whether you have already bought seats but
you are not using it because you have some regulatory needs and you want to do this assessment, or you have your own annual or internal audit that you need to satisfy. We want you to be able to come to service assurance and get information very seamlessly. And then, combining that with the ability to give information around securing your tenant, we want to make sure that you are able to leverage all the investment
you have done in Microsoft cloud without worrying about security and compliance and privacy blockers. So how we are providing you information through service assurance: we have three pillars. One is discovery, and service assurance is delivered through the Office 365 Security and Compliance Center. So, in the Office 365 Security and Compliance Center, you will get to see a lot of features that you can implement, like eDiscovery, DLP, alerts, anti-malware, anti-phishing controls.
But at the same time, in service assurance you get to know how we are protecting your data. Service assurance also knows what industry and geography you are from. So let's say if you are from the financial services industry, we will provide you customized data for that. If you are from healthcare, we provide you customized data for that. If you are from government... And then, most importantly,
even though you are, let's say, an Office 365 customer, we understand that Office 365 is on a cloud stack that Microsoft has, which is Azure, Dynamics CRM and our data centers. All those reports you can get from service assurance. You no longer have to go to three different places to get anything that you need around Microsoft cloud. And then in terms of deep insights: in deep insights we really start going more technical. So let's say if you are a tenant admin,
we have a feature called Customer Security Considerations. That's a workbook that you can download, and you get a detailed listing of what controls you as a tenant admin can implement. We have given you the links to go to those configuration screens and configure those controls. And where available we have given you PowerShell scripts to run those. And then we also have some other FAQs and whitepapers that talk about how we do encryption, how we do data isolation. So Ken talked about those, but
if you want a deep dive on how we actually technically achieve those things, you are able to get that information here. And last but not least, as I said, we wanted to be transparent beyond our competitors. So we came up with a feature called Audited Controls. In this feature, not only will we tell you what controls are implemented, but we will tell you how we implemented those controls, and how our third-party auditors have tested those controls. So for example, let's say you want to dig into a standard.
you get to see what controlswe have implemented under the. what each control area has interms of number of controls. and for each of the control, youget to see how we implemented it. and how we tested it, who tested it,when it was tested, and whether it has passed or failed. we also want to give you abilityto just look for a keyword. let's say, if you are interestedin data deletion policies or encryption. you just put that keyword andwe will give you focus
controls around the areathat you are interested in, you can quickly lookinto those controls. but more importantly, we want to betransparent completely with you. so for example, if we havefindings for any of our standards, we will make those available to you,what those findings are. so you can quickly go andunderstand what just findings are. and for each of the findings, alongwith the implementation details and testing plan will also tellyou our management response. and we will tell you three thingsin that management response.
one, what was the riskof that finding? so you understand okay,it is a minor finding or it is a major finding. two, we will tell you what are someof the compensating controls that mitigate that finding? and three, we'll tell youwhat we are doing about it. whether we have mitigated it,whether we have remediated it. or what we are going to do, andwhen we are going to do it. so as you see,we want to be completely transparent
to make sure you get to getinformation that you need. so in summary, we wanted to makesure that service assurance gives you ability to doon-demand risk assessment. it gives you ability to understandwhat controls microsoft has implemented aroundyour cloud services. it gives you ability tounderstand how you can secure and compliant in your tenancy. and it is your one-stop shop toget the information that you need. now i'll go in to quickly the demos,if you will.
so these are the onboarding links for our service assurance and service trust portal. the only difference being, if you are an office 365 customer or a trial tenant, you're able to get access to service assurance. the same information is available in service trust portal for customers who are from azure or dynamics crm. so let's see how it looks, i've already logged in here. so let me bring it here. so this is what the office 365 security and compliance center looks
like, and one of the features is service assurance. and i probably have to log in again real quick if, okay, i'm still logged in. so as you see in compliance reports, you get to see various reports across microsoft cloud. so these are the various [inaudible] assessment reports from azure, intune, office 365. then you get to see iso reports, for again, azure, dynamics crm, mcio, which is our data center layer,
and office 365 and yammer in one place. you can download this report. we have soc reports over here, and then what we call trust documents. and trust documents, again across the microsoft cloud stack, you get to know things like how we do the encryption, how we do the data resiliency, how we manage privacy in office 365, how we achieve tenant isolation. and i talked about this customer security configuration
preview document. so let me bring that document. so this is the document that you can download, and we have mapped various controls according to various control considerations, as well as risk assessments. so let's say if you are worried about access control, you click here, and you get detailed controls that you can implement in your tenant. and you get to see how you can go and
configure that by directly going to those screens. or wherever possible we have a powershell script for you to run so you can quickly implement those controls. because we understand that compliance and security is a joint effort on a cloud service. we as a cloud service provider have commitments and deliver the controls to make sure that our service delivery is secure and compliant. but you, as the tenant admins, have some controls that are owned by you, and we want to make sure it's easy for
you to understand what those are and how you go about it. and then i talked about audited controls, right? so this is audited controls live. you can simply download all of our control set around iso 27001 and iso 27018 in just an excel sheet, and then you can munch that data as you like. but then, as i said, you can go into a particular standard and look into what controls we have implemented. and for each of those controls you get to see how these were
implemented by microsoft, how it was tested by our third party auditors and when they were tested, whether they have passed or not. so, we're hoping by providing you this level of transparency, we can earn your trust. so, going back to the presentation. three things you can do to stay secure and compliant. one, please log in and on-board to service assurance. and again, the links are here. two, you have teams within an organization,
like information security team, risk team, compliance team, that you can give access to in service assurance. and our on-boarding document talks about how you can do that. once they get access, if you are the admin, you don't have to worry about providing them the reports. they themselves come and do the self service and get access to all the information. and then, we'll go back to the service assurance. each of the pages has this feedback loop.
if you use service assurance, please give us feedback. again, good, bad, ugly, all welcome, because this feedback directly comes to our engineering teams. and we are obligated to understand how we can improve. so having said that, we have some giveaways with some question and answer. but we will stop here and kind of take any questions that you have. any questions that we can answer, yes?
>> so you went real fast from slides that i would have liked to have seen, but it doesn't matter. one thing i did not see there, we have a particular challenge from korea. korea has very stringent pii regulations, etc. and they get down to the level of seeing read controls. i didn't see on your list of certifications anything from korea. is there anything that you guys know about and are particularly doing with regard to korea?
>> so in terms of korean certifications, we are working closely with our teams who do the regular [inaudible] back analysis. and we are at this point evaluating how that standard impacts us and how we can map it. so that process is ongoing, but if you see in general, our control framework is so broad that most of the requirements we have are kind of already baked into it. we continually assess things like in korea and others. so in the short term, we were able to kind of guide you in terms of more detail about, okay, whether we are complying with that standard or not. but that process is, at this point, ongoing.
>> the short answer is not yet.
>> not yet, yes.
>> we saw that, okay.
>> yes?
>> i saw that you had the safe harbor on one of your slides.
>> yep.
>> is the privacy shield the one that's replacing-
>> yes.
>> yes, yeah. so privacy shield already replaced, and as ken said, that was one of the, we were one of the first party who kind of worked on privacy shield. so, yes, we are already working on that and we are working on gdpr requirements. those are not due to implement. but we're not only understanding what the requirements are, we are working closely with that working group so that we can come up with the good gdpr requirements, which will be finalized pretty soon.
>> there's a wind down wind up period between eu model clauses and the, [laugh] so we're in the wind down phase. it's still in effect. but the other one is now being ramped up for you. we're already attached to doing it, just all the documentation still needs to be brought over.
>> any other questions? okay, so we have our own questions, we have two giveaways so you have probably a one in six chance to get it. so let me ask you a question, what will you use service assurance for? a for risk assessment, b for helping you in your internal audit, or c all of both? here you go. second question. for accessing service assurance, you need to have a paid tenant. true or false?
>> false. maybe i will give, try to somebody else.
>> false, there you go.
>> [laugh]
>> so you can have a trial tenant.
>> [laugh]
>> so, thank you so much for coming, we really appreciate it. we hope that you will be able to on-board to service assurance if you're not already on-boarded. and give us feedback, we'd like to improve. if you have no other questions, thanks again for coming, and hopefully you will enjoy the rest of the week.
>> we'll be happy to meet people down here if you wanna ask your questions privately.
>> yeah, thank you.
>> [applause]