WEBVTT

00:00:00.000 --> 00:00:02.992
[MUSIC]

00:00:13.343 --> 00:00:16.530
Everybody, welcome to another
exciting episode of Data Exposed.

00:00:16.530 --> 00:00:18.990
I'm your host Scott Klein,
and with me today is Alice,

00:00:18.990 --> 00:00:19.900
from the big data team.

00:00:19.900 --> 00:00:21.090
Alice, how are you?

00:00:21.090 --> 00:00:22.180
>> Hi, I'm fine, how are you?

00:00:22.180 --> 00:00:23.685
>> Good, so before we get started,

00:00:23.685 --> 00:00:26.130
cuz we're going to talk
about HDInsight compliance.

00:00:26.130 --> 00:00:27.498
Before we get started,
why don't you take a second and

00:00:27.498 --> 00:00:28.077
introduce yourself?

00:00:28.077 --> 00:00:32.032
>> Okay, my name is Alice Kupcik,
and I'm a program manager in

00:00:32.032 --> 00:00:35.459
HDInsight, and
I work on security and compliance.

00:00:35.459 --> 00:00:40.798
>> All right, so compliance is
a big topic in any product, right?

00:00:40.798 --> 00:00:44.250
So why don't you tell us about
compliance in terms of HDInsight,

00:00:44.250 --> 00:00:45.640
why do we have that?

00:00:45.640 --> 00:00:46.589
So you've got some slides for us.

00:00:46.589 --> 00:00:48.560
>> Yeah.
>> Why don't we just jump right in?

00:00:48.560 --> 00:00:52.240
>> So, the big question is always,
how is compliance different from

00:00:52.240 --> 00:00:56.220
security, or how is it the same, or
how does it overlap and intersect?

00:00:56.220 --> 00:00:59.110
So I wanted to start with a quick
overview of the enterprise

00:00:59.110 --> 00:01:02.590
level security features that
we have in the service.

00:01:02.590 --> 00:01:05.980
And that is authentication,
it's authorization,

00:01:05.980 --> 00:01:09.610
it's the perimeter level security
that customers can put in place.

00:01:09.610 --> 00:01:13.160
And then the last and big one is
data security, which is, of course,

00:01:13.160 --> 00:01:15.700
in the forefront of everybody's
mind, and that's encryption.

00:01:15.700 --> 00:01:16.480
>> Yup.
>> So

00:01:16.480 --> 00:01:19.250
looking at those you could think,
okay, the thing is secure,

00:01:19.250 --> 00:01:22.207
we're fine, but-
>> [LAUGH] Well it's interesting,

00:01:22.207 --> 00:01:25.222
cuz we had,
I'm gonna draw a blank on this name,

00:01:25.222 --> 00:01:28.860
he's in your group,
>> Soren?

00:01:28.860 --> 00:01:30.830
>> Yeah,
Soren in here to talk about-

00:01:30.830 --> 00:01:32.580
>> These features, yeah.

00:01:32.580 --> 00:01:36.670
>> Yeah these actual features and
how we secure HDInsight, right?

00:01:36.670 --> 00:01:37.651
>> Mm-hm.
>> So it was actually

00:01:37.651 --> 00:01:38.398
an interesting one.

00:01:38.398 --> 00:01:40.357
>> Yeah, so this will build on it.

00:01:40.357 --> 00:01:40.999
>> Okay, good.
>> So just

00:01:40.999 --> 00:01:43.627
assume this has already been
discussed and is talked about.

00:01:43.627 --> 00:01:47.440
And, how do we take it from
here to being compliant?

00:01:47.440 --> 00:01:48.673
>> Yeah, cuz I think you're right,

00:01:48.673 --> 00:01:50.588
there's what is the difference
between security and

00:01:50.588 --> 00:01:51.405
compliancy, right?

00:01:51.405 --> 00:01:53.165
>> Mm-hm, yeah.
>> Okay.

00:01:53.165 --> 00:01:58.220
>> So let's look at
the definitions of compliance.

00:01:58.220 --> 00:02:01.540
So the first in the cloud
security world where

00:02:01.540 --> 00:02:05.110
the service provider hosts
the data for the customer,

00:02:05.110 --> 00:02:07.340
data is, of course, what people
are most concerned about.

00:02:07.340 --> 00:02:08.270
>> Yep.
>> Because that's

00:02:08.270 --> 00:02:09.792
their important asset.

00:02:09.792 --> 00:02:14.255
So cloud security is defined as CIA,

00:02:14.255 --> 00:02:17.075
which is confidentiality, so
who has access to the data?

00:02:17.075 --> 00:02:18.821
>> Okay
>> And when you operate a service,

00:02:18.821 --> 00:02:21.195
there's of course, service
operators that could access it.

00:02:21.195 --> 00:02:23.475
So that needs to be addressed and
compliance.

00:02:23.475 --> 00:02:27.385
There is integrity, who can
delete data, who can modify data,

00:02:27.385 --> 00:02:30.800
who can download data and
sell it to somebody?

00:02:30.800 --> 00:02:33.990
And of course availability,
that data is available at all times.

00:02:33.990 --> 00:02:34.660
>> Okay.
>> So

00:02:34.660 --> 00:02:38.820
those are the important issues,
and then risk management.

00:02:38.820 --> 00:02:40.250
How do we assess and

00:02:40.250 --> 00:02:43.190
identify vulnerabilities and
threats in the system?

00:02:43.190 --> 00:02:48.250
And how do we put policies and
processes in place to mitigate risk?

00:02:48.250 --> 00:02:49.390
>> Okay.

00:02:49.390 --> 00:02:53.144
>> And-
>> So is just securing-

00:02:53.144 --> 00:02:53.811
>> Yeah.

00:02:53.811 --> 00:02:56.980
>> The data,
we're saying isn't enough, right?

00:02:56.980 --> 00:03:00.740
Cuz we go back, we talked about
authorization and authentication.

00:03:00.740 --> 00:03:04.520
But just making it secure
doesn't solve some of these

00:03:04.520 --> 00:03:07.039
confidentiality and
integrity issues, is that correct?

00:03:07.039 --> 00:03:07.775
>> Yes.
>> Is that the way we wanna think

00:03:07.775 --> 00:03:09.644
about that?
It's mostly because we're hosting

00:03:09.644 --> 00:03:10.250
the service.

00:03:10.250 --> 00:03:13.350
It's not like we give the service
with the features to a customer and

00:03:13.350 --> 00:03:16.810
they deploy it on-prem, and they
can put their own wall around it.

00:03:16.810 --> 00:03:20.236
It's like we are the custodians
of the data in some way, so-

00:03:20.236 --> 00:03:20.943
>> Yeah there is a level of trust.

00:03:20.943 --> 00:03:21.554
>> Yes.

00:03:21.554 --> 00:03:24.318
>> Because we're saying,
we are giving you our data to host.

00:03:24.318 --> 00:03:25.270
>> Yeah.
>> We wanna make sure,

00:03:25.270 --> 00:03:27.820
not only is it secure but
beyond that.

00:03:27.820 --> 00:03:28.830
>> How do we operate it, yeah.

00:03:28.830 --> 00:03:29.930
>> How do we operate on that data?

00:03:29.930 --> 00:03:31.140
>> Yeah.
>> Okay.

00:03:31.140 --> 00:03:34.940
>> And compliance is the part where
we say we can demonstrate we do

00:03:34.940 --> 00:03:35.630
these things.

00:03:37.134 --> 00:03:39.020
>> Okay, security is show me.

00:03:39.020 --> 00:03:40.695
>> Yeah.
>> Compliancy is the show me

00:03:40.695 --> 00:03:41.820
state, right?

00:03:41.820 --> 00:03:43.090
Show me that it's secure.

00:03:43.090 --> 00:03:46.290
>> So, can an independent
third party come in, and

00:03:46.290 --> 00:03:50.760
I can demonstrate that the risk
mitigation is in place?

00:03:50.760 --> 00:03:52.670
For the specific threats and

00:03:52.670 --> 00:03:55.065
vulnerability that
are unique to an industry.

00:03:55.065 --> 00:03:58.310
>> Okay, so I've secured this,
but now compliance comes in and

00:03:58.310 --> 00:04:01.020
says there's a certain level of,
how do we say that?

00:04:01.020 --> 00:04:04.134
Is there a certain level of, I guess
compliancy to say you meet these

00:04:04.134 --> 00:04:06.691
security, we run these tests,
you pass these tests,

00:04:06.691 --> 00:04:07.730
to make sure that-
>> Yeah.

00:04:07.730 --> 00:04:08.439
You actually are secure.

00:04:08.439 --> 00:04:10.080
>> And we can look at some-
>> Okay.

00:04:10.080 --> 00:04:13.270
>> Concrete examples to see
more what that means, and

00:04:13.270 --> 00:04:17.290
that's operational security,
is how I usually summarize it.

00:04:17.290 --> 00:04:19.500
As opposed to the features
in the service itself.

00:04:19.500 --> 00:04:20.560
>> Uh-huh, okay.

00:04:20.560 --> 00:04:22.247
>> So, one is of course,
access controlled,

00:04:22.247 --> 00:04:23.295
If we operate the service,

00:04:23.295 --> 00:04:25.812
people push to who has
access while they're in.

00:04:25.812 --> 00:04:27.940
Right, who can look at the data.

00:04:27.940 --> 00:04:31.470
Is that logged, is that monitored,
can we audit it?

00:04:31.470 --> 00:04:32.050
>> Yeah, okay.

00:04:32.050 --> 00:04:33.770
>> It's big questions.

00:04:33.770 --> 00:04:36.520
And then,
secure development lifecycle.

00:04:36.520 --> 00:04:37.800
How do we develop the software?

00:04:37.800 --> 00:04:40.100
Do you follow these practices
that have been in place?

00:04:40.100 --> 00:04:42.010
And can we demonstrate?

00:04:42.010 --> 00:04:44.142
>> Okay.
>> Do we have a paper trail to show

00:04:44.142 --> 00:04:47.166
an auditor that we
followed this process.

00:04:47.166 --> 00:04:48.765
Physical security is a big one, and

00:04:48.765 --> 00:04:51.078
it was one of the first
that customers asked about.

00:04:51.078 --> 00:04:52.730
>> [LAUGH]
>> It's like, are your doors locked?

00:04:52.730 --> 00:04:53.570
>> Can anybody walk in, yeah.

00:04:53.570 --> 00:04:54.730
>> Yeah are your doors locked?

00:04:54.730 --> 00:04:56.990
Do you have a security
camera pointing at the door?

00:04:56.990 --> 00:04:58.640
Can we have footage from the camera?

00:04:58.640 --> 00:04:59.560
And then we say no, no, no,

00:04:59.560 --> 00:05:02.200
you can't start running
around our data centers.

00:05:02.200 --> 00:05:05.380
We show you with this compliance
cert that somebody did that.

00:05:05.380 --> 00:05:05.980
>> Okay.

00:05:05.980 --> 00:05:09.369
>> So that's kind of
this step we take away.

00:05:09.369 --> 00:05:12.820
And human resources is a big issue,

00:05:12.820 --> 00:05:15.660
of course,
with a large corporation less so.

00:05:15.660 --> 00:05:19.200
But imagine you had a small company,
do they have processes in place

00:05:19.200 --> 00:05:21.135
to screen people
before they hire them?

00:05:21.135 --> 00:05:25.870
Do they have a process in place to
deal with a malicious insider?

00:05:25.870 --> 00:05:28.410
How fast can you get somebody
out of the system before

00:05:28.410 --> 00:05:30.348
Active Directory does it?

00:05:30.348 --> 00:05:32.840
>> Yeah, okay.
>> Can you get somebody

00:05:32.840 --> 00:05:34.970
out of it before that?

00:05:34.970 --> 00:05:39.650
So those are all these risks
that are being mitigated.

00:05:39.650 --> 00:05:40.540
And then there's, of course,

00:05:40.540 --> 00:05:42.930
regulatory and
contractual compliance.

00:05:42.930 --> 00:05:45.480
A, are we meeting the laws?

00:05:45.480 --> 00:05:48.660
And B, when we set up contracts
with our customers and

00:05:48.660 --> 00:05:50.595
we say we handle data
in a certain way,

00:05:50.595 --> 00:05:53.790
did every engineer know that,
and actually implement that way?

00:05:53.790 --> 00:05:55.620
So that needs to be checked on, too.

00:05:55.620 --> 00:05:59.972
>> Right, so it looks like there's
a lot of, not only software, but

00:05:59.972 --> 00:06:02.960
kinda internal and external-
>> Yeah.

00:06:02.960 --> 00:06:03.570
>> Type of scenarios.

00:06:03.570 --> 00:06:07.405
Not just, cuz when we think about,
as a software developer data guy,

00:06:07.405 --> 00:06:10.710
we don't think about
the actual physical.

00:06:10.710 --> 00:06:12.496
Can someone walk in or-
>> Yeah.

00:06:12.496 --> 00:06:16.120
>> The process of, Bob just got
out of jail for fraud, but yet

00:06:16.120 --> 00:06:18.400
he's applying to be a-
>> He works here now, yeah.

00:06:18.400 --> 00:06:19.470
>> He works here, yeah.

00:06:19.470 --> 00:06:21.500
Who missed that type of scenario,
right?

00:06:21.500 --> 00:06:22.260
>> Yeah.
>> So we don't

00:06:22.260 --> 00:06:23.670
think about kinda those things.

00:06:23.670 --> 00:06:26.685
And so this is apparently a lot
of external things that it's

00:06:26.685 --> 00:06:27.419
good to know.

00:06:27.419 --> 00:06:30.570
So to make sure that yes,
we do meet these requirements.

00:06:30.570 --> 00:06:33.776
>> And of course, for example,
a bank does care about these things.

00:06:33.776 --> 00:06:36.030
[LAUGH]
>> Yeah especially,

00:06:36.030 --> 00:06:37.500
depending on the type of
data you're holding, right?

00:06:37.500 --> 00:06:39.079
>> Yes.
>> Financial information,

00:06:39.079 --> 00:06:39.915
things like that.

00:06:39.915 --> 00:06:42.020
>> And that's actually
the next slide already.

00:06:42.020 --> 00:06:44.285
What are the sources for
these concerns, right?

00:06:44.285 --> 00:06:45.778
>> Yeah.
>> One of course is the law, and

00:06:45.778 --> 00:06:47.064
that varies by location.

00:06:47.064 --> 00:06:52.220
And one piece that comes from
the law is breach notification.

00:06:52.220 --> 00:06:54.780
Those are all state laws, so
if you had a data breach,

00:06:54.780 --> 00:06:58.010
you have to be able to notify and
do the right thing.

00:06:58.010 --> 00:06:58.840
>> Interesting, okay.

00:06:58.840 --> 00:07:00.090
>> Yeah.
>> You said that's by state, so

00:07:00.090 --> 00:07:01.050
it might be different?

00:07:01.050 --> 00:07:01.740
>> Yeah, yeah, yeah.

00:07:01.740 --> 00:07:02.305
>> My goodness.

00:07:02.305 --> 00:07:02.924
[LAUGH]
>> Yeah, and then

00:07:02.924 --> 00:07:03.890
of course country, so.

00:07:03.890 --> 00:07:04.440
>> Yeah.
[LAUGH]

00:07:04.440 --> 00:07:05.881
>> Right, we have a wonderful

00:07:05.881 --> 00:07:07.203
team that manages that.

00:07:07.203 --> 00:07:08.962
>> [LAUGH] Yeah, that manages that.
>> We just have to bring them in,

00:07:08.962 --> 00:07:11.700
but I mean, that's a source
of one of these controls.

00:07:11.700 --> 00:07:12.940
>> Sure.
>> Then of course there's

00:07:12.940 --> 00:07:16.089
industry-specific requirements, like
the financial industry, banks, or

00:07:16.089 --> 00:07:16.658
health care.

00:07:16.658 --> 00:07:17.858
>> Yeah.
>> They all have their own.

00:07:17.858 --> 00:07:21.740
Then there's standard-setting
organizations, like ISO,

00:07:21.740 --> 00:07:24.580
which sets up security standards
that then become a baseline.

00:07:24.580 --> 00:07:28.140
And many companies just ask for it,
and want to have that implemented.

00:07:28.140 --> 00:07:30.420
And then there is internal
governance, where

00:07:31.480 --> 00:07:35.170
industries set certain standards,
or for example, the government.

00:07:35.170 --> 00:07:38.440
US federal government
sets a lot of internal

00:07:38.440 --> 00:07:41.010
standards that they
require us to meet.

00:07:41.010 --> 00:07:41.960
>> Okay.

00:07:41.960 --> 00:07:44.070
>> So those are the sources for
these requirements.

00:07:44.070 --> 00:07:47.000
And then certifications
that we have,

00:07:47.000 --> 00:07:51.250
I just listed the three really big
ones that HDInsight has achieved.

00:07:51.250 --> 00:07:53.660
And that's SOC,
which is of interest for

00:07:53.660 --> 00:07:57.270
any company that does public
reporting and accounting.

00:07:57.270 --> 00:07:59.855
They need to be auditable, so they
need to follow certain processes.

00:07:59.855 --> 00:08:00.920
>> Okay.

00:08:00.920 --> 00:08:03.224
One of their requirements is,
if you put data on the cloud,

00:08:03.224 --> 00:08:04.665
it has to be handled
in a certain way.

00:08:04.665 --> 00:08:05.668
>> In a certain way, yeah.

00:08:05.668 --> 00:08:06.867
>> So
that we have integrity in place and-

00:08:06.867 --> 00:08:09.623
>> Yeah, okay.

00:08:09.623 --> 00:08:10.230
>> And so forth.

00:08:10.230 --> 00:08:14.170
So that's a big certification
that enables us to sell to

00:08:14.170 --> 00:08:15.776
the enterprise.

00:08:15.776 --> 00:08:16.520
>> Interesting, okay.

00:08:16.520 --> 00:08:18.570
>> Yeah, so
then the next one is ISO,

00:08:18.570 --> 00:08:21.065
it's an international
security standard.

00:08:21.065 --> 00:08:22.680
>> Yep, and
I like the fact where it says,

00:08:22.680 --> 00:08:25.384
enables, cuz people will be going,
hey are you HIPAA compliant?

00:08:25.384 --> 00:08:26.532
>> Yeah.
>> Or just compliancy, right?

00:08:26.532 --> 00:08:29.972
And I like the fact that hey,
certain of these certifications

00:08:29.972 --> 00:08:31.812
allow us to reach these-
>> Yes.

00:08:31.812 --> 00:08:34.137
>> Compliancies, right?

00:08:34.137 --> 00:08:34.847
>> So for ISO,

00:08:34.847 --> 00:08:38.769
we use that internally in Microsoft
as a stepping stone to HIPAA.

00:08:38.769 --> 00:08:39.910
>> Okay.

00:08:39.910 --> 00:08:43.665
>> Then we can sign a contract with
customers that allows customers that

00:08:43.665 --> 00:08:46.134
have health care data
to be HIPAA compliant.

00:08:46.134 --> 00:08:47.086
>> Okay.
>> We, ourselves,

00:08:47.086 --> 00:08:50.160
are not HIPAA compliant because we
don't handle health information.

00:08:50.160 --> 00:08:54.120
But a customer would, so we show
them that yes, if you use our

00:08:54.120 --> 00:08:58.130
platform, or HDInsight specifically,
you can be HIPAA compliant.

00:08:58.130 --> 00:09:01.660
And handle the patient health
information in the correct way.

00:09:02.780 --> 00:09:06.640
And it also enables us to meet
the European Union data transfer

00:09:06.640 --> 00:09:07.960
regulations, and

00:09:07.960 --> 00:09:12.730
other requests like model clauses we
can sign with specific customers.

00:09:12.730 --> 00:09:14.180
>> Okay.
>> That say we don't ever look at

00:09:14.180 --> 00:09:17.180
your data for advertising,
or we don't ever use it for

00:09:17.180 --> 00:09:19.520
anything other than
providing you the service.

00:09:19.520 --> 00:09:22.487
Okay, yeah,
that would be good to know for them.

00:09:22.487 --> 00:09:26.952
All right, and PCI is even a big
one within Microsoft, right?

00:09:26.952 --> 00:09:27.870
>> Yes.
>> Because every year we have to

00:09:27.870 --> 00:09:30.115
take these things go,
hey do we understand PCI, right?

00:09:30.115 --> 00:09:32.096
>> Yeah.
>> We have to take that every year.

00:09:32.096 --> 00:09:35.714
[LAUGH] And so this is a big
one for, not only us, but for

00:09:35.714 --> 00:09:38.480
our customers as well to go yes, we-
>> Yeah.

00:09:38.480 --> 00:09:39.970
>> Are PCI, right?

00:09:39.970 --> 00:09:42.680
>> So those are the three-
>> Okay.

00:09:42.680 --> 00:09:43.870
>> Big ones.

00:09:43.870 --> 00:09:50.150
>> How hard is it to
reach these levels?

00:09:50.150 --> 00:09:52.475
I know you said there is a whole
team that works on this.

00:09:52.475 --> 00:09:57.130
And not only for HDInsight,
cuz the same thing for

00:09:57.130 --> 00:09:59.530
any data that we put in the cloud,
or any service that we have,

00:09:59.530 --> 00:10:03.335
like Azure SQL Database, or SQL
Data Warehouse, things like that.

00:10:03.335 --> 00:10:05.660
That we have to go through
the same things for these?

00:10:05.660 --> 00:10:09.230
And how difficult, really, is it to
get to this level of compliancy?

00:10:09.230 --> 00:10:12.495
>> It was quite a bit of work
when you start from scratch.

00:10:12.495 --> 00:10:15.033
>> [LAUGH]
>> When you service a whole new

00:10:15.033 --> 00:10:18.230
cloud infrastructure into this mode.

00:10:18.230 --> 00:10:19.560
>> Okay.
>> It's an ongoing process.

00:10:19.560 --> 00:10:21.910
I mean, we're still making
it better, it's not done.

00:10:21.910 --> 00:10:22.900
>> Sure.
>> It's never done.

00:10:22.900 --> 00:10:23.650
>> Yeah.
>> [LAUGH]

00:10:23.650 --> 00:10:24.470
>> Is there things,

00:10:24.470 --> 00:10:27.800
we had to wait for, if you go back
to that first slide where we had

00:10:27.800 --> 00:10:29.740
authorization and authentication.

00:10:29.740 --> 00:10:33.645
Is that like hey, before we even
talk about these certifications and

00:10:33.645 --> 00:10:36.540
compliancy, we have to have
these things in there?

00:10:36.540 --> 00:10:39.570
I mean, is there some prerequisites
before we even get to this?

00:10:39.570 --> 00:10:42.778
>> Yeah, especially for
the federal government-

00:10:42.778 --> 00:10:43.465
>> Okay.

00:10:43.465 --> 00:10:48.430
Requirements, some of the earlier
certs, like the ISO or

00:10:48.430 --> 00:10:50.590
for HIPAA, we could say, but

00:10:50.590 --> 00:10:53.650
encryption is a customer
responsibility, we don't provide it.

00:10:53.650 --> 00:10:55.322
It's a customer responsibility, and

00:10:55.322 --> 00:10:57.502
theoretically the customer
can encrypt the data,

00:10:57.502 --> 00:10:59.996
even though blob storage doesn't
give it to you for free.

00:10:59.996 --> 00:11:00.870
>> Right.

00:11:00.870 --> 00:11:02.042
>> Now of course, we caught up and

00:11:02.042 --> 00:11:04.612
now we can say yeah, it's all
gonna be encrypted end-to-end, so

00:11:04.612 --> 00:11:06.250
you don't have to worry
about it anymore.

00:11:06.250 --> 00:11:10.005
So we made it just a bit more-
>> Easy.

00:11:10.005 --> 00:11:11.800
>> Yeah, yeah, we made it-
>> [LAUGH],

00:11:11.800 --> 00:11:13.200
>> It makes more sense,

00:11:13.200 --> 00:11:15.965
it didn't make a whole lot of sense,
but we had to start somewhere.

00:11:15.965 --> 00:11:17.860
>> Okay.
>> And get there.

00:11:17.860 --> 00:11:21.240
>> What's the comfort level now, or
what are we hearing from customers,

00:11:21.240 --> 00:11:22.150
what's the comfort level?

00:11:22.150 --> 00:11:24.340
They're going okay, yes.

00:11:24.340 --> 00:11:27.870
I mean, are we hearing kind of
the feedback that okay, great,

00:11:27.870 --> 00:11:31.120
you guys reach these,
we're good to go or, I mean?

00:11:31.120 --> 00:11:33.052
>> It actually seems
from what I'm hearing,

00:11:33.052 --> 00:11:34.933
is the encryption
is the biggest one.

00:11:34.933 --> 00:11:36.891
>> Okay.
>> That everybody loves, and

00:11:36.891 --> 00:11:37.910
especially the,

00:11:37.910 --> 00:11:41.410
have your own key encryption where
the customer holds onto the key.

00:11:41.410 --> 00:11:42.880
That was a big step.

00:11:42.880 --> 00:11:43.660
>> Really, okay.

00:11:43.660 --> 00:11:44.790
>> That's one of the biggest.

00:11:44.790 --> 00:11:47.610
Especially, of course,
when you're in the data world and

00:11:47.610 --> 00:11:48.572
data is what-
>> Yep, yeah.

00:11:48.572 --> 00:11:50.490
[LAUGH]
>> What customers worry about, so

00:11:50.490 --> 00:11:52.640
having the encryption
was a huge step forward.

00:11:52.640 --> 00:11:54.604
And then for HDInsight specifically,

00:11:54.604 --> 00:11:57.221
the next step are gonna be
the security features that

00:11:57.221 --> 00:11:59.620
Soren talked about, that's-
>> Okay, yep.

00:11:59.620 --> 00:12:02.679
Those two together are really
going to make a difference.

00:12:02.679 --> 00:12:05.543
>> Really put us over the hill for
yes, we're now enterprise ready.

00:12:05.543 --> 00:12:06.329
>> Yes.

00:12:06.329 --> 00:12:07.406
>> Right, type of thing.

00:12:07.406 --> 00:12:08.262
>> Yes, and we can prove it, and

00:12:08.262 --> 00:12:09.510
we can show that we
have our operations in-

00:12:09.510 --> 00:12:10.465
>> Yeah.

00:12:10.465 --> 00:12:11.717
>> Good order too.

00:12:11.717 --> 00:12:14.496
>> And it's good to know that
compliancy is more of a show-me

00:12:14.496 --> 00:12:15.435
scenario, right?

00:12:15.435 --> 00:12:17.271
>> Yes.
>> Because a lot of us don't, for

00:12:17.271 --> 00:12:20.754
even working on SQL Server,
it's hey, let me authenticate,

00:12:20.754 --> 00:12:23.135
let me authorization,
authentication.

00:12:23.135 --> 00:12:26.950
But we never really think of the
external show-me scenarios, right?

00:12:26.950 --> 00:12:30.414
And I think, hopefully,
people that watch this will go,

00:12:30.414 --> 00:12:34.162
we really need to start thinking
about, more realistically,

00:12:34.162 --> 00:12:36.015
the show-me scenario right?

00:12:36.015 --> 00:12:36.843
>> Yeah.

00:12:36.843 --> 00:12:38.025
And how we reach that compliancy.

00:12:38.025 --> 00:12:38.525
>> Yeah.

00:12:39.670 --> 00:12:42.479
>> Right,
cuz we tend not to think about that.

00:12:42.479 --> 00:12:44.660
But hopefully customers are going,
okay, finally, yes,

00:12:44.660 --> 00:12:46.814
we're that enterprise-ready
type of scenario, right?

00:12:46.814 --> 00:12:47.651
>> Yeah.

00:12:47.651 --> 00:12:49.973
>> So you have this whole list,
I think the next,

00:12:49.973 --> 00:12:52.320
you have this whole
list of certifications.

00:12:52.320 --> 00:12:53.674
This is where the whole, woo!

00:12:53.674 --> 00:12:54.222
The whole crowd.

00:12:54.222 --> 00:12:56.930
[LAUGH]
>> I only picked the highlights out

00:12:56.930 --> 00:13:00.160
for the slide, but this is actually
the list that we have in the whole

00:13:00.160 --> 00:13:04.030
federal US government part
that's in progress as we speak.

00:13:04.030 --> 00:13:06.209
So it's a pretty long list,
and if anybody has questions,

00:13:06.209 --> 00:13:06.914
please reach out.

00:13:06.914 --> 00:13:08.480
>> [LAUGH] Right.

00:13:08.480 --> 00:13:10.095
>> And it's, of course,
getting longer too.

00:13:10.095 --> 00:13:11.655
>> Yeah.
>> This is just the list today.

00:13:11.655 --> 00:13:12.710
[LAUGH]
>> Well,

00:13:12.710 --> 00:13:14.910
you said this is just a subset
of everything, right?

00:13:14.910 --> 00:13:17.090
>> No this is-
>> That's a pretty significant

00:13:17.090 --> 00:13:18.180
list, right?

00:13:18.180 --> 00:13:18.680
>> Yeah.

00:13:19.800 --> 00:13:20.900
>> Yeah.
>> But it can grow,

00:13:20.900 --> 00:13:22.520
I mean it is growing, there's more.

00:13:22.520 --> 00:13:25.765
And there's, of course,
more of these coming out, and

00:13:25.765 --> 00:13:27.950
constantly new requirements.

00:13:27.950 --> 00:13:30.970
And that's actually something that
I would hope for from SQL Server.

00:13:30.970 --> 00:13:33.776
You might know, there was common
criteria where all the countries

00:13:33.776 --> 00:13:36.580
worldwide kind of
organized themselves.

00:13:36.580 --> 00:13:40.285
And said, here's our combined
set of requirements, and

00:13:40.285 --> 00:13:42.910
any country can do the show-me-
>> Yep.

00:13:42.910 --> 00:13:45.210
>> Part, and
then everybody else will accept it.

00:13:45.210 --> 00:13:47.130
And for the cloud, it's a long list.

00:13:47.130 --> 00:13:50.070
It's 200 different certs that
overlap, and they're not the same,

00:13:50.070 --> 00:13:51.260
they're similar.

00:13:51.260 --> 00:13:53.150
So that's why it's so much work.

00:13:53.150 --> 00:13:55.720
>> So the cloud really made us
think a little bit more about

00:13:55.720 --> 00:13:56.830
security didn't it?

00:13:56.830 --> 00:13:58.380
>> Yes, because we host the data.

00:13:59.430 --> 00:14:02.970
>> Yeah, and it's kind of a new
step, kind of a new realm of, man,

00:14:02.970 --> 00:14:05.600
you got SQL Server had
to do all this work.

00:14:05.600 --> 00:14:10.330
But now that we're moving to the
cloud, this is, how do I say this?

00:14:10.330 --> 00:14:13.773
This is more of a trust-
>> It is, because a company can say,

00:14:13.773 --> 00:14:16.639
you don't scribble your
password on a sticky note and

00:14:16.639 --> 00:14:17.793
put it on the screen.

00:14:17.793 --> 00:14:19.065
>> [LAUGH]
>> But

00:14:19.065 --> 00:14:20.485
do they know we're not doing it?

00:14:20.485 --> 00:14:21.485
>> Right.
>> And how do they know?

00:14:21.485 --> 00:14:22.078
>> Right.
>> Right,

00:14:22.078 --> 00:14:23.495
how do we prove we don't do this?

00:14:23.495 --> 00:14:24.945
>> And it goes back to the show me-
>> Yes.

00:14:24.945 --> 00:14:25.819
>> That you're not writing or

00:14:25.819 --> 00:14:27.308
scribbling your password
on the sticky note.

00:14:27.308 --> 00:14:29.295
>> Yeah,
do you have a policy for it?

00:14:29.295 --> 00:14:31.565
Do you have a process
when somebody does it?

00:14:31.565 --> 00:14:34.223
So then that's how all this gets-
>> Okay, this is fantastic.

00:14:34.223 --> 00:14:37.734
So this is really good to know,
because I think this is,

00:14:37.734 --> 00:14:41.992
not only for HDInsight, but if it
applies to HDInsight a lot of these

00:14:41.992 --> 00:14:45.830
compliancies will also apply to
a lot of our other services.

00:14:45.830 --> 00:14:47.300
So they can say-
>> Yes, this is all Azure area.

00:14:47.300 --> 00:14:47.800
>> All Azure, right?
>> Yes.

00:14:47.800 --> 00:14:50.383
>> So people go okay look, cuz we've

00:14:50.383 --> 00:14:53.981
talked about security before.
We've had you on the show, and

00:14:53.981 --> 00:14:57.465
other places, hey we're secure.
But it's nice to have you come

00:14:57.465 --> 00:15:00.893
in and go look it's real, right?
And here's how it's real, so

00:15:00.893 --> 00:15:02.328
this is the show-me of the show-me.
[LAUGH]

00:15:02.328 --> 00:15:02.922
>> Yeah.

00:15:02.922 --> 00:15:03.627
>> Right, it's real.

00:15:03.627 --> 00:15:04.827
So I appreciate you coming in,

00:15:04.827 --> 00:15:05.900
this is fantastic.

00:15:05.900 --> 00:15:06.750
Alice, thank you.

00:15:06.750 --> 00:15:08.005
>> Thank you, Scott.
>> This is really good.

00:15:08.005 --> 00:15:09.090
Hey everybody, this is great.

00:15:09.090 --> 00:15:11.973
So hopefully this answers a lot
of your questions around hey,

00:15:11.973 --> 00:15:14.050
we actually are compliant, right?

00:15:14.050 --> 00:15:15.570
So great, Alice thanks for
coming in.

00:15:15.570 --> 00:15:16.584
Everybody thanks for watching and
we'll see you next time.

00:15:16.584 --> 00:15:17.705
>> Thank you.

00:15:17.705 --> 00:15:27.705
[MUSIC]

