IT-Grundschutz Compliance on Dynamics 365 within Microsoft Cloud Germany

December 18, 2017 MICROSOFT DEUTSCHLAND GMBH

HiSolutions AG © 2017 Table of contents

1 Executive Summary ...... 3 2 Compliance Requirements ...... 4 2.1 Shared Responsibility Model ...... 4 2.2 Modelling of Dynamics 365 Germany ...... 6 3 Implementation of Module B 1.17 Cloud Use ...... 8 3.1 M 2.40 (A) Timely involvement of staff/factory council ...... 10 3.2 M 2.42 (A) Determination of potential communications partners ...... 11 3.3 M 2.534 (A) Drawing up a strategy for cloud use ...... 12 3.4 M 2.535 (A) Drawing up a security policy for cloud use ...... 13 3.5 M 2.536 (A) Service definition for cloud services by the user ...... 14 3.6 M 2.537 (A) Planning the secure migration to a cloud service ...... 15 3.7 M 2.538 (A) Planning the secure integration of cloud services ...... 18 3.8 M 2.539 (A) Drawing up a security concept for cloud use...... 18 3.9 M 4.459 (Z) Use of encryption when using the cloud ...... 20 3.10 M 4.461 (Z) Portability of cloud services ...... 21 3.11 M 2.540 (A) Careful selection of a cloud service provider...... 22 3.12 M 2.541 (A) Contractual arrangements with the cloud service provider ...... 24 3.13 M 2.542 (A) Secure migration to a cloud service ...... 28 3.14 M 2.543 (A) Maintenance of IT security during ongoing cloud operations ...... 28 3.15 M 2.544 (C) Auditing when using the cloud ...... 29 3.16 M 4.460 (Z) Use of Federation Services ...... 30 3.17 M 2.307 (A) Well-ordered termination of an outsourcing or cloud service relationship ...... 31 3.18 M 6.155 (A) Drawing up a business continuity concept for a cloud service ...... 33 3.19 M 6.156 (Z) Performing your organization's own data backups ...... 33 4 Microsoft’s Responsibilities as a Cloud Service Provider ...... 35 Appendix A ...... 36 Appendix B ...... 37

2 1 Executive Summary

Microsoft Cloud Germany is a public cloud that is physically based in Germany and that has a dedicated network between datacenters in Germany. Its services are targeted at customers who are either locat- ed in Europe or who are doing business that occurs in substantial part in Europe and who want a data residency solution with a European data trustee. Microsoft Cloud Germany implements a unique data trustee construct together with T-Systems International GmbH, ensuring that the data that the cus- tomer provides through the customer’s use of Microsoft Cloud Germany is only disclosed to third par- ties if either requested by the customer or required by German law.

With Dynamics 3651 Germany (as part of Microsoft Cloud Germany Services) Microsoft offers cloud services for managing customer relationships, keeping track of sales, marketing, analyzing and report- ing business data.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informations- technik, BSI) has published (and continues to refine) the IT-Grundschutz methodology. This consists of an ISO 27001 compatible ISMS (BSI Standards 100-1 and 100-2), a dedicated risk analysis method (BSI Standard 100-3), a business continuity standard (BSI Standard 100-4) and the IT-Grundschutz Catalogues, a standard set of threats and safeguards for typical business environments.

This workbook aims to support Dynamics 365 customers on Microsoft Cloud Germany in applying the BSI IT-Grundschutz methodology within the scope of their existing or planned ISO 27001 certification based on IT-Grundschutz.

Chapter 2 provides an overview of cloud computing in the context of IT-Grundschutz. An outline of how to implement the IT-Grundschutz module B 1.17 Cloud Use2 as part of the Information Domain3 is given on a per-safeguard-basis in chapter 3. Chapter 4 discusses Microsoft’s responsibilities as a cloud ser- vice provider.

1 https://www.microsoft.com/en-us/dynamics365/what-is-crm 2 https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/International/GSK_15_EL_EN_Draft.pdf 3 See Appendix A, Glossary of IT-Grundschutz Terms for normative terms of IT-Grundschutz that have special meanings.

3 2 Compliance Requirements This workbook is based on the preceding workbook entitled IT-Grundschutz Compliance on Azure4, which broadly describes how Microsoft customers can achieve IT-Grundschutz certification with solu- tions and workloads deployed on Microsoft Azure Germany. As part of the Microsoft Cloud Germany, Azure Germany offers cloud computing services on an Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) basis. Dynamics 365 Germany extends the offerings of Microsoft Cloud Germany to encompass the Software as a Service (SaaS) model.

This workbook concerning Dynamics 365 Germany is based on the 15th (2016) version of the BSI IT-Grundschutz Catalogues. Since 2014 the IT-Grundschutz Catalogues have included the module B 1.17 Cloud Use, which distinguishes between the usage of cloud services such as Dynamics 365 Germany and classic IT outsourcing.

2.1 Shared Responsibility Model

In a cloud service environment, the responsibility for implementing and maintaining security controls for IT applications is shared between the customer and the cloud service provider, in contrast to on- premises IT infrastructure. A full transfer of responsibilities can only occur when the cloud service provider includes the customers’ applications in his own certification scope (i.e., a classical outsourc- ing scenario), including an aligned risk management. It must be pointed out that according to the IT-Grundschutz methodology, final responsibility always lies with the customer (the data owner). Re- cent versions of BSI IT-Grundschutz allow a shared responsibility model that divides responsibilities between customer and cloud service provider along virtualization boundaries, ensuring that only one party is responsible for any particular aspect.

Table 1 shows a high level overview of how such partitioning may look for SaaS. The cloud computing model is divided into generalized aspects (see descriptions below). Aspects are the responsibility of the customer, the cloud service provider or both. The table also describes any available support for the customer available from Microsoft in its role as cloud service provider.

4 https://gallery.technet.microsoft.com/Azure-Germany-IT-fca4afd7

4 Aspect/Responsibility Customer Description Cloud Service Provider Security concepts are an essential part of the IT-Grundschutz meth- odology. A security concept is a documented risk analysis with a de- fined scope. It includes the resulting steps to be taken to increase the Security Concept security of the system or environment. This document helps you to establish a security concept for Dynam- ics 365 Germany. Data classification The value of data can only be determined by the customer, who should & accountability therefore identify, classify and label their data. Client & end-point Customers should clearly define the devices and clients that are per- protection mitted to access the cloud. Dynamics 365 in Microsoft Cloud Germany provides multiple options Identity and for identity and access management. Together with Azure Active Di- access rectory the customer is able to configure password guidelines and management multi-factor authentication according to their specific guidelines. Audits carried out by independent third parties help detect breaches of contract. Microsoft Dynamics 365 Germany and Microsoft Cloud Ger- Audits many will be continually audited by independent third parties due to the requirements of multiple compliance standards and certifications. Microsoft Cloud Germany has designed its services with necessary precaution. It includes the regular data backup, recovery tests and many more. Disaster recovery Customers should develop a disaster recovery plan, which should include backing up data (see also section 3.19 M 6.156 (Z) Performing your organization's own data backups. For customers of Dynamics 365 Germany the general application level Application level controls (e.g., antimalware and patch management) are provided by controls Microsoft. For customers of Dynamics 365 Germany the network is managed, Network controls configured and secured by Microsoft. The host infrastructure is provided and managed by Microsoft Cloud Host Germany. The management of host infrastructure includes for in- infrastructure stance the procurement of servers and their secure configuration. Physical security ensures that only authorized employees are granted physical access to servers, network devices etc. It also includes busi- ness continuity management to ensure the cloud service remains Physical security available in the event of serious incidents or disasters, for instance by failing over to another physical location. The geographically separate data centers that host Microsoft Cloud Germany are located in Frankfurt am Main and in Magdeburg. Table 1: Shared Responsibilities for Security in Cloud Computing (SaaS model) 5

5 cf. Simorjay, Frank: Shared Responsibilities - For Cloud Computing. Ed. Microsoft, March 2016. (https://aka.ms/sharedresponsibility)

5 2.2 Modelling of Dynamics 365 Germany

In order to remain IT-Grundschutz-compliant whilst utilizing Dynamics 365 services within Microsoft Cloud Germany, the IT Security Concept needs to be updated to include Dynamics 365 Germany in ac- cordance with BSI Standard 100-26.

The IT-Grundschutz Catalogues assign the security aspects of an information domain to individual lay- ers starting with layer 1 (Common aspects), followed by three layers that cover the “physical platform” (layer 2 Infrastructure, layer 3 IT-Systems and layer 4 Networks) and ending with layer 5, which consid- ers the applications. The three layers covering the “physical platform” are administered and controlled by Microsoft Cloud Germany.

The module B 1.17 Cloud Use covers applications provided as a cloud service as well as their admin- istration, which encompasses Dynamics 365 Germany. The BSI standard requires module B 1.17 Cloud Use to be applied “per cloud service”, without providing a strict definition for “cloud service”. This may be read as “once per cloud service provider”, “once per service model” or even, very fine-grained, “once per application”. A reasonable interpretation must be reached by the customer.

Safeguard M 2.545 Modelling how to use the cloud requires module B 5.24 Web Services to be applied in addition to B 1.17 Cloud Use when considering the management of cloud services offered by an or- ganization and managed by the organization’s own administrators. As in this workbook only the use of web services as a consumer are considered, the module B 5.24 Web Services for Dynamics 365 Ger- many is not applicable.

Figure 1 presents the general structure of Dynamics 365 Germany within an IT-Grundschutz Infor- mation Domain. The cloud services are modelled as applications running directly in the cloud (i.e., without any underlying physical system or linked server rooms). It is also necessary to model the communication links (i.e., your Internet and/or VPN connection) as part of the system with the appro- priate modules for your combination of network components and Internet service provider.

6 https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/BSIStandards/standard_100- 2_e_pdf.pdf?__blob=publicationFile&v=1

6 Figure 1: Modelling Dynamics 365 in an IT-Grundschutz network plan (example)

For normal usage, this results in B 1.17 Cloud Use being the only module that needs to be considered. This may differ in two cases:

1. If hybrid setups connecting to on-premises systems are used, e.g., with Active Directory feder- ation. In this case, you may have to include further modules for your infrastructure and inter- faces used. Examples of this are covered the workbook IT-Grundschutz Compliance on Azure.7 2. When you use Dynamics 365 to create platforms for users outside your organization (e.g., through the portal add-on) and use extensive customization, further modules like B 5.21 Web Applications may apply.

The safeguards described in chapter 3 provide additional information such as review questions refer- enced by the module B 1.17 Cloud Use or helpful online resources provided by Microsoft.

7 https://gallery.technet.microsoft.com/Azure-Germany-IT-fca4afd7

7 Implementation of Module

3 Implement atio nB of Mod ule B 1. 17 Clou d Use 1.17 Cloud Use

The following chapter describes how all audit-relevant safeguards from Module B 1.17 Cloud Use8 can be implemented for Dynamics 365 within Microsoft Cloud Germany. Each safeguard comes with review questions that are intended as a checklist for the safeguard; where available, pointers on possible an- swers are given at the end of each section.

The following table gives an overview of the safeguards for which Microsoft can provide supporting information, regarding both implementation details and specific safeguard-related questions.

Supporting infor- Safeguard mation available Description from Microsoft? M 2.40 (A) Timely Dynamics 365 Germany specific details are provided by Mi- involvement of Yes crosoft in order to support the discussion and any necessary staff/factory actions regarding this safeguard. council Microsoft provides supporting information regarding relevant M 2.42 (A) De- contractual relationships (e.g., “Customer – Data Trustee termination of Agreement9”) as well as details of the data trustee role of potential com- Yes T-Systems International GmbH. Additional information re- munications garding privileged access to data stored within Dynamics 365 partners Germany is also made available. M 2.534 (A) Draw- This safeguard supports the proper advance planning regard- ing up a strategy No ing strategy and challenges for the security model of Dynam- for cloud use ics 365 Germany. The security requirements and procedures for the usage of M 2.535 (A) Dra- Microsoft Cloud Germany within your organization need to be wing up a securi- defined. Your organization is provided with details to aid the Yes ty policy for cloud definition of security requirements with respect to the confi- use dentiality, integrity and availability of information processed by Dynamics 365 Germany. This safeguard considers additional practical requirements M 2.536 (A) Ser- for Dynamics 365 Germany regarding secure authentication, vice definition for Yes encryption and client interoperability. Microsoft provides in- cloud services by formation on features which may be used by the customer in the user securing data.

8 The Grundschutz catalogues include safeguards without audit relevance for explanatory purposes (marked as “W”) – these are not included in the list. 9 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=56

8 Supporting infor- Safeguard mation available Description from Microsoft? M 2.537 (A) Plan- Microsoft provides detailed information on security aspects to ning the secure Yes consider when migrating to Dynamics 365 Germany online migration to a services. cloud service M 2.538 (A) Plan- ning the secure This safeguard aids the secure integration of Dynamics 365 No integration of Germany into the customer's environment. cloud services While there is no generic template for each specific organiza- M 2.539 (A) Draw- tion’s requirements, Microsoft Cloud Germany addresses ing up a security Yes most of the technical threats and mitigations mentioned in concept for cloud the safeguard to support your organization in creating a se- use curity concept for Dynamics 365 Germany. Microsoft Cloud Germany has published information about M 4.459 (Z) Use of how Dynamics 365 Germany employs encryption for data in encryption when Yes transit and data at rest to meet enhanced protection re- using the cloud quirements where necessary. M 4.461 (Z) Port- Portability concerns regarding Dynamics 365 Germany are ability of cloud Yes addressed in this safeguard. services M 2.540 (A) Care- ful selection of a Microsoft offers guidance for the evaluation of Dynamics 365 Yes cloud service Germany. provider M 2.541 (A) Con- tractual ar- Detailed information concerning of the contractual arrange- rangements with Yes ments between your organization, Microsoft Cloud Germany the cloud service and the data trustee is outlined in this safeguard. provider M 2.542 (A) Se- This safeguard covers internal planning for the secure inte- cure migration to Yes gration of existing services. Microsoft provides tools to assist a cloud service with migrating current resources to Dynamics 365 Germany. M 2.543 (A) Information is made available concerning the maintenance of Maintenance of IT a high level of information security, as well as methods by security during Yes which the user may test the claims set out, especially the ongoing cloud adherence to the Dynamics 365 Germany SLAs. operations Information and guidance regarding current and past audits M 2.544 (C) Audi- and security certifications are provided, including publically Yes ting when using available reports and results, such that the customer is not the cloud required to carry out their own audit. M 4.460 (Z) Use of Federated services are provided through the Microsoft Cloud Federation Ser- Yes Germany service Azure Active Directory, which can be used vices for the management of users and groups in Dynamics 365. M 2.307 (A) Well- ordered termina- Information and guidance on exporting data stored in Dynam- tion of an out- ics 365 upon termination of a Microsoft Cloud Germany sub- sourcing or cloud Yes scription are provided, including cancellation and data dele- service relation- tion policies. ship

9 Supporting infor- Safeguard mation available Description from Microsoft? M 6.155 (A) Draw- ing up a business The disaster recovery plan must be individually developed for continuity con- No Dynamics 365 Germany and must consider the relevant ser- cept for a cloud vice levels. service M 6.156 (Z) Per- forming your This must be initiated by your organization; either directly or organization's Yes using a third-party service. Dynamics 365 Germany offers own data back- integrated functions for data backup and recovery. ups Table 2: Overview of the safeguards for which Microsoft can provide supporting information

3.1 M 2.40 (A) Timely involvement of staff/factory council

This safeguard requires the consent of the worker’s representatives/employee council to all functions and features that enable the monitoring of the behavior or performance of employees.

In Dynamics 365 Germany an evaluation of activities (e.g., logging of user access) is possible.10 Accord- ing to the Works Constitution Act11 (Betriebsverfassungsgesetz, BetrVG) as well as to the German Fed- eral Data Protection Act12 (Bundesdatenschutzgesetz, BDSG) and to the European General Data Pro- tection Regulation13 (GDPR), the usage of such monitoring features may be subject to further privacy requirements to prohibit misuse, including the involvement of the worker’s representatives/employee council (if existing) to discuss appropriate usage and adequate safeguards.

Organizations shall evaluate on a “per feature” basis the necessity and proportionality of these features and consider the implementation of safeguards and written documentation to protect sensitive infor- mation generated by them, for example:

· Policies regulating the usage of features relating to monitoring the actions and behavior of employees; · Identity and access management operational concept; · Audit logging, control and review management operational concept; · Incident management operational concept; · Defined and documented processes for accessing employee’s mailboxes during their absence.

10 https://msdn.microsoft.com/en-us/library/gg309664.aspx 11 http://www.gesetze-im-internet.de/englisch_betrvg/ 12 https://www.gesetze-im-internet.de/englisch_bdsg/ 13 https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

10 3.2 M 2.42 (A) Determination of potential communications partners

Note: The content of this safeguard is mostly identical to safeguard M 2.42 (A) Determination of poten- tial communications partners discussed in the workbook IT-Grundschutz Compliance on Azure14.

This safeguard aims to ensure complete transparency about all (external) parties that have access to customers’ data. It is required primarily for reasons of data protection, in particular due to the BDSG and other applicable data privacy regulations (EU, federal states) such as the GDPR.

The extent of this safeguard depends largely on the kind of data stored in or accessible from the cloud. The customer must have already determined the protection requirements of the data, i.e.:

1. A confidentiality classification of said data. 2. A list of people permitted to receive the information.

Microsoft offers special commitments for all data stored in Microsoft Cloud Germany through the data trustee construct outlined in the Customer – Data Trustee Agreement15:

· All access to the customer data (other than access initiated by the customer or their end us- ers) is controlled by the German data trustee that operates the physical data centers. The data trustee is T-Systems International GmbH, a Germany-based, world-leading service provider in IT and communication technologies and wholly-owned subsidiary of Deutsche Telekom AG. · Demands for customer data from foreign authorities or judicial orders are handled through the data trustee model. The data trustee operates under German law and will grant third-party ac- cess to customer data only after explicit consent from the customer or when otherwise re- quired by German law. · All access to customer data by Microsoft personnel or any third party is controlled by the data trustee and will only be granted in accordance with the customer contract “Customer – Data Trustee Agreement”, in accordance with German law or as allowed by the customer. · Allowed external access is limited to the minimum amount necessary to solve the problem at hand.

· The authoritative list of parties with access to the data can be acquired from the terms outlined in the “Customer – Data Trustee Agreement”, part of the contractual agreement with the Data Trustee.

There are two notable situations in which access by Microsoft or its suppliers may occur:

1. When the data trustee grants Microsoft access to resolve immediate operational problems or to support to a customer service request to the data trustee. In this case, the access is moni- tored by the data trustee and limited to the minimum necessary to solve the problem at hand. 2. When customer sends data to Microsoft Customer Support directly (e.g., by email in a support question or by sharing the screen). In this case, the potential list of entities with access to the data is documented in the Microsoft Services Supplier List.16

14 https://gallery.technet.microsoft.com/Azure-Germany-IT-fca4afd7 15 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=56 16 https://www.microsoft.com/en-us/download/details.aspx?id=50426 (Microsoft Services Supplier List)

11 The above only applies to information stored without external access offered by the customer them- selves. When implementing services that allow other forms of access, this list must be extended to include the parties allowed access by the customer.

Dynamics 365 Germany offers features for internal access through user defined privileged user roles via the Office 365 Admin Center17. Tenant information is only accessible for these privileged roles.

Review Question Answer Reference

Is it determined which commu- With Dynamics 365 in Microsoft https://gallery.technet.microsoft nications partners may receive Cloud Germany a “Customer – .com/Cloud-Germany- which information? Data Trustee Agreement” exists Compliance-4161d8df between the customer and the data trustee. The data trustee http://www.microsoftvolumelice operates under German law. nsing.com/DocumentSearch.asp x?Mode=3&DocumentTypeId=56 The data processing contract in place with the data trustee lim- https://www.microsoft.com/en- its access to your data to the us/dynamics365/contact-us data trustee and personnel as described above. https://www.microsoft.com/en- us/download/details.aspx?id=50 Any further access by other 426 (Microsoft Services Supplier parties must be authorized by List) your organization and docu- mented accordingly.

Communication channels with Microsoft for service or support questions regarding Dynam- ics 365 Germany are specified.

3.3 M 2.534 (A) Drawing up a strategy for cloud use

This safeguard is organization specific. Microsoft provides a detailed description of Dynamics 365 Ger- many18 in order to support the discussion regarding this safeguard.

The strategy for cloud usage must be drawn up sufficiently early on in order to plan the usage of Dy- namics 365 Germany and to identify in advance possible challenges for the security model. It covers strategy, interfacing, networking, administration models, data and user management.

Microsoft has produced a workbook for general support in drawing up a cloud usage strategy, which answers important questions as well as providing experience-based recommendations concerning cloud strategy, cloud services models and security considerations19. The workbook also covers different migration scenarios for Dynamics 365 Germany.

17 Dynamics 365: http://go.microsoft.com/fwlink/p/?LinkId=255444 18 https://www.microsoft.com/de-de/dynamics365/dynamics-365-deutschland (in German only) 19 https://info.microsoft.com/enterprise-cloud-strategy-ebook.html

12 The customer must decide which services are to be migrated onto Dynamics 365 Germany. This may include partial integration of services (e.g., using Dynamics 365 online but the Outlook/Exchange ser- vice on-premises) or the integration of on-premises operational services (e.g., integration of Active Directory on-premises).

Depending on the Dynamics 365 plan20 chosen, there are multiple solutions with differing levels of inte- gration and connection between cloud services, on-premises services and client applications. The most suitable strategy will likely vary between customers. The following table describes two possible vari- ants with different complexity; the optimum solution for any given customer may lie anywhere on a sliding scale between these two endpoints.

Low complexity and integration High complexity and integration Cloud-only services, fewer administration and Cloud services connected with on-premises ser- control features vices (e.g., SharePoint, Active Directory) Two-factor authentication via Microsoft features Alternate two-factor authentication available, only e.g., via smartcards High integration and synchronization between No connection and synchronization between cloud services and on-premises services, lower cloud services and on-premises services, higher administrative requirements, fine grained user administrative requirements (e.g., user manage- access management, automated application and ment) license deployment available High dependency and availability requirements Online and offline processing of business infor- for the Internet connection mation with synchronization Web based and local installation of Dynamics 365 Web based Dynamics 365 Germany applications Germany (e.g., “Dynamics 365 Cloud Add-on”21)

When matching your requirements against Microsoft Cloud Germany offerings, see Appendix B for reference information.

3.4 M 2.535 (A) Drawing up a security policy for cloud use

This safeguard ensures the clear definition of security requirements regarding the confidentiality, in- tegrity and availability of information processed by Dynamics 365 Germany and stored in Microsoft Cloud Germany.

These requirements may be met by implementing adequate safeguards, e.g., encrypting highly sensi- tive data before transferring it, making local backups or creating offline caches for high-availability information. They should be documented in the security concept (see chapter 3.8 M 2.539 (A) Drawing up a security concept for cloud use).

20 https://technet.microsoft.com/en-us/library/hh699677.aspx 21 See for example: http://download.microsoft.com/documents/en-us/dynamics365/pricing/Dynamics_365_On- premises_Enterprise_edition_Licensing_Guide_December_2016.pdf

13 Security Objective Implementation on Microsoft Solution for Dynamics 365 Germany Cloud Germany

Confidentiality To ensure confidentiality for https://technet.microsoft.com/en- business data stored within us/library/dn531199.aspx the Microsoft Cloud Germa- ny, Microsoft offers encryp- https://www.microsoft.com/en- tion features. us/trustcenter/security/encryption#Dynamics- 365

Integrity Microsoft Cloud Germany https://msdn.microsoft.com/en- provides mechanisms to us/library/gg309524.aspx support the integrity of cloud data.

Availability To ensure availability, your https://technet.microsoft.com/en- organization may wish to us/library/jj191606.aspx#Security and service consider setting up a redun- continuity dant Internet connection.

Microsoft Cloud Germany is designed as a resilient sys- tem to ensure high service levels.

Further (general) requirements are provided by the preceding workbook IT-Grundschutz Compliance on Azure22.

3.5 M 2.536 (A) Service definition for cloud services by the user

This safeguard requires your organization (as the cloud service customer) to define the desired cloud services in terms of business impact and suggests using a standardized ITIL style service template for this purpose.

Additional practical requirements in this safeguard for which Dynamics 365 Germany-specific infor- mation is available are listed here:

Compliance Requirement Implementation on Microsoft Reference Cloud Germany

Secure authentication methods, Dynamics 365 offers basic Azure https://azure.microsoft.com/en- 2-factor authentication for ad- AD features including a subset us/services/multi-factor- ministration of Azure Multi-Factor- authentication/ Authentication (MFA). https://docs.microsoft.com/en- Role-based access control is us/azure/multi-factor- available for controlling cloud authentication/multi-factor- services via the Microsoft Azure authentication-versions-plans

22 https://gallery.technet.microsoft.com/Azure-Germany-IT-fca4afd7

14 Compliance Requirement Implementation on Microsoft Reference Cloud Germany Portal.

A subscription to Microsoft Cloud Germany service Multi- Factor Authentication allows the use of further multi-factor au- thentication features.

Encryption requirements Dynamics 365 Germany offers https://www.microsoft.com/en- encryption for data at rest and in us/trustcenter/security/encrypti transit (see section 3.9 M 4.459 on#Dynamics-365 (Z) Use of encryption when using the cloud). https://technet.microsoft.com/e n-us/library/dn531199.aspx

Client software interoperability The Microsoft Dynamics 365 https://msdn.microsoft.com/en- Software Development Kit (SDK) us/library/hh547453.aspx is available for download. It helps developers write custom- ized software for Dynamics 365, for instance plug-ins, client ap- plications or integration mod- ules.

3.6 M 2.537 (A) Planning the secure migration to a cloud service

To ensure a high, constant level of security, the migration from a local or on-premises environment to Dynamics 365 Germany must be appropriately planned. The German Federal Ministry of the Interior offers guidelines for software migration in general.23 The current version touches on cloud computing mainly as a possibility for the future, but the general guidelines may already give an insight into as- pects to be considered in migration projects.

Microsoft offers a comprehensive workbook24 to support you in migration planning. The workbook combines answers to important questions with experience based recommendations concerning a mi- gration to the cloud. When planning the migration, the customer should consider security aspects across the various phases:

· Proper process of the migration, for example by o defining organizational structures, responsibilities and organizational rules o defining communication and reporting structures o planning the migration stages · Continuity of the business and IT processes within the transition to Dynamics 365 Germany, for example by

23 http://www.cio.bund.de/SharedDocs/Publikationen/DE/Architekturen-und- Standards/migrationsleitfaden_4_0_download.pdf?__blob=publicationFile (in German only) 24 https://info.microsoft.com/enterprise-cloud-strategy-ebook.html

15 o involving the relevant departments, in particular the IT department, in the migration planning o providing training to relevant employees o considering test and pilot phases o defining roll back scenarios · Completeness and integrity of the information during the data migration to Dynamics 365 Germany, for example by o considering the data or file structures of the new environment o providing training to relevant employees o appropriately planning the data transfer (for instance in stages) o considering test and pilot phases · Prevent unauthorized access to the information during the data migration or on the new envi- ronment, for example by o enforcing encryption for date in transit o ensuring appropriate security safeguards on applications, systems and networks used for potential transforming of the data o enforcing the encryption of the access to the software o ensuring the setup of appropriate access restrictions within the software o providing training to relevant employees o considering test and pilot phases o considering audits after representative migration phases or milestones This safeguard focusses on both, technical and organizational aspects of the cloud migration. When migrating from an existing on-premises Dynamics installation, the technical aspects that are neces- sary to consider are obviously much simpler than when migrating from a competing product. Especial- ly, the issues arising from the change of the existing IT landscape need be considered.

Review Question Answer Reference

Is the migration concept de- As the migration concept is http://www.cio.bund.de/SharedD signed for the cloud service based on the individual situation ocs/Publikationen/DE/Architekt defined as a part of the security of the organization, the fulfil- uren-und- concept for cloud use? ment of this requirement is the Stand- responsibility of the customer. ards/migrationsleitfaden_4_0_d own- The organization shall plan the load.pdf?__blob=publicationFile migration from internal pro- (in German only) cesses, procedures and applica- tions to Dynamics 365 Germany by defining a migration concept. It should include, amongst oth- ers, the above mentioned as- pects.

16 Review Question Answer Reference

Are organizational rules regard- As every migration is individual, http://www.cio.bund.de/SharedD ing the migration defined? the fulfilment of this require- ocs/Publikationen/DE/Architekt ment is the responsibility of the uren-und- organization. The organization Stand- should define a proper organiza- ards/migrationsleitfaden_4_0_d tional structure, responsibilities own- and further organizational rules load.pdf?__blob=publicationFile for the migration. (in German only)

Any contractual requirements http://www.microsoftvolumelice should be taken into account. nsing.com/DocumentSearch.asp x?Mode=3&DocumentTypeId=31

http://www.microsoftvolumelice nsing.com/DocumentSearch.asp x?Mode=3&DocumentTypeId=37

Have existing business process- As the existing business pro- http://www.cio.bund.de/SharedD es with respect to cloud use cesses with respect to cloud use ocs/Publikationen/DE/Architekt been identified and adjusted? are individual for each organiza- uren-und- tion, the fulfilment of this re- Stand- quirement is the responsibility ards/migrationsleitfaden_4_0_d of the customer. own- load.pdf?__blob=publicationFile In practice, the effect of the (in German only) cloud use on business process should be examined taking in consideration the protection requirements of the business processes as well as the chang- es in activities, tasks and re- sponsibilities and the training needs of the staff.

Has your organization’s own IT In every organization, the place http://www.cio.bund.de/SharedD adequately been taken into ac- of the organizational structure ocs/Publikationen/DE/Architekt count in the migration process? differs between organizations. uren-und- This requirement is therefore Stand- the responsibility of the individ- ards/migrationsleitfaden_4_0_d ual organization. own- load.pdf?__blob=publicationFile Early involvement of the IT de- (in German only) partment in the migration to Dynamics 365 Germany is rec- ommended, preferably at the planning stage. The technical feasibility should be assessed by the relevant employees.

Was a corresponding need for The need for training of different https://www.microsoft.com/en- training identified for employ- employee groups or depart- us/dynamics/crm-customer- ees? ments is specific to each organi- center/microsoft-dynamics-365-

17 Review Question Answer Reference zation. The fulfilment of this training-courses.aspx requirement is therefore the responsibility of the customer.

Microsoft offers multiple train- ings for Dynamics 365 Germany, as do numerous third party sup- pliers.

3.7 M 2.538 (A) Planning the secure integration of cloud services

In addition, to planning a secure migration (see section 3.6 M 2.537 (A) Planning the secure migration to a cloud service), the secure integration of Dynamics 365 Germany is essential for secure, continuous IT operations. This safeguard considers aspects beyond planning the migration.

Note: This safeguard is organization specific, as it covers internal planning for the secure integration of existing services.

There are various methods to prepare the integration of cloud based Dynamics 365 Germany features. The organization shall establish and document a security concept that considers the security require- ments affecting the following aspects:

· Required adaption of the existing IT landscape · Suitability of existing interfaces (e.g., proxy) for the usage of Dynamics 365 Germany · Definition of the administration model for the cloud based Dynamics 365 Germany features, e.g., usage of Azure Active Directory (Azure AD) vs. Active Directory Federation Services (ADFS) · Information management (data backup and data retention strategy) regarding information stored in the cloud and on-premises For example, Dynamics 365 Germany can be used together with Outlook25.

3.8 M 2.539 (A) Drawing up a security concept for cloud use

This safeguard considers the development of a security concept for Dynamics 365 Germany including all required security safeguards drawn from the requirements of the security policy for the cloud ser- vice. Additionally, the security concept sets out the particular configuration (customer, cloud service provider, Internet service provider, etc.) and threat model, which the concrete safeguards are devel- oped in response to.

While there is no generic template for your organizations requirements, Microsoft Cloud Germany ad- dresses most of the technical threats and mitigations mentioned in the safeguard:

25 https://www.microsoft.com/en-us/dynamics/crm-customer-center/dynamics-365-for-outlook-user-s-guide.aspx

18 Threat Mitigation available Reference

Difficult to determine where Data provided through custom- See section 3.2 M 2.42 (A) De- data is physically stored er’s use of Microsoft Cloud termination of potential com- Germany is only stored in Ger- munications partners man data centers.

Supervision of service delivery Service level monitoring https://support.office.com/en- through “Service health” mod- us/article/How-to-check-Office- ule in the Office 365 admin cen- 365-service-health-932ad3ad- ter for Dynamics 365 Germany26 533c-418a-b938-6e44e8bc33b0

https://technet.microsoft.com/e n-us/library/mt210421.aspx

Unauthorized access by third All access to the customer data See section 3.9 M 4.459 (Z) Use parties (other than access initiated by of encryption when using the the customer or their end users) cloud is controlled by the German data trustee. See section 3.2 M 2.42 (A) De- termination of potential com- Data in transit between custom- munications partners er and Dynamics 365 Germany is encrypted. The encryption of https://www.microsoft.com/onli data at rest is mandatory. ne/legal/v2/en- us/MOS_PTC_Data_Use_Limits. htm

Isolation The data of each customer is https://www.microsoft.com/en- isolated from the others. For us/trustcenter/security/dynamic instance, the data storage of s365-security Dynamics 365 Germany is logi- cally separated, i.e., tenant iso- https://technet.microsoft.com/e lation is provided by Dynamics n-us/library/dn722373.aspx 365 Germany.

Review Question Answer

Is there a security concept for Microsoft Cloud Germany’s security concept fulfills a variety of secu- cloud use based on the security rity standards. Further information is given in section 3.4 M 2.535 (A) requirements identified? Drawing up a security policy for cloud use.

Were rules regarding drawing This requirement is the responsibility of the organization. up a security concept by the network provider specified?

26 For service level definition see: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

19 Review Question Answer

Is the existence and implemen- Microsoft Cloud Germany and Dynamics 365 Germany will be con- tation of the security concept on tinually audited, due to the requirements of multiple compliance the part of the cloud service standards and certifications. Information and guidance regarding provider reviewed by the cus- current and past audits and security certifications27 will be provided, tomer or independent third par- including publically available reports and results. ties?

3.9 M 4.459 (Z) Use of encryption when using the cloud

This additional safeguard for enhanced protection requirements strives to ensure that, where required, suitable encryption is used to secure data, both in transit and at rest. Depending on the method of en- cryption, the responsibility may lie either with the customer or with the cloud service provider. If the cloud service provider is responsible for encryption, the provided encryption service should be checked against the standards set out in the service definition.

Dynamics 365 Germany employs encryption for data in transit and for data at rest.28

Review Question Answer Reference

If encryption is performed Data in transit: https://www.microsoft.com/en- by the cloud service pro- us/trustcenter/security/encrypti vider, are there contractu- Dynamics 365 Germany encrypts con- on#Dynamics-365 al arrangements defining nections using industry-standards specifications regarding such as AES and TLS/SSL. the selection of secure encryption mechanisms Data at rest: and use of suitable key lengths to be complied The databases of Dynamics 365 Ger- with by the cloud service many are encrypted using the FIPS provider? 140-2-compliant Transparent Data Encryption (TDE) of Microsoft SQL Server (and the Azure SQL Database).

Is the implementation of a As a SaaS application, it is not possible https://technet.microsoft.com/e suitable key management to implement your own encryption n-us/library/mt492471.aspx ensured when the organi- mechanism. zation uses its own en- cryption mechanisms? The encryption key for the mandatory Dynamics 365 encryption can be cho- sen by the customer. Microsoft rec- ommends a local backup of the en- cryption key. This backup must comply with the IT-Grundschutz requirements for key management.

27 https://www.microsoft.com/en-us/trustcenter 28 https://www.microsoft.com/en-us/trustcenter/security/encryption

20 Review Question Answer Reference

Are particularities related Dynamics 365 Germany provides en- https://www.microsoft.com/en- to cloud use taken into cryption mechanisms. Further encryp- us/trustcenter/security/encrypti account with respect to tion mechanisms cannot be imple- on#Dynamics-365 the service model chosen mented by the customer whilst using when implementing en- Dynamics 365 in Microsoft Cloud Ger- cryption? many only.

3.10 M 4.461 (Z) Portability of cloud services

This additional safeguard aims to ensure a high degree of flexibility when changing cloud service pro- vider or bringing a cloud service back in-house. A number of requirements must be considered in this case, in particular concerning file formats and portability testing.

Dynamics 365 Germany support various methods of migrating data:

1. Using Dynamics 365 Germany APIs allowing access to customer data.29 2. Using the add-on service Data Export to replicate data from Dynamics 365 Germany to a Mi- crosoft Azure SQL database.30 3. Migrate from a Dynamics 365 Germany to a Microsoft Dynamics on-premises deployment.31 4. Usage of third-party tools for Dynamics 365 Germany to import/export data. The data will be exported in common formats, e.g., Microsoft Office (Word, Excel, PowerPoint, etc.) or .pst files (Exchange). The specifications of the relevant Office Open XML or the .pst file formats are freely available.32

The move to another cloud service provider or to on-premises environments should be adequately planned and tested. The following questions should be considered:

· Does the target environment offer the same features as Dynamics 365 Germany (functionality, security, performance, scalability etc.)? · Is the new platform able to process the exported data of Dynamics 365 Germany? · Are there any Microsoft or third-party tools for converting the data or file formats into the tar- get formats as needed?

29 https://msdn.microsoft.com/en-us/library/mt593051.aspx 30 https://msdn.microsoft.com/en-us/library/mt788315.aspx 31 https://www.microsoft.com/en-us/download/details.aspx?id=18039 (Microsoft Dynamics CRM Online Migration to Microsoft Dynamics CRM on-premises) 32 DOCX-Files: https://msdn.microsoft.com/en-us/library/dd773189(v=office.12).aspx XLSX-Files: https://msdn.microsoft.com/en-us/library/dd922181(v=office.12).aspx PST-Files: https://msdn.microsoft.com/en-us/library/ff385210(v=office.12).aspx

21 Review Question Answer Reference

Were all important require- The requirements for a move to See section 3.6 M 2.537 (A) ments for a move to another another provider or back to on- Planning the secure migration provider or back to on-premises premises depend on the individ- to a cloud service well defined? ual situation of the customer. Therefore, the fulfillment of this requirement is the responsibility of the customer.

Among other things, the general aspects of planning the migra- tion to a cloud service could be recognized.

Are provisions made for per- The requirements for portability See section 3.6 M 2.537 (A) forming portability tests? and portability test are individual Planning the secure migration for each customer and each use to a cloud service case. The fulfillment of this re- quirement is the responsibility of the customer.

Among other things, the general aspects of planning the migra- tion to a cloud service should be considered.

Have the specifications regard- Portability is not set out con- https://msdn.microsoft.com/en- ing the realization of the porta- tractually, however Microsoft us/library/mt593051.aspx bility been incorporated into the has made a number of provi- contractual agreements with the sions. For example, APIs can be https://msdn.microsoft.com/en- cloud service provider? used, which may be managed us/library/mt788315.aspx using the cloud service API Management. https://technet.microsoft.com/e n-us/library/mt744592.aspx

3.11 M 2.540 (A) Careful selection of a cloud service provider

The aim of this safeguard is to ensure the selection of a suitable cloud service provider. For a detailed and thorough comparison, a requirements document should be drawn up. This document should out- line what is expected and required from the cloud service, including a description of the preliminary security concept and security policies. A requirement analysis carried out beforehand may be useful in drawing up the document.

Starting from the defined requirements, a service catalog or a requirement specification can be creat- ed. This catalog can then be used to compare the competing cloud service providers and rate them using a point’s matrix. Finally, a cost-benefit analysis should be carried out to compare the remaining offers and to provide a realistic assessment of the potential cost savings from moving to a cloud ser- vice model.

22 The basic aspects listed in the table below must be investigated and appropriate answers obtained before the offers are evaluated. If the results are not satisfactory, a cloud service provider may be re- moved from further consideration.33

Microsoft provides information for a thorough evaluation of Dynamics 365 Germany.34

Review Question Answer Reference

Has a detailed requirements The detailed requirements profile https://azure.microsoft.com/en- profile for a cloud service for a cloud service provider de- us/overview/choosing-a-cloud- provider been prepared on the pends on the individual situation service-provider/ basis of the service definition of each particular organization. for the cloud service? Therefore, the fulfillment of this https://technet.microsoft.com/en- requirement is the responsibility us/library/hh699677.aspx of the customer.

Is there a service description The development of a service https://azure.microsoft.com/en- or a user requirements speci- description or a user require- us/overview/choosing-a-cloud- fication to compare and eval- ments specification is based on service-provider/ uate available offers of differ- the individual situation of an or- ent cloud service providers? ganization. The fulfillment of this https://technet.microsoft.com/en- requirement is the responsibility us/library/hh699677.aspx of the customer.

Have supplementary sources The necessary sources for an https://azure.microsoft.com/en- of information (for example appropriate evaluation are indi- us/overview/choosing-a-cloud- market analyses, contractual vidual to each organization. service-provider/ arrangements or location Therefore, the fulfillment of this chosen) been included in the requirement is the responsibility https://technet.microsoft.com/en- evaluation of a cloud service of the customer. us/library/hh699677.aspx provider?

Have the available service The examination and review of http://www.microsoftvolumelicen descriptions (SLAs or general the contract, SLAs and the gen- sing.com/DocumentSearch.aspx? terms and conditions) of the eral terms and conditions is the Mode=3&DocumentTypeId=31 cloud service provider been responsibility of the customer. carefully examined and re- http://www.microsoftvolumelicen viewed? The relevant general agreements sing.com/DocumentSearch.aspx? are the Microsoft Online Services Mode=3&DocumentTypeId=37 Terms and the SLAs of Dynamics 365 Germany between Microsoft http://www.microsoftvolumelicen and the customer. sing.com/DocumentSearch.aspx? Mode=3&DocumentTypeId=56 Microsoft has also established a contractual agreement with T-Systems International GmbH, which is not within the responsi- bility of the customer.

33 Further aspects and assistance in choosing a cloud service provider is available from Microsoft at https://azure.microsoft.com/en-us/overview/choosing-a-cloud-service-provider/ 34 https://www.microsoft.com/en-us/trustcenter/guidance/evaluate

23 3.12 M 2.541 (A) Contractual arrangements with the cloud service provider

This safeguard ensures that contractual agreements are appropriate in type, scope and level of detail for the protection requirements of the data and the applications.

The previously defined requirements must be considered, and at least the following points require an answer with respect to Microsoft Cloud Germany.

Contract documents Dynamics 365 within the Microsoft Cloud Reference Germany

Physical location of the The cloud services are run from data cen- http://www.microsoftvolumeli services and Cloud Ser- ters located in Germany. censing.com/DocumentSearc vice Provider h.aspx?Mode=3&DocumentTy All processing of customer data by the data peId=56 trustee within Dynamics 365 Germany takes place inside Germany. https://servicetrust.microsoft .com/Documents/Complianc eReports

Subcontractors and Microsoft employs subcontractors for spe- https://www.microsoft.com/e third parties involved cific, limited support tasks. n- with service delivery us/download/details.aspx?id= A German data trustee is entrusted with 50426 (Microsoft Services controlling all access to customer data. Supplier List)

http://www.microsoftvolumeli censing.com/DocumentSearc h.aspx?Mode=3&DocumentTy peId=56

Rules governing the The data centers used for Microsoft Cloud http://www.microsoftvolumeli infrastructure of the Germany are located (for redundancy) in censing.com/DocumentSearc Cloud Service Provider Frankfurt am Main and Magdeburg. They h.aspx?Mode=3&DocumentTy are connected over a private network over peId=56 which data is continuously exchanged.

The implementation of a multi-client infra- structure follows European compliance standards fulfilled by Dynamics 365 Ger- many.

Rules concerning the The personnel (both internal and external) https://servicetrust.microsoft personnel of the Cloud employed by Microsoft have all required .com/Documents/Complianc Service Provider competencies and are cleared in accord- eReports ance with internal policies.

Rules concerning pro- Dynamics 365 as a part of Microsoft Cloud http://www.microsoftvolumeli cesses, working proce- Germany includes the provision as an cens- dures and responsibili- online cloud service. A comprehensive set ing.com/DocumentSearch.as ties of rules, including information security px?Mode=3&DocumentTypeId

24 Contract documents Dynamics 365 within the Microsoft Cloud Reference Germany policies (e.g., asset management, malware =31 protection) underlies Microsoft Cloud Ger- many. http://www.microsoftvolumeli cens- The division of responsibilities, processes ing.com/DocumentSearch.as and procedures are generally defined in px?Mode=3&DocumentTypeId the particular agreements. =37

Furthermore, multiple possibilities for https://www.microsoft.com/e support, service monitoring and further n-us/dynamics/crm- information exchange are offered to the customer-center/dynamics- customer for Dynamics 365 Germany. 365-online-maintenance- and-update-schedules.aspx

Provisions for ending the Dynamics 365 Germany is offered on a http://www.microsoftvolumeli contractual agreement subscription basis. Early termination may cens- be possible. ing.com/DocumentSearch.as px?Mode=3&DocumentTypeId =31

Ensuring secure dele- Customer data is deleted within 180 days of http://www.microsoftvolumeli tion of data by the Cloud cancelling the service. censing.com/DocumentSearc Service Provider h.aspx?Mode=3&DocumentTy Physical storage media will be securely peId=56 destroyed on-site at the end of their service life. Internal Paper: On-Site Data Bearing Device Destruction The customer is additionally able to ensure Procedure the secure deletion of their data by en- crypting data stored in the cloud using the encryption offered by Microsoft Cloud Germany.

Rules concerning access Access to customer data is primarily re- http://www.microsoftvolumeli rights served for the customers themselves. Only censing.com/DocumentSearc for support and maintenance purposes, h.aspx?Mode=3&DocumentTy with continuous monitoring by the data peId=56 trustee, are Microsoft support personnel permitted to access stored customer data. Microsoft Sovereign Cloud - Compliance in the cloud for The personnel (both internal and external) German business organiza- employed by Microsoft have all required tions competencies and are cleared in accord- ance with internal policies.

Provisions for critical or Microsoft Cloud Germany has defined rules http://www.microsoftvolumeli emergency scenarios for continuation of services to the level set censing.com/DocumentSearc out by the SLA. For Dynamics 365 Germa- h.aspx?Mode=3&DocumentTy ny, specific SLAs have been drawn up. peId=37

25 Contract documents Dynamics 365 within the Microsoft Cloud Reference Germany

Corresponding measures include the geo- graphical separation of the data centers and the continuous replication of data be- tween them.

Your organization may also choose to meet any further requirements through the use of Microsoft Cloud Germany services such as Backup or Site Recovery.

Provisions regarding Microsoft complies with all laws and rules http://www.microsoftvolumeli legal requirements concerning its provision of the cloud ser- censing.com/DocumentSearc vices. h.aspx?Mode=3&DocumentTy peId=37 The data trustee also complies with all laws relating to its role in the provision of http://www.microsoftvolumeli the cloud services. cens- ing.com/DocumentSearch.as px?Mode=3&DocumentTypeId =31

http://www.microsoftvolumeli censing.com/DocumentSearc h.aspx?Mode=3&DocumentTy peId=56

Rules governing checks Microsoft Cloud Germany offers customers https://technet.microsoft.co and audits. the ability to monitor SLA compliance with m/en- the “Service Health” module in the Of- us/library/mt210421.aspx fice 365 Portal. https://www.microsoft.com/e The monitoring of Microsoft Cloud Germa- n-us/dynamics/crm- ny is governed by a number of internal customer-center/dynamics- rules. Successful and unsuccessful at- 365-online-maintenance- tempts to access customer data as well as and-update-schedules.aspx changes to data are logged and the logs stored for a year. System logs are deleted http://www.microsoftvolumeli after 90 days. censing.com/DocumentSearc h.aspx?Mode=3&DocumentTy Microsoft Dynamics 365 Germany and Mi- peId=37 crosoft Cloud Germany will be continually audited, due to the requirements of multi- ple compliance standards and certifica- tions. Information and guidance regarding current and past audits and security certi- fications will be provided, including publi- cally available reports and results.

26 Review Question Answer Reference

Are the contractual agreements Procedures ensure that Mi- http://www.microsoftvolumelicensi appropriate in type, scope and crosoft service personnel may ng.com/DocumentSearch.aspx?Mo level of detail for the protection not access customer data de=3&DocumentTypeId=56 requirements of the data and without prior customer author- the applications connected with ization and monitoring by the the cloud service usage? data trustee.

What, if any, rules govern the The cloud services are run http://www.microsoftvolumelicensi physical location of the cloud from data centers located in ng.com/DocumentSearch.aspx?Mo service provision? Germany. de=3&DocumentTypeId=56

All processing of customer data by the data trustee takes place inside Germany.

Have clear responsibilities, es- Microsoft Cloud Germany us- http://www.microsoft.com/en- calation stages and communi- ers have access to account us/dynamics/dynamics-online- cation paths been set out be- management and billing sup- support.aspx tween the contracting institution port, as well as support and and the cloud service provider? guidance offered in the Dynam- http://www.microsoftvolumelicensi ics Portal. ng.com/DocumentSearch.aspx?Mo de=3&DocumentTypeId=31 Technical support can be re- quested via the Dynamics Por- tal upon the purchase of a cor- responding support package.

Do agreements covering the Customer data is deleted with- http://www.microsoftvolumelicensi secure deletion of data by the in 180 days of cancelling the ng.com/DocumentSearch.aspx?Mo cloud service provider exist? service. The customer is able de=3&DocumentTypeId=56 to ensure the secure deletion of their data by encrypting data stored in the cloud using the encryption offered by Microsoft Cloud Germany.

Do written rules exist regarding Dynamics 365 Germany is of- https://technet.microsoft.com/en- cancellation and service termi- fered on a subscription basis. us/library/dn913653.aspx nation? Customers may terminate a Subscription at any time during http://www.microsoftvolumelicensi its term. However, they must ng.com/DocumentSearch.aspx?Mo pay all amounts due and owing de=3&DocumentTypeId=31 before the termination is effec- tive. http://www.microsoftvolumelicensi ng.com/DocumentSearch.aspx?Mo de=3&DocumentTypeId=37

27 3.13 M 2.542 (A) Secure migration to a cloud service

This safeguard looks at the actual migration to the cloud service according to the considerations given in the migration security concept discussed previously. The migration must be continuously monitored to detect and react to required changes or problems that may prevent or hinder the migration, if nec- essary the migration should be cancelled and an investigation into the issues carried out. To reduce the risk of significant issues, a test or pilot migration should first be carried out.

Note: This safeguard is organization specific, as it covers internal planning for the secure migration of existing services. Microsoft FastTrack provides a variety of tools to assist with migrating current re- sources to Dynamics 365 Germany.35

3.14 M 2.543 (A) Maintenance of IT security during ongoing cloud operations

The aim of this safeguard is to maintain a comparable or enhanced level of information security after a migration to a cloud service. Accordingly, guidelines and documentation should be kept up to date and compliance with standards should be regularly checked, both by the customer as well as the cloud service provider.

Review Question Answer Reference

Are documentation and The review and update of policies at ISO 27001 policies (for example regular intervals is part of an effec- instruction manuals and tive information security manage- BSI-Standard 100-1 procedures) updated at ment system (ISMS) based on regular intervals? ISO 27001. This process should be IT-Grundschutz catalogues, espe- implemented within the document cially M 2.1 Specification of re- management process. This require- sponsibilities and provisions ment is therefore the responsibility of the customer.

Is the rendering of ser- This requirement is the responsibility https://technet.microsoft.com/en- vices checked regular- of the customer. us/library/mt210421.aspx ly? Dynamics 365 Germany includes an https://www.microsoft.com/en- integrated SLA Monitoring system us/dynamics/crm-customer- (“Service Health”) which enables center/dynamics-365-online- checking the compliance of the ser- maintenance-and-update- vices. This includes receiving service schedules.aspx notification on a mobile device.

Have security certifi- This requirement is the responsibility https://www.microsoft.com/en- cates been supplied by of the customer. us/TrustCenter/STP/default.aspx the cloud service pro- vider?

35 http://fasttrack.microsoft.com/

28 Review Question Answer Reference

Microsoft Cloud Germany offers in https://www.microsoft.com/en- this respect a variety of publications us/TrustCenter/Compliance/defau and verifications. Microsoft Cloud lt.aspx Germany will be continually audited, due to the requirements of multiple compliance standards and certifica- tions. Information and guidance re- garding current and past audits and security certifications will be provid- ed, including publically available re- ports and results, such that the cus- tomer is not required to carry out their own audit.

Enterprise customers can get direct access to most compliance reports through the Service Trust Portal (STP).

Are regular coordination Dynamics 365 Germany offer a variety https://www.microsoft.com/en- talks held between the of options for support and gathering us/dynamics365/support cloud service provider of status information. Customers will and the organization be contacted in the event of signifi- https://www.microsoft.com/en- using the cloud? cant service disruption. us/dynamics/crm-customer- center/dynamics-365-online- maintenance-and-update- schedules.aspx

Have exercises and This requirement is the responsibility https://technet.microsoft.com/en- tests to simulate the of the customer. us/library/jj191606.aspx response to system failures been planned Microsoft Cloud Germany has defined https://technet.microsoft.com/en- and performed? rules for the continuation of services us/library/mt210421.aspx to the level set out by the SLA. http://www.microsoftvolumelicens ing.com/DocumentSearch.aspx?M ode=3&DocumentTypeId=37

3.15 M 2.544 (C) Auditing when using the cloud

This safeguard ensures both that the customer satisfies his auditing requirements and also that agreements are being upheld on both sides. This may be achieved through, for instance, on-site audits or specific questionnaires, independent of the cloud service model.

At the time of writing this workbook, Dynamics 365 Germany is not (yet) certified. Microsoft Cloud Ger- many and Dynamics 365 Germany will be continually audited due to the requirements of multiple com- pliance standards and certifications. These audits will be conducted by accredited audit firms, with additional internal audits being carried out by Microsoft. Information about these audits will be availa- ble online through the Microsoft Trust Center. In addition, contracted enterprise and government cus-

29 tomers can opt in to the Service Trust Portal (STP)36, which provides direct access to many of the com- pliance reports and attestations.

Microsoft intends to cover audit requirements arising from IT-Grundschutz with independent third- party audits.

Review Question Answer Reference

Has the right to perform Microsoft Cloud Germany and Dy- https://www.microsoft.com/en- audits been contractually namics 365 Germany will be con- us/TrustCenter/compliance assured to the organiza- tinually audited, due to the re- tion? quirements of multiple compliance https://www.microsoft.com/en- standards and certifications. us/TrustCenter/STP/default.aspx Is the implementation of the security safeguards Information and guidance regard- agreed upon with the ing current and past audits and cloud service provider security certifications will be pro- reviewed at regular inter- vided, including publically available vals in the form of audits reports and results, such that the or by answering question- customer is not required to carry naires? out their own audit. Enterprise customers can get direct access to Are the particularities of most compliance reports through the IaaS, PaaS and SaaS the Service Trust Portal (STP). service models taken into account when planning and performing audits?

3.16 M 4.460 (Z) Use of Federation Services

Note: The content of this safeguard is mostly identical to safeguard M 4.460 (Z) “Use of Federation Ser- vices” discussed in the workbook IT-Grundschutz Compliance on Azure.37

This additional safeguard for enhanced protection requirements considers the security requirements of federated cloud services. Using federated services, user information or other personal information of employees may be securely transmitted outside of the company. The key trait is the separation of au- thentication (identity provider) and authorization (service provider).

The primary security measure is to ensure that only the minimum necessary information is sent in the SAML38 ticket to the cloud service provider. Additionally, user rights and roles must be regularly checked to ensure that only authorized users have access.

Microsoft Cloud Germany offers federated services through Azure Active Directory. Active Directory (Active Directory Federation Services) can be used for the management of users and groups in Dynam- ics 365 Germany.39

36 https://www.microsoft.com/en-us/TrustCenter/STP/default.aspx 37 https://gallery.technet.microsoft.com/Azure-Germany-IT-fca4afd7 38 SAML (Security Assertion Markup Language) is a standard authentication and authorization protocol

30 Review Question Answer Reference

Is it ensured that only the re- This requirement is the responsi- https://azure.microsoft.com/en quired information in the so- bility of the customer. -us/services/active-directory/ called SAML ticket is transmit- ted to the cloud service pro- Microsoft offers federated ser- https://docs.microsoft.com/en- vider? vices with Azure Active Directory, us/azure/active- which supports the SAML 2.0 pro- directory/connect/active- tocol as well as WS-Federation directory-aadconnect- and OpenID Connect. federation-compatibility

The information contained in the https://docs.microsoft.com/en- SAML tickets can be configured us/dynamics365/customer- according to your requirements or engage- the requirements of each applica- ment/portals/configure-saml2- tion. settings

Are the user authorizations Check user authorization should IT-Grundschutz catalogues checked at regular intervals be part of a well-defined identity B 1.18 Identity and access and is it ensured that SAML and access management process. management tickets are only issued for The IT-Grundschutz module authorized users? B 1.18 Identity and access man- ISO 27001 agement offers the guidelines for implementing the necessary pro- BSI-Standard 100-1 and 100-2 cedures. IT-Grundschutz catalogues Furthermore, checking the cor- B 1.0, M 2.199 Maintaining rect issue of SAML tickets to au- information security thorized users should be part of audits and technical tests. These should be planned and conducted within the audit management as part of an ISO 27001 based ISMS. The fulfillment of this requirement is the responsibility of the cus- tomer.

3.17 M 2.307 (A) Well-ordered termination of an outsourcing or cloud ser- vice relationship

This safeguard aims to make clear that a move either to another cloud service provider or back to an on-premises infrastructure model must be planned as thoroughly as the initial integration. The plan- ning and migration concept should take into account the security concept in much the same way as in the original move to the cloud.

Dynamics 365 data can be exported or synchronized using backup features40, replication to an Azure SQL database41, an export to MS Excel42 or via API43. Dynamics 365 data can be used with a local instal-

39 https://msdn.microsoft.com/en-us/library/gg334766.aspx https://technet.microsoft.com/en-us/library/dn973004.aspx 40 https://technet.microsoft.com/en-us/library/hh699676.aspx

31 lation of Microsoft Dynamics CRM. The data can also be synchronized to an on-premises application.44 Otherwise, if a bulk export needs to be performed, third-party solutions are available.

By default, Dynamics 365 Germany data can be exported for 90 days upon contract termination. Mi- crosoft Cloud Germany, in order to protect customer data, has contracted T-Systems Internation- al GmbH to act as a data trustee. Customer data will be deleted within 180 days after the end of the agreed usage period or the cancellation of the user agreement45.

When terminating the Dynamics 365 contract as an online service, your organization should, among other things, ensure the following:

· All relevant working data has been transferred completely to the new environment. · All relevant data to be preserved on archived has been transferred to appropriate storage. · The new environment offers all necessary features and functions as required.

Review Question Answer Reference

Does the contract concluded Dynamics 365 Germany is offered http://www.microsoftvolum with the outsourcing service on a subscription basis. Early ter- elicens- provider or cloud service pro- mination may be possible. ing.com/DocumentSearch.a vider also regulate all aspects of spx?Mode=3&DocumentTyp the termination of the service eId=31 relationship? http://www.microsoftvolum eli- censing.com/DocumentSea rch.aspx?Mode=3&Docume ntTypeId=37

Is it ensured that a termination As the termination of the cloud ser- http://www.cio.bund.de/Sha of the service relationship with vice may involve a migration away red- the outsourcing service provider from a cloud service to another Docs/Publikationen/DE/Arc or the cloud service provider environment, the organization hitekturen-und- does not impair the customer's should plan and conduct the termi- Stand- business activities? nation as a migration project. Within ards/migrationsleitfaden_4_ the planning, the impact on the 0_download.pdf?__blob=pub business activities should be mini- licationFile (in German only) mized. Therefore, the fulfilment of this requirement is the responsibil- ity of the customer.

41 https://technet.microsoft.com/en-us/library/mt744592.aspx 42 https://www.microsoft.com/en-us/dynamics/crm-customer-center/export-data-to-excel.aspx 43 https://msdn.microsoft.com/en-us/library/dn932127.aspx 44 https://www.microsoft.com/en-us/download/details.aspx?id=18039 (Microsoft Dynamics CRM Online Migration to Microsoft Dynamics CRM on-premises) 45 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37

32 3.18 M 6.155 (A) Drawing up a business continuity concept for a cloud ser- vice

Note: This safeguard is organization specific, as it covers internal planning for a business continuity concept.

This safeguard looks to secure cloud usage through the creation of a disaster recovery plan. This must include all technical and organizational aspects for Business Continuity Management.

This safeguard does not cover any of the specifics of disaster recovery for the cloud service itself – that is Microsoft’s task and is covered by way of the applicable service levels46. Instead, it covers the individ- ual plan for your organization in the event of the loss of the cloud service itself or a loss of access to it. It also addresses situations where the applicable service levels do not cover your requirements.

When using the online-only solutions of Dynamics 365 Germany, you should also consider the in- creased dependency on the availability of the Internet connection compared to on-premises solutions. Therefore, the disaster recovery plan should also include an agreement with your Internet service pro- vider or provision for a redundant connection.

Furthermore, business continuity plans concerning the relevant business processes which depend on Dynamics 365 Germany should emphasize the possibility of a loss of availability. This should be planned for independently of the reason for the availability loss (e.g., outage of Internet access in the local network, outage at the Internet service provider).

3.19 M 6.156 (Z) Performing your organization's own data backups

This additional safeguard for higher protection requirements aims to ensure data availability when access to Dynamics 365 Germany data stored within the Microsoft Cloud Germany is lost, the cloud services themselves are unavailable or when data is lost due to user action (e.g., inadvertent deletion of data).

Besides system backups that are initiated by Microsoft, Dynamics 365 Germany offers an on-demand data backup.47

Customers should decide if the data recovery functions and options in Dynamics 365 Germany meet their needs, e.g., legal, contractual or protection requirements, or if an additional export to local or cloud backup storage should be implemented. This should be considered in the organization’s data backup policy, which is described in the IT-Grundschutz module B 1.4 Data backup policy as a part of the IT-Grundschutz catalogues. Especially the content of safeguards M 6.33 Development of a data backup policy and M 6.34 Determining the factors influencing data backup should be considered for the decision making.

In Dynamics 365 Germany, several functions and interfaces for exporting data are implemented (see review questions below).

46 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37 47 https://community.dynamics.com/enterprise/b/dynamics365apps/archive/2017/01/10/how-to-create-a-backup-and-restore- dynamics-365-online-database and https://technet.microsoft.com/en-us/library/dn531078.aspx#BKMK_CustomerBackup

33 In deciding upon and carrying out data backups, your organization should consider the following as- pects:

· What data or files are required to be exported and individually backed up? · Which export functions are available? · Do the export functions conform to legal, contractual, protection and other requirements? · Is the backup storage medium (local or cloud) compliant with legal, contractual, protection and any other further requirements? · Can the backed up data and files be recovered?

Review Question Answer Reference

Is the decision to perform Backup plans depend on the cus- IT-Grundschutz catalogues your organization’s own tomer’s individual requirements, B 1.4 Data backup policy data backups justified and which should be defined and regu- documented? larly reviewed. The fulfilment of this requirement is the responsibil- ity of the customer.

Are there detailed re- Dynamics 365 Germany supports a https://msdn.microsoft.com/en- quirements for a backup set of Application Programming us/library/mt593051.aspx service? Interfaces (API) allowing access to the customer’s data. https://msdn.microsoft.com/en- us/library/mt788315.aspx Dynamics 365 users can use the Data Export service to replicate https://technet.microsoft.com/en- Dynamics 365 (online) data to a us/library/mt744592.aspx Microsoft Azure SQL Database store.

34 Microsoft’s Responsibilities

4 Microsof t’s Respo nsibias liti es as a Clo ud S ervice Provider a Cloud Service Provider

Microsoft is responsible for the security of the cloud environment below the virtualization layer, with access to customer information controlled by the data trustee T-Systems International GmbH. As the customer should be able to evaluate the security of the cloud without the difficulty of a complete audit of the technical infrastructure but with similar level of certainty, Microsoft has prepared a range of security related certifications for Microsoft Azure, Office 36548 and Dynamics 365 within Microsoft Cloud Germany.

At the time of writing this workbook, Dynamics 365 Germany is not (yet) certified. For Dynamics 365 Germany the following certifications are planned:

· ISO 27001 (Information Security Management System) · ISO 27017 (Code of practice for information security controls based on ISO 27002 for cloud ser- vices) · ISO 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) · SOC 1 and SOC 2 (SSAE16/ISAE 3402) · BSI Cloud Computing Compliance Controls Catalogue (C5)

At the time of writing, not all of these certifications are available for Dynamics 365 Germany, but the list is constantly updated. As a customer, you can access the available certificates and compliance reports via the Microsoft Trust Center.49

Furthermore the feasibility of an “ISO 27001 certification based on IT-Grundschutz” for Microsoft Cloud Germany is currently being explored. Such a certification will greatly ease the customer’s certification, but is not required.

Requirements and recommendations from the standards CSA Cloud Controls Matrix 3.01, AICPA - Trust Services Principles Criteria 2014, ANSSI Référentiel Secure Cloud 2.0 (Draft), IDW ERS FAIT 5 04.11.2014 and BSI SaaS Sicherheitsprofile 2014 are also referred to. A feasibility study regard- ing certification according to these standards is currently being carried out.

48 https://www.microsoft.com/en-us/download/details.aspx?id=26552 (Security in Office 365 Whitepaper) 49 https://servicetrust.microsoft.com/Documents/ComplianceReports

35 Glossary of IT-Grundschutz-Terms Appendix A

English term German term Description Standard security safeguard in IT- Grundschutz. A literal translation would be Safeguard Maßnahme “measure”; often used synonymously with “control”. This term refers to everything that falls under IT-Grundschutz protection, i.e., all organiza- tional and technical systems and processes to Information Domain Informationsverbund be modelled and matched with their appropri- ate safeguards. This may refer to the entire organization or only a subset thereof, or even an individual process Analyzing a system or process to determine Modelling Modellierung the possible vulnerabilities and the required protective safeguards. Modules describe a specific item or process Module Baustein and draw together the relevant threats and applicable safeguards. Module B 1.17 Cloud use provides recommen- dations for the secure use of cloud services. It B 1.17 Cloud Use B 1.17 Cloud-Nutzung describes cloud service specific threats and safeguards to mitigate the risk associated with the impact of undesirable events. IT-Grundschutz- Official body of standard threats and security IT-Grundschutz-Kataloge catalogues safeguards in IT-Grundschutz methodology. “IT Security Concept” always describes the formal security concept according to IT- Grundschutz, the result of structure analysis, (IT) Security Concept Sicherheitskonzeption protection requirements, selection of safe- guards, basic security checks and supplemen- tary security analysis/risk analysis.

36 References to further information Appendix B

Topic Information Pointer Legal information http://www.microsoftvolumelicensing.com/DocumentSearch.aspx? Mode=3&DocumentTypeId=31 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx? Mode=3&DocumentTypeId=37 http://www.microsoftvolumelicensing.com/DocumentSearch.aspx? Mode=3&DocumentTypeId=56 Compliance Information https://servicetrust.microsoft.com/ https://www.microsoft.com/en-us/TrustCenter/Compliance Dynamics 365 Germany ser- https://info.microsoft.com/enterprise-cloud-strategy-ebook.html vices, tools and further infor- mation https://azure.microsoft.com/en-us/overview/choosing-a-cloud- service-provider/ https://www.microsoft.com/en-us/dynamics365/support https://www.microsoft.com/en-us/dynamics/crm-customer- center/dynamics-365-online-maintenance-and-update- schedules.aspx https://www.microsoft.com/en-us/dynamics365/contact-us https://www.microsoft.com/en-us/dynamics/crm-customer- center/microsoft-dynamics-365-training-courses.aspx https://fasttrack.microsoft.com/ Security Aspects Dynamics 365 https://www.microsoft.com/en-us/TrustCenter/STP/default.aspx Germany https://www.microsoft.com/en-us/TrustCenter/Security/Encryption https://technet.microsoft.com/en-us/library/dn531199.aspx https://www.microsoft.com/online/legal/v2/en- us/MOS_PTC_Data_Use_Limits.htm https://azure.microsoft.com/en-us/documentation/articles/active- directory-saml-claims-customization/ https://azure.microsoft.com/en-us/services/multi-factor- authentication/ https://docs.microsoft.com/en-us/azure/multi-factor- authentication/multi-factor-authentication-versions-plans Microsoft Services Supplier List https://www.microsoft.com/en-us/download/details.aspx?id=50426

37 Topic Information Pointer BSI https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschu tz/International/GSK_15_EL_EN_Draft.pdf https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicatio ns/BSIStandards/standard_100- 2_e_pdf.pdf?__blob=publicationFile&v=1 https://www.bsi.bund.de/EN/Topics/ITGrundschutz/ITGrundschutzC atalogues/itgrundschutzcatalogues_node.html https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_C ontrols_Catalogue/Compliance_Controls_Catalogue_node.html

38 Inés Atug, Manuel Atug, Robert Manuel Beck, Enno Ewers, Calin Rus

HiSolutions AG Bouchéstraße 12 12435 Berlin

[email protected] www.hisolutions.com Fon +49 30 533 289-0 Fax +49 30 533 289-900

HiSolutions AG HiSolutions AG HiSolutions AG Branch Office Branch Office Branch Office Frankfurt am Main Köln Bonn Mainzer Landstraße 50 Theodor-Heuss-Ring 23 Heinrich-Brüning-Straße 9 60326 Frankfurt am Main 50688 Köln 53113 Bonn

Phone +49 30 533 289-0 Phone +49 221 77 109-550 Phone +49 228 52 268 175 Fax +49 30 533 289-900 Fax +49 30 533 289-900 Fax +49 30 533 289-900

39