Office 365 Data Security & Compliancy
Jethro Seghers (MVP Office 365, MCITP SharePoint 2010, ITILv3 Certified)

Upload: microsoft-technet-belgium-and-luxembourg

Post on 25-Jun-2015


DESCRIPTION

Presented by Jethro Seghers.

TRANSCRIPT

Page 1: Data security and compliancy in Office 365

Office 365 Data Security & Compliancy
Jethro Seghers, MVP Office 365, MCITP SharePoint 2010, ITILv3 Certified

Page 2

@jseghers – http://www.j-solutions.be/blog

Jethro Seghers: Blogger, Consultant, Trainer
Twitter: @jseghers
E-mail: [email protected]
Blog: http://www.j-solutions.be/blog

Page 3

J-Solutions.be, located in Belgium, provides IT business consultancy and evangelism:
• SharePoint 2010/2013 and Online
• Cloud services: Office 365, Windows Intune & Azure
• IT as a service: MOF and ITIL v3

Page 4

Agenda
• Terminology
• Infrastructure settings
• Exchange Online
• Lync Online
• SharePoint Online
• Sources of information

Page 5

Data Security

Page 6

The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure

Page 7

Data Compliance

Page 8

Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so

Page 9

"Bringing together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite for businesses of all sizes."

Page 10

Infrastructure

Page 11

Overview
• Microsoft datacenters & their locations
• Data flow
• Privacy
• Encryption
• Identity protection
• Password policies

Page 12

Microsoft Datacenters (1)
• Physical security: secure physical access for authorized personnel only; state-of-the-art datacenters
• Hosted applications security: anti-spam, encryption, mail
• Security Development Lifecycle: potential threats while running a service; exposed aspects of the service that are open to attack

Page 13

Microsoft Datacenters (2)
• Secured Office 365 services infrastructure: server monitoring via System Center; secure remote access via RDS; intrusion detection
• Network-level security measures: customer access via SSL; uptime 99,9 %
• Identity & access management: access control follows the separation-of-duties principle and grants least privilege

Page 14

Where is our data stored? Example: EMEA

A primary data center is where the application software and the customer data running on the application software are hosted. A backup data center is used for failover purposes.
• Data center Dublin: primary for F.O.P.E.
• Data center The Netherlands: SharePoint Online
• Dublin + The Netherlands, used interchangeably: Exchange Online + Lync Online

Page 15

What is stored in the US (EMEA customer)?
• Customer information
• Microsoft Online Portal
• Routing
• Lync Online communications
• Office 365 authentication

Additionally, Microsoft abides by the Safe Harbor Framework for transfer of data between the European Union and the United States.

Page 16

Privacy (1): Microsoft Online Services Customer Data

Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | Yes | No | No

Page 17

Privacy (2): Microsoft Online Services Customer Data

Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

Page 18

Encryption
• HTTPS communication with portal.microsoftonline.com
• HTTPS communication between clients and Exchange Online for all protocols
• PGP: transportation and storage of Exchange Online messages
• Lync Online: instant messaging, IM federation
• SharePoint Online: HTTPS connection (only for Enterprise & Academic)

Page 19

Identity Protection
• Identity stored in Microsoft Online
• Identity federation via SSO
• Granular licenses
• Different administrator roles

Page 20

Identity options comparison

1. MS Online IDs
• Authentication is done by Microsoft
Pros:
• Bound to the SLA of 99,9% of MSFT
• Users and groups mastered on-premise
Cons:
• 2 sets of credentials that need to be maintained
• Different password policies

2. Federated IDs + Dir Sync
• Authentication is done by the corporate infrastructure
• Larger enterprise organizations with AD on-premise
Pros:
• SSO with corporate credentials
• Users and groups mastered on-premise
• Password policy controlled on-premise
• Enables co-existence scenarios
Cons:
• High-availability server deployments required

Page 21

Password Policy
• Password restriction: 8 characters minimum and 16 characters maximum
• Values allowed: A-Z a-z 0-9 ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ; No Unicode
• Cannot contain the username alias (the part before the @ symbol)
• Password expiry duration: set to 90 days and not configurable

Page 22

Password Policy
• Password expiry: can be enabled/disabled via PowerShell at user level
• Password strength: strong passwords require 3 out of 4 of the following: lowercase characters, uppercase characters, numbers (0-9), symbols (see password restrictions above)
• Password history: the last password cannot be used again

Page 23

Password Policy
• Account lockout: after 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon
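The password policy stated on Pages 21 to 23 is concrete enough to turn into a checker. The following is an added example written for this page, not code from the deck or from Microsoft: it encodes the stated rules (8-16 characters, the listed symbol set, no Unicode, no username alias, 3 of 4 character classes, no reuse of the previous password) and adds a per-user counter that signals when the CAPTCHA step from Page 23 applies. The function and class names (`check_password`, `LogonTracker`), the constructed sample sign-in name `jethro@contoso.example`, the case-insensitive alias comparison and the reset of the failure counter on a successful logon are my assumptions; the slides do not state them.

```python
"""Checker for the Office 365 password policy as stated on the slides (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Character classes as listed on the slide. The curly quotes on the slide are
# an extraction artefact; plain ASCII ' and " are the intended characters.
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = {c.upper() for c in LOWER}
DIGITS = set("0123456789")
SYMBOLS = set("!@#$%^&*-_+=[]{}|\\:',.?/`~\"<>();")
ALLOWED = LOWER | UPPER | DIGITS | SYMBOLS
MIN_LEN, MAX_LEN = 8, 16
CAPTCHA_AFTER = 10  # failed logons before a CAPTCHA is demanded (Page 23)


def check_password(password: str, upn: str, previous: Optional[str] = None) -> List[str]:
    """Return every policy violation for `password`; an empty list means it passes.

    `upn` is the sign-in name (alias@domain); the alias is the part before '@'.
    `previous` is the user's current password, if known, for the history rule.
    """
    violations: List[str] = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    # "No Unicode": anything outside the four ASCII classes is rejected,
    # which also catches accented letters and emoji.
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        violations.append("disallowed characters: " + "".join(bad))
    alias = upn.split("@", 1)[0]
    # Assumption: the alias comparison is case-insensitive (the slide does not say).
    if alias and alias.lower() in password.lower():
        violations.append(f"must not contain the username alias '{alias}'")
    classes = sum(1 for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if any(c in cls for c in password))
    if classes < 3:
        violations.append("must contain at least 3 of 4 character classes")
    if previous is not None and password == previous:
        violations.append("must differ from the previous password")
    return violations


@dataclass
class LogonTracker:
    """Counts consecutive failed logons per user.

    Once a user reaches CAPTCHA_AFTER failures, captcha_required() is True and
    the sign-in flow must present a CAPTCHA. Assumption (not stated on the
    slide): a successful logon resets the counter.
    """
    failures: Dict[str, int] = field(default_factory=dict)

    def record(self, upn: str, success: bool) -> bool:
        """Record one logon attempt; return whether a CAPTCHA is now required."""
        self.failures[upn] = 0 if success else self.failures.get(upn, 0) + 1
        return self.captcha_required(upn)

    def captcha_required(self, upn: str) -> bool:
        return self.failures.get(upn, 0) >= CAPTCHA_AFTER


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts or real passwords.
    user = "jethro@contoso.example"
    for pw in ("Summer2013!", "jethro123", "Pässword1", "Ab1!"):
        print(repr(pw), check_password(pw, user) or "OK")
    tracker = LogonTracker()
    for _ in range(CAPTCHA_AFTER):
        tracker.record(user, success=False)
    print("CAPTCHA required:", tracker.captcha_required(user))
```

A checker like this is useful for validating passwords before they are provisioned to the service, and for confirming that an on-premise policy in the federated-ID scenario from Page 20 is at least as strict as the cloud one. The per-user expiry switch mentioned on Page 22 is the -PasswordNeverExpires parameter of Set-MsolUser in the MSOnline PowerShell module; expiry is a service-side setting and is not modelled by this code.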

Page 24

Is this Independently Verified?

Page 25

MS Online Certification and Compliance Finder: certified for
• ISO 27001
• EU Safe Harbor
• HIPAA Business Associate Agreement
• Data Processing Agreement
• FISMA

Page 26

Exchange Online

Page 27

Exchange Online (1)
• Archiving
• Moderation
• Security/distribution groups
• Item-level recovery
• Transport rules
• Retention policies – Managed Folder Assistant
• Deleted mailbox recovery

Page 28

Exchange Online (2)
• Journaling
• F.O.P.E. in the current version, built-in in EXO Wave 15
• Auditing
• Retention hold
• Litigation hold
• Mobile device

Page 29

DEMO

Page 30

Lync Online

Page 31

Lync Online: Privacy Settings, External Communications, User-Defined Settings
• Sending files via IM
• Make audio and video calls
• Record calls and conferences
• Federation with Lync users in other organizations
• Federation with users of public IM service providers
• Dial-in conferencing

Page 32

DEMO

Page 33

SharePoint Online

Page 34

SharePoint Online
• Information management policy – records
• Use of term store & required fields – content types
• Drop Off Library
• Audit
• Blocked file types
• Security
• Versioning
• Recycle Bin
• Backup: 14 days

Page 35

DEMO

Page 36

Sources of Information
• Office 365 Trust Center: http://www.microsoft.com/en-us/office365/trust-center.aspx
• Service Description
• Office 365 Password Policy
• Security White Paper
• Data Boundaries

Page 37

Questions