Internal Audit, Risk, Business & Technology Consulting
INFORMATION SECURITY IN OFFICE 365:
A SHARED RESPONSIBILITY
March 2017
Antonio Maio
Protiviti | Senior SharePoint Architect
Microsoft Office Server and Services MVP
Email: [email protected]
www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
SHARED RESPONSIBILITY
• Understand Cloud Provider Responsibilities
• Understand Your Responsibilities
In a cloud environment, security and information protection must be a Shared Responsibility.
Understanding how your responsibilities are managed requires strong Information Governance policies & procedures.
SaaS = Office 365
PaaS = Azure Web Services, Azure Functions
IaaS = Azure VMs
OFFICE 365 SECURITY
Capabilities & Features
• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAL)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
− Activity Monitoring/Audit Log Search
− Automatic Alerts
− Security Roles & Permissions
− Data Loss Prevention
− Advanced Security Management
− eDiscovery
− Mail Filtering/Anti-Malware/DKIM
− Advanced Threat Protection (ATP for email)
− Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Vault/Bring Your Own Key (BYOK)
DEMONSTRATION
External Sharing Controls
OneDrive for Business Sharing Controls
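The demonstration itself is not transcribed. As an added example (not part of the deck and not Protiviti's or Microsoft's own script), the following SharePoint Online Management Shell session reviews the tenant's external sharing posture and lists every site collection where external sharing is enabled, most permissive first, before applying a tighter tenant baseline. The tenant name and the allowed partner domain are placeholders; the cmdlets and parameter values are the real ones from the SharePoint Online module.

```powershell
# Added example, not from the presentation. Requires the SharePoint Online
# Management Shell; replace <tenant> with your tenant name (placeholder).
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Rank the SharingCapability values from most to least restrictive so they can be compared.
$rank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3   # anonymous ("anyone") links allowed
}

# 1. Tenant-level settings: these are the ceiling for every site, including OneDrive.
$tenant = Get-SPOTenant
"Tenant sharing capability : $($tenant.SharingCapability)"
"Default sharing link type : $($tenant.DefaultSharingLinkType)"
"Anonymous link expiry days: $($tenant.RequireAnonymousLinksExpireInDays)"
"Domain restriction mode   : $($tenant.SharingDomainRestrictionMode)"
"Allowed domain list       : $($tenant.SharingAllowedDomainList)"

# 2. Site-level settings: a site can be less permissive than the tenant but never more,
#    so the sites at the tenant ceiling are the ones to review with their owners.
Get-SPOSite -Limit All -Detailed |
    Where-Object { $rank[[string]$_.SharingCapability] -gt 0 } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Sort-Object { $rank[[string]$_.SharingCapability] } -Descending |
    Format-Table -AutoSize

# 3. A hardened tenant baseline (adjust to your Information Governance plan):
#    authenticated external users only, no anonymous links, internal links by default,
#    any anonymous link that is ever re-enabled expires after 30 days, guests limited
#    to an allow list (placeholder domain), and guests cannot re-share.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example.com" `
              -PreventExternalUsersFromResharing $true
```

Run steps 1 and 2 first and keep the output as the "before" record; only apply step 3 once the site owners flagged in step 2 have confirmed which sites genuinely need external sharing, since the tenant setting immediately caps every site below it.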
DEMONSTRATION
Office 365 Security and Compliance Center
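The Activity Monitoring/Audit Log Search capability shown in this demonstration is also scriptable. As an added example (not part of the deck), this Exchange Online PowerShell session pulls the last week of SharePoint sharing events from the unified audit log, flattens the JSON AuditData field, and summarises anonymous-link creation and shares to guest accounts by actor. The seven-day window and the chosen operations are assumptions to adjust; the cmdlet, record type, operation names and AuditData field names are the documented ones.

```powershell
# Added example, not from the presentation. Requires the ExchangeOnlineManagement
# module and an account that holds an audit-log-reading role.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)   # assumed review window
$end   = Get-Date

# One call returns at most 5000 records; a larger window needs -SessionCommand ReturnLargeSet.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointSharingOperation `
    -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated `
    -ResultSize 5000

# AuditData is a JSON document; keep the fields an investigator reads first.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $e.CreationDate
        Actor      = $d.UserId
        Operation  = $d.Operation
        Item       = $d.ObjectId
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # e.g. Guest, Member, SecurityGroup
        ClientIP   = $d.ClientIP
    }
}

# Anonymous links and shares to guests are the subset that leaves the tenant boundary.
$risky = $rows | Where-Object {
    $_.Operation -eq 'AnonymousLinkCreated' -or $_.TargetType -eq 'Guest'
}

# Who is doing the external sharing, most active first.
$risky | Group-Object Actor | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# The individual events, newest first, for follow-up with the site owner.
$risky | Sort-Object Time -Descending |
    Format-Table Time, Actor, Operation, Item, Target, ClientIP -AutoSize
```

The same query, saved as a scheduled job, gives a weekly external-sharing report that complements the Automatic Alerts listed on the capabilities slide: an alert tells you that a sharing event happened, while this summary shows which users and sites account for most of them.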
CUSTOMER LOCKBOX
Customers can control whether Microsoft Office 365 engineers may have access to their tenant.
• Customer must approve access request before Microsoft engineer gets any access to Customer tenant
FINAL THOUGHTS
• Understand your Responsibilities
• Learn about Office 365 Security Capabilities
− Understand which are relevant to you and your business
• Develop a Security Rollout Plan
• Ensure the selected security procedures (and capabilities) line up with your Information Governance Plan