
Upload: berniece-williamson

Post on 02-Jan-2016


Sessions about to start – Get your RIG on!

Microsoft Office 365 Security, Privacy, and Compliance Overview
Aaron Dinnage
Ben Fletcher

OSS203

Office 365 Trust Center

• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks

www.trust.office365.com

Office 365 security, privacy and compliance

It’s your data: you own it, you control it
We run the service for you: we are accountable to you

Privacy by design
Continuous Compliance
Built in Security
Transparent service operation

Microsoft experience and credentials (timeline slide, 1989–2014): one of the world’s largest cloud providers and datacenter/network operators. Milestones shown: 1st Microsoft Data Center; Bill Gates Memo; Trustworthy Computing Initiative (TwC); Microsoft Security Response Center (MSRC); Security Development Lifecycle (SDL); Microsoft Security Engineering Center; Hotmail; MSN; Bing/MSN Search; Xbox Live; Outlook.com; Windows Update; Malware Protection Center; Microsoft Security Essentials; Active Directory; Exchange Hosted Services (part of Office 365); Microsoft Online Services (MOS); Windows Azure; Global Foundation Services (GFS); Encrypted Shredded Storage in SharePoint Online; Message Encryption; DLP Fingerprinting. Certifications and agreements shown: SAS-70, SSAE-16, ISO 27001 Certification, FISMA, HIPAA BAA, U.S.-EU Safe Harbor, European Union Model Clauses (EUMC), CJIS Security Policy Agreement, Article 29 Working Committee.

Making Sense of Threats

Threat sources: Outsider, End User, Insider

Prevent Breach: Secure Design, Secure Code, Protections against attacks
Assume Breach: Contain Attackers, Detect Attackers, Remediate Attacks
Customer Controls: Built controls (DLP, Encryption, etc.), Auditing

Security

Customer controls
Built-in service capabilities

• Physical and data security with access control, encryption and strong authentication
• Unique customer controls with Rights Management Services to empower customers to protect information
• Security best practices like penetration testing and defense-in-depth to protect against cyber-threats
• Service level security capabilities

Defense in depth: multi-dimensional approach to customer environment

Layers: Facility, Internal network, Host, Application, Admin, Data

• Physical controls, video surveillance, access control
• Edge routers, firewalls, intrusion detection, vulnerability scanning
• Dual-factor authentication, intrusion detection, vulnerability scanning
• Access control and monitoring, anti-malware, patch and configuration management
• Secure engineering (SDL), access control and monitoring, anti-malware
• Account management, training and awareness, screening
• Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Physical Security

• Perimeter security
• Fire suppression
• Multi-factor authentication
• Extensive monitoring
• Seismic bracing
• 24x7 onsite security staff
• Days of backup power
• Tens of thousands of servers

Network

• Backend server and storage
• Front end server storage
• Firewall: layer of separation
• Edge router protection

User

Host / Application

• Patching / malware protection
• Auditing of all operator access and actions
• Security Development Lifecycle
• Automated tooling for routine activities
• Zero standing permissions in the service

‘Lock Box’: zero access privilege and role based access

Grants the least privilege required to complete the task. Verify eligibility by checking if:

1. Background check completed
2. Fingerprinting completed
3. Security training completed

Workflow: the engineer submits a request with a reason (there are zero standing privileges); a manager approves; temporary access is granted.

Just in time access; high entropy passwords
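The Lock Box workflow above, as an added example that is not Microsoft’s Lock Box code: a small just-in-time access broker that refuses requests until the three eligibility checks pass, requires a stated reason, needs a manager (not the requester) to approve, and hands out a grant that expires on its own, so nobody holds standing privileges between tasks. The class names, the two-hour cap, the scope name and the in-memory audit log are assumptions made for the example.

```python
"""Illustrative just-in-time access broker modelled on the 'Lock Box' workflow.
Added example, not Microsoft's implementation; names and the 2h cap are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Engineer:
    name: str
    background_check: bool = False
    fingerprinting: bool = False
    security_training: bool = False


@dataclass
class Grant:
    engineer: str
    scope: str
    reason: str
    approver: str
    granted_at: datetime
    expires_at: datetime

    def is_active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


class LockBox:
    """Access exists only as an unexpired Grant; every step is written to the audit log."""

    def __init__(self, max_duration: timedelta = timedelta(hours=2)):
        self.max_duration = max_duration
        self.pending: Dict[int, Tuple[str, str, str]] = {}  # request id -> (engineer, scope, reason)
        self.grants: List[Grant] = []
        self.audit_log: List[str] = []
        self._next_id = 1

    def missing_prerequisites(self, eng: Engineer) -> List[str]:
        """The slide's three eligibility checks, in the slide's order."""
        checks = (("background check", eng.background_check),
                  ("fingerprinting", eng.fingerprinting),
                  ("security training", eng.security_training))
        return [label for label, done in checks if not done]

    def request(self, eng: Engineer, scope: str, reason: str) -> Optional[int]:
        """Step 1: request with a reason. Ineligible or reason-less requests never reach a manager."""
        missing = self.missing_prerequisites(eng)
        if missing or not reason.strip():
            self.audit_log.append(f"DENIED {eng.name} -> {scope}: missing={missing} reason={reason!r}")
            return None
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = (eng.name, scope, reason)
        self.audit_log.append(f"REQUEST #{rid} {eng.name} -> {scope}: {reason}")
        return rid

    def approve(self, rid: int, manager: str, now: datetime,
                duration: Optional[timedelta] = None) -> Grant:
        """Step 2: manager approval creates a temporary grant, clipped to max_duration; no self-approval."""
        engineer, scope, reason = self.pending.pop(rid)
        if manager == engineer:
            raise PermissionError("self-approval is not allowed")
        duration = min(duration or self.max_duration, self.max_duration)
        grant = Grant(engineer, scope, reason, manager, now, now + duration)
        self.grants.append(grant)
        self.audit_log.append(f"APPROVE #{rid} by {manager} until {grant.expires_at.isoformat()}")
        return grant

    def has_access(self, engineer: str, scope: str, now: datetime) -> bool:
        """Step 3: only live grants count, so access vanishes when the window closes."""
        active = any(g.engineer == engineer and g.scope == scope and g.is_active(now)
                     for g in self.grants)
        self.audit_log.append(f"CHECK {engineer} -> {scope} at {now.isoformat()}: {active}")
        return active


def demo() -> dict:
    """Walk two engineers through the workflow on a constructed clock."""
    now = datetime(2014, 1, 1, 9, 0, tzinfo=timezone.utc)
    box = LockBox()
    untrained = Engineer("alice", background_check=True, fingerprinting=True)
    cleared = Engineer("bob", background_check=True, fingerprinting=True, security_training=True)
    scope = "mailbox-db-03"  # constructed resource name
    denied = box.request(untrained, scope, "investigate ticket 123")  # placeholder ticket id
    rid = box.request(cleared, scope, "investigate ticket 123")
    box.approve(rid, "carol", now, timedelta(hours=8))  # asked for 8h, capped at 2h
    try:
        box.approve(box.request(cleared, scope, "second task"), "bob", now)
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    return {
        "untrained_denied": denied is None,
        "self_approval_blocked": self_approval_blocked,
        "before": box.has_access("bob", scope, now - timedelta(minutes=1)),
        "during": box.has_access("bob", scope, now + timedelta(hours=1)),
        "after": box.has_access("bob", scope, now + timedelta(hours=3)),
        "other_scope": box.has_access("bob", "mailbox-db-04", now + timedelta(hours=1)),
    }
```

The point to notice is that `has_access` never consults a standing role table: the only thing that can make it return true is a grant whose window is open right now, and the same audit log records the denied request, the approval and every check.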

Account Management: automatic account deletion, unique accounts, zero access privileges

Personnel: training, policies and awareness; Security Development Cycle; annual training; background checks; screening

Administrators

Data: customer data isolation, data encryption, operational best practices

Data

Customer data isolation (Customer A / Customer B)

Designed to support logical isolation of data that multiple customers store in the same physical hardware. Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.

Data in transit: SSL/TLS encryption; client to server, server to server, data centre to data centre
Data at rest: disks encrypted with BitLocker; encrypted shredded storage

User

Encryption

Encrypted Shredded Storage (diagram): the file is shredded into chunks A, B, C, D; a Key Store holds entries A, B, C, D and the Content DB holds entries A, B, C, D, E, with a crypto step between the user and the stores.
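To make the diagram concrete, here is an added example (not SharePoint Online’s implementation) of what “encrypted shredded storage” buys you: a file is cut into chunks, every chunk is encrypted under its own random key, ciphertext goes to a content store and keys go to a separate key store. The content store alone reveals nothing, and deleting a file’s keys makes its chunks unrecoverable even if the content store or a backup still holds them. The cipher is an HMAC-SHA256 counter-mode keystream, an assumption standing in for a real AEAD cipher such as AES-GCM so the example runs with the standard library only; the 16-byte chunk size and the sample document are constructed.

```python
"""Toy model of encrypted shredded storage. Added example; the stream cipher is an
illustrative stand-in for a real AEAD cipher and must not be reused as one."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

CHUNK_SIZE = 16  # bytes; constructed small value so a short sample file shreds into several chunks


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream HMAC-SHA256(key, nonce || counter) XORed over data.
    The same call encrypts and decrypts. Illustrative only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class ShreddedStore:
    def __init__(self):
        self.content_db: Dict[str, Tuple[bytes, bytes]] = {}  # chunk id -> (nonce, ciphertext)
        self.key_store: Dict[str, bytes] = {}                  # chunk id -> per-chunk key
        self.files: Dict[str, List[str]] = {}                  # file name -> ordered chunk ids

    def put(self, name: str, data: bytes) -> List[str]:
        """Shred into fixed-size chunks; each chunk gets a fresh key and nonce."""
        ids = []
        for off in range(0, len(data), CHUNK_SIZE):
            cid = secrets.token_hex(8)
            key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
            self.key_store[cid] = key
            self.content_db[cid] = (nonce, _keystream_xor(key, nonce, data[off:off + CHUNK_SIZE]))
            ids.append(cid)
        self.files[name] = ids
        return ids

    def get(self, name: str) -> bytes:
        """Reassemble; raises KeyError if any chunk key has been shredded."""
        out = bytearray()
        for cid in self.files[name]:
            key = self.key_store[cid]
            nonce, ct = self.content_db[cid]
            out.extend(_keystream_xor(key, nonce, ct))
        return bytes(out)

    def crypto_shred(self, name: str) -> None:
        """Delete the keys only: the ciphertext stays but is now unrecoverable."""
        for cid in self.files[name]:
            self.key_store.pop(cid, None)


def demo() -> dict:
    store = ShreddedStore()
    doc = b"Quarterly numbers: revenue up 12%, headcount 4,210."  # constructed sample, 51 bytes
    ids = store.put("report.txt", doc)
    roundtrip = store.get("report.txt") == doc
    # Does any plaintext chunk appear verbatim anywhere in the content store?
    leaks = any(doc[off:off + CHUNK_SIZE] in ct
                for off in range(0, len(doc), CHUNK_SIZE)
                for _, ct in store.content_db.values())
    distinct_keys = len({store.key_store[c] for c in ids}) == len(ids)
    store.crypto_shred("report.txt")
    try:
        store.get("report.txt")
        recoverable = True
    except KeyError:
        recoverable = False
    return {"chunks": len(ids), "roundtrip": roundtrip, "plaintext_leaks": leaks,
            "distinct_keys": distinct_keys, "recoverable_after_shred": recoverable}
```

Keeping `key_store` and `content_db` as separate dictionaries is the whole design: a copy of the content database (or its backups) is useless without the key store, and retention or deletion is enforced by the much smaller key store rather than by scrubbing every copy of the content.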

The mindset shift: Assume Breach

• Wargame exercises
• Red teaming
• Blue teaming
• Monitor emerging threats
• Execute post breach
• Insider attack simulation

Summary: defense in depth, a multi-dimensional approach to the customer environment, from the Physical Layer to the Data Layer

• Physical controls, video surveillance, access control
• Edge routers, firewalls, intrusion detection, vulnerability scanning
• Dual-factor authentication, intrusion detection, vulnerability scanning
• Access control and monitoring, anti-malware, patch and configuration management
• Secure engineering (SDL), access control and monitoring, anti-malware
• Account management, training and awareness, screening
• Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Customer security controls

Information protection using RMS
• Data protection at rest and data protection in motion
• Information can be protected with RMS at rest or in motion
• RMS can be applied to any file type using the RMS app

S/MIME
• Data protection at rest (diagram labels: User, Transport Layer Security, Exchange server, Data disk, S/MIME protected, Message Delivery)

Office 365 Message Encryption
• Message delivery to the user
• SMTP to partners: TLS protected

Encryption features: comprehensive protection, easy to use, granular control

Anti Spam / Anti Virus

• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time
• Preconfigured for ease of use; integrated administration console
• Mark all bulk messages as spam; block unwanted email based on language or geographic origin

Identity Management: Federation, Password Hash Sync, 2FA

User Access: integrated with Active Directory, Azure Active Directory and Active Directory Federation Services

• Federation: secure SAML token based authentication
• Password Synchronization: only a one-way hash of the password is synchronized to the cloud, such that the original password cannot be reconstructed from it.

Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control
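The password synchronization bullet, as an added example that is not the Azure AD Connect implementation: the on-premises side derives a salted, deliberately slow one-way verifier and synchronizes only that record; the cloud side can check a submitted password against it but holds nothing from which the password can be reconstructed. PBKDF2-HMAC-SHA256 with 100,000 iterations, a 16-byte salt and the record layout are assumptions chosen for the example, not the service’s actual parameters.

```python
"""Illustrative password hash sync. Added example; algorithm parameters are assumed."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumed work factor


def derive_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """On-premises step: the record returned is everything that gets synchronized."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "verifier": digest.hex()}


def sync_to_cloud(directory: dict) -> dict:
    """Constructed 'sync': copies verifier records only; no password ever crosses."""
    return {user: dict(record) for user, record in directory.items()}


def cloud_verify(synced: dict, user: str, password: str) -> bool:
    """Cloud step: recompute with the stored salt and compare in constant time."""
    record = synced.get(user)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["verifier"])


def demo() -> dict:
    on_prem = {"alice": derive_verifier("correct horse battery staple")}  # constructed user
    cloud = sync_to_cloud(on_prem)
    return {"right": cloud_verify(cloud, "alice", "correct horse battery staple"),
            "wrong": cloud_verify(cloud, "alice", "correct horse battery stapl"),
            "unknown_user": cloud_verify(cloud, "mallory", "anything"),
            "password_in_sync_payload": "correct horse" in repr(cloud)}
```

The per-user salt is what keeps two users with the same password from producing the same synchronized value, and the iteration count is what makes offline guessing against a leaked verifier slow; both belong in the record so the cloud side can recompute without sharing secrets with on-premises.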

Federated Identity: single federated identity and credentials, suitable for medium and large organizations

Windows Azure Active Directory; on-premises identity; federation; directory/password sync

Mobile Apps: enterprise authentication using any phone

• Text messages, phone calls
• Push notification; One-Time-Passcode (OTP) token
• Out-of-band call or text; One-Time Passcode (OTP) by text

Compliance

What does compliance mean to customers? What standards do we meet? What is regulatory compliance and organizational compliance?

Compliance: commitment to industry standards and organizational compliance

• Built-in capabilities for global compliance
• Customer controls for compliance with internal policies
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin controls like Data Loss Prevention, Archiving, eDiscovery to enable organizational compliance

What customer issues does this address? Independent verification, regulatory compliance, peace of mind

Standards & Certifications

Standard | Region | Market
SSAE/SOC | Global | Finance
ISO 27001 | Global | Global
EUMC | Europe | Europe
FERPA | U.S. | Education
FISMA | U.S. | Government
HIPAA | U.S. | Healthcare
HITECH | U.S. | Healthcare
ITAR | U.S. | Defense
HMG IL2 | UK | Government
CJIS | U.S. | Law Enforcement

Standards and certifications by market region: ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS

How do Office 365 controls meet compliance?

Office 365 Service | Master GRC Control Sets | Certifications

Office 365 Service: Physical Security, Security Best Practices, Secure Network Layer, Data Encryption, DLP, OME, S/MIME, RBAC, RMS
Master GRC Control Sets: Account Mgmt., Incident Monitoring, Data Encryption, Encryption of stored data and more…, Data Minimization & Retention, Access Control
Certifications: New Cert’s and more…, Office 365 Services Audits

Office 365 has over 950 controls today!

Built-in Capabilities | Customer Controls

Compliance customer controls

Helps to identify, monitor and protect sensitive data through deep content analysis: Identify, Protect, Monitor, End user education

Compliance controls: Data Loss Prevention (DLP)

• Prevents sensitive data from leaving the organization
• Provides an alert when data such as a Social Security or credit card number is emailed
• Alerts can be customized by the admin to stop intellectual property from being emailed out

Empower users to manage their compliance
• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own

DLP document fingerprinting
• Protect sensitive documents from being accidentally shared outside your organization
• No coding required; simply upload sample documents to create fingerprints
• Scan email and attachments to look for patterns that match document templates
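The two DLP capabilities above (pattern detection for Social Security and credit card numbers, and document fingerprinting from an uploaded sample) as one added example, not the Office 365 DLP engine. The identifier patterns, the Luhn check that keeps arbitrary digit runs from triggering the card rule, the word-shingle fingerprint and the 0.5 match threshold are assumptions; the template text and the messages are constructed.

```python
"""Illustrative DLP scanner: identifier detection plus document fingerprinting.
Added example; patterns, fingerprint scheme and threshold are assumptions."""
import hashlib
import re
from typing import Dict, List, Set

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits with optional separators
SHINGLE_WORDS = 5
MATCH_THRESHOLD = 0.5  # fraction of a template's shingles that must appear


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a digit run that fails it is not reported as a card number."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total, double = total + d, not double
    return total % 10 == 0


def find_identifiers(text: str) -> Dict[str, List[str]]:
    ssns = SSN_RE.findall(text)
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"ssn": ssns, "card": cards}


def fingerprint(text: str) -> Set[bytes]:
    """Hash every run of SHINGLE_WORDS consecutive words. A copy of most of the
    sample document shares most of these hashes; a text shorter than one shingle
    has no fingerprint and can never match."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.blake2b(" ".join(words[i:i + SHINGLE_WORDS]).encode(), digest_size=8).digest()
            for i in range(len(words) - SHINGLE_WORDS + 1)}


def containment(candidate: Set[bytes], template: Set[bytes]) -> float:
    """Fraction of the template's shingles present in the candidate."""
    return len(candidate & template) / len(template) if template else 0.0


class DlpPolicy:
    def __init__(self):
        self.templates: Dict[str, Set[bytes]] = {}

    def add_template(self, name: str, sample: str) -> None:
        """'Upload a sample document to create a fingerprint': no rule authoring needed."""
        self.templates[name] = fingerprint(sample)

    def evaluate(self, message: str, attachments: List[str]) -> Dict[str, object]:
        """Scan body and attachments together; block on identifiers or a template match."""
        body = "\n".join([message, *attachments])
        found = find_identifiers(body)
        fp = fingerprint(body)
        matched = [n for n, t in self.templates.items() if containment(fp, t) >= MATCH_THRESHOLD]
        block = bool(found["ssn"] or found["card"] or matched)
        return {"identifiers": found, "templates": matched, "action": "block" if block else "allow"}


def demo() -> dict:
    policy = DlpPolicy()
    policy.add_template("patent-draft",  # constructed sample document
                        "Confidential patent draft: method for cooling server racks "
                        "using directed airflow and phase change material.")
    return {
        "leak": policy.evaluate("Hi Bob, see attached.", [
            "Confidential patent draft: method for cooling server racks using "
            "directed airflow and phase change material. Please review."]),
        "clean": policy.evaluate("Lunch at noon? The patent team meets after.", []),
        "numbers": policy.evaluate("My card is 4111 1111 1111 1111 and SSN 123-45-6789.", []),
    }
```

Containment rather than plain set similarity is the right measure for fingerprinting: a long email that quotes a whole sample document still contains nearly all of the template’s shingles, whereas a message that merely mentions the topic shares almost none.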

Email archiving and retention (Preserve, Search): In-Place Archive, Governance, Hold, eDiscovery

In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA

Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message

Hold
• Capture deleted and edited email messages
• Time-based In-Place Hold
• Granular query-based In-Place Hold
• Optional notification

eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through role-based administration
• De-duplication after discovery
• Auditing to ensure controls are met

Resources

• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks

www.trust.office365.com

Privacy by design means that we do not use your information for anything other than providing you services

No Advertising | Transparency | Privacy controls

• No advertising products out of Customer Data
• No scanning of email or documents to build analytics or mine data
• Various customer controls at admin and user level to enable or regulate sharing
• If the customer decides to leave the service, they get to take their data and delete it in the service
• Access to information about geographical location of data, who has access and when
• Notification to customers about changes in security, privacy and audit information

Privacy

We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services.

We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.

Who owns the data I put in your service? You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.

Will you use my data to build advertising products? No Advertising.

Transparency: Microsoft notifies you of changes in data center locations and any changes to compliance.

Who accesses and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes. Core Customer Data access is limited to key personnel on an exception basis.

How to get notified? Where is data stored? Clear data maps and geographic boundary information are provided; the ‘Ship To’ address determines the data center location.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Microsoft Online Services: data usage by purpose

Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

We use customer data for just what they pay us for: to maintain and provide the Office 365 Service

How is the privacy of data protected? Who has access to which data:

Group | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel) | Yes | Yes, as needed | Yes, as needed | Yes, by exception
Support Organization | Yes, only as required in response to Support Inquiry | Yes, only as required in response to Support Inquiry | Yes, only as required in response to Support Inquiry | No
Engineering | Yes | No direct access; may be transferred during troubleshooting | No direct access; may be transferred during troubleshooting | No
Partners | With customer permission; see Partner for more information | With customer permission; see Partner for more information | With customer permission; see Partner for more information | With customer permission; see Partner for more information
Others in Microsoft | No | No (Yes for Office 365 for small business customers for marketing purposes) | No | No

Security – key risks

Type of Risk | Protection mechanisms
Malicious or unauthorized physical access to data center / server / disks | BitLocker; facility access restrictions to servers / datacenter
External malicious or unauthorized access to service and customer data | Zero standing access privileges; automated operations; auditing of all access and actions; network level DDoS / intrusion detection and prevention; threat management / assume breach
Gaps in software that make the data and service vulnerable | Security Development Lifecycle (SDL)
Rogue administrators / employees in the service or data center | Zero standing access privileges; automated operations; auditing of all access and actions; training; background checks / screening; threat management / assume breach
Microsoft admin credentials get compromised | Multi factor authentication; zero standing access privileges; trusted computers required to get onto management servers; threat management / assume breach
Encryption keys get compromised | Secure key management processes; access to keys is limited or removed for people; BYOK
Administrator’s computer gets compromised / lost | BitLocker on the computer; remote desktop session; zero standing access privileges; separate credentials to log in to the service
Law authorities accessing customer data | Redirect request to customer; threat management and assume breach
Service and customer data becomes inaccessible due to an attack | Network level DDoS / intrusion detection and prevention
Malware | Anti malware
Malfunction of software which enables unauthorized access | Security Development Lifecycle; configuration management
Interception of email to partners over the Internet | SMTP session to partners could be protected using opportunistic or forced TLS
Interception of client / server communication | SSL / TLS is implemented in all workloads
Interception of communication between datacenters or between servers | Office 365 applications use SSL / TLS to secure various server-server communication; all communication is on Microsoft owned networks
Interception or access of content in transit or at rest by other people | Rights Management could be applied to the content
Interception of email in transit or at rest between users within the organization | S/MIME could be implemented and applied to emails
Interception of email in transit and at rest to an external user* | Office 365 Message Encryption may be applied to messages

Related content

OSS304 - Regulatory Compliance and Microsoft Office 365
OSS307 - Highly Available Cloud-based SSO for Office 365

Track resources

Ignite - Ignite.office.com
FastTrack - fasttrack.office.com
Office Blogs – blogs.office.com
Office 365 Trust Centre - trustoffice365.com
Office 365 Customer Success Centre – success.office.com
Register for Office 365 Ignite - aka.ms/ausignite

Please complete your session/speaker evaluation
Go to: aka.ms/mytechedsyd

Q&A