Summit: ITP02 - Office 365 security, privacy, and compliance


Common question: who can benefit from the cloud?
Every enterprise today can benefit from the cloud.
Looking for a certain feature?
If we answer a question stating “feature not available today”, revisit the question again in a few months and the answer could be different.
http://office.com/roadmap
http://aka.ms/o365sd
Unspoken concern: will a public cloud platform make my administrators lose their jobs?
In the long run your administrators' role will change, but it will be a much more strategic, higher-value role: evaluating various innovations and managing relationships with CSPs.
Availability question: will the cloud datacenter be available?
A public cloud provider's datacenter will be at least as good as your own datacenter, if not better. You should look at your provider's promised SLA and historical SLA at http://trust.office365.com
Security question: can a public cloud platform keep my data safe?
a) Identify a provider who has made public cloud strategic to their company.
b) This is a journey we are both on: we want to earn your trust.
c) You are also responsible for your data, and we want to put you in control as well.
Security best practices like penetration testing and defense-in-depth protect against cyber-threats.
Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.
Service-level security capabilities (defense-in-depth layers):
Physical security
Network
Host
Application
Admin
Data
Engineers must have a current background check, fingerprinting and security training. The system grants the least privilege required to complete the task.
[Diagram: Key Store and Content DB, with lettered steps A to E; only the labels survive extraction.]
Customer security controls
Federated identity model: user accounts and password hashes in the on-premises directory are synchronized with AAD Sync; the user signs on and is authenticated.
• SAML token based authentication
• Password synchronization
• Two-factor authentication
• Client-based access control
Conditional access and device management (built-in or through Microsoft Intune): selective wipe, covering the LoB app and the browser.
RMS, S/MIME protected message delivery (diagram: Exchange server and data disk on each end of the delivery path).
Archiving, retention, hold and eDiscovery controls:
• Secondary mailbox with separate quota
• Automated and time-based criteria
• Capture deleted and edited email messages
• Managed through EAC or PowerShell
• Set policies at item or folder level
• Time-based in-place hold
• Available on-premises, online, or through EOA
• Expiration date shown in email message
• Granular query-based in-place hold
• Optional notification
• Web-based eDiscovery center and multi-mailbox search
• Search primary, in-place archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met
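The controls listed above are the ones an administrator sets from the Exchange admin center or the Exchange Management Shell. The following is an added example, not taken from the presentation or from Microsoft documentation, showing how those same controls (archive with its own quota, time-based retention at item/folder level, a query-based time-bound in-place hold, and mailbox auditing) are configured with the standard Exchange cmdlets. The mailbox addresses, policy and tag names, quotas and the search query are placeholders chosen for illustration; the cmdlets and parameters are the standard Exchange 2013 / Exchange Online ones.

```powershell
# Added example: configuring the archiving, retention, hold and audit
# controls from the slide above. Run inside an Exchange Management Shell
# or a remote PowerShell session to Exchange Online with the Organization
# Management role. All names and values below are placeholders.

$User = "alice@contoso.example"     # placeholder mailbox

# 1. In-place archive: a secondary mailbox with its own, separate quota.
Enable-Mailbox -Identity $User -Archive
Set-Mailbox -Identity $User -ArchiveQuota 50GB -ArchiveWarningQuota 45GB

# 2. Retention: automated, time-based criteria.
#    A default tag (Type All) applies to the whole mailbox; a Personal tag
#    is what users apply to individual items or folders. Ages are in days.
New-RetentionPolicyTag -Name "Archive-2Y" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Delete-1Y-Personal" -Type Personal `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "Standard-Retention" `
    -RetentionPolicyTagLinks "Archive-2Y","Delete-1Y-Personal"
Set-Mailbox -Identity $User -RetentionPolicy "Standard-Retention"

# 3. Granular, query-based, time-bound in-place hold across several mailboxes.
#    Items matching the query (including later deleted or edited copies) are
#    preserved in Recoverable Items for 365 days and remain searchable.
New-MailboxSearch -Name "Project-Falcon-Hold" `
    -SourceMailboxes $User,"bob@contoso.example" `
    -SearchQuery 'Subject:"Project Falcon"' `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365

# 4. Auditing, so that the controls above can be verified later: log
#    delegate actions on the mailbox and query the last 30 days.
Set-Mailbox -Identity $User -AuditEnabled $true `
    -AuditDelegate SendAs,SendOnBehalf,MoveToDeletedItems,SoftDelete,HardDelete
Search-MailboxAuditLog -Identity $User -LogonTypes Delegate,Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)

# 5. Confirm what is now in force on the mailbox.
Get-Mailbox -Identity $User |
    Format-List ArchiveStatus,RetentionPolicy,InPlaceHolds,AuditEnabled
```

The hold is created with a search so that the scope is a query rather than "everything in the mailbox"; the InPlaceHolds property on the mailbox is the place to check that the hold actually attached, and the audit log query is what lets a reviewer show that the retention and hold settings were not silently changed.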
What does compliance mean to customers?
What standards do we meet?
What is regulatory compliance and organizational
ISO, SOC, …
If we receive a government demand for any enterprise customer’s data:
• We will only disclose customer data when legally required, and only after attempting to redirect the request to the customer.
• We will notify the customer and provide a copy of the demand unless legally prohibited from doing so.
• We will resist government demands that are invalid.
We back up these commitments in our contracts, and will go to court if necessary when government orders seeking customer data do not comply with applicable laws.
Privacy terms
Security terms
EU Model Clauses
Response to government demands
Core service features and simpler, stable terms during a subscription.
Standard Online Service Terms apply to every cloud customer—no amendments or negotiations required.
Microsoft is demonstrating our commitment to protect customer data from government demands in court actions.
• U.S. Warrant Case. Microsoft is in litigation with the U.S. government to resist a criminal search warrant seeking customer data stored outside the United States. The case is on appeal. It raises important questions about the ability of the U.S. government to issue search warrants for data outside the U.S., given that the government clearly cannot search homes or business premises abroad.
• National Security Letters. Microsoft resisted a National Security Letter non-disclosure order, which prohibited Microsoft from notifying the customer of a government demand to disclose its data. The FBI withdrew the demand.
• Government Requests Transparency. Microsoft filed a lawsuit against the U.S. government to permit greater disclosure about government demands for customer data. The U.S. government settled, allowing Microsoft and others to share broader information with customers.
Roadmap item | Timeline | Value
Volume level encryption (BitLocker) in Exchange (includes IM conversations stored in Exchange folders) | Implemented | Data encryption at rest of messaging content.
Volume level encryption (BitLocker) in SharePoint | H2 2014 | Continuous evolution to encrypt data at rest
File level encryption at rest in SharePoint | Feature rolled out (99.7% of customer data encrypted) | Continuous evolution to encrypt data at rest
DLP for content in SharePoint | Started in August 2014; more in CY2015 | Extending DLP capabilities to data in SharePoint. Continuous evolution. http://blogs.office.com/2014/10/28/expanding-data-loss-prevention-dlpsharepoint-online-onedrive-business-windows-file-share-office-clients/
MDM in Office 365 | Q1 2015 | http://blogs.office.com/2014/10/28/introducing-built-mobile-devicemanagement-office-365/
Compliance Center in Office 365 | Q1 2015 | Single view for all customer controlled compliance functions
MFA improvements in Office 365 | H2 2014 | Native MFA in non-browser clients. http://blogs.office.com/2014/10/28/office-365-latest-innovations-security-compliance/
For the Public Roadmap go to http://office.microsoft.com/roadmap
Two resources you should know:
Office 365 Trust Center: http://trust.office365.com
Office 365 Blog: http://blogs.office.com/
New whitepapers on the Trust Center:
Overview of Security and Compliance in Office 365: http://aka.ms/securitywhitepaper
Customer controls for Information Protection in Office 365: http://aka.ms/customercontrols
Overview of Security and Compliance controls in Office 365: http://aka.ms/fitc, http://aka.ms/fitc4wp
Article 29 Working Party: the collection of data protection authorities in Europe regulating the world’s toughest privacy laws.
Validation by EU Data Protection Authorities of Microsoft’s commercial commitments for DPA/EU Model Clauses (covering Office 365, Azure, CRM Online, and Intune).
• Microsoft is the only provider to have received this validation.
• Standard part of contracts as of July 1st.
http://www.tgdaily.com/enterprise/100136-microsoft-gains-eu-security-approval
data portability
how we use your data