Brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite.
• Pay-as-you-go, per-user licensing
• IM & Presence across firewalls
• Complete Office experience with services integration
• GAL/Skill search in SharePoint
• Always the latest version of Office and Office Web Apps
• Online meeting with desktop sharing
• Familiar Office user experience
• Windows Live federation
• My Sites to manage and share documents
• 25 GB mailbox with voicemail & unified messaging
• Access documents offline
• Integrated personal archiving
• Document-level permissions
• Retention policies and legal hold
• Share documents securely with Extranet Sites
• Free/busy coexistence

Key Concerns
• Privacy
• Loss of Control
• Regulatory
• Physical/Logical Security

Privacy
• What does privacy at Microsoft mean?
• Where is my data?
• Are you using my data to build advertising products?
• Who has access to my data?

Compliance
• What certifications and capabilities does Microsoft hold?
• How does Microsoft support customer compliance needs?
• Do I have the right to audit Microsoft?

Security
• Is cloud computing secure?
• Are Microsoft Online Services secure?
Transparency
• Clear and understandable
• Details for security experts
• Links, videos, whitepapers
• http://trust.office365.com

Cohesive Process Combining 4 Pillars

Your Privacy Matters
• Leadership in Transparency: you know 'where' data resides, 'who' can access it and 'what' we do with it
• Independently Verified: compliance with world-class industry standards verified by 3rd parties
• Relentless on Security: excellence in cutting-edge security practices

[Diagram: Privacy and Security controls. Privacy: PII Controls, Notice and Consent, Breach Response, Data Minimization, Transnational Data Flows. Security: Elevation of Privilege, Denial of Service, Spoofing, Tampering, Repudiation, Information Disclosure.]

At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.

No Advertising
• No advertising products out of Customer Data.
• No scanning of email or documents to build analytics or mine data.

Data Portability
• Office 365 Customer Data belongs to the customer.
• Customers can export their data at any time.

No Mingling
• Choices to keep Office 365 Customer Data separate from consumer services.

We use customer data for just what they pay us for: to maintain and provide the Office 365 Service.

Microsoft Online Services Customer Data: how each category of data is used

Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

Who can access each category of data

Group | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Troubleshooting. | No Direct Access. May Be Transferred During Troubleshooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business customers for marketing purposes). | No. | No.

Where is Data Stored?
• Clear Data Maps and geographic boundary information provided
• 'Ship To' address determines Data Center Location

Who accesses and What is accessed?
• Core Customer Data accessed only for troubleshooting and malware prevention purposes
• Core Customer Data access limited to key personnel on an exception basis

How to get notified?
• Microsoft notifies you of changes in data center locations.
Security Development Lifecycle (SDL): reduce vulnerabilities, limit exploit severity

• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria and sign-off as part of the Final Security Review (FSR)
• Ongoing Process Improvements
• Incident Response (MSRC)

SDL phases and activities
• Training: Core Security Training
• Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
• Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
• Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
• Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
• Release: Incident Response Plan; Final Security Review; Release Archive
• Response: Execute Incident Response Plan

[Chart: Unique Security Issues Reported, by release: Office XP, Office 2003, Office 2007, Office 2010. Values shown on the chart: 111, 83, 32, 9.]

File fuzzing
• A method to identify previously unknown vulnerabilities in file formats
• Office teams fuzzed millions of files 10s of millions of times
• Led to hundreds of new bugs being fixed
• Used to create XML Schema Definitions (XSD) for binary Office files
• XSDs allow binary files to be quickly scanned for potential problems

[Diagram: defense-in-depth layers, from outermost to innermost: Facility, Network Perimeter, Internal Network, Host, Application, User, Data.]

Facility
• 24x7 guarded facility
• 700,000 square feet
• 10s of 1000s of servers
• Days of backup power

Communicate and collaborate more securely using Exchange, SharePoint, Lync, and Office

Comprehensive Protection
• Multi-layered protection against spam and malware
• Effectiveness guaranteed by 5 financially-backed SLAs
• In-product controls that help protect users from threats

Information Security
• Policy rules that inspect emails in transit
• Integration with AD RMS to safeguard sensitive data
• End-to-end encryption of communications

Visibility and Control
• Integrated administration, reporting, and auditing
• Granular control over user access and permissions
• Mobile security policies and remote device wipe
Encryption of customer data: the customer makes the decision
• Customer data at rest is not encrypted
• For "sensitive" data, implementation of Active Directory Rights Management Services (RMS)
• Encryption impacts service functionality (e.g. search and indexing)
• For "sensitive" externally sent/received e-mail, customers employ S/MIME
• Identity/key management issues

Independent verification
Alignment and adoption of industry standards ensure that a comprehensive set of practices and controls is in place to protect sensitive data. While not permitting customer audits, Microsoft provides independent third-party verifications of its security, privacy, and continuity controls, and provides transparency. This saves customers time and money, and allows Office 365 to provide assurances to customers at scale.

Policy and control hierarchy
• Policy: business rules for protecting information and systems which store and process information
• Control Framework: a process or system to assure the implementation of policy
• Standards: system- or procedure-specific requirements that must be met
• Operating Procedures: step-by-step procedures

We are the first and only major cloud-based productivity service to offer the following:

ISO 27001
• ISO 27001 is one of the best security benchmarks available across the world.
• Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management levels.

EU Model Clauses
• Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.
• The EU Model Clauses are a set of stringent European Union-wide data protection requirements.

Data Processing Agreement
• Addresses privacy, security and handling of Customer Data.
• Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states.
• Enables customers to comply with their local regulations.

Comply with additional industry-leading standards

US Health Insurance Portability and Accountability Act (HIPAA)
• HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information.
• Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.

EU Safe Harbor
• The EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification.
• Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.

Compliance offerings and availability

Offering | Who | Availability
ISO 27001 | All customers | Available Now
EU Safe Harbor | EU customers | Available Now
SSAE 16 (Statement on Standards for Attestation Engagements) Type I compliance | Primarily US customers | Available Now
FISMA | US Government | Available Now
HIPAA/BAA | EA Customers | Available Now
EU Model Clauses | EU Customers | Available Now
Data Processing Agreement | EA Customers | Available Now

http://trust.office365.com
http://www.gobalfoundationservices.com