Sessions about to start – Get your RIG on! Microsoft Office 365 Security, Privacy, and Compliance Overview Aaron Dinnage Ben Fletcher OSS203
• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks
www.trust.office365.com

It’s your data
You own it, you control it
We run the service for you
We are accountable to you

Built in Security
Privacy by design
Continuous Compliance

1st Microsoft Data Center Microsoft Security Engineering Center - Security Development Lifecycle (SDL) Hotmail 1989 Exchange Hosted Services (part of Office 365) Active Directory MSN 1995 HIPAA BAA Malware Protection Center Xbox Live 2005 2000 ISO 27001 Certification SAS-70 SSAE-16 Windows Update Microsoft Security Response Center (MSRC) Global Foundation Services (GFS) Trustworthy Computing Initiative (TwC) CJIS Security Policy Agreement Windows Azure 2010 Bill Gates Memo Bing/MSN Search Microsoft Online Services (MOS) Encrypted Shredded Storage in SharePoint Online 2013 Outlook.com Microsoft Security Essentials U.S.-EU Safe Harbor One of the world’s largest cloud providers & datacenter/network operators 2014 FISMA European Union Model Clauses (EUMC) Article 29 Working Committee Message Encryption DLP Fingerprinting

Outsider: Secure Design, Secure Code, Protections against attacks
Insider: Assume Breach, Contain Attackers, Detect Attackers, Remediate Attacks
End User: Built controls DLP, Encryption, etc.
Auditing

Built-in service capabilities
Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats
Customer controls
Physical and data security with access control, encryption and strong authentication
Unique customer controls with Rights Management Services to empower customers to protect information

Facility: Physical controls, video surveillance, access control
Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
Host: Access control and monitoring, anti-malware, patch and configuration management
Application: Secure engineering (SDL), access control and monitoring, anti-malware
Admin: Account management, training and awareness, screening
Data: Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption

Perimeter security
Fire Suppression
Multi-factor authentication
Extensive monitoring
Seismic bracing
24x7 onsite security staff
Days of backup power
Tens of thousands of servers

Backend server and storage
Firewall
Layer of separation
Front end server storage
Edge router protection
User

Just in time access
High entropy passwords
Manager
Request
Approve
Temporary access granted
Request with reason
Zero standing privileges

Background checks
Screening
Automatic account deletion
Unique accounts
Zero access privileges
Security Development Cycle
Annual training

Data
Customer data isolation
Data encryption
Operational best practices

Customer data isolation
Designed to support logical isolation of data that multiple customers store in same physical hardware.
Customer A
Customer B
Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units

Data in-transit
SSL/TLS Encryption
Client to Server
Server to Server
Data centre to Data centre

Data at Rest
Disks encrypted with BitLocker
Encrypted shredded storage
[Diagram: User, Content DB, Key Store]

Wargame exercises
Monitor emerging threats
Red teaming
Execute post breach
Insider attack simulation
Blue teaming

Physical Layer
Logical Layer
Physical controls, video surveillance, access control
Edge routers, firewalls, intrusion detection, vulnerability scanning
Dual-factor authentication, intrusion detection, vulnerability scanning
Access control and monitoring, anti-malware, patch and configuration management
Secure engineering (SDL), access control and monitoring, anti-malware
Account management, training and awareness, screening
Data Layer
Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption

Data Protection in motion
Information can be protected with RMS at rest or in motion
Data protection at rest
RMS can be applied to any file type using RMS app

Encryption features
S/MIME
Office 365 Message Encryption
Transport Layer Security
SMTP to partners: TLS protected
S/MIME protected
Office 365 Message Encryption
Message Delivery
Data disk
Exchange server
Data disk
User
Exchange server

Comprehensive protection
Multi-engine antimalware protects against 100% of known viruses
Continuously updated anti-spam protection captures 98%+ of all inbound spam
Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time

Easy to use
Preconfigured for ease of use
Integrated administration console

Granular control
Mark all bulk messages as spam
Block unwanted email based on language or geographic origin
Identity Management
Federation
Password Hash Sync
2FA
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
• Federation: Secure SAML token based authentication
• Password Synchronization: Only a one way hash of the password will be synchronized to the cloud such that the original password cannot be reconstructed from it.
Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control
Single federated identity and credentials suitable for medium and large organizations

Mobile Apps: Push Notification, One-Time-Passcode (OTP) Token
Phone Calls: Out-of-Band Call
Text Messages: Text, One-Time Passcode (OTP) by Text

What does compliance mean to customers?
What standards do we meet?
What is regulatory compliance and organizational compliance?

Compliance
Commitment to industry standards and organizational compliance
Built-in capabilities for global compliance
Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
Customer controls for compliance with internal policies
Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

What customer issues does this address?
Independent verification
Regulatory compliance
Peace of mind

HIPAA, ISO, SOC, FedRAMP, FERPA, HMG IL2, EUMC, TC260 MLPS

SSAE/SOC: Finance, Global
ISO27001: Global, Global
EUMC: Europe, Europe
FERPA: Education, U.S.
FISMA: Government, U.S.
HIPAA: Healthcare, U.S.
HITECH: Healthcare, U.S.
ITAR: Defense, U.S.
HMG IL2: Government, UK
CJIS: Law Enforcement, U.S.

Built-in Capabilities
Physical Security | Master GRC Control Sets | Certifications
Office 365 has over 950 controls Today!
Security Best Practices
Access Control
Secure Network Layer
Data Minimization & Retention
Data Encryption
Customer Controls
DLP
OME
Account Mgmt.
Incident Monitoring
Data Encryption
SMIME
RBAC
RMS
Audits
Office 365 Services
Office 365 Service
Encryption of stored data and more…
New Cert’s and more…

Helps to Identify, Protect, Monitor
End user education
Sensitive data through deep content analysis
Prevents sensitive data from leaving organization
Empower users to manage their compliance
• Provides an Alert when data such as Social Security & Credit Card Number is emailed.
• Alerts can be customized by Admin to catch Intellectual Property from being emailed out.

• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
Import DLP policy templates from security partners or build your own

Scan email and attachments to look for patterns that match document templates
Protect sensitive documents from being accidentally shared outside your organization
No coding required; simply upload sample documents to create fingerprints

Preserve
Search
In-Place Archive
Governance
Hold
eDiscovery
Secondary mailbox with separate quota
Automated and time-based criteria
Capture deleted and edited email messages
Web-based eDiscovery Center and multi-mailbox search
Managed through EAC or PowerShell
Set policies at item or folder level
Time-Based In-Place Hold
Search primary, In-Place Archive, and recoverable items
Available on-premises, online, or through EOA
Expiration date shown in email message
Granular Query-Based In-Place Hold
Delegate through roles-based administration
Optional notification
De-duplication after discovery
Auditing to ensure controls are met

Privacy by design means that we do not use your information for anything other than providing you services
No advertising products out of Customer Data
No scanning of email or documents to build analytics or mine data
Access to information about geographical location of data, who has access and when
Various customer controls at admin and user level to enable or regulate sharing
Notification to customers about changes in security, privacy and audit information
If the customer decides to leave the service, they get to take their data and delete it in the service

Will you use my data to build advertising products?
We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.

Who owns the data I put in your service?
You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Where is Data Stored?
Clear Data Maps and Geographic boundary information provided
‘Ship To’ address determines Data Center Location

Who accesses and What is accessed?
Core Customer Data accessed only for troubleshooting and malware prevention purposes
Core Customer Data access limited to key personnel on an exception basis.

How to get notified?
Microsoft notifies you of changes in data center locations and any changes to compliance.
We use customer data for just what they pay us for - to maintain and provide Office 365 Service

Microsoft Online Services Customer Data
Columns: Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service: Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention: Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics: Yes | Yes | Yes | No
Personalization, User Profile, Promotions: No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions): No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement: No | No | No | No
Advertising: No | No | No | No

Columns: Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel): Yes | Yes, as needed | Yes, as needed | Yes, by exception
Support Organization: Yes, only as required in response to Support Inquiry | Yes, only as required in response to Support Inquiry | Yes, only as required in response to Support Inquiry | No
Engineering: Yes | No Direct Access. May Be Transferred During Trouble-shooting | No Direct Access. May Be Transferred During Trouble-shooting | No
Partners: With customer permission. See Partner for more information | With customer permission. See Partner for more information | With customer permission. See Partner for more information | With customer permission. See Partner for more information
Others in Microsoft: No | No (Yes for Office 365 for small business Customers for marketing purposes) | No | No

Type of Risk | Protection mechanisms
Malicious or unauthorized physical access to data center / server / disks | BitLocker; Facility access restrictions to servers/datacenter
External malicious or unauthorized access to service and customer data | Zero standing access privileges; Automated operations; Auditing of all access and actions; Network level DDOS / intrusion detection and prevention; Threat management / Assume breach
Gaps in software that make the data & service to be vulnerable | Security Development Lifecycle (SDL)
Rogue administrators / employees in the service or data center | Zero standing access privileges; Automated operations, Auditing of all access and actions; Training; Background checks / screening; Threat management / Assume breach
Microsoft Admin credentials get compromised | Multi factor authentication; Zero standing access privileges; Requires trusted computers to get onto management servers; Threat management / Assume breach

Type of Risk | Protection mechanisms
Encryption keys get compromised | Secure key management processes; Access to key is limited or removed for people; BYOK
Administrator’s computer gets compromised/lost | BitLocker on the computer; Remote desktop session; Zero standing access privileges; Separate credentials to login to the service
Law authorities accessing customer data | Redirect request to customer; Threat management and assume breach
Service and customer data becomes inaccessible due to an attack. | Network level DDOS / intrusion detection and prevention
Malware | Anti Malware
Malfunction of software which enables unauthorized access | Security Development Lifecycle; Configuration management

Type of Risk | Protection mechanisms
Interception of email to partners over Internet | SMTP session to partners could be protected using opportunistic or forced TLS
Interception of client / server communication | SSL / TLS is implemented in all workloads.
Interception of communication between datacenters or between servers | Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks.
Interception or access of content in transit or at rest by other people | Rights Management could be applied to the content.
Interception of email in transit or rest between users within organization | S/MIME could be implemented and applied to emails
Interception of email in transit and rest to an external user* | Office 365 Message Encryption may be applied to messages

Please complete your session/speaker evaluation
Go to: aka.ms/mytechedsyd

Q&A