Learn. Connect. Explore.... · Gurmeet Singh Technology Specialist Randhir Kumar Dhawan Technology...
Transcript of Learn. Connect. Explore.... · Gurmeet Singh Technology Specialist Randhir Kumar Dhawan Technology...
Learn. Connect. Explore.Learn. Connect. Explore.
Microsoft Office 365Security, Privacy & Compliance
Gurmeet Singh
Technology Specialist
Randhir Kumar Dhawan
Technology Specialist
Built-in Security
Customer Controls
Independent Verification
Office 365 Security
24 Hour
Monitored
Physical
Hardware
Isolated
Customer Data
Secure
NetworkEncrypted Data
Automated
operations
Microsoft
security best
practices
Office 365 Built-in Security
24 Hour
Monitored
Physical
Hardware
Isolated
Customer Data
Secure
NetworkEncrypted Data
Automated
operations
Microsoft
security best
practices
24 hour monitored physical hardware
Seismic bracing
24x7 onsite security staff
Days of backup power
Tens of thousands of servers
Perimeter security
Extensive monitoring
Multi-factor authentication
Fire suppression
Isolated Customer Data
DATA in Server
Multi-tenant environment is designed to support logical isolation of data that multiple customers store in same physical hardware.
Intended or unintended access of data belonging to a different customer/tenant is prevented by data isolation.
Active Directory’s organizational units keep Customer A’s data isolated from Customer B’s data
Automated operations
Office 365 Datacenter Network
Microsoft Corporate Network
Grants least privilege required
to complete task.
Verify eligibility by checking if
1. Background Check
Completed
2. Fingerprinting Completed
3. Security Training Completed
O365 Admin
Requests Access
Grants temporary
Privilege
Secure network
Internal Network External Network
Network
Separated
Data
Encrypted
Networks within the Office 365 data centers are segmented.
Physical separation of critical, back-end servers & storage devices from public-facing interfaces.
Edge router security allows ability to detect intrusions and signs of vulnerability.
Office 365 allows encryption of data both at rest & during transit Data unreadable to unauthorized parties
• BitLocker 256bit AES Encryption on all messaging content• Includes mailbox database files, mailbox transaction log files, search content index files,
transport database files, transport transaction log files, and page file OS system disk tracing/message tracking logs
• Data Striping• Malicious access to a single physical hard drive will not yield any meaningful data
• Mailbox messages are striped, which means that the content of customer’s mail messages are distributed across drives
• Transport Layer Security (TLS)/ Secure Sockets Layer (SSL)
• Exchange Online supports S/MIME and third-party technology such as PGP
Microsoft Security Best Practices
24 Hour
Monitored
Physical
Hardware
Isolated
Customer Data
Secure Network
Encrypted
Data
Automated
operations
Microsoft security best
practices
Security Development Lifecycle
Throttling to Prevent DoS Attacks
Prevent Breach
Mitigate Breach
Reduce vulnerabilities, limit exploit severity
Ongoing Process Improvements
Training Requirements Design Implementation Verification Release Response
Education
Administer and track security training
Process
Guide product teams to meet SDL requirements
Accountability
Establish release criteria & sign-off as part of FSR
IncidentResponse (MSRC)
Core SecurityTraining
Est. SecurityRequirements
Create Quality Gates / Bug Bars
Security & Privacy Risk Assess.
Establish DesignRequirements
Analyze AttackSurface
ThreatModeling
Use Approved Tools
Deprecate UnsafeFunctions
Static Analysis
Dynamic Analysis
Fuzz Testing
Attack Surface Review
Incident Response Plan
Final Security Review
Release Archive
Execute IncidentResponse Plan
Baseline normal traffic & usage
Ability to recognize DoS traffic patterns
Automatic traffic shaping kicks in when spikes exceed normal
Mitigates: • Non-malicious excessive use
• Buggy clients (BYOD)
• Admin actions
• DoS attacks
Built-in Security
Customer Controls
Independent Verification
Office 365 Customer Control
24 Hour
Monitored
Physical
Hardware
Isolated
Customer Data
Secure
NetworkEncrypted Data
Automated
operations
Microsoft
security best
practices
Built-in Security
Customer Controls
Independent Verification
Office 365 Customer Control
Data protection at rest
Data protection at rest
Data protection at rest
Data Protection in motion Data Protection in motion
Information can
be protected
with RMS at rest
or in motion
Data protection at rest
FunctionalityRMS in
Office 365S/MIME
ACLs
(Access Control
Lists)
BitLocker
Cloud
Encryption
Gateways (CEGs)
Data is encrypted in the cloud
Encryption persists with content
Protection tied to user identity
Protection tied to Policy (edit, print, do not forward, expire after 30 days)
Secure collaboration with teams and individuals
Native integration with my services (Content Indexing, eDiscovery, BI, Virus/Malware scanning)
Lost or stolen hard disk
User Access
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
• Federation: Secure SAML token based authentication
• Password Synchronization: Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it.
Enables additional authentication mechanisms:• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control
Anti Spam/ Anti Virus
Comprehensive protection• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and
phishing vectors in real time
Easy to use
• Preconfigured for ease of use
• Integrated administration console
Granular control
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin
• Enable customers to meet global compliance
standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and
handling of customer data through Data
Processing Agreements
• Admin Controls like Data Loss Prevention,
Archiving, E-Discovery to enable organizational
compliance
Commitment to industry standards and organizational compliance
Office 365 Independent Verification
24 Hour
Monitored
Physical
Hardware
Isolated
Customer Data
Secure
NetworkEncrypted Data
Automated
operations
Microsoft
security best
practices
Built-in Security
Customer Controls
Independent Verification
Built-in Security
Customer Controls
Independent Verification
Office 365 Customer Control
Standards & Certifications
SSAE/SOC
ISO27001
EUMC
FERPA
FISMA
PCI
HIPAA
HITECH
ITAR
HMG IL2
CJIS
Global
Global
Europe
U.S.
U.S.
Global
U.S.
U.S.
U.S.
UK
U.S.
Finance
Global
Europe
Education
Government
CardData
Healthcare
Healthcare
Defense
Government
Law Enforcement
ISOSOC
HIPAA FedRAMP FERPAHMGIL2
EUMCTC260MLPS
Relentless on Security
24 hour monitored physical datacenters
Logical isolation of data between tenants
Segregation of internal datacenter network from the external networks
Encryption at rest and in transit (AD-RMS)
Securing access to services via identity
Data loss prevention
Anti-virus/anti spam
Service Continuity
99.9% uptime
Financial guarantees on uptime
Redundancy in both functionality as well as data
Automated monitoring and recovery systems
24x7 on-call engineering team available to handle issues
Independently Verified
ISO 27001
EU Model Clauses
HIPAA-HITECH
FERPA
FISMA
U.K. G-Cloud IL2
CJIS
Data Maps Customers know where their data is stored
Role based Access Customers know who can access their data and why
Compliance Notifications Customers can stay in the know by choosing to receive updates regarding changes to security, privacy, and audit information
No advertising We don’t build advertising products out of customer data
No data mining We don’t scan the contents of customer email or documents for analytics or data mining
No co-mingling Business data and consumer data are stored separately
Data is portable Customers own the data and can remove their data whenever they choose
Office 365 Trust Center (http://trust.office365.com)
Demo1. Data Loss Prevention (DLP)
2. Two Factor Authentication
3. Information Rights Management (IRM)
4. Legal Hold & eDiscovery
ReferencesRelated references for you to expand your knowledge on the subject• <Quote related references here>
technet.microsoft.com/en-in
aka.ms/mva
msdn.microsoft.com/
Your Feedback is Important
OPTION 3: Feedback stations outside the hall
Fill out evaluation of this session and help shape future events.
OPTION 1 OPTION 2
Replace this space with the
actual QR Code
Follow us online
Facebookfacebook.com/MicrosoftDeveloper.India
twitter.com/msdevindia
Twitter: <speaker’s handle>
Email:<optional>