Transcript of OFFICE 365 GOVERNANCE: Top FAQ’s & Best Practices O365... · YOUR JOURNEY TO THE CLOUD 18 Next...
Internal Audit, Risk, Business & Technology Consulting
OFFICE 365 GOVERNANCE:
Top FAQ’s & Best Practices
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
CLOUD ADOPTION
• Very latest versions of apps that enhance collaboration and productivity
• Cloud Computing Power (cloud elasticity, built-in machine learning)
• Increased Security and Compliance
• Built-in Business Continuity (backup/recovery, disaster recovery)
• More Predictable Costs (subscription based, more operational, less capital)
Business demands faster, more agile and less costly solutions to achieve digital transformation – Cloud computing offers a compelling way to meet ever-increasing user needs.
How does Governance change when moving to the cloud?
1. SHIFTING ROLE OF IT
I’m an IT Professional… Will I be out of a job as my company moves to the cloud?
NO… however IT Professionals need to embrace and enable moving to the cloud!
• The IT professional’s role is changing to one of service management.
• IT is becoming more strategic in its role and moving to focus on initiatives that benefit the business from a higher level.
• IT professionals are being measured on their contributions to business results.
What are the administrative roles in Office 365?
SHIFTING ROLE OF IT
Shifting From Managing Servers to Managing Services
• Old Focus: Managing Servers, Security Patches, Perpetual Upgrades…
• New Focus
• Managing Services
• People Focus
• Driving Service Adoption
• Change Management
• Communication and Readiness Frameworks
• Shift to More Frequent Updates of Capabilities to End Users
• Consider impacts to Roles & Responsibilities in How You Govern IT Solutions
DEMONSTRATION
OFFICE 365 MESSAGE CENTER, FIRST RELEASE, CHANNEL RELEASES & ROADMAP
Features to Help Manage Change
2. SECURITY CONTROLS
In all cloud environments, security is a shared responsibility!
• Understand the built-in security controls
• Understand which security controls are available to you
• Understand which licenses you need to access the security controls that you require
• Understand your security responsibilities in the cloud
Does Office 365 solve my security issues?
What security controls should I use?
How secure is my data in Office 365?
IN THE CLOUD – SECURITY IS A SHARED RESPONSIBILITY
• Understand Cloud Provider Responsibilities
• Understand Your Responsibilities
• Understanding how your responsibilities are managed requires strong Information Governance policies & procedures
In all cloud environments, security and information protection must be a Shared Responsibility
SAAS = Office 365
PAAS = Azure Web Services, Azure Functions, etc.
IAAS = Azure VMs
OFFICE 365 SECURITY CONTROLS
Features & Capabilities
• SharePoint Permissions
• Information Rights Management/RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• Encrypted Communication (TLS)
• Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAL)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Office 365 Secure Score
• Customer Lockbox
• Security and Compliance Center
  • Security Roles & Permissions
  • Activity Monitoring/Audit Log Search
  • Automatic Alerts
  • Advanced Security Management
  • Classification Labels & Label Policies
  • Data Loss Prevention
  • eDiscovery
  • Mail Filtering/Anti-Malware/DKIM
  • Advanced Threat Protection
  • Compliance Reports/Trust Documents
• Exchange Online Protection
• Exchange Mailbox Auditing
• Threat Intelligence
• Advanced Data Governance
• Active Directory Federation Services
• AD Pass Through Authentication
• AD Seamless Single Sign On
• Azure B2B
• Azure Information Protection
• Azure Conditional Access
• Azure Identity Protection
• Azure Privileged Identity Management
• Advanced Threat Analytics
• Microsoft Intune MDM
• Cloud App Security
• Azure Security Center
• Azure Key Vault/Bring your Own Key (BYOK)
ENTERPRISE MOBILITY + SECURITY PLANS
Upgrade to an Enterprise Mobility + Security Plan for Advanced Security Controls
3. ADMINISTRATOR ACCESS CONTROL
Understanding Microsoft Administrator access and tracking your own administrators is a key aspect of governing your cloud solutions!
• Microsoft administrators have no standing access to Office 365 tenants
• Microsoft administrators must request access to tenants, specifying the purpose & specific activities they will perform
• All end user AND administrator activities are logged in the unified audit log – log entries cannot be deleted
What about Microsoft system administrators?
Can they access my data in Office 365?
Can I audit my administrators?
OFFICE 365 CUSTOMER LOCKBOX
• Microsoft Administrators/Support have zero standing access to the Office 365 servers
• To gain access to a customer’s data, Microsoft support must go through an internal process called “Lockbox”:
  • Customer administrator logs a support request
  • Microsoft engineer must submit a “Lockbox” request to access a Customer tenant
  • Microsoft IT manager must validate access request and duration (will lower duration) and approve request (max 4 hrs)
  • Customer must approve access request, before Microsoft engineer gets any access to Customer tenant
  • Microsoft support may then access the Customer tenant to investigate issue
Customers can control whether Microsoft Office 365 engineers may have access to their tenant.
DEMONSTRATION
OFFICE 365 SECURITY & COMPLIANCE CENTER
OFFICE 365 AUDIT LOGS
Features to Help Secure and Monitor Your Environment
4. ROADMAP YOUR JOURNEY TO OFFICE 365
Creating an Office 365 roadmap allows you to plan your journey to the cloud!
• Don’t try to move all your workloads into Office 365 at once
• Plan out and prioritize the workloads you need to migrate to Office 365
• Ensure you have business buy-in to migrate each workload to Office 365
• Plan adoption strategies as you build out your Office 365 roadmap
Do I need to move all my IT services at once to Office 365? Which workloads do I move first?
How do I figure out which Office 365 services or plans are right for us?
OFFICE 365 ROADMAP EXAMPLE
[Figure: roadmap diagram. Phases: Phase 1: Tenant; Phase 2: Active Directory; Phase 3: Email; Phase 4: OneDrive for Business. Tracks spanning the phases: Security Controls Implementation; Office 365 Adoption Program…]
Boxes shown in the diagram, in extraction order: Create Office 365 Tenant + Initial Config; Register Domains; Sync AD + Setup Auth; Exchange Cutover (MX Record); Initialize OD4B; Plan OD4B Migration; Active Directory; AD Clean up & Prep; Deploy AD Connect; Deploy/Config SSO; Setup Modern Auth; Setup MFA; Initialize Exchange; Free/Busy Status; Shared Address List; Mailbox Inventory; Plan Exchange Migration; Migrate Exchange Mailboxes; Content Inventory (file shares); Identify + Fix Problem Files; Migrate File Shares; Mailbox Migration; Contacts; Pre-Stage Mailboxes; Validation + Mailbox Cutover; Calendar; File Share Migration; Validation + Incremental Migration; Content Cleanup; Make File Share Read Only; Migrate File Share Data; ODFB Training; Licensing; Pre-create OD4B Site; Re-Direct MyDocuments; Eval. 3rd Party Tools; Licensing (pre-create mailboxes); Eval. 3rd Party Tools
5. INFORMATION GOVERNANCE POLICIES & TOOLS
Information governance policies, procedures and tools require updating as you move workloads to the cloud!
• How do roles and responsibilities change when moving to the cloud?
• What types of sensitive data do you have, and can they live in the cloud?
• Will you permit external sharing, from SharePoint Online or from OneDrive?
• How is new hire provisioning and employee de-provisioning impacted?
• Do you have data residency requirements and what is the impact?
• Consider your regulatory compliance obligations - how are your audit programs or assessments impacted?
How does moving to the cloud affect our information governance policies?
ADMINISTRATIVE ROLES & RESPONSIBILITIES IN OFFICE 365
Office 365 has 12 administrative roles with specific responsibilities
Global Administrator
Billing Administrator
Exchange Administrator
SharePoint Administrator
Skype for Business Administrator
Password Administrator
Security & Compliance Administrator
Service Administrator
User Management Administrator
Dynamics 365 Administrator
Dynamics 365 Service Administrator
Power BI Administrator
*Other administrative roles can be configured within Permissions in the Security & Compliance center – for example: eDiscovery Manager
COMPLIANCE IN THE MICROSOFT CLOUD
Microsoft has the deepest and most comprehensive compliance coverage in the industry
RESOURCES & NEXT STEPS
YOUR JOURNEY TO THE CLOUD
Next Steps
• Develop an Office 365/Cloud Roadmap to begin your Digital Transformation
• Plan how IT Roles will shift in your organization as you move to the Cloud
• Understand your security responsibilities and learn about the security controls available in Office 365
• Ensure your governance policies & tools evolve as you move to the Cloud
References
• Microsoft Whitepaper on Shifting IT Roles: https://www.microsoft.com/itshowcase/Article/Content/958/From-systems-to-people-rethinking-service-management
• Microsoft reference on Office 365 Administrative Roles: https://support.office.com/en-us/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d
• Office 365 Compliance Offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings