Office 365 Trust Overview
Vijay Kumar & Jeff McDowell
OFC-B217
Office 365 Trust Center
• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks
www.trust.office365.com
Office 365 security, privacy and compliance
It’s your data: you own it, you control it
We run the service for you: we are accountable to you
Transparent service operation
Privacy by design
Continuous Compliance
Built-in Security
Today’s Security Landscape
Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.
Microsoft experience and credentials
One of the world’s largest cloud providers & datacenter/network operators
Timeline (1989, 1995, 2000, 2005, 2010, 2013, 2014), milestones shown:
• Article 29 Working Committee
• Encrypted Shredded Storage in SharePoint Online
• Microsoft Security Engineering Center - Security Development Lifecycle (SDL)
• Exchange Hosted Services (part of Office 365)
• Hotmail
• SSAE-16
• U.S.-EU Safe Harbor
• European Union Model Clauses (EUMC)
• HIPAA BAA
• Active Directory
• Microsoft Security Response Center (MSRC)
• Global Foundation Services (GFS)
• ISO 27001 Certification
• Microsoft Security Essentials
• 1st Microsoft Data Center
• Trustworthy Computing Initiative (TwC)
• Xbox Live
• MSN
• Bill Gates Memo
• Windows Azure
• FISMA
• Windows Update
• Malware Protection Center
• SAS-70
• Microsoft Online Services (MOS)
• CJIS Security Policy Agreement
• Bing/MSN Search
• Outlook.com
• Message Encryption
• DLP Fingerprinting
Making Sense of Threats
Outsider
End User
Insider
Prevent Breach: Secure Design, Secure Code, Protections against attacks
Assume Breach: Contain Attackers, Detect Attackers, Remediate Attacks
Customer Controls: Built controls (DLP, Encryption, etc.), Auditing
Security
Customer controls
Built-in service capabilities
Physical and data security with access control, encryption and strong authentication
Unique customer controls with Rights Management Services to empower customers to protect information
Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats
Service level security capabilities
Defense in depth: multi-dimensional approach to customer environment
Facility: Physical controls, video surveillance, access control
Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
Host: Access control and monitoring, anti-malware, patch and configuration management
Application: Secure engineering (SDL), access control and monitoring, anti-malware
Admin: Account management, training and awareness, screening
Data: Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption
Physical Security
Perimeter security
Fire suppression
Multi-factor authentication
Extensive monitoring
Seismic bracing
24x7 onsite security staff
Days of backup power
Tens of thousands of servers
Network
Backend server and storage
Front end server storage
Firewall
Layer of separation
Edge router protection
User
Host/Application
Patching/Malware protection
Auditing of all operator access and actions
Security Development Lifecycle
Automated tooling for routine activities
Zero standing permissions in the service
‘Lock Box’: Zero access privilege & role based access
Request
Approve
Request with reason
Zero standing privileges
Temporary access granted
Grants least privilege required to complete task.
Verify eligibility by checking if
1. Background check completed
2. Fingerprinting completed
3. Security training completed
Manager
Just in time access
High entropy passwords
Administrators
Account Management
Automatic account deletion
Unique accounts
Zero access privileges
Training, policies and awareness
Personnel
Security Development Cycle
Annual training
Background checks
Screening
Data
Customer data isolation
Data encryption
Operational best practices
Customer data isolation
Customer A
Designed to support logical isolation of data that multiple customers store in same physical hardware.
Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units
Customer B
Data at Rest
• Disks encrypted with BitLocker
• Encrypted shredded storage
Data in-transit
• SSL/TLS Encryption
• Client to Server
• Server to Server
• Data center to Data center
User
Encryption
Encrypted Shredded Storage
[Figure: content split into shreds A, B, C, D; Key Store (A, B, C, D); Content DB (A, B, C, D, E); crypto]
The mindset shift
Assume Breach
• Wargame exercises
• Red teaming
• Blue teaming
• Monitor emerging threats
• Execute post breach
• Insider attack simulation
Demo
Summary: Defense in depth, multi-dimensional approach to customer environment
Physical controls, video surveillance, access control
Edge routers, firewalls, intrusion detection, vulnerability scanning
Dual-factor authentication, intrusion detection, vulnerability scanning
Access control and monitoring, anti-malware, patch and configuration management
Secure engineering (SDL), access control and monitoring, anti-malware
Account management, training and awareness, screening
Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption
Physical Layer
Logical Layer
Data Layer
Customer security controls
Information protection using RMS
Data protection at rest
Data protection in motion
Information can be protected with RMS at rest or in motion
RMS can be applied to any file type using RMS app
S/MIME
Office 365 Message Encryption
Transport Layer Security
Exchange server
Data disk
S/MIME protected
Message Delivery
User
Office 365 Message Encryption
SMTP to partners: TLS protected
Encryption features
Anti Spam / Anti Virus
Comprehensive protection
Multi-engine antimalware protects against 100% of known viruses
Continuously updated anti-spam protection captures 98%+ of all inbound spam
Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time
Easy to use
Preconfigured for ease of use
Integrated administration console
Granular control
Mark all bulk messages as spam
Block unwanted email based on language or geographic origin
Identity Management
Federation
Password Sync
2FA
User Access
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
• Federation: Secure SAML token based authentication
• Password Synchronization: Only a one way hash of the password will be synchronized to the cloud such that the original password cannot be reconstructed from it.
Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control
Federated Identity
Single federated identity and credentials suitable for medium and large organizations
Windows Azure Active Directory
On-premises identity
Federation
Directory/password sync
Mobile Apps
Enterprise authentication using any phone
Text Messages
Phone Calls
Push Notification
One-Time-Passcode (OTP) Token
Out-of-Band* Call, Text
One-Time Passcode (OTP) by Text
*Out of band refers to being able to use a second factor with no modification to the existing app UX.
Compliance
What does compliance mean to customers?
What standards do we meet?
What is regulatory compliance and organizational compliance?
Compliance
Commitment to industry standards and organizational compliance
Built-in capabilities for global compliance
Customer controls for compliance with internal policies
Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance
What customer issues does this address?
Independent verification
Regulatory compliance
Peace of mind
Standards & Certifications
Standard / Certification | Market | Region
SSAE/SOC | Finance | Global
ISO27001 | Global | Global
EUMC | Europe | Europe
FERPA | Education | U.S.
FISMA | Government | U.S.
HIPAA | Healthcare | U.S.
HITECH | Healthcare | U.S.
ITAR | Defense | U.S.
HMG IL2 | Government | UK
CJIS | Law Enforcement | U.S.
ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS
How Office 365 Controls meet Compliance?
Physical Security
Security Best Practices
Secure Network Layer
Data Encryption
Office 365 Service | Master GRC Control Sets | Certifications
DLP
OME
SMIME
RBAC
RMS
New Certs and more…
Account Mgmt.
Incident Monitoring
Data Encryption
Encryption of stored data and more…
Data Minimization & Retention
Access Control
Office 365 Services Audits
Office 365 has over 950 controls Today!
Built-in Capabilities
Customer Controls
Compliance customer controls
Compliance controls
Helps to identify, monitor, protect sensitive data through deep content analysis
Identify
Protect
Monitor
End user education
Data Loss Prevention (DLP)
Prevents sensitive data from leaving organization
Provides an Alert when data such as Social Security & Credit Card Number is emailed.
Alerts can be customized by Admin to catch Intellectual Property from being emailed out.
Empower users to manage their compliance
• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own
DLP document fingerprinting
Protect sensitive documents from being accidentally shared outside your organization
No coding required; simply upload sample documents to create fingerprints
Scan email and attachments to look for patterns that match document templates
Email archiving and retention
Preserve | Search
In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA
Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message
Hold
• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification
eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met
Privacy
Privacy by design means that we do not use your information for anything other than providing you services
No Advertising
Transparency
Privacy controls
No advertising products out of Customer Data
No scanning of email or documents to build analytics or mine data
Various customer controls at admin and user level to enable or regulate sharing
If the customer decides to leave the service, they get to take their data and delete it in the service
Access to information about geographical location of data, who has access and when
Notification to customers about changes in security, privacy and audit information
Resources
• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks
www.trust.office365.com
Security – key risks
Type of Risk | Protection mechanisms
Malicious or unauthorized physical access to data center / server / disks | BitLocker; Facility access restrictions to servers / datacenter
External malicious or unauthorized access to service and customer data | Zero standing access privileges; Automated operations; Auditing of all access and actions; Network level DDOS / intrusion detection and prevention; Threat management / Assume breach
Gaps in software that make the data & service to be vulnerable | Security Development Lifecycle (SDL)
Rogue administrators / employees in the service or data center | Zero standing access privileges; Automated operations, Auditing of all access and actions; Training; Background checks / screening; Threat management / Assume breach
Microsoft Admin credentials get compromised | Multi factor authentication; Zero standing access privileges; Requires trusted computers to get onto management servers; Threat management / Assume breach

Security – key risks
Type of Risk | Protection mechanisms
Encryption keys get compromised | Secure key management processes; Access to key is limited or removed for people; BYOK
Administrator’s computer gets compromised/lost | BitLocker on the computer; Remote desktop session; Zero standing access privileges; Separate credentials to login to the service
Law authorities accessing customer data | Redirect request to customer; Threat management and assume breach
Service and customer data becomes inaccessible due to an attack. | Network level DDOS / intrusion detection and prevention
Malware | Anti Malware
Malfunction of software which enables unauthorized access | Security Development Lifecycle; Configuration management

Security – key risks
Type of Risk | Protection mechanisms
Interception of email to partners over Internet* | SMTP session to partners could be protected using opportunistic or forced TLS
Interception of client / server communication | SSL / TLS is implemented in all workloads.
Interception of communication between datacenters or between servers | Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks.
Interception or access of content in transit or at rest by other people.** | Rights Management could be applied to the content.
Interception of email in transit or rest between users within organization* | S/MIME could be implemented and applied to emails
Interception of email in transit and rest to an external user* | Office 365 Message Encryption may be applied to messages
No Advertising
Who owns the data I put in your service?
You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.
Will you use my data to build advertising products?
We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services.
We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.
Learn more about data portability and how we use your data.
Transparency
How to get notified?
Microsoft notifies you of changes in data center locations and any changes to compliance.
Who accesses and What is accessed?
Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis.
Where is Data Stored?
Clear Data Maps and Geographic boundary information provided. ‘Ship To’ address determines Data Center Location.
How Privacy of Data is Protected?
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
Microsoft Online Services Customer Data¹
Use | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising⁵ | No | No | No | No
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
Who has access | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.