Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging...


Page 1: Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks .
Page 2:

Office 365 Trust Overview
Vijay Kumar & Jeff McDowell
OFC-B217

Page 3:

Office 365 Trust Center
• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks

www.trust.office365.com

Page 4:

Office 365 security, privacy and compliance

It’s your data: you own it, you control it
We run the service for you: we are accountable to you
Transparent service operation
Privacy by design
Continuous compliance
Built-in security

Page 5:

Today’s Security Landscape
Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.

Page 6:

Microsoft experience and credentials (timeline graphic, 1989 to 2014; year marks: 1989, 1995, 2000, 2005, 2010, 2013, 2014)

One of the world’s largest cloud providers & datacenter/network operators

Milestones shown on the timeline: 1st Microsoft Data Center; MSN; Windows Update; Hotmail; Active Directory; Xbox Live; Bill Gates Memo; Trustworthy Computing Initiative (TwC); Microsoft Security Response Center (MSRC); Security Development Lifecycle (SDL); Microsoft Security Engineering Center; Malware Protection Center; Microsoft Security Essentials; Bing/MSN Search; Windows Azure; Exchange Hosted Services (part of Office 365); Microsoft Online Services (MOS); Global Foundation Services (GFS); Outlook.com; Encrypted Shredded Storage in SharePoint Online; Message Encryption; DLP Fingerprinting

Standards and certifications shown: SAS-70; SSAE-16; ISO 27001 Certification; FISMA; U.S.-EU Safe Harbor; European Union Model Clauses (EUMC); HIPAA BAA; Article 29 Working Committee; CJIS Security Policy Agreement

Page 7:

Making Sense of Threats

Threat actors: Outsider, End User, Insider

Prevent Breach: Secure Design, Secure Code, Protections against attacks
Assume Breach: Contain Attackers, Detect Attackers, Remediate Attacks
Customer Controls: Built controls (DLP, Encryption, etc.), Auditing

Page 8:

Security

Customer controls / Built-in service capabilities
• Physical and data security with access control, encryption and strong authentication
• Unique customer controls with Rights Management Services to empower customers to protect information
• Security best practices like penetration testing and defense-in-depth to protect against cyber-threats

Page 9:

Service level security capabilities

Page 10:

Defense in depth: multi-dimensional approach to customer environment

Facility: Physical controls, video surveillance, access control
Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
Host: Access control and monitoring, anti-malware, patch and configuration management
Application: Secure engineering (SDL), access control and monitoring, anti-malware
Admin: Account management, training and awareness, screening
Data: Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Page 11:
Page 12:

Physical Security
• Perimeter security
• Fire suppression
• Multi-factor authentication
• Extensive monitoring
• Seismic bracing
• 24x7 onsite security staff
• Days of backup power
• Tens of thousands of servers

Page 13:

Network (diagram, from the outside in): User; Edge router protection; Firewall, a layer of separation; Front end server storage; Backend server and storage

Page 14:

Host/Application
• Patching/Malware protection
• Auditing of all operator access and actions
• Security Development Lifecycle
• Automated tooling for routine activities
• Zero standing permissions in the service

Page 15:

‘Lock Box’: Zero access privilege & role based access

Zero standing privileges; Just in time access; High entropy passwords

Flow: Request (request with reason) → Manager approves → Temporary access granted
Grants least privilege required to complete task. Verify eligibility by checking if
1. Background check completed
2. Fingerprinting completed
3. Security training completed

Page 16:

Administrators
• Account Management: Automatic account deletion, Unique accounts, Zero access privileges
• Training, policies and awareness

Personnel
• Security Development Cycle, Annual training
• Background checks, Screening

Page 17:

Data
• Customer data isolation
• Data encryption
• Operational best practices

Page 18:

Customer data isolation (diagram: Customer A, Customer B)

Designed to support logical isolation of data that multiple customers store in the same physical hardware.

Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.

Page 19:

Encryption
• Data at rest: Disks encrypted with BitLocker; Encrypted shredded storage
• Data in transit: SSL/TLS encryption, client to server, server to server, data center to data center

Page 20:

Encrypted Shredded Storage (diagram: a file is split into chunks A, B, C, D; each chunk passes through crypto and is stored in the Content DB as A, B, C, D, E, while the per-chunk keys A, B, C, D are held in a separate Key Store)
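An added toy model of the diagram above (not SharePoint Online's implementation): each chunk gets its own random key, ciphertext lives in the Content DB, keys in a separate Key Store, and shredding a chunk means deleting its key so the remaining ciphertext is unreadable. The HMAC-SHA256 counter-mode keystream stands in for a real cipher; chunk size and chunk identifiers are assumptions.

```python
"""Toy model of encrypted shredded storage: split a file into chunks, encrypt
each chunk under its own random key, keep ciphertext in the Content DB and keys
in a separate Key Store; deleting a key shreds that chunk for good.
Added illustration, not SharePoint Online's code. The HMAC-SHA256 counter-mode
keystream below stands in for a real cipher such as AES; chunk size is assumed."""
import hashlib
import hmac
import os

CHUNK_SIZE = 4  # bytes; tiny so the example stays readable (real chunks are large)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream; applying it twice
    with the same key returns the original bytes."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class ShreddedStore:
    def __init__(self) -> None:
        self.content_db = {}  # chunk id -> ciphertext (useless without its key)
        self.key_store = {}   # chunk id -> key, held by a separate system

    def put(self, doc_id: str, data: bytes) -> list:
        """Chunk, encrypt and store a document; returns the chunk ids."""
        ids = []
        for i in range(0, len(data), CHUNK_SIZE):
            cid = f"{doc_id}/{i // CHUNK_SIZE}"
            key = os.urandom(32)                      # one fresh key per chunk
            self.key_store[cid] = key
            self.content_db[cid] = keystream_xor(key, data[i:i + CHUNK_SIZE])
            ids.append(cid)
        return ids

    def get_chunk(self, cid: str):
        """Decrypt one chunk, or None if its key is gone (shredded)."""
        key = self.key_store.get(cid)
        if key is None or cid not in self.content_db:
            return None
        return keystream_xor(key, self.content_db[cid])

    def get(self, ids: list):
        """Reassemble a document; any shredded chunk makes the whole read fail."""
        parts = [self.get_chunk(cid) for cid in ids]
        if any(p is None for p in parts):
            return None
        return b"".join(parts)

    def shred(self, cid: str) -> None:
        """Destroy only the key; the ciphertext may remain in the Content DB."""
        self.key_store.pop(cid, None)
```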

Page 21:

The mindset shift

Page 22:

Assume Breach
• Wargame exercises: Red teaming, Blue teaming
• Monitor emerging threats
• Execute post breach
• Insider attack simulation

Page 23:

Demo

Page 24:

Summary: Defense in depth, multi-dimensional approach to customer environment (grouped into Physical Layer, Logical Layer and Data Layer)

• Physical controls, video surveillance, access control
• Edge routers, firewalls, intrusion detection, vulnerability scanning
• Dual-factor authentication, intrusion detection, vulnerability scanning
• Access control and monitoring, anti-malware, patch and configuration management
• Secure engineering (SDL), access control and monitoring, anti-malware
• Account management, training and awareness, screening
• Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Page 25:

Customer security controls

Page 26:

Information protection using RMS (diagram: data protection at rest, data protection in motion)

Information can be protected with RMS at rest or in motion.

RMS can be applied to any file type using the RMS app.

Page 27:

Encryption features (diagram: User, Exchange server, Data disk, Exchange server, Data disk, Message Delivery)
• S/MIME: message is S/MIME protected end to end, through the Exchange servers and data disks
• Office 365 Message Encryption: shown at message delivery
• Transport Layer Security: SMTP to partners is TLS protected

Page 28:

Anti Spam / Anti Virus

Comprehensive protection
• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time

Easy to use
• Preconfigured for ease of use
• Integrated administration console

Granular control
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin

Page 29:

Identity Management: Federation, Password Sync, 2FA

Page 30:

User Access
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
• Federation: Secure SAML token based authentication
• Password Synchronization: Only a one-way hash of the password is synchronized to the cloud, so the original password cannot be reconstructed from it.

Enables additional authentication mechanisms:
• Two-Factor Authentication, including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control

Federated Identity: Single federated identity and credentials suitable for medium and large organizations (diagram: On-premises identity connected to Windows Azure Active Directory through Federation and Directory/password sync)

Page 31:

Mobile Apps: Enterprise authentication using any phone
• Mobile Apps: Push Notification; One-Time-Passcode (OTP) Token
• Text Messages: Out-of-Band* Text; One-Time Passcode (OTP) by Text
• Phone Calls: Out-of-Band* Call

*Out of band refers to being able to use a second factor with no modification to the existing app UX.

Page 32:

Compliance
• What does compliance mean to customers?
• What standards do we meet?
• What is regulatory compliance and organizational compliance?

Page 33:

Compliance: Commitment to industry standards and organizational compliance

Built-in capabilities for global compliance
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements

Customer controls for compliance with internal policies
• Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

Page 34:

What customer issues does this address?
• Independent verification
• Regulatory compliance
• Peace of mind

Page 35:

Standards & Certifications

Standard / Certification | Region | Market
SSAE/SOC | Global | Finance
ISO 27001 | Global | Global
EUMC | Europe | Europe
FERPA | U.S. | Education
FISMA | U.S. | Government
HIPAA | U.S. | Healthcare
HITECH | U.S. | Healthcare
ITAR | U.S. | Defense
HMG IL2 | UK | Government
CJIS | U.S. | Law Enforcement

Certification badges shown: ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS

Page 36:

How Office 365 Controls meet Compliance?

Office 365 Service | Master GRC Control Sets | Certifications
Built-in Capabilities: Physical Security, Security Best Practices, Secure Network Layer, Data Encryption | Account Mgmt., Incident Monitoring, Data Encryption, Data Minimization & Retention, Access Control, Encryption of stored data and more… | Office 365 Services Audits, New Cert’s and more…
Customer Controls: DLP, OME, SMIME, RBAC, RMS

Office 365 has over 950 controls Today!

Page 37:

Compliance customer controls

Page 38:

Compliance controls: Helps to identify, monitor and protect sensitive data through deep content analysis
• Identify
• Protect
• Monitor
• End user education

Page 39:

Data Loss Prevention (DLP)
• Prevents sensitive data from leaving the organization
• Provides an alert when data such as Social Security & Credit Card Numbers is emailed.
• Alerts can be customized by Admin to catch Intellectual Property from being emailed out.

Empower users to manage their compliance
• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own

Page 40:

DLP document fingerprinting
• Protect sensitive documents from being accidentally shared outside your organization
• No coding required; simply upload sample documents to create fingerprints
• Scan email and attachments to look for patterns that match document templates
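An added example of how template fingerprinting of this kind can be built (not Exchange Online's algorithm): a sample document is reduced to hashed word shingles, and an outbound message is blocked when enough of those shingles reappear even with the blanks filled in, while a message that only repeats the confidentiality footer stays under the threshold. The shingle length, threshold and sample texts are constructed assumptions.

```python
"""Added example of template-based document fingerprinting (not Exchange Online's
algorithm): a sample document becomes a set of hashed word shingles; an outbound
message is blocked when enough of those shingles reappear, filled-in blanks and
all, while a message that merely reuses the footer stays below the threshold.
Shingle length, threshold and the sample texts are constructed assumptions."""
import hashlib
import re

SHINGLE = 4       # consecutive words per shingle
THRESHOLD = 0.6   # share of the template's shingles that must reappear


def normalize(text: str) -> list:
    """Lower-case and keep only alphanumeric words; blanks like ____ vanish."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> frozenset:
    """Hash every run of SHINGLE words; the set of hashes is the fingerprint."""
    words = normalize(text)
    shingles = set()
    for i in range(len(words) - SHINGLE + 1):
        chunk = " ".join(words[i:i + SHINGLE]).encode()
        shingles.add(hashlib.sha256(chunk).hexdigest()[:16])
    return frozenset(shingles)


def containment(template_fp: frozenset, text: str) -> float:
    """Fraction of the template's shingles that appear in the text."""
    if not template_fp:
        return 0.0
    return len(template_fp & fingerprint(text)) / len(template_fp)


def classify(template_fp: frozenset, message: str, threshold: float = THRESHOLD):
    """Return ('block' or 'allow', score) for an outbound message."""
    score = round(containment(template_fp, message), 2)
    return ("block" if score >= threshold else "allow", score)


# Constructed samples: a form template, a filled-in copy and two benign messages.
TEMPLATE = """Invention Disclosure Form. Confidential: for internal use only.
Title of invention: ____. Inventor name: ____.
Describe the novel aspects of the invention in detail below.
This document and its contents are the property of the company and must not be
shared outside the organization."""
FILLED_FORM = """Invention Disclosure Form. Confidential: for internal use only.
Title of invention: Widget Cooler. Inventor name: A. Example.
Describe the novel aspects of the invention in detail below.
It uses a fan.
This document and its contents are the property of the company and must not be
shared outside the organization."""
FOOTER_ONLY = """This document and its contents are the property of the company
and must not be shared outside the organization."""
UNRELATED = "Hi, are we still on for lunch on Thursday? Let me know. Thanks!"
```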

Page 41:

Email archiving and retention (Preserve, Search)

In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA

Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message

Hold
• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification

eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met

Page 42:

Privacy: Privacy by design means that we do not use your information for anything other than providing you services

No Advertising
• No advertising products out of Customer Data
• No scanning of email or documents to build analytics or mine data

Transparency
• Access to information about geographical location of data, who has access and when
• Notification to customers about changes in security, privacy and audit information

Privacy controls
• Various customer controls at admin and user level to enable or regulate sharing
• If the customer decides to leave the service, they get to take their data and delete it in the service

Page 43:

Resources
• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks

www.trust.office365.com

Page 45:

Security – key risks

Type of Risk | Protection mechanisms
Malicious or unauthorized physical access to data center / server / disks | BitLocker; Facility access restrictions to servers / datacenter
External malicious or unauthorized access to service and customer data | Zero standing access privileges; Automated operations; Auditing of all access and actions; Network level DDOS / intrusion detection and prevention; Threat management / Assume breach
Gaps in software that make the data & service vulnerable | Security Development Lifecycle (SDL)
Rogue administrators / employees in the service or data center | Zero standing access privileges; Automated operations; Auditing of all access and actions; Training; Background checks / screening; Threat management / Assume breach
Microsoft Admin credentials get compromised | Multi factor authentication; Zero standing access privileges; Requires trusted computers to get onto management servers; Threat management / Assume breach

Page 46:

Security – key risks

Type of Risk | Protection mechanisms
Encryption keys get compromised | Secure key management processes; Access to key is limited or removed for people; BYOK
Administrator’s computer gets compromised/lost | BitLocker on the computer; Remote desktop session; Zero standing access privileges; Separate credentials to login to the service
Law authorities accessing customer data | Redirect request to customer; Threat management and assume breach
Service and customer data becomes inaccessible due to an attack | Network level DDOS / intrusion detection and prevention
Malware | Anti Malware
Malfunction of software which enables unauthorized access | Security Development Lifecycle; Configuration management

Page 47:

Security – key risks

Type of Risk | Protection mechanisms
Interception of email to partners over Internet* | SMTP session to partners could be protected using opportunistic or forced TLS
Interception of client / server communication | SSL / TLS is implemented in all workloads.
Interception of communication between datacenters or between servers | Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks.
Interception or access of content in transit or at rest by other people.** | Rights Management could be applied to the content.
Interception of email in transit or at rest between users within the organization* | S/MIME could be implemented and applied to emails
Interception of email in transit and at rest to an external user* | Office 365 Message Encryption may be applied to messages

Page 48:

No Advertising

Who owns the data I put in your service?
You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.

Will you use my data to build advertising products?
We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.

Learn more about data portability and how we use your data.

Page 49:

Transparency

How to get notified?
Microsoft notifies you of changes in data center locations and any changes to compliance.

Who accesses and what is accessed?
Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis.

Where is data stored?
Clear data maps and geographic boundary information provided. ‘Ship To’ address determines Data Center location.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer.

Page 50:

How Privacy of Data is Protected?

Use of Microsoft Online Services Customer Data

Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

We use customer data for just what they pay us for: to maintain and provide the Office 365 Service.

Who has access | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.

Page 51:
Page 52:

Resources
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• msdn: Resources for Developers, http://microsoft.com/msdn
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Page 53:

Complete an evaluation and enter to win!

Page 54:

Evaluate this session
Scan this QR code to evaluate this session.

Page 55:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.