Security Best-in-class security with over a decade of experience building Enterprise software &...


Ken Ewert
Principal Group Program Manager / Compliance Manager
Microsoft Corporation

Dude! Where’s my Data??? A trust overview for Lync Online

ONLI204


Session Overview

Why is this Important

The Office 365 Trust narrative and details

Positioning Our Future Investments


Why this is important

• Security, Privacy and Compliance are differentiators for Office 365

• Political landscape due to PRISM resulting in greater attention to Security and Privacy

• Large organizations need confidence and trust which means deeper engagement in these important topics


The Office 365 Trust narrative

Security: Best-in-class security with over a decade of experience building Enterprise software & Online services

• Physical and data security with access control, encryption and strong authentication

• Security best practices like penetration testing, defense-in-depth to protect against cyber-threats

• Unique customer controls with Rights Management Services to empower customers to protect information

Compliance: Commitment to industry standards and organizational compliance

• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA

• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements

• Admin Controls like Data Loss Prevention, Legal Hold, E-Discovery to enable organizational compliance

Privacy: Privacy by design with commitment to use customers’ information only to provide services

• No mining of data for advertising

• Transparency with the location of customer data, who has access and under what circumstances

• Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties


Microsoft experience and credentials

One of the world’s largest cloud providers & datacenter/network operators

[Timeline figure; axis years: 1989, 1995, 2000, 2005, 2010, 2013. Items shown on the timeline:]

• Exchange Hosted Services (part of Office 365)
• Hotmail
• SSAE-16
• U.S.-EU Safe Harbor
• European Union Model Clauses (EUMC)
• Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA)
• Data Processing Agreement (DPA)
• Active Directory
• Microsoft Security Response Center (MSRC)
• Global Foundation Services (GFS)
• ISO 27001 Certification
• Microsoft Security Essentials
• 1st Microsoft Data Center
• Trustworthy Computing Initiative (TwC)
• Microsoft Security Engineering Center - Security Development Lifecycle (SDL)
• Xbox Live
• MSN
• Bill Gates Memo
• Windows Azure
• FISMA
• Windows Update
• Malware Protection Center
• SAS-70
• Microsoft Online Services (MOS)
• CJIS Security Policy Agreement
• Bing/MSN Search
• Outlook.com


Security

Built in Capabilities

Flexible Customer Controls

• Security best practices like penetration testing, defense-in-depth to protect against cyber-threats

• Physical and data security with access control, encryption and strong authentication

• Unique customer controls with Rights Management Services to empower customers to protect information

Built in Security Capabilities

Defense in depth: multi-dimensional approach to customer environment

Security Management: Threat and vulnerability management, security monitoring, and response

Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning

Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning

Host: Access control and monitoring, anti-malware, patch and configuration management

Application: Secure engineering (SDL), access control and monitoring, anti-malware

Data: Access control and monitoring, file/data integrity, encryption

User: Account management, training and awareness, screening

Facility: Physical controls, video surveillance, access control


Facility

Seismic bracing

24x7 onsite security staff

Days of backup power

Tens of thousands of servers

Perimeter security

Extensive monitoring

Multi-factor authentication

Fire suppression


• Microsoft disallows removable media and wireless devices in our data centers, but for emergency reasons (such as in case of fire) and to enable people to do their jobs, mobile phones are allowed. However, if such a device were to be attached to physical hardware, this action would trigger a security alert.

• Data center access is also checked and validated for each individual before entry.

Removable Media


Network perimeter

Internal Network

Physical separation between backend and public facing interfaces

Edge router security / firewalls implemented to secure network edge

Port scanning

Perimeter Vulnerability scanning

Network level DDOS & intrusion detection and prevention


Throttling to Prevent DoS attacks

• Ability to recognize DoS traffic patterns
• Automatic traffic shaping kicks in when spikes exceed normal
• Mitigates:
   • Non-malicious excessive use
   • Buggy clients (BYOD)
   • Admin actions
   • DoS attacks


Internal network


Network level DDOS & intrusion detection and prevention

Networks within the Office 365 data centers are segmented

2FA for service access

Microsoft Corporate Network

Isolation between corporate environment and production access environment for all employees


Host/Application

Zero standing permissions in the service

Automated tooling for routine activities

Auditing of all operator access and actions

Security Development Lifecycle

Patching/Malware protection

Office 365


Microsoft Admin (user)

Account management
• Automatic account deletion
• Unique accounts
• Zero access privileges

Training, policies and awareness

Background checks, screening


Zero access privilege & automated operations


Office 365 Datacenter Network

Microsoft Corporate Network

Lock Box: Role Based Access Control

Grants least privilege required to complete task. Verify eligibility by checking if:
1. Background Check Completed
2. Fingerprinting Completed
3. Security Training Completed

O365 Admin Requests Access

Grants temporary Privilege


Isolated Customer Data

DATA in Server

Multi-tenant environment is designed to support logical isolation of data that multiple customers store in same physical hardware.

Intended or unintended access of data belonging to a different customer/tenant is prevented by data isolation.


Encryption: BitLocker

Available in Windows servers and clients

128 bit or 256 bit AES

Protects against the following scenarios
• Unauthorized physical access to servers / hardware in datacenters
• A disk or server not getting recycled appropriately

[Diagram: Customer side (Windows computer) and Backend (Windows server, data disk), each BitLocker protected]


Encryption in Transit

SSL/TLS Encryption
• Client to Server
• Server to Server
• Data center to Data center

[Diagram: Customer Windows PC to server, client/server link SSL/TLS protected; server (data disk) to server (data disk), server-to-server link SSL/TLS protected]


Summary: Defense in depth, multi-dimensional approach to customer environment

Security Management: Threat and vulnerability management, monitoring, and response

Network perimeter: Edge routers, intrusion detection, vulnerability scanning

Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning

Host: Access control and monitoring, anti-malware, patch and configuration management

Application: Secure engineering (SDL), access control and monitoring, anti-malware

Data: Access control and monitoring, file/data integrity, encryption

User: Account management, training and awareness, screening

Facility: Physical controls, video surveillance, access control


Security Development Lifecycle: Reduce vulnerabilities, limit exploit severity

Training: Core Security Training

Requirements: Est. Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assess.

Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling

Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis

Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review

Release: Incident Response Plan; Final Security Review; Release Archive

Response: Execute Incident Response Plan

Education: Administer and track security training

Process: Guide product teams to meet SDL requirements

Accountability: Establish release criteria & sign-off as part of FSR

Incident Response (MSRC)

Ongoing Process Improvements


Beyond industry best practices
- Assume breach
- Security incident notification


Prevent Breach and Assume Breach

Prevent Breach
• Threat model
• Code review
• Security development lifecycle (SDL)
• Security testing

Assume Breach
• War game exercises (NEW)
• Live site pentest (NEW)
• Centralized security logging & monitoring (NEW)

Assume breach identifies & addresses significant gaps:
• Detect attack & penetration
• Respond to attack & penetration
• Recover from data leakage or tampering

Scope ongoing live site testing of security response plans to drastically improve mean time to detection & recovery

Reduce exposure to internal attack (once inside, attackers have broad access)

Periodic environment post breach assessment & clean state

Examples of vuln detection


Assume Breach

• War game exercises
• Red teaming
• Blue teaming
• Monitor emerging threats
• Execute post breach
• Insider attack simulation


Penetration Testing

We do our own penetration testing which is quite effective as we can test a number of rogue admin scenarios

Red Team / Blue Team war games

We also provide auditors with reports and communications to keep them apprised of the status of the system.

Furthermore, we validate the external surface of the service using third party penetration testing based upon the OWASP top ten.


Outsider Attacks

• Outside In PEN testing
• Weekly port scanning
   Only protocol ports open to the world (over SSL)
• Daily perimeter vuln scanning
• OS Patching
• Message hygiene
   Antispam, Antivirus through FOPE
• Network level DDOS detection and prevention
   Arbor Peakflow
• 0-human set engineer passwords
   No weak/reused passwords


Insider Attacks (i.e. Rogue Admin, disgruntled employee)

• 2FA required for service access
• Auditing of all operator access and actions
• 0-standing permissions in the service
   Just in time elevations
   Automatic rejection of non-background check employees to high privilege access
   Scrutinized manual approval for background checked employees
• Automatic account deletion
   When employee leaves
   When employee moves groups
   Lack of use
• Automated tooling for routine activities
   Deployment, Debugging, Diagnostic collection, Restarting services
• Passwords encrypted in password store
   Automation has access to passwords
   Highly scrutinized, manually approved access for humans


Security Incident Notification

DETECTION / RESPONSE

Breach

• A malicious act against the environment that results in unauthorized disclosure, or alteration and/or denial of data or service

• Initiate Breach Response procedures

[Process diagram labels: Declaration of Breach; Communication; Remediation; Executive Reporting; Media Relations; Privacy; Containment; Eradication; Recovery; Closure; Post mortem; Documentation; Process Improvement; Customer Notification]


User Access

Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
• Federation: Secure SAML token based authentication
• Password Synchronization: Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it.

Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control


Security – Key Risks

Type of Risk: Malicious or unauthorized physical access to data center / server / disks
Protection mechanisms: BitLocker implemented on servers; Facility access restrictions to servers/datacenter
Implementation: Backend control implemented in the service.

Type of Risk: External malicious or unauthorized access to service and customer data
Protection mechanisms: Zero standing access privileges; Automated operations; Auditing of all access and actions; Network level DDOS / intrusion detection and prevention; Threat management / Assume breach
Implementation: Backend control implemented in the service.

Type of Risk: Gaps in software that make the data & service to be vulnerable
Protection mechanisms: Security Development Lifecycle
Implementation: Backend control implemented in the service.

Type of Risk: Rogue administrators / employees in the service or data center
Protection mechanisms: Zero standing access privileges; Automated operations; Auditing of all access and actions; Training; Background checks / screening; Threat management / Assume breach
Implementation: Backend control implemented in the service.

Type of Risk: Microsoft Admin credentials get compromised
Protection mechanisms: Multi factor authentication; Zero standing access privileges; Requires Microsoft trusted computers to get onto management servers; Threat management / Assume breach
Implementation: Backend control implemented in the service.


Security – Key Risks

Type of Risk: Encryption keys get compromised
Protection mechanisms: Secure key management processes; Access to key is limited or removed for people
Implementation: Backend control implemented in the service.

Type of Risk: Administrator’s computer gets compromised/lost
Protection mechanisms: BitLocker on the disks of the computer; Remote desktop session; Different credentials; Zero standing access privileges
Implementation: Backend control implemented in the service.

Type of Risk: Law authorities accessing customer data.
Protection mechanisms: Redirect request to customer; Threat management and assume breach
Implementation: Backend control implemented in the service.

Type of Risk: Service and hence customer data becomes inaccessible due to an attack.
Protection mechanisms: Network level DDOS / intrusion detection and prevention
Implementation: Backend control implemented in the service.

Type of Risk: Malware
Protection mechanisms: Anti Malware at host, application and transient data layers
Implementation: Backend control implemented in the service.

Type of Risk: Malfunction of software which enables unauthorized access to other user’s data in the tenant / other tenant / with no authentication
Protection mechanisms: Security Development Lifecycle; Configuration management
Implementation: Backend control implemented in the service.


Security – Key Risks

Type of Risk: Interception of email to partners over Internet*
Protection mechanisms: SMTP session to partners could be protected using opportunistic or forced TLS
Implementation: Control available to customers.

Type of Risk: Interception of client / server communication
Protection mechanisms: SSL / TLS is implemented in all workloads.
Implementation: Backend control implemented in the service.

Type of Risk: Interception of communication between datacenters or between servers
Protection mechanisms: Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks.
Implementation: Backend control implemented in the service.

Type of Risk: Interception or access of content in transit or at rest by other people.**
Protection mechanisms: Rights Management could be applied to the content.
Implementation: Control available to customers.

Type of Risk: Interception of email in transit or rest between users within organization*
Protection mechanisms: S/MIME could be implemented and applied to emails
Implementation: Control available to customers.

Type of Risk: Interception of email in transit and rest to an external user*
Protection mechanisms: Office 365 Message Encryption may be applied to messages
Implementation: Control available to customers.


Privacy

Privacy by design means that we do not use your information for anything other than providing you services

No Advertising
• No advertising products out of Customer Data
• No scanning of email or documents to build analytics or mine data

Privacy controls
• Various customer controls at admin and user level to enable or regulate sharing
• If the customer decides to leave the service, they get to take their data and delete it in the service

Transparency
• Access to information about geographical location of data, who has access and when
• Notification to customers about changes in security, privacy and audit information


No Advertising

We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services.

We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.

You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.

Learn more about data portability and how we use your data.

Who owns the data I put in your service?

Will you use my data to build advertising products?


Transparency

How to get notified?
Microsoft notifies you of changes in data center locations and any changes to compliance.

Who accesses and What is accessed?
Core Customer Data accessed only for troubleshooting and malware prevention purposes.
Core Customer Data access limited to key personnel on an exception basis.

Where is Data Stored?
Clear Data Maps and Geographic boundary information provided.
‘Ship To’ address determines Data Center Location.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer


How Privacy of Data is Protected?

Microsoft Online Services Customer Data1 | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising5 | No | No | No | No

We use customer data for just what they pay us for - to maintain and provide Office 365 Service

 | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.


Compliance

What does compliance mean to customers?

What standards do we meet?

What is regulatory compliance and organizational compliance?


• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA

• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements

• Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

Compliance: Commitment to industry standards and organizational compliance

Built-in Capabilities for Global Compliance

Customer controls for compliance with internal policies


What customer issues does this address

• Independent verification
• Regulatory compliance
• Peace of mind


Standards & Certifications

Standards / Certifications | Market | Region
SSAE/SOC | Finance | Global
ISO27001 | Global | Global
EUMC | Europe | Europe
FERPA | Education | U.S.
FISMA | Government | U.S.
PCI | CardData | Global
HIPAA | Healthcare | U.S.
HITECH | Healthcare | U.S.
ITAR | Defense | U.S.
HMG IL2 | Government | UK
CJIS | Law Enforcement | U.S.

[Logo strip: ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS]


How Office 365 Controls meet Compliance?

Office 365 has over 900 controls Today!

Built-in Capabilities: Physical Security; Security Best Practices; Secure Network Layer; Data Encryption

Office 365 Service | Master GRC Control Sets | Certifications

[Diagram labels: DLP; OME; SMIME; RBAC; RMS; Account Mgmt.; Incident Monitoring; Data Encryption; Encryption of stored data and more…; Data Minimization & Retention; Access Control; New Cert’s and more…; Office 365 Services; AUDITS]


Approach to Compliance

[Process diagram labels:]
• Market & Competitive Intelligence
• Compliance Management Framework
• Regulatory Impact Analysis (RSIA)
• Define Security, and Privacy controls
• Determine Implementation Requirements
• Implement Controls
• Document Implementation
• Continuous Monitoring
• Independent verification (Audits)
• Remediation
• Prioritize


Responsibilities in the Services world

Microsoft is the Data Custodian/Processor

Customer is the Data Controller


Customers are involved in complying with regulations

We satisfy various requirements for security, privacy and handling of customer data
• Examples are DPAs with EU Model clauses, ISO, FISMA etc.

Customers would still have to do their part for components that run on-premises
• Client side / desktop security and encryption standards
• Physical access
• End user secret management


The elephant in the room…..

NSA, PRISM & Privacy


Trust and Confidence

We take privacy seriously and provide customer data only in response to specific, targeted lawful demands.

Trust that private information customers share with others or store in the cloud will remain private

Trust that governments will respect the privacy of users


Government Snooping

By default, no one has access to a customer’s data without authorization. We provide contractual guarantees concerning how access requests are handled.

We’re obligated to comply with applicable governmental laws i.e. we respond to legal demands for customer data and do not provide any government with direct and unfettered access to our customer’s data

We only pull/provide the specific data mandated by the relevant legal demand i.e. we must be served with a court order or subpoena for content or account information

We only respond to requests for specific accounts and identifiers

All requests are explicitly reviewed by the Microsoft compliance team, who ensures that the requests are valid, rejects

For more information, please see the official Microsoft blog, "Protecting customer data from government snooping"


Clearing the Air

To be clear, here’s what we do, and what we don’t do:

• We don’t provide any government with direct, unfettered access to your data.

• We don’t assist any efforts to break our encryption or provide any government with encryption keys.

• We don’t engineer back doors

• We aren’t involved in any surveillance programs

• For business and government customers we can be even more specific: Microsoft has never provided data in response to a national security order.

The volume of information Microsoft provides to the U.S. Government has been significantly exaggerated

Microsoft publishes a Law Enforcement Requests Report Every Six Months here

Any requests we receive relate to specific accounts within the enterprise and not to all of the accounts or data within a particular enterprise

Microsoft only discloses customer data when it is served with a valid legal demand, and we only comply with orders for specific accounts or identifiers


Monday, February 17th

Exhibit Hall Hours 6:00pm – 8:00pm

6:00pm – 8:00pm Welcome Reception

Tuesday, February 18th

Exhibit Hall Hours 8:00am – 9:00am (Breakfast), 10:30am – 5:00pm

8:00am – 9:00am Breakfast (Exhibit Hall)
9:00am – 10:30am General Session
10:30am – 5:00pm Expo Hall Hours
11:00am – 12:15pm Sessions & Hands-on Labs
12:15pm – 2:00pm Lunch
2:00pm – 5:00pm Sessions & Hands-on Labs
5:00pm – 7:00pm Ask the Experts

Wednesday, February 19th

Exhibit Hall Hours 10:30am – 4:30pm

7:30am – 8:30am Breakfast
8:30am – 11:30am Sessions & Hands-on Labs
10:30am – 4:30pm Expo Hall Hours
11:30am – 1:00pm Lunch
1:00pm – 5:45pm Sessions & Hands-on Labs
6:30pm – 9:30pm Attendee Party

Thursday, February 20th

Exhibit Hall Hours 9:00am – 12:00pm

8:00am – 9:00am Breakfast
9:00am – 12:00pm Expo Hall Hours
9:00am – 12:15pm Sessions & Hands-on Labs
12:15pm – 1:30pm Lunch and Departures


Ask the Experts

Location: Meal Hall located on Level 1 in Pinyon Ballroom 4-8

Tuesday, February 18

TABLE TOPICS: Best Practices, Business Value, Clients & Mobility, Lync Meetings and Video, Lync Online, Networking, Platform, Server & Manageability, Voice, Lync Feedback Sessions

Meet face-to-face with the foremost experts in the Lync field and ask them the questions that have you stumped.


Location: Breakout rooms located on Level 1 5:00pm-7:00pm

GROUPS INCLUDE:
• Manageability – Pinyon 2
• Meetings & Web Experiences – Bluethorn 4-6
• Mobility – Bluethorn 7-9
• Presence & Chat – Pinyon 1
• Voice & Video – Bluethorn 1-3

Come participate in targeted Feedback Sessions to hear about the high-priority feature asks and help us improve the next release!

Lync Feedback

These sessions are meant to be informational, providing an understanding of the workload and conversational, to discuss your user scenarios and desired improvements.


Birds of a Feather

Birds of a Feather flock together! Join daily breakfast discussions of relevant topics by sitting in the separately designated areas of the Meal Hall. Seating will be sorted in a different way for each Birds of a Feather breakfast:

Wednesday, February 19: Where are you from? Asia/Pacific, Eastern & Central Europe, Latin America, Middle East & Africa, US (West, Central & East) and Canada, Western Europe

Thursday, February 20: What is your interest? Best Practices, Business Value, Clients & Mobility, Lync Meetings and Video, Lync Online, Networking, Platform, Server & Manageability, Voice


#LyncConf14

/msftLYNC

/microsoft-lync

/MSFTLync


Lync Launch Pad

You’ve launched Lync. Now Launch this.

MS Pavilion – Expo Hall


Fill out evaluations to win prizes

Fill out evaluations on MyLync or MyLync Mobile. Prizes awarded daily.


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.