Internal Audit, Risk, Business & Technology Consulting
OFFICE 365 SECURITY MACGYVER, NINJA OR SWAT TEAM?
Antonio Maio
Protiviti | Senior SharePoint Architect
Microsoft Office Server and Services MVP
Email: [email protected]
www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
MACGYVER
IT Team Member
• Typically works alone
• Given responsibility for Office 365
• No formal security training, or self-trained
• Smart - Comfortable learning & working with technology
• Good at pulling together solutions with what’s available
• Smaller organization – No/low budget for training & tools
• Very security minded/concerned
NINJA
The Security Expert
• Typically works alone
• Formally trained security expert / Know your stuff
(CISSP, CISM, MSCP, OSCP, etc.)
• Very security minded/concerned
• Some budget for training & tools
SWAT TEAM
The Information Security Team
• Highly skilled team members
• Comprised of multiple security experts
• Distributed roles & responsibilities
• Larger or heavily regulated organizations
• Very security minded & compliance focused
• Annual budgets for training & tools
BUILT IN SECURITY
What everyone should know…
• Understand Cloud Provider Responsibilities
• Understand Your Responsibilities
In a cloud environment, security and information protection must be a Shared Responsibility.
Understanding how your responsibilities are managed requires strong Information Governance policies & procedures.
SAAS = Office 365
PAAS = Azure Web Services, Azure Functions, etc.
IAAS = Azure VMs
https://channel9.msdn.com/Shows/Azure-Friday/Red-vs-Blue-Internal-security-penetration-testing-of-Microsoft-Azure
Reference and cipher suites: https://technet.microsoft.com/en-us/library/dn569286.aspx
MACGYVER – IT TEAM MEMBER
Control how sites and documents can be shared with External Users on a site collection by site collection basis.
Click Settings > Services and Add-Ins > Sites
SharePoint Online has the same inherited, hierarchical, permissive permission model as SharePoint On Premise.
Permission hierarchy (each level inherits from its parent unless inheritance is broken):
Office 365 Customer Tenant
  SharePoint Online
    Site Collection / Site Collection
      Site / Site
        Library / List
          Document / Item

Demo role assignments (principal, principal type, permission level):
Demo Members    SharePoint Group   Edit
Demo Owners     SharePoint Group   Full Control
Demo Visitors   SharePoint Group   Read
Finance Team    Domain Group       Edit
Senior Mgmt     Domain Group       Full Control
Research Team   Domain Group       Full Control
Senior Mgmt     Domain Group       Full Control
Research Team   Domain Group       Full Control
Senior Mgmt     Domain Group       Full Control
Antonio.Maio    Domain User        Full Control
• If a user is a member of multiple groups which have access to a resource, the user will get the highest level of group access granted.
• To remove a user’s access to a resource, they must be removed from all groups which have access.
• There is no concept of a deny policy.
• https://securescore.office.com
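The three bullets above describe how SharePoint resolves permissions: the strongest grant from any group wins and there is no deny. The PowerShell below is an added example, not from the slides, that models that resolution over a constructed set of groups, nested memberships and role assignments so an admin can see every path that grants a user access (each of which has to be removed before the user loses access).

```powershell
# Added example, not from the slides: a small model of SharePoint Online's permission
# resolution (highest group grant wins, no deny) that reports every path granting a user
# access. All groups, users and assignments below are constructed sample data.

# Built-in permission levels ranked weakest to strongest.
$LevelRank = @{ 'Limited Access' = 1; 'Read' = 2; 'Contribute' = 3; 'Edit' = 4; 'Design' = 5; 'Full Control' = 6 }

# Constructed role assignments on one site (principal -> permission level).
$RoleAssignments = @(
    @{ Principal = 'Demo Members';  Level = 'Edit' },
    @{ Principal = 'Demo Owners';   Level = 'Full Control' },
    @{ Principal = 'Demo Visitors'; Level = 'Read' },
    @{ Principal = 'Finance Team';  Level = 'Edit' },
    @{ Principal = 'Senior Mgmt';   Level = 'Full Control' }
)

# Constructed memberships: group -> members (users or nested groups).
$Membership = @{
    'Demo Members'  = @('Finance Team', 'jane.doe')   # domain group nested in a SharePoint group
    'Demo Visitors' = @('john.smith')
    'Finance Team'  = @('john.smith')
    'Senior Mgmt'   = @('jane.doe')
}

# Recursively collect every group that contains a principal, directly or through nesting.
function Get-ContainingGroups {
    param(
        [string]$Principal,
        [hashtable]$Membership,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    foreach ($group in $Membership.Keys) {
        # HashSet.Add returns $false for a group already visited, which also stops cycles.
        if ($Membership[$group] -contains $Principal -and $Seen.Add($group)) {
            Get-ContainingGroups -Principal $group -Membership $Membership -Seen $Seen
        }
    }
}

# Resolve the effective level for a user and list each grant that contributes to it.
function Get-EffectivePermission {
    param([string]$User)
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    Get-ContainingGroups -Principal $User -Membership $Membership -Seen $seen
    $principals = @($User) + @($seen)

    $grants = @($RoleAssignments | Where-Object { $principals -contains $_.Principal })
    if ($grants.Count -eq 0) {
        return [pscustomobject]@{ User = $User; Effective = 'No access'; GrantedVia = @() }
    }
    # There is no deny, so the effective level is simply the maximum over all grant paths.
    $best = $grants | Sort-Object { $LevelRank[$_.Level] } -Descending | Select-Object -First 1
    [pscustomobject]@{
        User       = $User
        Effective  = $best.Level
        # Every entry here must be cleared before the user loses access to the resource.
        GrantedVia = @($grants | ForEach-Object { "$($_.Principal) ($($_.Level))" })
    }
}

# john.smith is only a Visitor directly, but Finance Team (nested in Demo Members) gives Edit.
Get-EffectivePermission -User 'john.smith' | Format-List
Get-EffectivePermission -User 'jane.doe'   | Format-List
```

Run against the constructed data, john.smith resolves to Edit with three grant paths (Demo Visitors, Finance Team, Demo Members), which is exactly why removing him from Demo Visitors alone changes nothing. The same walk, fed with real group membership from the directory and role assignments from the site, is the check to run before declaring that a departing user no longer has access.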
NINJA – SECURITY EXPERT
Multi-factor authentication helps protect against unauthorized access to the Office 365 environment.
• New integrated authentication mechanism built into Office client apps
• Uses ADAL (Active Directory Authentication Library)
• Cross platform: Windows, Mac OS X, Windows Phone, iOS, Android
• Provides advanced sign in features for the Office clients:
  • Multi-Factor Authentication (MFA)
  • SAML third-party identity providers
  • Smart card
  • Certificate based authentication
  • Microsoft Authenticator App
  • Third party Authenticator App
• Microsoft Outlook no longer requires “basic authentication”
• Greater consistency in the user experience for users authenticating to Office 365 services and apps
• Greater security across the entire Office 365 service & app suite
Newly launched authentication protocol which became generally available on May 20, 2016.
• Dependent on client application (requires Office/Outlook 2016, or Office 2013 with latest SP)
• Support must be enabled on Office Clients and in the Office 365 service:
  • Ex. Outlook 2016 will attempt Modern Authentication and auto-revert to Basic Authentication if it is not enabled in Exchange Online
• No support planned for: Office 2010 or 2007, Office for Mac 2011, Windows Phone 7, OWA for iOS or Android
• Default enablement in some Office 365 services:
  • Exchange Online: OFF by default
  • SharePoint Online: ON by default
  • Skype for Business: OFF by default
• Enabled via PowerShell
Modern authentication must be on-boarded for some Office 365 services and environments.
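The deck states that Modern Authentication is off by default in Exchange Online and Skype for Business Online and is enabled via PowerShell. The script below is an added example, not from the slides, that checks the current state of each service and then turns the setting on. The cmdlet and property names (Get/Set-OrganizationConfig with OAuth2ClientProfileEnabled, Get/Set-CsOAuthConfiguration with ClientAdalAuthOverride) are the documented ones; the session setup assumes an admin credential and the remote PowerShell connection pattern that was in use when the deck was written.

```powershell
# Added example, not from the slides: check, then enable, Modern Authentication in the two
# services the deck lists as OFF by default. Assumes an Office 365 admin credential.
$cred = Get-Credential

# --- Exchange Online: OAuth2ClientProfileEnabled is the Modern Auth switch ---
# Remote PowerShell session as used at the time (the ExchangeOnlineManagement module's
# Connect-ExchangeOnline has since replaced this basic-auth session).
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking | Out-Null

$before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
Write-Host "Exchange Online Modern Auth before: $before"
if (-not $before) {
    # Only change the tenant setting when it is actually off.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
Write-Host "Exchange Online Modern Auth after:  $((Get-OrganizationConfig).OAuth2ClientProfileEnabled)"

# --- Skype for Business Online: ClientAdalAuthOverride = Allowed turns ADAL on ---
Import-Module SkypeOnlineConnector
$sfb = New-CsOnlineSession -Credential $cred
Import-PSSession $sfb | Out-Null

Write-Host "Skype for Business ADAL before: $((Get-CsOAuthConfiguration).ClientAdalAuthOverride)"
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Write-Host "Skype for Business ADAL after:  $((Get-CsOAuthConfiguration).ClientAdalAuthOverride)"

Remove-PSSession $exo, $sfb
```

Turning the service-side switch on does not by itself disable basic authentication: as the deck notes, a client that cannot negotiate Modern Authentication falls back to basic. After enabling, confirm that the Office 2013/2016 clients in the estate actually sign in with Modern Authentication (and that MFA prompts appear) before relying on it, and treat the unsupported clients listed above as a known gap.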
Data Loss Prevention policies identify and protect sensitive data in SharePoint Online & OneDrive for Business.
• Automatically identify and protect 80 sensitive data types (SSN, credit card #, national ID #, etc.)
• Applies to SharePoint Online
• Applies to OneDrive for Business
• Applies to files/documents
• Does not apply to list items
• Manage policies that, when sensitive data is found, can:
  • Educate users with policy tips
  • Block access
  • Alert Admins or InfoSec teams
  • Create incident reports
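The bullets above list the four actions a DLP policy can take when sensitive data is found in SharePoint Online or OneDrive for Business. As an added example, not from the slides, the script below builds one policy that does all four with the Security & Compliance Center PowerShell cmdlets (New-DlpCompliancePolicy, New-DlpComplianceRule, Set-DlpCompliancePolicy). The policy and rule names and the policy tip text are constructed; it assumes a Security & Compliance Center PowerShell session is already open with an account that can manage compliance policies.

```powershell
# Added example, not from the slides: a DLP policy for SharePoint Online and OneDrive for
# Business that tips users, blocks external access, alerts admins and generates incident
# reports. Names are constructed; assumes a Security & Compliance Center session is open.
$policyName = 'Protect US SSN - Example'

# Scope the policy to both locations the deck names. Start in test mode so policy tips
# show and incident reports arrive, but nothing is blocked until the results are reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Constructed example: SSN in SharePoint Online and OneDrive for Business' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# One rule that matches a built-in sensitive information type and applies all four actions.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization `                      # only when shared outside the org
    -BlockAccess $true `                                  # block access
    -NotifyUser Owner, LastModifier `                     # educate users with a policy tip
    -NotifyPolicyTipCustomText 'This file contains a Social Security Number and cannot be shared outside the organization.' `
    -GenerateIncidentReport SiteAdmin `                   # alert admins
    -IncidentReportContent All `                          # full incident report
    -ReportSeverityLevel High

# Review what was created, then switch from test to enforcement once the hit rate looks right.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess, NotifyUser, GenerateIncidentReport
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in TestWithNotifications is the practical safeguard: it surfaces false positives in the incident reports before any document is blocked. Note that, as the deck says, this policy only inspects files, so sensitive values typed into list items are not covered by it.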
Classification labels provide a method for users to specify retention policies on individual documents/emails.
• Click Classifications > Label Policies
• Not used by Azure Information Protection or Rights Management
• Primarily used for retention of documents and email
• Labels define a retention period
• Define what occurs when the retention period expires
Classification labels provide a method for users to specify retention policies on individual documents/emails.
• Click Classifications > Label Policies
• Define if a label is published and which services it is available to – can publish labels to:
Manage how spam and malware are blocked & quarantined by adjusting your Office 365 Mail Filtering policies.
• Default standard anti-spam policies already in place
• Manage Allow Lists by sender or domain
• Manage Block Lists by sender or domain
• Customize policies by:
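The slide above describes adjusting the default anti-spam policy and its allow and block lists. The script below is an added example, not from the slides, that does this from Exchange Online PowerShell with the documented Get/Set-HostedContentFilterPolicy and Get-QuarantineMessage cmdlets. The domains and addresses are constructed placeholders; it assumes an Exchange Online PowerShell session is already open.

```powershell
# Added example, not from the slides: inspect the default hosted content filter (anti-spam)
# policy, adjust its allow/block lists and quarantine actions, then review the quarantine.
# Domains and addresses are constructed; assumes an Exchange Online session is open.

# Show the settings that matter before touching anything.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List Name, SpamAction, HighConfidenceSpamAction, BulkThreshold,
                AllowedSenders, AllowedSenderDomains, BlockedSenders, BlockedSenderDomains

# Allow lists bypass filtering for the listed senders, so keep them short and specific
# (a trusted partner domain, not a broad public mail provider). Block lists are the
# cheap way to stop a known bad sender or domain before it reaches users.
Set-HostedContentFilterPolicy -Identity Default `
    -AllowedSenderDomains @{ Add = 'partner.example' } `
    -BlockedSenderDomains @{ Add = 'spam-sender.example' } `
    -BlockedSenders @{ Add = '[email protected]' } `
    -SpamAction MoveToJmf `                 # ordinary spam goes to the Junk Email folder
    -HighConfidenceSpamAction Quarantine    # high-confidence spam is quarantined

# Confirm the change and then look at what the quarantine is holding.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, AllowedSenderDomains, BlockedSenderDomains
Get-QuarantineMessage | Select-Object ReceivedTime, SenderAddress, Subject, Type |
    Sort-Object ReceivedTime -Descending | Select-Object -First 20
```

Reviewing the quarantine after a change is the check that tells you whether the new actions are catching the right mail; an allow-list entry that is too broad shows up as unwanted mail landing in inboxes, and a block-list entry that is too broad shows up as legitimate mail in quarantine.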
SWAT – INFORMATION SECURITY TEAM
Customers can control whether Microsoft Office 365 engineers may have access to their tenant.
• Customer must approve the access request before a Microsoft engineer gets any access to the Customer tenant
Monitor user and admin activity with machine learning to identify suspicious behavior and automatically apply security policies to protect against malicious attackers.
• Click Alerts > Manage Alerts
• Click Manage Advanced Alerts
THANK YOU