Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sessions about to start – Get your RIG on! Microsoft Office 365 Security, Privacy, and Compliance Overview Aaron Dinnage Ben Fletcher OSS203.

Published byBerniece Williamson Modified over 8 years ago

Similar presentations

Presentation on theme: "Sessions about to start – Get your RIG on! Microsoft Office 365 Security, Privacy, and Compliance Overview Aaron Dinnage Ben Fletcher OSS203."— Presentation transcript:

1

2 Sessions about to start – Get your RIG on!

3 Microsoft Office 365 Security, Privacy, and Compliance Overview Aaron Dinnage Ben Fletcher OSS203

4 Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com

5 It’s your data You own it, you control it We run the service for you We are accountable to you Privacy by design Continuous Compliance Built in Security

6 Encrypted Shredded Storage in SharePoint Online Microsoft Security Engineering Center - Security Development Lifecycle (SDL) Exchange Hosted Services (part of Office 365) Hotmail SSAE-16 U.S.-EU Safe Harbor European Union Model Clauses (EUMC) HIPAA BAA Active Directory Microsoft Security Response Center (MSRC) Global Foundation Services (GFS) ISO 27001 Certification Microsoft Security Essentials 1 st Microsoft Data Center Trustworthy Computing Initiative (TwC) Xbox Live MSN Bill Gates Memo Windows Azure FISMA Windows Update Malware Protection Center SAS-70 Microsoft Online Services (MOS) One of the world’s largest cloud providers & datacenter/network operators CJIS Security Policy Agreement 20052010 2013 2014 Bing/MSN Search Outlook.com Message Encryption DLP Fingerprinting Article 29 Working Committee 1989 1995 2000

7 Outsider End User Insider Secure Design Secure Code Protections against attacks Assume Breach Contain Attackers Detect Attackers Remediate Attacks Built controls DLP, Encryption, etc. Auditing

8 Customer controlsBuilt-in service capabilities Physical and data security with access control, encryption and strong authentication Unique customer controls with Rights Management Services to empower customers to protect information Security best practices like penetration testing, Defense-in-depth to protect against cyber- threats

9

10 Facility Network perimeter Internal network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Dual-factor authentication, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption

11 Perimeter security Fire Suppressio n Multi-factor authentication Extensive monitoring Seismic bracing 24x7 onsite security staff Days of backup power Tens of thousands of servers

12 Backend server and storage Front end server storage Firewall Layer of separation Edge router protection User

13

14 Request Approve Request with reason Zero standing privileges Temporary access granted Manager Just in time access High entropy passwords

15 Automatic account deletion Unique accounts Zero access privileges Security Development Cycle Annual training Background checks Screening

16 Customer data isolation Data encryption Operational best practices Data

17 Customer data isolation Customer A Designed to support logical isolation of data that multiple customers store in same physical hardware. Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units Customer B

18 Data in-transit SSL/TLS Encryption Client to Server Server to Server Data centre to Data centre Data at Rest Disks encrypted with BitLocker Encrypted shredded storage User

19 ABC D Key Store ABCD Content DB A B C D E

20

21 Wargame exercises Red teaming Blue teaming Monitor emerging threats Execute post breach Insider attack simulation

22 Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Dual-factor authentication, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption Physical Layer Logical Layer Data Layer

23

24 Data protection at rest Data Protection in motion Information can be protected with RMS at rest or in motion Data protection at rest RMS can be applied to any file type using RMS app

25 S/MIME Office 365 Message Encryption Transport Layer Security Exchange server Data disk Exchange server Data disk S/MIME protected Message Delivery User Office 365 Message Encryption SMTP to partners: TLS protected Encryption features

26 Comprehensive protection Easy to use Granular control Multi-engine antimalware protects against 100% of known viruses Continuously updated anti-spam protection captures 98%+ of all inbound spam Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time Preconfigured for ease of use Integrated administration console Mark all bulk messages as spam Block unwanted email based on language or geographic origin

27 Identity Management Federation Password Hash Sync 2FA

28 Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services Federation: Secure SAML token based authentication Password Synchronization: Only a one way hash of the password will be synchronized to the cloud such that the original password cannot be reconstructed from it. Enables additional authentication mechanisms: Two-Factor Authentication – including phone-based 2FA Client-Based Access Control based on devices/locations Role-Based Access Control Single federated identity and credentials suitable for medium and large organizations

29 Mobile AppsText MessagesPhone Calls Push Notification One-Time-Passcode (OTP) Token Out-of-Band Call Text One-Time Passcode (OTP) by Text

30 What does compliance mean to customers? What standards do we meet? What is regulatory compliance and organizational compliance?

31 Compliance Commitment to industry standards and organizational compliance Built-in capabilities for global compliance Customer controls for compliance with internal policies Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA Contractually commit to privacy, security and handling of customer data through Data Processing Agreements Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

32 What customer issues does this address? Independent verification Regulatory compliance Peace of mind

33 SSAE/SOC ISO27001 EUMC FERPA FISMA HIPAA HITECH ITAR HMG IL2 CJIS Global Europe U.S. UK U.S. Finance Global Europe Education Government Healthcare Defense Government Law Enforcement ISO SOC HIPAAFedRAMPFERPA HMG IL2 EUMC TC260 MLPS

34 Physical Security Security Best Practices Secure Network Layer Data Encryption Office 365 Service | Master GRC Control Sets | Certifications DLP OME SMIME RBAC RMS New Cert’s and more… Account Mgmt. Incident Monitoring Data Encryption Encryption of stored data and more… Data Minimization & Retention Access Control Office 365 Services Audits Office 365 has over 950 controls Today! Built-in Capabilities Customer Controls

35

36 Helps to identify monitor protect Sensitive data through deep content analysis Identify Protect Monitor End user education

37 Prevents sensitive data from leaving organization Provides an Alert when data such as Social Security & Credit Card Number is emailed. Alerts can be customized by Admin to catch Intellectual Property from being emailed out. Empower users to manage their compliance Contextual policy education Doesn’t disrupt user workflow Works even when disconnected Configurable and customizable Admin customizable text and actions Built-in templates based on common regulations Import DLP policy templates from security partners or build your own

38 Protect sensitive documents from being accidently shared outside your organization No coding required; simply upload sample documents to create fingerprints Scan email and attachments to look for patterns that match document templates

39 Preserve Search Secondary mailbox with separate quota Managed through EAC or PowerShell Available on-premises, online, or through EOA Automated and time- based criteria Set policies at item or folder level Expiration date shown in email message Capture deleted and edited email messages Time-Based In-Place Hold Granular Query-Based In-Place Hold Optional notification Web-based eDiscovery Center and multi-mailbox search Search primary, In-Place Archive, and recoverable items Delegate through roles-based administration De-duplication after discovery Auditing to ensure controls are met In-Place Archive Governance Hold eDiscovery

40 Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com

41 Privacy by design means that we do not use your information for anything other than providing you services No AdvertisingTransparency Privacy controls No advertising products out of Customer Data No scanning of email or documents to build analytics or mine data Various customer controls at admin and user level to enable or regulate sharing If the customer decides to leave the service, they get to take to take their data and delete it in the service Access to information about geographical location of data, who has access and when Notification to customers about changes in security, privacy and audit information

42 We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two. Who owns the data I put in your service? Will you use my data to build advertising products? You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.

43 Microsoft notifies you of changes in data center locations and any changes to compliance. Core Customer Data accessed only for troubleshooting and malware prevention purposes Core Customer Data access limited to key personnel on an exception basis. How to get notified? Who accesses and What is accessed? Clear Data Maps and Geographic boundary information provided ‘Ship To’ address determines Data Center Location Where is Data Stored? At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

44 Microsoft Online Services Customer DataUsage Data Account and Address Book Data Customer Data (excluding Core Customer data) Core Customer Data Operating and Troubleshooting the ServiceYes Security, Spam and Malware PreventionYes Improving the Purchased Service, AnalyticsYes No Personalization, User Profile, PromotionsNoYesNo Communications (Tips, Advice, Surveys, Promotions)NoNo/YesNo Voluntary Disclosure to Law EnforcementNo AdvertisingNo We use customer data for just what they pay us for - to maintain and provide Office 365 Service Usage DataAddress Book Data Customer Data (excluding Core Customer Data) Core Customer Data Operations Response Team (limited to key personnel) YesYes, as needed Yes, by exception Support Organization Yes, only as required in response to Support Inquiry No Engineering Yes No Direct Access. May Be Transferred During Trouble-shooting No Partners With customer permission. See Partner for more information Others in Microsoft No No (Yes for Office 365 for small business Customers for marketing purposes) No

45

46 Type of RiskProtection mechanisms Malicious or unauthorized physical access to data center / server / disks BitLocker Facility access restrictions to servers/ datacenter External malicious or unauthorized access to service and customer data Zero standing access privileges Automated operations Auditing of all access and actions Network level DDOS / intrusion detection and prevention Threat management / Assume breach Gaps in software that make the data & service to be vulnerable Security Development Lifecycle (SDL) Rogue administrators / employees in the service or data center Zero standing access privileges Automated operations, Auditing of all access and actions Training Background checks / screening Threat management / Assume breach Microsoft Admin credentials get compromised Multi factor authentication Zero standing access privileges Requires trusted computers to get onto management servers Threat management / Assume breach

47 Type of RiskProtection mechanisms Encryption keys get compromisedSecure key management processes Access to key is limited or removed for people BYOK Administrator’s computer gets compromised/lost BitLocker on the computer Remote desktop session Zero standing access privileges Separate credentials to login to the service Law authorities accessing customer dataRedirect request to customer Threat management and assume breach Service and customer data becomes inaccessible due to an attack. Network level DDOS / intrusion detection and prevention MalwareAnti Malware Malfunction of software which enables unauthorized access Security Development Lifecycle Configuration management

48 Type of RiskProtection mechanisms Interception of email to partners over Internet SMTP session to partners could be protected using opportunistic or forced TLS Interception of client / server communicationSSL / TLS is implemented in all workloads. Interception of communication between datacenters or between servers Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks. Interception or access of content in transit or at rest by other people Rights Management could be applied to the content. Interception of email in transit or rest between users within organization S/MIME could be implemented and applied to emails Interception of email in transit and rest to an external user* Office 365 Message Encryption may be applied to messages

49

50

51 Please complete your session/speaker evaluation Go to: aka.ms/mytechedsyd

52 Q&A

Download ppt "Sessions about to start – Get your RIG on! Microsoft Office 365 Security, Privacy, and Compliance Overview Aaron Dinnage Ben Fletcher OSS203."

Similar presentations

Common Question Who can benefit from Cloud? Every enterprise today can benefit from Cloud.

Common Question Who can benefit from Cloud? Every enterprise today can benefit from Cloud.
How do I handle major objections to Office 365?

How do I handle major objections to Office 365?
Provide a platform built on security, privacy, and trust Maintain an evergreen service Offer highly configurable and scalable services.

Provide a platform built on security, privacy, and trust Maintain an evergreen service Offer highly configurable and scalable services.
Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.

Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.
“ “ Accidental email with attachment exposed hundreds of individuals’ names and Social Security Numbers… “ “

“ “ Accidental with attachment exposed hundreds of individuals’ names and Social Security Numbers… “ “
Security Controls – What Works

Security Controls – What Works
Optimize for Software + Services E-mail ArchivingE-mail Archiving Protect CommunicationsProtect Communications Advanced SecurityAdvanced Security Manage.

Optimize for Software + Services Archiving Archiving Protect CommunicationsProtect Communications Advanced SecurityAdvanced Security Manage.
Respond to customer feedback through agile development Deliver new features and valueTrust and compliance Cloud value Continuous innovation with confidence.

Respond to customer feedback through agile development Deliver new features and valueTrust and compliance Cloud value Continuous innovation with confidence.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Pre-adoption concern 60% cited concerns around data security as a barrier to adoption 45% concerned that the cloud would result in a lack of data control.

Pre-adoption concern 60% cited concerns around data security as a barrier to adoption 45% concerned that the cloud would result in a lack of data control.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Version 2.0 for Office 365. Day 1 Administering Office 365 Day 2 Administering Exchange Online Office 365 Overview & InfrastructureLync Online Administration.

Version 2.0 for Office 365. Day 1 Administering Office 365 Day 2 Administering Exchange Online Office 365 Overview & InfrastructureLync Online Administration.
Security Best-in-class security with over a decade of experience building Enterprise software & Online services Physical and data security with.

Security Best-in-class security with over a decade of experience building Enterprise software & Online services Physical and data security with.
Why Compliance Legal and Regulatory requirements Organizational governance requests Internal and external threats Today’s Challenges Duplicate solutions.

Why Compliance Legal and Regulatory requirements Organizational governance requests Internal and external threats Today’s Challenges Duplicate solutions.
Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.

Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.
Network security policy: best practices

Network security policy: best practices
Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com.

Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks
OSP214. SECURITY PRIVACY RELIABILITY & SERVICE CONTINUITY COMPLIANCE.

OSP214. SECURITY PRIVACY RELIABILITY & SERVICE CONTINUITY COMPLIANCE.
Welcome to the Exchange 2013 Webcast Archiving, eDiscovery, & Data Loss Prevention.

Welcome to the Exchange 2013 Webcast Archiving, eDiscovery, & Data Loss Prevention.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Similar presentations

Ads by Google