Why Trust Office 365? Office 365 Security, Privacy and Compliance.

Presentation transcript:

1

2

3

4 Why Trust Office 365?

5 Office 365 Security, Privacy and Compliance

6 Timeline (1989, 1995, 2000, 2005, 2010, 2013): Exchange Hosted Services (part of Office 365); Hotmail; SSAE-16; U.S.-EU Safe Harbor; European Union Model Clauses (EUMC); Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA); Data Processing Agreement (DPA); Active Directory; Microsoft Security Response Center (MSRC); Global Foundation Services (GFS); ISO 27001 Certification; Microsoft Security Essentials; 1st Microsoft Data Center; Trustworthy Computing Initiative (TwC); Microsoft Security Engineering Center - Security Development Lifecycle (SDL); Xbox Live; MSN; Bill Gates Memo; Windows Azure; FISMA; Windows Update; Malware Protection Center; SAS-70; Microsoft Online Services (MOS); One of the world’s largest cloud providers & datacenter/network operators; CJIS Security Policy Agreement; Bing/MSN Search; Outlook.com

7 Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats Service Capabilities Customer Controls Physical and data security with access control, encryption and strong authentication Unique customer controls with Rights Management Services to empower customers to protect information

8 Security – Service capabilities

9 Network perimeter Internal network Host Application Data Admin User Facility

10

11 Physical Security Seismic bracing 24x7 onsite security staff Days of backup power Tens of thousands of servers Perimeter security Extensive monitoring Multi-factor authentication Fire suppression

12 Internal Network External Network Physical separation Edge router security / firewalls Port scanning Perimeter vulnerability scanning

13 Zero standing permissions in the service Automated tooling for routine activities Auditing of operator access and actions Security Development Lifecycle Patching/Malware protection Office 365

14 Microsoft Corporate Network ‘Lock Box’ Process Office 365 Datacenter Network Grants least privilege required to complete task. Verify eligibility by checking if: 1. Background Check Completed 2. Fingerprinting Completed 3. Security Training Completed O365 Admin Requests Access Grants temporary Privilege

15 Account management Training, policies and awareness Background checks, screening account deletion Unique accounts Zero access privileges

16 Encryption of data in transit (server/server) File and data integrity Encryption of data in transit (client / server) Encryption of data at rest Customer data isolation Operational best practices Data protection

17 Assume Breach: War game exercises; Live site pentest; Centralized security logging & monitoring. Prevent Breach: Threat model; Code review; Security development lifecycle (SDL); Security testing. Assume breach identifies & addresses significant gaps: Detect attack & penetration; Respond to attack & penetration; Recover from data leakage or tampering. Scope ongoing live site testing of security response plans to drastically improve mean time to detection & recovery. Reduce exposure to internal attack (once inside, attackers have broad access). Periodic environment post breach assessment & clean state. Prevent Breach and Assume Breach

18 Red teaming Blue teaming Monitor emerging threats Execute post breach Insider attack simulation Assume Breach

19 Protects against – Unauthorized physical access to servers / hardware in datacenters A disk or server not getting recycled appropriately Beyond Bitlocker – ‘Fort Knox’ PC Windows server Data disk BitLocker protected Customer Environment BitLocker

20 SSL/TLS Encryption Client to Server Server to Server Data center to Data center Customer Environment PC server Client server: SSL/TLS protected Data disk Server to server: SSL/TLS protected Encryption in Transit

21 Network perimeter Internal network Host Application Data Admin User Facility

22 Network perimeter Internal network Host Application Data User Facility Threat and vulnerability management, monitoring, and response Edge routers, intrusion detection, vulnerability scanning Dual-factor authentication, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Access control and monitoring, file/data integrity, encryption Account management, training and awareness, screening Physical controls, video surveillance, access control

23

24 Data protection at rest Data Protection in motion Information can be protected with RMS at rest or in motion Data protection at rest RMS can be applied to any file type using RMS app

25 Demo

26 Digital signatures Encryption during transit and at rest Available in Q1 2014 Customer Environment Exchange Service Data disk Exchange server Data disk S/MIME protected Message Delivery S/MIME protected Message Delivery PC Domain PKI Attribute sync Message Delivery

27 BitLocker protected Send encrypted emails to anyone! All you need is an Office 365 or Microsoft Account to receive encrypted emails Customer Environment PC Exchange server Emails to external users protected with Office 365 Message Encryption Message Delivery

28 SMTP TLS Protect SMTP session to partners - Opportunistic TLS - Forced TLS Customer Environment Windows computer Exchange server Data disk SMTP to partners: TLS protected

29 Anti Spam / Anti Virus Comprehensive protection Multi-engine antimalware protects against 100% of known viruses Continuously updated anti-spam protection captures 98%+ of all inbound spam Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time Easy to use Preconfigured for ease of use Integrated administration console Granular control Mark all bulk messages as spam Block unwanted email based on language or geographic origin

30

31 User Access Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services Federation: Secure SAML token based authentication Password Synchronization: Only a one way hash of the password Enables additional authentication mechanisms: Two-Factor Authentication – including phone-based 2FA Client-Based Access Control based on devices/locations

32 Cloud Identity: Single identity in the cloud. Suitable for small organizations with no integration to on-premises directories. Directory Synchronization: Single identity suitable for medium and large organizations without federation. Federated Identity: Single federated identity and credentials suitable for medium and large organizations

33 Mobile Apps Two Factor authentication using any phone Text Messages Phone Calls Push Notification One-Time-Passcode (OTP) Token Out-of-Band Call Text One-Time Passcode (OTP) by Text

34 Type of Risk | Protection mechanisms | Implementation
Malicious or unauthorized physical access to data center / server / disks | BitLocker; Facility access restrictions to servers / datacenter | Backend control in the service
External malicious or unauthorized access to service and customer data | Zero standing access privileges; Automated operations; Auditing of all access and actions; Network level DDOS / intrusion detection and prevention; Threat management / Assume breach | Backend control in the service
Gaps in software that make the data & service vulnerable | Security Development Lifecycle (SDL) | Backend control in the service
Rogue administrators / employees in the service or data center | Zero standing access privileges; Automated operations; Auditing of all access and actions; Training; Background checks / screening; Threat management / Assume breach | Backend control implemented in the service
Microsoft Admin credentials get compromised | Multi factor authentication; Zero standing access privileges; Requires trusted computers to get onto management servers; Threat management / Assume breach | Backend control implemented in the service

35 Type of Risk | Protection mechanisms | Implementation
Encryption keys get compromised | Secure key management processes; Access to key is limited or removed for people; BYOK | Backend control in the service
Administrator’s computer gets compromised/lost | BitLocker on the computer; Remote desktop session; Zero standing access privileges; Separate credentials to login to the service | Backend control in the service
Law authorities accessing customer data | Redirect request to customer; Threat management and assume breach | Backend control in the service
Service and customer data becomes inaccessible due to an attack | Network level DDOS / intrusion detection and prevention | Backend control in the service
Malware | Anti Malware | Backend control in the service
Malfunction of software which enables unauthorized access | Security Development Lifecycle; Configuration management | Backend control in the service

36

37 Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA Contractually commit to privacy, security and handling of customer data through Data Processing Agreements Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance Service Capabilities for Global Compliance Customer controls for compliance with internal policies

38

39 SSAE/SOC ISO27001 EUMC FERPA FISMA PCI HIPAA HITECH ITAR HMG IL2 CJIS Global Europe U.S. Global U.S. UK U.S. Finance Global Europe Education Government Card Data Healthcare Defense Government Law Enforcement ISO SOC HIPAA FedRAMP FERPA HMG IL2 EUMC TC260 MLPS

40 Physical Security Security Best Practices Secure Network Layer Data Encryption Office 365 Service | Master GRC Control Sets | Certifications DLP OME SMIME RBAC RMS Account Mgmt. Incident Monitoring Data Encryption Encryption of stored data and more… Data Minimization & Retention New Cert’s and more … Access Control AUDITS

41

42 Compliance controls sensitive data through deep content analysis

43 DLP document fingerprinting Protect sensitive documents from being accidentally shared outside your organization No coding required; simply upload sample documents to create fingerprints Scan email and attachments to look for patterns that match document templates

44 Demo

45 Data Loss Prevention (DLP) Prevents Sensitive Data From Leaving Organization Provides an Alert when data such as Social Security & Credit Card Number is emailed Alerts can be customized by Admin to catch Intellectual Property from being emailed out Empower users to manage their compliance Contextual policy education Doesn’t disrupt user workflow Works even when disconnected Configurable and customizable Admin customizable text and actions Built-in templates based on common regulations Import DLP policy templates from security partners or build your own

46 Email archiving and retention Preserve Search Secondary mailbox with separate quota Managed through EAC or PowerShell Available on-premises, online, or through EOA Automated and time-based criteria Set policies at item or folder level Expiration date shown in email message Capture deleted and edited email messages Time-Based In-Place Hold Granular Query-Based In-Place Hold Optional notification Web-based eDiscovery Center and multi-mailbox search Search primary, In-Place Archive, and recoverable items Delegate through roles-based administration De-duplication after discovery Auditing to ensure controls are met In-Place Archive Governance Hold eDiscovery

47

48 We do not use your information for anything other than providing you services No Advertising Transparency Privacy controls No advertising products out of Customer Data No scanning of email or documents to build analytics or mine data Various customer controls at admin and user level to enable or regulate sharing If the customer decides to leave the service, they get to take their data and delete it in the service Access to information about geographical location of data, who has access and when Notification to customers about changes in security, privacy and audit information

49 We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two. You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want. Learn more about data portability and how we use your data. Who owns the data I put in your service? Will you use my data to build advertising products?

50 Microsoft notifies you of changes in data center locations and any changes to compliance. Core Customer Data accessed only for troubleshooting and malware prevention purposes Core Customer Data access limited to key personnel on an exception basis. How to get notified? Who accesses and What is accessed? Clear Data Maps and Geographic boundary information provided ‘Ship To’ address determines Data Center Location Where is Data Stored? At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

51 Trust and Confidence We understand customers around the world have serious questions and concerns. We take privacy seriously and provide customer data only in response to specific, targeted lawful demands.

52

53 Taking Action

54 Office 365 Trust Center (http://trust.office365.com) Customer Direct Office 365 Blog (http://blogs.office.com/)

55

56 Microsoft Online Services Customer Data 1 Usage Data Account and Address Book Data Customer Data (excluding Core Customer data) Core Customer Data Operating and Troubleshooting the Service Yes Security, Spam and Malware Prevention Yes Improving the Purchased Service, Analytics Yes No Personalization, User Profile, Promotions No Yes No Communications (Tips, Advice, Surveys, Promotions) No No/Yes No Voluntary Disclosure to Law Enforcement No Advertising 5 No We use customer data for just what they pay us for - to maintain and provide Office 365 Service Usage Data Address Book Data Customer Data (excluding Core Customer Data*) Core Customer Data Operations Response Team (limited to key personnel only) Yes. Yes, as needed. Yes, by exception. Support Organization Yes, only as required in response to Support Inquiry. No. Engineering Yes. No Direct Access. May Be Transferred During Trouble-shooting. No. Partners With customer permission. See Partner for more information. Others in Microsoft No. No (Yes for Office 365 for small business Customers for marketing purposes). No.

57 Sponsored by

58

