Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com.

Presentation transcript:

Office 365 Trust Center: answers key questions of Security and Compliance Officers; dynamic, engaging content that is refreshed every two weeks.

It’s your data: you own it, you control it. We run the service for you. We are accountable to you.

Today’s Security Landscape: social media giants (Facebook, LinkedIn, among others) get hacked… repeatedly.

Microsoft experience and credentials (timeline slide; labels as shown): Bill Gates Memo; Trustworthy Computing Initiative (TwC); 1st Microsoft Data Center; Microsoft Security Engineering Center - Security Development Lifecycle (SDL); Microsoft Security Response Center (MSRC); Global Foundation Services (GFS); Windows Update; Malware Protection Center; Microsoft Security Essentials; Active Directory; Hotmail; MSN; Bing/MSN Search; Xbox Live; Outlook.com; Exchange Hosted Services (part of Office 365); Microsoft Online Services (MOS); Windows Azure; Encrypted Shredded Storage in SharePoint Online; Message Encryption; DLP Fingerprinting; SAS-70; SSAE-16; ISO Certification; FISMA; HIPAA BAA; U.S.-EU Safe Harbor; European Union Model Clauses (EUMC); Article 29 Working Committee; CJIS Security Policy Agreement; one of the world’s largest cloud providers and datacenter/network operators.

Making Sense of Threats
- Threat sources: Outsider, End User, Insider
- Secure Design and Secure Code: protections against attacks
- Assume Breach: contain attackers, detect attackers, remediate attacks
- Built-in controls: DLP, encryption, etc.; auditing

Customer controls and built-in service capabilities. Security best practices like penetration testing and defense-in-depth protect against cyber-threats.

Defense-in-depth layers and their controls:
- Facility: physical controls, video surveillance, access control
- Network perimeter: edge routers, firewalls, intrusion detection, vulnerability scanning
- Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
- Host: access control and monitoring, anti-malware, patch and configuration management
- Application: secure engineering (SDL), access control and monitoring, anti-malware
- Admin: account management, training and awareness, screening
- Data: threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Physical Security: perimeter security; fire suppression; multi-factor authentication; extensive monitoring; seismic bracing; 24x7 onsite security staff; days of backup power; tens of thousands of servers.

Network diagram (labels as shown): User; edge router protection; firewall; front end server and storage; layer of separation; backend server and storage.

Just in time access (diagram): an engineer submits a request with a reason, a manager approves it, and temporary access is granted. Zero standing privileges; high entropy passwords.

Administrators: unique accounts; zero access privileges; automatic account deletion; Security Development Cycle; annual training; background checks; screening.

Data: customer data isolation; data encryption; operational best practices.

Customer data isolation (diagram: Customer A, Customer B): designed to support logical isolation of data that multiple customers store on the same physical hardware. Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.

Data at rest: disks encrypted with BitLocker; encrypted shredded storage. Data in transit: SSL/TLS encryption, client to server, server to server, and data center to data center. User encryption.

Encrypted Shredded Storage (diagram labels as shown): Key Store; Content DB; shreds A, B, C, D, E.

Assume Breach: wargame exercises; red teaming; blue teaming; monitor emerging threats; execute post breach; insider attack simulation.

Demo

Information can be protected with RMS at rest or in motion. Data protection at rest: RMS can be applied to any file type using the RMS app. Data protection in motion.

Encryption features (diagram labels as shown): S/MIME; Office 365 Message Encryption; Transport Layer Security; Exchange server; data disk; S/MIME protected message delivery; user; SMTP to partners: TLS protected.

Multi-engine antimalware protects against 100% of known viruses. Continuously updated anti-spam protection captures 98%+ of all inbound spam. Advanced fingerprinting technologies identify and stop new spam and phishing vectors in real time. Preconfigured for ease of use; integrated administration console; mark all bulk messages as spam; block unwanted email based on language or geographic origin.

Identity Management: federation; password sync; 2FA.

User Access
- Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
- Federation: secure SAML token based authentication
- Password Synchronization: only a one-way hash of the password is synchronized to the cloud, so the original password cannot be reconstructed from it
- Enables additional authentication mechanisms: Two-Factor Authentication (including phone-based 2FA); client-based access control based on devices/locations; role-based access control
- Single federated identity and credentials suitable for medium and large organizations

Enterprise authentication using any phone. Mobile apps: push notification; One-Time-Passcode (OTP) token. Phone calls: out-of-band* call. Text messages: One-Time Passcode (OTP) by text. *Out of band refers to being able to use a second factor with no modification to the existing app UX.

What does compliance mean to customers? What standards do we meet? What is regulatory compliance and organizational compliance?

Compliance
- Commitment to industry standards and organizational compliance
- Built-in capabilities for global compliance
- Customer controls for compliance with internal policies
- Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
- Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
- Admin controls like Data Loss Prevention, Archiving and eDiscovery to enable organizational compliance

What customer issues does this address? Independent verification; regulatory compliance; peace of mind.

Standards & Certifications (labels as shown): SSAE/SOC, ISO27001, EUMC, FERPA, FISMA, HIPAA, HITECH, ITAR, HMG IL2, CJIS. Regions and sectors shown: Global, Europe, U.S., UK; Finance, Education, Government, Healthcare, Defense, Law Enforcement. Also shown: ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS.

How do Office 365 controls meet compliance? Office 365 Service | Master GRC Control Sets | Certifications. Built-in capabilities: physical security, security best practices, secure network layer, data encryption, account management, incident monitoring, encryption of stored data, data minimization and retention, access control, Office 365 services audits, and more. Customer controls: DLP, OME, S/MIME, RBAC, RMS, and more. New certifications. Office 365 has over 950 controls today!

Compliance controls help to identify, monitor and protect sensitive data through deep content analysis: identify, protect, monitor, end user education.

Data Loss Prevention (DLP)
- Prevents sensitive data from leaving the organization
- Provides an alert when data such as Social Security and credit card numbers is emailed; alerts can be customized by the admin to catch intellectual property being emailed out
- Empowers users to manage their compliance: contextual policy education; doesn’t disrupt user workflow; works even when disconnected
- Configurable and customizable: admin-customizable text and actions; built-in templates based on common regulations; import DLP policy templates from security partners or build your own

Protect sensitive documents from being accidentally shared outside your organization. No coding required; simply upload sample documents to create fingerprints. Scan email and attachments to look for patterns that match document templates.
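The DLP behaviour described above (detect Social Security and credit card numbers in outbound mail, alert with an admin-customizable policy tip) as an added, self-contained example; this is not Office 365's own engine or code. The tenant domain, policy tip and sample messages are constructed, and the credit card check combines a number-shape regex with the Luhn checksum so that order or phone numbers do not trigger false alerts.

```python
import re

# Hypothetical tenant domain and admin-customisable policy tip (constructed values,
# not Office 365 defaults): mail to any other domain counts as leaving the organisation.
INTERNAL_DOMAIN = "contoso.example"
POLICY_TIP = "This message appears to contain sensitive data. Remove it or justify sending."

# 13-19 digits with optional single space/dash separators (card-number shape);
# SSN shape: AAA-GG-SSSS, excluding the area/group/serial values that are never issued.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order numbers, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {type: count} for credit-card numbers and SSNs found in text."""
    hits = {}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # shape alone is not enough; the checksum must pass
            hits["credit_card"] = hits.get("credit_card", 0) + 1
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        hits["ssn"] = ssn_count
    return hits


def evaluate(message: dict) -> dict:
    """Apply the policy: sensitive data plus an external recipient raises an alert."""
    hits = find_sensitive(message["subject"] + "\n" + message["body"])
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if hits and external:
        return {"action": "Alert", "found": hits, "external": external, "tip": POLICY_TIP}
    return {"action": "Allow", "found": hits, "external": external, "tip": None}


# Constructed sample messages (not real mail). The first card number is a well-known
# test number that passes Luhn; the second differs in its last digit and fails it.
SAMPLE_MESSAGES = [
    {"subject": "Invoice", "to": ["partner@fabrikam.example"],
     "body": "Card on file: 4111 1111 1111 1111, expires 12/27."},
    {"subject": "Onboarding", "to": ["hr@contoso.example"],
     "body": "New hire SSN 123-45-6789 for payroll."},
    {"subject": "Order status", "to": ["customer@fabrikam.example"],
     "body": "Your order 4111 1111 1111 1112 shipped; call 555-123-4567."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = evaluate(msg)
        print(msg["subject"], "->", result["action"], result["found"])
```

The second message carries an SSN but stays internal, so it is allowed without an alert; a production policy would typically log that match as well.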

Email archiving and retention
- In-Place Archive: secondary mailbox with separate quota; managed through EAC or PowerShell; available on-premises, online, or through EOA
- Governance (preserve): automated and time-based criteria; set policies at item or folder level; expiration date shown in message
- Hold: capture deleted and edited messages; time-based In-Place Hold; granular query-based In-Place Hold; optional notification
- eDiscovery (search): web-based eDiscovery Center and multi-mailbox search; search primary, In-Place Archive, and recoverable items; delegate through roles-based administration; de-duplication after discovery; auditing to ensure controls are met

Privacy: privacy by design means that we do not use your information for anything other than providing you services.
- No advertising: no advertising products built out of customer data; no scanning of email or documents to build analytics or mine data
- Privacy controls: various customer controls at admin and user level to enable or regulate sharing; if the customer decides to leave the service, they get to take their data and delete it in the service
- Transparency: access to information about the geographical location of data, who has access and when; notification to customers about changes in security, privacy and audit information

Resources: answers key questions of Security and Compliance Officers; dynamic, engaging content that is refreshed every two weeks.

Type of risk and protection mechanisms
- Malicious or unauthorized physical access to data center / server / disks: BitLocker; facility access restrictions to servers/datacenter
- External malicious or unauthorized access to service and customer data: zero standing access privileges; automated operations; auditing of all access and actions; network-level DDoS / intrusion detection and prevention; threat management / assume breach
- Gaps in software that make the data and service vulnerable: Security Development Lifecycle (SDL)
- Rogue administrators / employees in the service or data center: zero standing access privileges; automated operations; auditing of all access and actions; training; background checks / screening; threat management / assume breach
- Microsoft admin credentials get compromised: multi-factor authentication; zero standing access privileges; trusted computers required to get onto management servers; threat management / assume breach

Security – key risks (type of risk and protection mechanisms)
- Encryption keys get compromised: secure key management processes; access to keys is limited or removed for people; BYOK
- Administrator’s computer gets compromised/lost: BitLocker on the computer; remote desktop session; zero standing access privileges; separate credentials to log in to the service
- Law authorities accessing customer data: redirect the request to the customer; threat management and assume breach
- Service and customer data becomes inaccessible due to an attack: network-level DDoS / intrusion detection and prevention
- Malware: anti-malware
- Malfunction of software which enables unauthorized access: Security Development Lifecycle; configuration management

Security – key risks (type of risk and protection mechanisms)
- Interception of email to partners over the Internet*: the SMTP session to partners can be protected using opportunistic or forced TLS
- Interception of client / server communication: SSL / TLS is implemented in all workloads
- Interception of communication between datacenters or between servers: Office 365 applications use SSL / TLS to secure various server-to-server communication; all communication is on Microsoft-owned networks
- Interception or access of content in transit or at rest by other people**: Rights Management can be applied to the content
- Interception of email in transit or at rest between users within the organization*: S/MIME can be implemented and applied to emails
- Interception of email in transit and at rest to an external user*: Office 365 Message Encryption may be applied to messages

No Advertising: we do not mine your data for advertising purposes. It is our policy not to use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.
Who owns the data I put in your service? Will you use my data to build advertising products? You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you whenever you want. Learn more about data portability and how we use your data.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer.
- How do I get notified? Microsoft notifies you of changes in data center locations and any changes to compliance.
- Who accesses, and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes; Core Customer Data access is limited to key personnel on an exception basis.
- Where is data stored? Clear data maps and geographic boundary information are provided; the ‘Ship To’ address determines the data center location.

How is the privacy of data protected?
Microsoft Online Services customer data categories: Usage Data; Account and Address Book Data; Customer Data (excluding Core Customer Data); Core Customer Data.
Uses (values as shown on the slide, left to right across those categories):
- Operating and troubleshooting the service: Yes
- Security, spam and malware prevention: Yes
- Improving the purchased service, analytics: Yes / No
- Personalization, user profile, promotions: No / Yes / No
- Communications (tips, advice, surveys, promotions): No / No/Yes / No
- Voluntary disclosure to law enforcement: No
- Advertising: No
We use customer data for just what customers pay us for: to maintain and provide the Office 365 service.
Who has access (Usage Data; Address Book Data; Customer Data excluding Core Customer Data*; Core Customer Data):
- Operations Response Team (limited to key personnel only): Yes. / Yes, as needed. / Yes, by exception.
- Support Organization: Yes, only as required in response to a support inquiry. / No.
- Engineering: Yes. / No direct access; may be transferred during troubleshooting. / No.
- Partners: With customer permission. See partner for more information.
- Others in Microsoft: No. / No (Yes for Office 365 for small business customers, for marketing purposes). / No.