
Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com.


Presentation transcript:


3 Office 365 Trust Center Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com

4 It’s your data You own it, you control it We run the service for you We are accountable to you

5 Today’s Security Landscape Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.

6 Microsoft experience and credentials (timeline 1989, 1995, 2000, 2005, 2010, 2013, 2014): Article 29 Working Committee, Encrypted Shredded Storage in SharePoint Online, Microsoft Security Engineering Center - Security Development Lifecycle (SDL), Exchange Hosted Services (part of Office 365), Hotmail, SSAE-16, U.S.-EU Safe Harbor, European Union Model Clauses (EUMC), HIPAA BAA, Active Directory, Microsoft Security Response Center (MSRC), Global Foundation Services (GFS), ISO 27001 Certification, Microsoft Security Essentials, 1st Microsoft Data Center, Trustworthy Computing Initiative (TwC), Xbox Live, MSN, Bill Gates Memo, Windows Azure, FISMA, Windows Update, Malware Protection Center, SAS-70, Microsoft Online Services (MOS), one of the world’s largest cloud providers & datacenter/network operators, CJIS Security Policy Agreement, Bing/MSN Search, Outlook.com, Message Encryption, DLP Fingerprinting

7 Making Sense of Threats Outsider End User Insider Secure Design Secure Code Protections against attacks Assume Breach Contain Attackers Detect Attackers Remediate Attacks Built controls DLP, Encryption, etc. Auditing

8 Customer controls / Built-in service capabilities: Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats


10 Defense in depth, layer by layer:
Facility: Physical controls, video surveillance, access control
Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
Host: Access control and monitoring, anti-malware, patch and configuration management
Application: Secure engineering (SDL), access control and monitoring, anti-malware
Admin: Account management, training and awareness, screening
Data: Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption


12 Physical Security: Perimeter security, Fire Suppression, Multi-factor authentication, Extensive monitoring, Seismic bracing, 24x7 onsite security staff, Days of backup power, Tens of thousands of servers

13 Backend server and storage Front end server storage Firewall Layer of separation Edge router protection User


15 Just in time access: Request with reason, Manager approves the request, Temporary access granted. Zero standing privileges. High entropy passwords.
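The request, approve and expire cycle on this slide, as an added example (not Microsoft's code; the four-hour policy limit, the manager-approval rule and the audit line format are assumptions):

```go
package main

import (
	"errors"
	"time"
)
// maxGrant is a constructed policy value; the slide says access is temporary but gives no duration.
const maxGrant = 4 * time.Hour
// Grant is a time-boxed elevation approved by a named manager; between grants the account holds nothing.
type Grant struct {
	ApprovedBy string
	Expires    time.Time
}
// AccessControl is the management plane's view: live grants plus an audit line for every decision.
type AccessControl struct {
	grants map[string]Grant
	Audit  []string
}
func NewAccessControl() *AccessControl { return &AccessControl{grants: map[string]Grant{}} }

// Approve is the request/approve step; self-approval, a missing reason and a duration beyond policy are refused.
func (ac *AccessControl) Approve(requester, reason, manager string, d time.Duration, now time.Time) error {
	var err error
	switch {
	case reason == "":
		err = errors.New("reason required")
	case manager == requester:
		err = errors.New("self-approval not allowed")
	case d <= 0 || d > maxGrant:
		err = errors.New("duration outside policy")
	}
	if err != nil {
		ac.Audit = append(ac.Audit, "DENIED "+requester+" by "+manager+": "+err.Error())
		return err
	}
	ac.grants[requester] = Grant{manager, now.Add(d)}
	ac.Audit = append(ac.Audit, "GRANTED "+requester+" by "+manager+" ("+reason+") until "+now.Add(d).Format(time.RFC3339))
	return nil
}

// HasAccess is checked before every privileged action; an expired grant is removed on sight so nothing lingers.
func (ac *AccessControl) HasAccess(user string, now time.Time) bool {
	g, ok := ac.grants[user]
	if ok && !now.Before(g.Expires) {
		delete(ac.grants, user)
		ac.Audit = append(ac.Audit, "EXPIRED "+user)
		return false
	}
	return ok
}
```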

16 Administrators Automatic account deletion Unique accounts Zero access privileges Security Development Cycle Annual training Background checks Screening

17 Data Customer data isolation Data encryption Operational best practices

18 Customer data isolation (Customer A / Customer B): Designed to support logical isolation of data that multiple customers store in the same physical hardware. Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.

19 Data at Rest Disks encrypted with Bitlocker Encrypted shredded storage Data in-transit SSL/TLS Encryption Client to Server Server to Server Data center to Data center User Encryption

20 Encrypted Shredded Storage (diagram: content chunks A, B, C, D; Key Store; Content DB)
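An added example of the key-store / content-DB split sketched on this slide, not SharePoint's implementation; the chunk size, the 32-byte per-chunk AES-GCM keys and the two in-memory maps are assumptions:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// aeadFor turns a chunk key into AES-256-GCM; a nil key (one the key store no longer holds) fails here.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Store shreds doc into chunkSize pieces, each sealed under its own fresh random key; keys (the key store) and blobs (the content DB) are separate maps, so a copy of blobs alone reveals nothing.
func Store(keys, blobs map[int][]byte, doc []byte, chunkSize int) int {
	n := 0
	for off := 0; off < len(doc); off += chunkSize {
		end := off + chunkSize
		if end > len(doc) {
			end = len(doc)
		}
		key := make([]byte, 32)
		rand.Read(key)
		aead, _ := aeadFor(key) // cannot fail for a 32-byte key
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce)
		keys[n], blobs[n] = key, aead.Seal(nonce, nonce, doc[off:end], nil) // nonce is prepended
		n++
	}
	return n
}
// Retrieve reassembles n chunks; deleting one chunk's key from the key store makes that chunk unreadable even though its ciphertext is still sitting in the content DB.
func Retrieve(keys, blobs map[int][]byte, n int) ([]byte, error) {
	var out []byte
	for i := 0; i < n; i++ {
		aead, err := aeadFor(keys[i])
		if err != nil {
			return nil, err // no usable key for this chunk
		}
		ns := aead.NonceSize()
		plain, err := aead.Open(nil, blobs[i][:ns], blobs[i][ns:], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, plain...)
	}
	return out, nil
}
```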


22 Assume Breach Wargame exercises Red teaming Blue teaming Monitor emerging threats Execute post breach Insider attack simulation

23 Demo

24 Defense in depth recap:
Physical controls, video surveillance, access control
Edge routers, firewalls, intrusion detection, vulnerability scanning
Dual-factor authentication, intrusion detection, vulnerability scanning
Access control and monitoring, anti-malware, patch and configuration management
Secure engineering (SDL), access control and monitoring, anti-malware
Account management, training and awareness, screening
Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption


26 Data protection at rest Data Protection in motion Information can be protected with RMS at rest or in motion Data protection at rest RMS can be applied to any file type using RMS app

27 S/MIME Office 365 Message Encryption Transport Layer Security Exchange server Data disk Exchange server Data disk S/MIME protected Message Delivery User Office 365 Message Encryption SMTP to partners: TLS protected Encryption features

28 Multi-engine antimalware protects against 100% of known viruses Continuously updated anti-spam protection captures 98%+ of all inbound spam Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time Preconfigured for ease of use Integrated administration console Mark all bulk messages as spam Block unwanted email based on language or geographic origin

29 Identity Management Federation Password Sync 2FA

30 User Access Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services Federation: Secure SAML token based authentication Password Synchronization: Only a one way hash of the password will be synchronized to the cloud such that the original password cannot be reconstructed from it. Enables additional authentication mechanisms: Two-Factor Authentication – including phone-based 2FA Client-Based Access Control based on devices/locations Role-Based Access Control Single federated identity and credentials suitable for medium and large organizations

31 Mobile Apps: Enterprise authentication using any phone. Text Messages, Phone Calls, Push Notification, One-Time-Passcode (OTP) Token, Out-of-Band* Call, Text One-Time Passcode (OTP) by Text. *Out of band refers to being able to use a second factor with no modification to the existing app UX.

32 What does compliance mean to customers? What standards do we meet? What is regulatory compliance and organizational compliance?

33 Compliance Commitment to industry standards and organizational compliance Built-in capabilities for global compliance Customer controls for compliance with internal policies Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA Contractually commit to privacy, security and handling of customer data through Data Processing Agreements Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

34 What customer issues does this address? Independent verification, Regulatory compliance, Peace of mind

35 Standards & Certifications: SSAE/SOC, ISO27001, EUMC, FERPA, FISMA, HIPAA HITECH, ITAR, HMG IL2, CJIS. Regions and sectors: Global, Europe, U.S., UK, U.S. Finance, Global, Europe, Education, Government, Healthcare, Defense, Government, Law Enforcement. ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260, MLPS

36 How do Office 365 Controls meet Compliance? Physical Security, Security Best Practices, Secure Network Layer, Data Encryption. Office 365 Service | Master GRC Control Sets | Certifications. DLP, OME, S/MIME, RBAC, RMS, New Certs and more… Account Mgmt., Incident Monitoring, Data Encryption, Encryption of stored data and more… Data Minimization & Retention, Access Control, Office 365 Services Audits. Office 365 has over 950 controls today! Built-in Capabilities, Customer Controls


38 Compliance controls: Helps to identify, monitor and protect sensitive data through deep content analysis. Identify, Protect, Monitor, End user education

39 Data Loss Prevention (DLP) Prevents sensitive data from leaving organization Provides an Alert when data such as Social Security & Credit Card Number is emailed. Alerts can be customized by Admin to catch Intellectual Property from being emailed out. Empower users to manage their compliance Contextual policy education Doesn’t disrupt user workflow Works even when disconnected Configurable and customizable Admin customizable text and actions Built-in templates based on common regulations Import DLP policy templates from security partners or build your own
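An added example of the kind of check a DLP rule runs over an outbound message, not Microsoft's rule set; the two patterns, the Luhn filter and the redaction format are assumptions:

```go
package main

import "regexp"

// Constructed patterns, not Microsoft's DLP rule definitions: a dashed US SSN and a card number
// of 13 to 16 digits that may be separated by single spaces or dashes.
var (
	ssnRe  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,15}\b`)
)
// luhnValid is the checksum every payment card number satisfies; it screens out the many
// 16-digit strings (order IDs, tracking numbers) that would otherwise raise false alerts.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			continue // skip separators
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}
// Finding is one DLP alert: the rule that fired and the match, redacted so the admin alert
// does not itself leak the sensitive value.
type Finding struct{ Rule, Redacted string }

func redact(m string) string { return "****" + m[len(m)-4:] }
// ScanMessage runs the rules over an outbound message body and returns every alert;
// no findings means the message may leave the organization unchanged.
func ScanMessage(body string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllString(body, -1) {
		out = append(out, Finding{"US-SSN", redact(m)})
	}
	for _, m := range cardRe.FindAllString(body, -1) {
		if luhnValid(m) {
			out = append(out, Finding{"CreditCard", redact(m)})
		}
	}
	return out
}
```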

40 Protect sensitive documents from being accidentally shared outside your organization. No coding required; simply upload sample documents to create fingerprints. Scan email and attachments to look for patterns that match document templates.
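An added example of document fingerprinting as described on this slide, not Microsoft's algorithm; the word-shingle size, the SHA-256 hashing and the containment score are assumptions:

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"strings"
	"unicode"
)

// shingleWords is a constructed parameter: how many consecutive words form one hashed shingle.
const shingleWords = 4

// Fingerprint is the set of hashed word windows taken from a sample document; the sample text
// itself is not retained, only the hashes.
type Fingerprint map[uint64]struct{}

// tokens lower-cases the text and splits on anything that is not a letter or digit.
func tokens(text string) []string {
	return strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// NewFingerprint is the "upload a sample document" step: every window of shingleWords words is hashed.
func NewFingerprint(sample string) Fingerprint {
	fp := Fingerprint{}
	words := tokens(sample)
	for i := 0; i+shingleWords <= len(words); i++ {
		h := sha256.Sum256([]byte(strings.Join(words[i:i+shingleWords], " ")))
		fp[binary.BigEndian.Uint64(h[:8])] = struct{}{}
	}
	return fp
}

// Match returns the fraction of the template's shingles that also occur in text. Filled-in
// fields break only the windows that span them, so a completed form still scores high while
// unrelated mail scores near zero; the admin picks the threshold that triggers the policy.
func (fp Fingerprint) Match(text string) float64 {
	if len(fp) == 0 {
		return 0
	}
	hits := 0
	for k := range NewFingerprint(text) {
		if _, ok := fp[k]; ok {
			hits++
		}
	}
	return float64(hits) / float64(len(fp))
}
```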

41 Email archiving and retention: Preserve, Search
In-Place Archive: Secondary mailbox with separate quota. Managed through EAC or PowerShell. Available on-premises, online, or through EOA.
Governance: Automated and time-based criteria. Set policies at item or folder level. Expiration date shown in email message.
Hold: Capture deleted and edited email messages. Time-Based In-Place Hold. Granular Query-Based In-Place Hold. Optional notification.
eDiscovery: Web-based eDiscovery Center and multi-mailbox search. Search primary, In-Place Archive, and recoverable items. Delegate through roles-based administration. De-duplication after discovery. Auditing to ensure controls are met.

42 Privacy: Privacy by design means that we do not use your information for anything other than providing you services. No Advertising, Transparency, Privacy controls. No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data. Various customer controls at admin and user level to enable or regulate sharing. If the customer decides to leave the service, they get to take their data and delete it in the service. Access to information about geographical location of data, who has access and when. Notification to customers about changes in security, privacy and audit information.

43 Resources Answer key questions of Security Compliance Officers Dynamic engaging content that is refreshed every two weeks www.trust.office365.com


45 Type of Risk / Protection mechanisms
Malicious or unauthorized physical access to data center / server / disks: BitLocker; Facility access restrictions to servers/datacenter
External malicious or unauthorized access to service and customer data: Zero standing access privileges; Automated operations; Auditing of all access and actions; Network level DDOS / intrusion detection and prevention; Threat management / Assume breach
Gaps in software that make the data & service vulnerable: Security Development Lifecycle (SDL)
Rogue administrators / employees in the service or data center: Zero standing access privileges; Automated operations; Auditing of all access and actions; Training; Background checks / screening; Threat management / Assume breach
Microsoft Admin credentials get compromised: Multi factor authentication; Zero standing access privileges; Requires trusted computers to get onto management servers; Threat management / Assume breach

46 Security – key risks (Type of Risk / Protection mechanisms)
Encryption keys get compromised: Secure key management processes; Access to key is limited or removed for people; BYOK
Administrator’s computer gets compromised/lost: BitLocker on the computer; Remote desktop session; Zero standing access privileges; Separate credentials to login to the service
Law authorities accessing customer data: Redirect request to customer; Threat management and assume breach
Service and customer data becomes inaccessible due to an attack: Network level DDOS / intrusion detection and prevention
Malware: Anti Malware
Malfunction of software which enables unauthorized access: Security Development Lifecycle; Configuration management

47 Security – key risks (Type of Risk / Protection mechanisms)
Interception of email to partners over Internet*: SMTP session to partners could be protected using opportunistic or forced TLS
Interception of client / server communication: SSL / TLS is implemented in all workloads.
Interception of communication between datacenters or between servers: Office 365 applications use SSL / TLS to secure various server-server communication. All communication is on Microsoft owned networks.
Interception or access of content in transit or at rest by other people.**: Rights Management could be applied to the content.
Interception of email in transit or rest between users within organization*: S/MIME could be implemented and applied to emails
Interception of email in transit and rest to an external user*: Office 365 Message Encryption may be applied to messages

48 Will you use my data to build advertising products? No Advertising: We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two. Who owns the data I put in your service? You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want. Learn more about data portability and how we use your data.

49 Where is Data Stored? Clear Data Maps and Geographic boundary information provided. ‘Ship To’ address determines Data Center Location. How to get notified? Microsoft notifies you of changes in data center locations and any changes to compliance. Who accesses and What is accessed? Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis. At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

50 How Privacy of Data is Protected? Microsoft Online Services Customer Data 1
Columns: Usage Data; Account and Address Book Data; Customer Data (excluding Core Customer data); Core Customer Data
Operating and Troubleshooting the Service: Yes
Security, Spam and Malware Prevention: Yes
Improving the Purchased Service, Analytics: Yes No
Personalization, User Profile, Promotions: No Yes No
Communications (Tips, Advice, Surveys, Promotions): No No/Yes No
Voluntary Disclosure to Law Enforcement: No
Advertising 5: No
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
Columns: Usage Data; Address Book Data; Customer Data (excluding Core Customer Data *); Core Customer Data
Operations Response Team (limited to key personnel only): Yes. Yes, as needed. Yes, by exception.
Support Organization: Yes, only as required in response to Support Inquiry. No.
Engineering: Yes. No Direct Access. May Be Transferred During Trouble-shooting. No.
Partners: With customer permission. See Partner for more information.
Others in Microsoft: No. No (Yes for Office 365 for small business Customers for marketing purposes). No.


52 www.microsoft.com/learning http://microsoft.com/msdn http://microsoft.com/technet http://channel9.msdn.com/Events/TechEd


