1. Trusting Office 365 2. Overview of Office 365 for Government

Bob BallardChief IT StrategistPublic SectorMicrosoft Corporationrballard@Microsoft.com

The trust questions…

Is cloud computing secure?Are Microsoft Online Services secure?

Security

Where is my data?Who has access to my data ?

TransparencyWhat does privacy at Microsoft mean? Are you using my data to build advertising products?

Privacy

What certifications and capabilities does Microsoft hold?How does Microsoft support customer compliance needs?Do I have the right to audit Microsoft?

Compliance

Choices to keep Office 365 Customer Data separate from consumer services.

Office 365 Customer Data belongs to the customer. Customers can export their data at any time.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Privacy at Office 365

No Mingling

Data Portability

No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.

No Advertising

Transparency

Microsoft notifies you of changes in data center locations.

Core Customer Data accessed only for troubleshooting and malware prevention purposes Core Customer Data access limited to key personnel on an exception basis.

How to get notified?

Who accesses and What is accessed?

Clear Data Maps and Geographic boundary information provided‘Ship To’ address determines Data Center Location

Where is Data Stored?

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Service Security – Defense in DepthA risk-based, multi-dimensional approach to safeguarding services and dataSecurity Management

Network perimeter

Internal network

Host

Application

Data

User

Facility

Threat and vulnerability management, monitoring, and response

Edge routers, intrusion detection, vulnerability scanning

Dual-factor authentication, intrusion detection, vulnerability scanning

Access control and monitoring, anti-malware, patch and configuration management

Secure engineering (SDL), access control and monitoring, anti-malware

Access control and monitoring, file/data integrity

Account management, training and awareness, screening

Physical controls, video surveillance, access control

Compliance update

ISO 27001 All customers Available

EU Safe Harbor EU customers Available

SSAE 16 (Statement on standards for Attestation Engagement) SOC 1 (Type I & Type II) compliance

Primarily US customers Available

FISMA US Government Available

HIPAA/BAA All Customers Available

EU Model Clauses EU Customers Available

Data Processing Agreement All Customers Available

FERPA EDU Customers Available

Compliance with key standards

Office 365 for GovernmentGovernment community cloud

Why a US Government community cloud?

Given the strong sense of affinity and community

within many government agencies, there has been a strong demand for a cloud made specifically for the

government

In response to this demand, Microsoft has added Office 365 for Government to the

portfolio of our Cloud offerings

Why a US Government community cloud?

Office 365 For Government will be built to the same Enterprise

security standards that the Office 365 For Enterprise

offering has today

Physically segmented core customer data

Public Trust Medium Govt. adjudicated BI’s

Why a US Government community cloud?

Multi-Tenant Cloud

Dedicated Cloud

Multi-TenantPublic Cloud • Microsoft offering for all world wide customers

• US Government data stored in US data centers• FISMA ATO with 1 agency & submitted for ATO with several

agencies• Microsoft background investigations

Office 365 For Government

• Microsoft offering for qualifying US Govt. customers • US Govt. tenants segregated from Enterprise cloud

tenants• Based on NIST definition of community cloud• FISMA package to be submitted for ATO with first

customer • Public Trust Moderate Background InvestigationsEnterprise-Dedicated

Cloud • Dedicated infrastructure for each customer • Microsoft background investigations

Dedicated -ITAR • Dedicated infrastructure for each qualifying customer• Isolated & separate from Dedicated Public Cloud in caged

env.• FISMA-Moderate ATO from USDA• Support for customers complying with ITAR regulatory

controls• Public Trust High Background Investigations

GCC: Integral part of Microsoft cloud vision

Availability Tenant Community

Customer Data Location

At Rest

ITAR Regulatory

Support

Position Of Public

TrustFISMA

PackageFISMA

ATO

Multi-TenantPublic Cloud Anyone Public

communityRegionally Located No

Microsoft Background

CheckFISMA Moderate Yes

GCC US Govt. entities with *.GOV or *.MIL domain extensions

US Govt. Community

US Located & Community Segregated

No Moderate FISMA ModerateSecurity package

ready for customer review

ITAR US Govt. entities & qualifying commercial

entities

Individual customer

US Located & Customer

SegregatedYes High FISMA Moderate Yes

1 Details of FISMA Moderate package will vary by environment.2 The FISMA package includes a list of control implementations, operational procedures and testing that shows how the service complies with NIST requirements. The FISMA ATO (Authority To Operate) indicates that a Federal entity has reviewed and approved the FISMA Package .

1 2

What you will find in each cloud?

Core Customer data is segregated• Exchange – Separate Forest• SharePoint – Separate Farm

“Core Customer Data” refers to data generated by the customer in the course of their business and provided to O365 teams to hold in the course of providing services, defined as “Core Customer Data” in the O365 Asset Classification* policy.Core Customer Data is located in US SoilOther data classes are handled according to existing O365 MT standards as described in the Trust Center. (E.G. existing regional controls for PII.)

Core Customer Data

• Email body• SharePoint files body• SharePoint site content• Blob or structured storage

data

Data segregation

1. What is IPv6 (Internet Protocol version 6) is a version of the Internet Protocol intended to succeed IPV4, which is the protocol currently used to direct almost all Internet traffic• Data Transfer in Internet happens via packets that are routed across networks by routing protocols.

Packets require an addressing scheme (IPv4/IPv6), to specify source & destination addresses.• Each host, computer or other device on the Internet requires an IP address in order to communicate.

2. Depletion of IPV4 Addresses: Last block of ipv4 addresses was assigned in February 2011.• Perception: Office 365 needs to be seen as supporting ipv6. This perception decides RFP wins. Below

objections to ipv6 may don’t matter.• There may be unused ipv4 blocks that can be re-released.• Current ipv4 addresses should be enough. No one really uses ipv6.

3. Industry Trend: Industry Trend IPv6 solves the problem of IPv4 address depletion by offering a virtually limitless pool of IP addresses that can be used by computers, smartphones, home appliances, gaming devices and all sorts of sensors and actuators that have yet to be invented.

4. Primary reason to use ipv6: IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports 2 to the 128th power devices (greater than billion devices per human being on planet).

What is the next big Government initiative? IPv6

Office 365 Trust Center

Clear messaging with plain English

Details for security experts

Links videos, whitepapers

http://trust.office365.com