Data Security and Compliancy in Office 365
DESCRIPTION
Presented by Jethro Seghers.
TRANSCRIPT
Office 365
Data Security & Compliancy
Jethro Seghers
MVP Office 365 • MCITP SharePoint 2010 • ITILv3 Certified
@jseghers – http://www.j-solutions.be/blog
Jethro Seghers
Blogger • Consultant • Trainer
Twitter: @jseghers
E-mail: [email protected]
Blog: http://www.j-solutions.be/blog
J-Solutions.be
• Located in Belgium
• Provides IT business consultancy and evangelism
• SharePoint 2010/2013 and Online
• Cloud services: Office 365, Windows Intune & Azure
• IT as a service: MOF and ITIL v3
Agenda
• Terminology
• Infrastructure settings
• Exchange Online
• Lync Online
• SharePoint Online
• Sources of information
Data Security
The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
Data Compliance
Compliance is either a state of being in accordance with established guidelines, specifications, or legislation, or the process of becoming so.
Office 365: bringing together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite for businesses of all sizes.
Infrastructure
Overview
• Microsoft datacenters & their locations
• Data flow
• Privacy
• Encryption
• Identity protection
• Password policies
Microsoft Datacenters (1)
Physical security
• Secure physical access for authorized personnel only
• State-of-the-art datacenters
Hosted applications security
• Anti-SPAM, encryption, mail
Security Development Lifecycle
• Potential threats while running a service
• Exposed aspects of the service that are open to attack

Microsoft Datacenters (2)
Secured Office 365 Services Infrastructure
• Server monitoring via System Center
• Secure remote access via RDS
• Intrusion detection
• Network-level security measures
• Customer access via SSL
• Uptime 99.9 %
Identity & Access Management
• Access control follows the separation-of-duties principle and grants least privilege.
Where is our data stored? Example: EMEA
• A primary data center is where the application software and the customer data running on that software are hosted.
• A backup data center is used for failover purposes.
• Data center Dublin: primary for F.O.P.E.
• Data center The Netherlands: SharePoint Online
• Dublin + The Netherlands, interchangeably: Exchange Online + Lync Online
What is stored in the US (EMEA)
• Customer information
• Microsoft Online Portal
• Routing of Lync Online communications
• Office 365 authentication
Additionally, Microsoft abides by the Safe Harbor Framework for transfer of data between the European Union and the United States.
Privacy: Microsoft Online Services Customer Data
(Yes/No per purpose, for each of the four data classes)

Purpose                                            | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
---------------------------------------------------+------------+-------------------------------+----------------------------------------------+-------------------
Operating and Troubleshooting the Service          | Yes        | Yes                           | Yes                                          | Yes
Security, Spam and Malware Prevention              | Yes        | Yes                           | Yes                                          | Yes
Improving the Purchased Service, Analytics         | Yes        | Yes                           | Yes                                          | No
Personalization, User Profile Promotions           | No         | Yes                           | No                                           | No
Communications (Tips, Advice, Surveys, Promotions) | No         | Yes                           | No                                           | No
Voluntary Disclosure to Law Enforcement            | No         | No                            | No                                           | No
Advertising                                        | No         | No                            | No                                           | No
Encryption
• HTTPS communication with portal.microsoftonline.com
• HTTPS communication between clients and Exchange Online for all protocols
• PGP: transportation and storage of Exchange Online messages
• Lync Online: instant messaging, IM federation
• SharePoint Online: HTTPS connection (only for Enterprise & Academic)
Identity Protection
• Identity stored in Microsoft Online
• Identity federation via SSO
• Granular licenses
• Different administrator roles

Identity options comparison
1. MS Online IDs
• Authentication is done by Microsoft
Pros
• Bound to the SLA of 99.9% of MSFT
• Users and groups mastered on-premise
Cons
• 2 sets of credentials that need to be maintained
• Different password policies
2. Federated IDs + Dir Sync
• Authentication is done by corporate infrastructure
• Larger enterprise organizations with AD on-premise
Pros
• SSO with corporate credentials
• Users and groups mastered on-premise
• Password policy controlled on-premise
• Enables co-existence scenarios
Cons
• High-availability server deployments required
Password Policy
Password restriction
• 8 characters minimum and 16 characters maximum
• Values allowed: A-Z a-z 0-9 ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ;
• No Unicode
• Cannot contain the username alias (the part before the @ symbol)
Password expiry duration
• Set to 90 days and not configurable
Password expiry
• Can be enabled/disabled via PowerShell at user level
Password strength
• Strong passwords require 3 out of 4 of the following: lowercase characters, uppercase characters, numbers (0-9), symbols (see password restrictions above)
Password history
• The last password cannot be used again
Account lockout
• After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon.
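A checker that applies the restriction, strength and history rules listed on these slides, as an added example (not Microsoft's own implementation). It assumes straight ASCII quotes where the slide shows curly ones and a case-insensitive match for the alias check; the 90-day expiry and the CAPTCHA lockout are server-side behaviour and are not modelled.

```python
"""Office 365 password policy checker, as described on the slides (added example)."""
import string

# Symbols listed on the slide; straight ' and " assumed for the curly quotes shown.
ALLOWED_SYMBOLS = set("!@#$%^&*-_+=[]{}|\\:',.?/`~\"<>();")
# "No Unicode": only these ASCII characters are accepted.
ALLOWED_CHARS = set(string.ascii_letters + string.digits) | ALLOWED_SYMBOLS


def check_password(password, username, previous_password=None):
    """Return a list of policy violations; an empty list means the password is accepted.

    username is the full sign-in name; only the alias (part before '@') is checked.
    previous_password models the 'last password cannot be used again' rule.
    """
    problems = []
    # Restriction: 8 to 16 characters.
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16 characters")
    # Restriction: every character must come from the allowed ASCII set.
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    # Restriction: must not contain the alias (case-insensitive match assumed).
    alias = username.split("@", 1)[0]
    if alias and alias.lower() in password.lower():
        problems.append(f"must not contain the username alias '{alias}'")
    # Strength: at least 3 of the 4 character classes.
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in ALLOWED_SYMBOLS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs 3 of 4 classes: lowercase, uppercase, digit, symbol")
    # History: the last password may not be reused.
    if previous_password is not None and password == previous_password:
        problems.append("must differ from the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Summer2013!", "jethro2013", "Pässword1"):
        print(pw, "->", check_password(pw, "jethro@contoso.com") or "accepted")
```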
Is this Independently Verified?
MS Online Certification and Compliance Finder
Certified for:
• ISO 27001
• EU Safe Harbor
• HIPAA Business Associate Agreement
• Data Processing Agreement
• FISMA
Exchange Online
Exchange Online (1)
• Archiving
• Moderation
• Security/distribution groups
• Item-level recovery
• Transport rules
• Retention policies – Managed Folder Assistant
• Deleted mailbox recovery

Exchange Online (2)
• Journaling
• F.O.P.E. in the current version, built in in EXO Wave 15
• Auditing
• Retention hold
• Litigation hold
• Mobile device
DEMO
Lync Online
Lync Online
• Privacy settings
• External communications
• User-defined settings:
  • Sending files via IM
  • Make audio and video calls
  • Record calls and conferences
  • Federation with Lync users in other organizations
  • Federation with users of public IM service providers
  • Dial-in conferencing
DEMO
SharePoint Online
SharePoint Online
• Information management policy – records
• Use of term store & required fields – content types
• Drop-off library
• Audit
• Blocked file types
• Security
• Versioning
• Recycle bin
• Backup: 14 days
DEMO
Sources of Information
• Office 365 Trust Center: http://www.microsoft.com/en-us/office365/trust-center.aspx
• Service Description
• Office 365 Password Policy
• Security White Paper
• Data Boundaries
Questions