information security in office 365 a shared responsibility - antonio maio

Internal Audit, Risk, Business & Technology Consulting

INFORMATION SECURITY IN OFFICE 365: A SHARED RESPONSIBILITY

March 2017

Antonio Maio
Protiviti | Senior SharePoint Architect
Microsoft Office Server and Services MVP

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Upload: antoniomaio2

Post on 05-Apr-2017


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and

does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

SHARED RESPONSIBILITY

• Understand Cloud Provider Responsibilities

• Understand Your Responsibilities

In a cloud environment, security and information protection must be a Shared Responsibility.

Understanding how your responsibilities are managed requires strong Information Governance policies & procedures.

SAAS = Office 365

PAAS = Azure Web Services, Azure Functions

IAAS = Azure VMs


OFFICE 365 SECURITY: Capabilities & Features

• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAM)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
  − Activity Monitoring/Audit Log Search
  − Automatic Alerts
  − Security Roles & Permissions
  − Data Loss Prevention
  − Advanced Security Management
  − eDiscovery
  − Mail Filtering/Anti-Malware/DKIM
  − Advanced Threat Protection (ATP for email)
  − Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Vault/Bring Your Own Key (BYOK)


DEMONSTRATION: External Sharing Controls, OneDrive for Business Sharing Controls


DEMONSTRATION: Office 365 Security and Compliance Center


DEMONSTRATION: Office 365 Secure Score


• The customer must approve an access request before a Microsoft engineer gets any access to the customer tenant

Customers can control whether Microsoft Office 365 engineers may have access to their tenant.


FINAL THOUGHTS

• Understand your Responsibilities
• Learn about Office 365 Security Capabilities
  − Understand which are relevant to you and your business
• Develop a Security Rollout Plan
• Ensure the selected security procedures (and capabilities) line up with your Information Governance Plan
