
Page 1: Office 365 Security and Compliance overview - AKTINA Eliades... · Two faces of compliance in Office 365 Built-in service capabilities (global compliance) Customer controls for compliance

Office 365 Security and Compliance overview

Angelos Eliades, Microsoft Certified Trainer, Training Manager at Aktina

[email protected]

Common Business Requirements

• Security: Is my information safe?
• Retention: What happens when an employee leaves?
• Policies: How do we manage our information?
• Auditing: What's happening to the information?
• Control: Who has access to the information?
• Reporting: How do I know what's happening with the information?

Office 365 Defense (defense in depth, from the physical layer up to the data layer)

Physical Layer
• Physical controls, video surveillance, access control

Logical Layer
• Edge routers, firewalls, intrusion detection, vulnerability scanning
• Dual-factor authentication, intrusion detection, vulnerability scanning
• Access control and monitoring, anti-malware, patch and configuration management
• Secure engineering, access control and monitoring, anti-malware
• Account management, training and awareness, screening

Data Layer
• Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption

Two faces of compliance in Office 365

Built-in service capabilities (global compliance)
• Access Control
• Auditing and Logging
• Continuity Planning
• Incident Response
• Risk Assessment
• Communications Protection
• Identification and Authorization
• Information Integrity
• Awareness and Training

Customer controls for compliance and internal policies
• Data Loss Prevention
• Archiving
• Retention
• eDiscovery
• Legal Hold
• Encryption: S/MIME, Rights Management, Office 365 email encryption

Security best practices such as penetration testing and defense in depth protect the service against cyber threats.

Network security

Network separated, data encrypted:
• Networks within the Office 365 data centers are segmented.
• Critical back-end servers and storage devices are physically separated from public-facing interfaces.
• Edge router security detects intrusions and signs of vulnerability.
• Network firewall rules and host-based firewall rules are implemented.

Personnel security - Just in time access

• Mandatory background check and fingerprinting for high-privilege access, plus security training.
• Just-in-time access: elevation is granted on an as-needed basis and for a limited time (the default access window is 4 hours).
• The system grants only the least privilege required to complete the task.
• Role-based access control (RBAC).
• Servers in the Office 365 service may run only a pre-determined set of processes, enforced with AppLocker.

Elevation flow: Microsoft admin/engineer (zero standing privileges) → request with reason → approval process → temporary access
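The flow on this slide (zero standing privileges, request with reason, approval, time-limited access) as a small working model, added here as an example; it is not Microsoft's implementation. The role name, the rule that a requester cannot approve their own request, and the eligibility table are assumptions; the 4-hour default comes from the slide.

```python
"""Added example: a minimal just-in-time (JIT) elevation broker with zero standing
privileges. Illustrative code written for this page, not Microsoft's tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DEFAULT_GRANT = timedelta(hours=4)  # slide: default access time is 4 hours


@dataclass
class ElevationRequest:
    requester: str
    role: str                 # least-privilege role needed for the task (RBAC)
    reason: str               # slide: request with reason
    submitted: datetime
    approved_by: Optional[str] = None
    expires: Optional[datetime] = None


class JitBroker:
    """Zero standing privileges: an engineer holds a role only while an approved,
    unexpired request for that role exists."""

    def __init__(self, eligible: Dict[str, List[str]]):
        # eligible[engineer] lists roles the engineer may request, not roles held
        self.eligible = eligible
        self.requests: List[ElevationRequest] = []

    def request(self, engineer: str, role: str, reason: str, now: datetime) -> ElevationRequest:
        if role not in self.eligible.get(engineer, []):
            raise PermissionError(f"{engineer} is not eligible to request {role}")
        if not reason.strip():
            raise ValueError("a reason is mandatory")
        req = ElevationRequest(engineer, role, reason, now)
        self.requests.append(req)
        return req

    def approve(self, req: ElevationRequest, approver: str, now: datetime,
                duration: timedelta = DEFAULT_GRANT) -> None:
        """Approval process (assumption: requesters cannot approve their own requests)."""
        if approver == req.requester:
            raise PermissionError("self-approval is not allowed")
        if req.approved_by is not None:
            raise ValueError("request already approved")
        req.approved_by = approver
        req.expires = now + duration

    def has_role(self, engineer: str, role: str, now: datetime) -> bool:
        """Authorization is checked at use time, so expiry revokes access automatically."""
        return any(
            r.requester == engineer and r.role == role
            and r.approved_by is not None and r.expires is not None and now < r.expires
            for r in self.requests
        )


def walkthrough() -> dict:
    """Run the slide's flow and return each access decision."""
    t0 = datetime(2020, 7, 13, 9, 0, tzinfo=timezone.utc)
    role = "ExchangeDatabaseOperator"   # hypothetical role name
    broker = JitBroker({"alice": [role]})
    result = {"before_request": broker.has_role("alice", role, t0)}
    req = broker.request("alice", role, "Ticket 1234: repair mailbox database", t0)
    result["pending"] = broker.has_role("alice", role, t0)
    try:
        broker.approve(req, "alice", t0)
        result["self_approval_allowed"] = True
    except PermissionError:
        result["self_approval_allowed"] = False
    broker.approve(req, "bob", t0)
    result["during_window"] = broker.has_role("alice", role, t0 + timedelta(hours=3, minutes=59))
    result["after_window"] = broker.has_role("alice", role, t0 + DEFAULT_GRANT)
    return result


if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{step:>22}: {allowed}")
```

The point to notice is that the broker never stores a role assignment: access is derived from the request record each time it is checked, so nothing has to be revoked when the window closes.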

Datacenter security

• Sectional datacenters: no access to individual computing components; very small IT staff onsite.
• Physical access controls: biometric sensors, 24-hour secured access, motion sensors, location known and recorded at all times, security breach alarms.
• Physical security of containers; redundancy and disaster recovery; regular data backups.


Where is my data?

http://o365datacentermap.azurewebsites.net/

Customer data isolation

• Designed to support logical isolation of data that multiple customers store on the same physical hardware.
• Intended or unintended commingling of data belonging to different customers/tenants is prevented by design, using Active Directory organizational units.

Customer data security

• Data in transit: strong TLS protocols (the slide says "SSL/TLS"; SSL itself is deprecated and should be disabled); client-to-server encryption; datacenter-to-datacenter encryption.
• Data at rest: BitLocker disk encryption with 256-bit AES; per-file encryption for customer content; auditing. Encryption at rest protects data on the servers themselves.

Encryption at rest with per-file encryption

(Diagram: a six-step flow showing customer content encrypted per file and distributed across storage containers; only the step numbers and the "Storage containers" label survive in this transcript.)


Breach simulations

Privacy

Privacy by design means that Microsoft does not use your information for anything other than providing the services you subscribe to.

Recent worldwide uptimes

SLA: Microsoft commits to at least 99.9%* uptime with a financially backed guarantee.
*99.9% corresponds to about 43 minutes of downtime per month; missing the target earns 10% service credits.

Quarter   Uptime
2014 Q2   99.95%
2014 Q3   99.98%
2014 Q4   99.99%
2015 Q1   99.99%
2015 Q2   99.95%
2015 Q3   99.98%
2015 Q4   99.98%


Standards & Certifications

https://products.office.com/business/office-365-trust-center-top-10-trust-tenets-cloud-security-and-privacy


Data security with access control, encryption and strong authentication

Unique customer controls with Rights Management Services to allow customers to protect information

Anti-spam / anti-virus

• Multi-engine anti-malware protects against 100% of known viruses (known signatures only; this says nothing about novel malware).
• Continuously updated anti-spam protection captures 98%+ of all inbound spam.
• Advanced fingerprinting technologies identify and stop new spam and phishing vectors in real time.
• Option to mark all bulk messages as spam.
• Block unwanted email based on language or geographic origin.

Multi-factor authentication using any phone

Needs something you "know" (a password) and something you "own" (a mobile phone, office phone or token).

• Mobile apps: push notification, or a one-time passcode (OTP) token
• Phone calls: to an office or mobile device
• Text messages: one-time passcode (OTP) by SMS

Mobile Device Management - BYOD

Office 365 built-in MDM:
• Conditional access
• Device management
• Selective wipe

Microsoft Intune MDM adds:
• Advanced application management

Mobile Device Management: Conditional access

Mobile Device Management: Device management

Mobile Device Management: Selective wipe

Rights Management Service

Prevents sensitive information from being printed, forwarded, or copied by unauthorized people inside the organization.

• Hosted service, with limited infrastructure to maintain.
• Persistent protection stays with the file no matter where it goes.
• Granular permissions control who can open a file and then what they can do with it.
• Flexibility to use user-defined permission policies and centrally defined templates.
• RMS can be applied to any file type using the RMS app*.


RMS with SharePoint online

RMS over other approaches

Comparison of RMS in Office 365 against S/MIME, ACLs (Access Control Lists) and BitLocker on the following criteria (the per-column marks from the slide are not in this transcript):
• Data is encrypted in the cloud
• Encryption persists with content
• Protection tied to user identity
• Protection tied to policy (edit, print, do not forward, expire after 30 days)
• Secure collaboration with teams and individuals
• Native integration with my services (content indexing, eDiscovery, BI, virus/malware scanning)
• Protection against a lost or stolen hard disk

Data Loss Prevention - DLP

• Prevents sensitive data from leaking, either inside or outside the organization.
• Provides an alert when data such as Social Security or credit card numbers is emailed.
• Alerts can be customized by the admin to catch intellectual property being emailed out.
• Permits users to manage their own compliance: it doesn't disrupt user workflow and works even when disconnected.
• Configurable and customizable, with admin-customizable text and actions.
• Built-in templates based on common regulations.
• Import DLP policy templates from security partners or build your own.
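What a policy like the one above actually has to do on each outbound message, as an added example written for this page (not Exchange Online's DLP engine): detect the sensitive information types, reduce false positives with corroborating evidence and a checksum, scope the rule to mail leaving the organization, and pick an action (notify, block, or allow with an audited override). The regexes, keyword lists, thresholds, internal domain and sample messages are all constructed assumptions.

```python
"""Added example: detection and enforcement logic of a DLP rule for Social Security
and credit card numbers in outbound mail. Illustrative code, not a vendor engine."""
import re
from typing import Dict, List

INTERNAL_DOMAIN = "contoso.example"   # assumption: the organization's own domain

# SSN: 3-2-4 digits, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Corroborating keywords raise confidence, as the built-in templates do.
SSN_KEYWORDS = ("ssn", "social security")
CARD_KEYWORDS = ("visa", "mastercard", "amex", "card number", "credit card", "cvv", "expir")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Dict[str, int]:
    """Return {sensitive_type: count} for every type found with supporting evidence."""
    low = text.lower()
    found: Dict[str, int] = {}
    ssns = SSN_RE.findall(text)
    if ssns and any(k in low for k in SSN_KEYWORDS):
        found["ssn"] = len(ssns)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    if cards and any(k in low for k in CARD_KEYWORDS):
        found["credit_card"] = len(cards)
    return found


def evaluate(message: dict, notify_at: int = 1, block_at: int = 3) -> dict:
    """Apply the rule: only mail with an external recipient is in scope; a few
    matches notify the sender, many matches block unless the sender overrides."""
    external: List[str] = [r for r in message["to"]
                           if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return {"action": "allow", "matches": {}}
    matches = classify(message["subject"] + "\n" + message["body"])
    count = sum(matches.values())
    if count >= block_at:
        if message.get("override", False):   # sender chose Override in the policy tip
            return {"action": "allow_with_override", "matches": matches,
                    "incident_report": f"{message['from']} overrode DLP block to {external}"}
        return {"action": "block", "matches": matches,
                "tip": "To send the message without removing the information, "
                       "you must first select Override."}
    if count >= notify_at:
        return {"action": "notify", "matches": matches,
                "tip": "This message appears to contain sensitive information."}
    return {"action": "allow", "matches": matches}


# Constructed sample messages (card numbers are the public Visa/Mastercard/Amex test numbers).
SAMPLE_MESSAGES = [
    {"from": "hr@contoso.example", "to": ["payroll@contoso.example"],
     "subject": "New hire", "body": "SSN 078-05-1120 for onboarding."},
    {"from": "hr@contoso.example", "to": ["agent@outside.example"],
     "subject": "Background check", "body": "Candidate SSN: 078-05-1120"},
    {"from": "sales@contoso.example", "to": ["buyer@outside.example"],
     "subject": "Card numbers on file",
     "body": "Visa 4111 1111 1111 1111, Mastercard 5500 0000 0000 0004, "
             "Amex 378282246310005, expiry 12/25"},
    {"from": "it@contoso.example", "to": ["vendor@outside.example"],
     "subject": "Ticket", "body": "Credit card terminal serial 4111111111111112 needs repair."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", evaluate(m)["action"])
```

The fourth message shows why the checksum matters: a 16-digit serial number next to the words "credit card" would otherwise be a false positive that trains users to click Override reflexively.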

DLP document fingerprinting

• Scans email and attachments for patterns that match document templates.
• Protects sensitive documents from being accidentally shared outside your organization.
• No coding required: simply upload sample documents to create fingerprints.
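One way a fingerprint can be derived from an uploaded template and matched against outbound content, added here as an example written for this page (not Exchange Online's fingerprinting implementation): hash overlapping word n-grams of the template, then score a message by the fraction of those hashes it contains, so that a filled-in copy of a form still matches while unrelated text does not. The shingle size, threshold, sample template and sample messages are constructed assumptions.

```python
"""Added example: template fingerprinting by hashed word shingles and containment
scoring. Illustrative code, not a vendor implementation."""
import hashlib
import re
from typing import List, Set

SHINGLE = 4        # words per shingle (assumption)
THRESHOLD = 0.5    # fraction of template shingles that must appear (assumption)


def normalize(text: str) -> List[str]:
    """Lower-case and keep only alphanumeric tokens, so the blank template and a
    filled-in copy tokenize the same way regardless of punctuation."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> Set[str]:
    """The fingerprint is a set of truncated hashes of overlapping word n-grams;
    only these hashes need to be stored, never the template text itself."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE + 1)
    }


def match_score(template_fp: Set[str], text: str) -> float:
    """Containment score: share of template shingles present in the text. Unlike
    Jaccard similarity, extra filled-in content does not lower the score."""
    if not template_fp:
        return 0.0
    return len(template_fp & fingerprint(text)) / len(template_fp)


def matches(template_fp: Set[str], text: str, threshold: float = THRESHOLD) -> bool:
    return match_score(template_fp, text) >= threshold


# Constructed template: the blank form an admin would upload to create the fingerprint.
PATENT_TEMPLATE = """
Contoso Confidential Invention Disclosure Form
Title of invention:
Inventor name:
Date conceived:
Summary of the invention and how it differs from prior art:
Has this invention been disclosed outside Contoso? Yes / No
Signature of inventor:
"""

# Constructed outbound content: a filled-in copy of the form, and an unrelated mail.
FILLED_FORM = """
Contoso Confidential Invention Disclosure Form
Title of invention: Self-healing fibre optic connector
Inventor name: A. Eliades
Date conceived: 2015-03-02
Summary of the invention and how it differs from prior art: a sleeve that re-seats the ferrule.
Has this invention been disclosed outside Contoso? Yes / No
Signature of inventor: AE
"""
UNRELATED = "Hi team, lunch on Thursday? The invention of the sandwich is disputed."

if __name__ == "__main__":
    fp = fingerprint(PATENT_TEMPLATE)
    for label, text in (("filled form", FILLED_FORM), ("unrelated", UNRELATED)):
        print(f"{label}: score={match_score(fp, text):.2f} match={matches(fp, text)}")
```

Because only hashes of the template are kept, the fingerprint itself reveals nothing useful about the document; the threshold is the tuning knob between catching lightly edited copies and flagging documents that merely share boilerplate.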

eDiscovery and In-Place Hold

Hold: keep the data you do want
• Data held in place
• Customize holds based on filters
• Hold across multiple products in a single action
• Capture deleted & edited messages

Deletion: delete the data you don't want
• Automated time-based criteria to delete
• Set policies at item or folder level, by admin or user
• Set site-level retention policies

Search: find the data you need
• Search across multiple products
• De-duplication & search statistics
• Case management
• Export search results

Perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.

More encryption mechanisms

• Rights Management Service combined with DLP.
• S/MIME* provides certificate-based email signing and encryption.
• Office 365 Message Encryption allows sending encrypted email to any SMTP address.

*Secure/Multipurpose Internet Mail Extensions

Security Threats and Countermeasures

Threat → Countermeasure
• Stolen password → Two-factor authentication
• Data leakage → DLP policy
• Unsecure transport → Mail encryption
• Lost devices:
  • Computer → Hard drive encryption
  • Mobile → Remote device wipe
  • USB drive → Portable file encryption
• Disk failures → Redundant storage
• DoS / unavailability → Throttling; 99.98% quarterly uptime
• Internal theft of data → Physical and employee security, encryption in transit, encryption at rest

Demo: Office 365 email encryption and DLP fingerprint

Policy tip shown during the demo: "To send the message without removing the information, you must first select Override."

[email protected]

Thank you