"The privacy and security environment is becoming more complicated, more risky and more regulated every day, and is having a substantial impact on virtually every company." (Forbes, 2013)
[Slide figure: the trends driving that environment (BYOD, Cloud, Targeted Attacks, Compliance) and a timeline of Microsoft security milestones from 1989 to 2013. Milestones shown: 1st Microsoft Data Center; MSN; Hotmail; Bill Gates Memo; Trustworthy Computing Initiative (TwC); Microsoft Security Engineering Center - Security Development Lifecycle (SDL); Microsoft Security Response Center (MSRC); Windows Update; Malware Protection Center; Microsoft Security Essentials; Xbox Live; Bing/MSN Search; Global Foundation Services (GFS); Microsoft Online Services (MOS); Exchange Hosted Services (part of Office 365); Windows Azure; Outlook.com; Active Directory; identity-centric security. Certifications and agreements shown: SAS-70; SSAE-16; ISO 27001 Certification; FISMA; U.S.-EU Safe Harbor; European Union Model Clauses (EUMC); Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA); Data Processing Agreement (DPA); CJIS Security Policy Agreement.]
Security: Best-in-class security with over a decade of experience building Enterprise software & Online services
• Physical and data security with access control, encryption and strong authentication
• Security best practices such as penetration testing and defense-in-depth to protect against cyber-threats
• Unique customer controls with Rights Management Services to empower customers to protect information
Compliance: Commitment to industry standards and organizational compliance
• Enable customers to meet global compliance standards: ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin controls such as Data Loss Prevention, Legal Hold and E-Discovery to enable organizational compliance
Privacy: Privacy by design, with a commitment to use customers' information only to provide services
• No mining of data for advertising
• Transparency about the location of customer data, who has access and under what circumstances
• Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties
Office 365 Security
The material is organized in three parts: Built-in Security, Customer Controls, Independent Verification.
Office 365 Built-in Security
Six areas: 24 hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations; Microsoft security best practices.
24 hour monitored physical hardware
• 24x7 onsite security staff
• Perimeter security
• Multi-factor authentication
• Extensive monitoring
• Seismic bracing
• Fire suppression
• Days of backup power
• Tens of thousands of servers
Isolated Customer Data
The multi-tenant environment is designed for logical isolation of the data that multiple customers store on the same physical hardware: access, intended or unintended, to data belonging to a different customer/tenant is prevented by data isolation. Active Directory organizational units keep Customer A's data isolated from Customer B's data.
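How logical isolation of tenant data is enforced at the access path, as an added example in Python (not Office 365 or Microsoft code): every read is scoped to the tenant the caller authenticated to, and a lookup by record id alone is shown beside it so the gap that isolation closes is visible. The store, the tenant names, the item ids and the subjects are constructed for the illustration; the slide's own mechanism, Active Directory organizational units, is not modelled.

```python
"""Tenant-scoped access to a shared store: Customer B must never read Customer A's data.

Added illustration, not Office 365 code. Tenants, users, ids and subjects are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str          # the tenant the caller authenticated to, never client-supplied


@dataclass(frozen=True)
class Item:
    item_id: int
    tenant: str          # owning tenant, stamped at write time from the principal
    subject: str


class TenantIsolationError(PermissionError):
    pass


class MultiTenantStore:
    """One physical store shared by many tenants; isolation is logical and checked on every access."""

    def __init__(self):
        self._items = {}

    def put(self, principal, subject):
        item_id = len(self._items) + 1
        # The owning tenant comes from the authenticated principal, not from the request body.
        self._items[item_id] = Item(item_id, principal.tenant, subject)
        return item_id

    def get_unsafe(self, item_id):
        """Lookup by id only. It works, which is the problem: any tenant can read any id."""
        return self._items[item_id]

    def get(self, principal, item_id):
        """Tenant-scoped lookup. A record owned by another tenant is reported exactly like a
        missing one, so the caller cannot even confirm that it exists."""
        item = self._items.get(item_id)
        if item is None or item.tenant != principal.tenant:
            raise TenantIsolationError(
                f"item {item_id} not found for tenant {principal.tenant} ({principal.user})")
        return item

    def list_for(self, principal):
        """Enumeration is filtered by tenant as well; there is no unscoped list."""
        return [i for i in self._items.values() if i.tenant == principal.tenant]


def demo():
    store = MultiTenantStore()
    alice = Principal("alice", "customer-a")
    bob = Principal("bob", "customer-b")
    a_id = store.put(alice, "Q3 forecast")
    store.put(bob, "Payroll export")
    out = {}
    out["bob_unsafe_reads_a"] = store.get_unsafe(a_id).tenant      # leaks: 'customer-a'
    try:
        store.get(bob, a_id)
        out["bob_scoped_reads_a"] = "allowed"
    except TenantIsolationError:
        out["bob_scoped_reads_a"] = "denied"
    out["alice_sees"] = [i.subject for i in store.list_for(alice)]
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant filter lives in the store's access methods rather than in each caller: a new code path cannot forget it, and the "not found" response is identical for foreign and missing records.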
Automated operations
Access from the Microsoft Corporate Network into the Office 365 Datacenter Network follows a request-verify-grant flow:
1. An O365 admin requests access.
2. Eligibility is verified by checking that a background check, fingerprinting and security training have all been completed.
3. A temporary privilege is granted, limited to the least privilege required to complete the task.
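The request-verify-grant flow above, as an added example in Python (not Microsoft's access tooling): eligibility is checked against the three prerequisites on the slide, the requested task is mapped to the narrowest role that can complete it, the grant expires on its own, and every decision is written to an audit list. The task names, role names, HR records and the two-hour default lifetime are constructed for the illustration.

```python
"""Just-in-time elevation: eligibility checks, least-privilege role, expiring grant, audit trail.

Added illustration, not Microsoft tooling. Checks, tasks, roles, users and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ELIGIBILITY_CHECKS = ("background_check", "fingerprinting", "security_training")

# Least privilege: each task maps to the narrowest role that can complete it (constructed).
TASK_ROLES = {
    "restart-mailbox-service": "ServiceOperator",
    "read-diagnostic-logs": "LogReader",
}


@dataclass
class Grant:
    user: str
    role: str
    task: str
    expires_at: datetime

    def is_active(self, now):
        return now < self.expires_at


@dataclass
class AccessBroker:
    hr_records: dict                       # user -> set of completed checks (constructed input)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, task, now, ttl=timedelta(hours=2)):
        """Grant a time-boxed role for one task, or refuse and record why."""
        completed = self.hr_records.get(user, set())
        missing = [c for c in ELIGIBILITY_CHECKS if c not in completed]
        if missing:
            self.audit.append((now, user, task, "denied", "missing " + ", ".join(missing)))
            raise PermissionError(f"{user} is not eligible: {missing}")
        role = TASK_ROLES.get(task)
        if role is None:
            self.audit.append((now, user, task, "denied", "no role mapped to task"))
            raise PermissionError(f"no role is mapped to task {task!r}")
        grant = Grant(user, role, task, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, user, task, "granted", f"{role} until {grant.expires_at.isoformat()}"))
        return grant

    def active_roles(self, user, now):
        """Roles currently held: expired grants drop out by themselves, nothing is standing."""
        return sorted({g.role for g in self.grants if g.user == user and g.is_active(now)})


def demo():
    t0 = datetime(2013, 10, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker(hr_records={
        "alice": set(ELIGIBILITY_CHECKS),
        "bob": {"background_check", "security_training"},   # fingerprinting still outstanding
    })
    grant = broker.request("alice", "read-diagnostic-logs", t0)
    out = {
        "alice_role": grant.role,
        "alice_roles_now": broker.active_roles("alice", t0 + timedelta(minutes=30)),
        "alice_roles_later": broker.active_roles("alice", t0 + timedelta(hours=3)),
    }
    try:
        broker.request("bob", "read-diagnostic-logs", t0)
        out["bob"] = "granted"
    except PermissionError:
        out["bob"] = "denied"
    out["audit_entries"] = len(broker.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping when adapting this: the role is derived from the task, so an admin cannot ask for more than the task needs, and the expiry is checked on every use rather than revoked by a cleanup job that might not run.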
Secure network
• Networks within the Office 365 data centers are segmented, with the internal network separated from the external network.
• Critical back-end servers and storage devices are physically separated from public-facing interfaces.
• Edge router security provides the ability to detect intrusions and signs of vulnerability.
• Data crossing the network is encrypted.
Encrypted Data
Office 365 allows encryption of data both at rest and in transit:
• At rest: BitLocker AES encryption on all messaging content. BitLocker is volume encryption, so it protects the data on a lost or stolen disk; it is transparent to the running system and does not by itself restrict who can read data through the service.
• In transit: Transport Layer Security (TLS) / Secure Sockets Layer (SSL).
• S/MIME for email messaging content, planned for Q1 FY14.
• Third-party technology such as PGP is supported.
Microsoft security best practices
Security Development Lifecycle
The SDL is the "prevent breach" practice: reduce vulnerabilities and limit exploit severity, with ongoing process improvements. (Throttling to prevent DoS attacks is the other practice on this slide and is covered next.)
Three supporting functions:
• Education: administer and track security training
• Process: guide product teams to meet SDL requirements
• Accountability: establish release criteria and sign-off as part of the Final Security Review (FSR)
Phases and activities:
Training: core security training
Requirements: establish security requirements; create quality gates / bug bars; security and privacy risk assessment
Design: establish design requirements; analyze attack surface; threat modeling
Implementation: use approved tools; deprecate unsafe functions; static analysis
Verification: dynamic analysis; fuzz testing; attack surface review
Release: incident response plan; final security review; release archive
Response: execute incident response plan (incident response by MSRC)
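One concrete Implementation-phase check, as an added example in Python rather than Microsoft's SDL tooling: a scanner that flags calls to C runtime functions of the kind the SDL's banned list deprecates, blanks out comments and string literals first so that line numbers stay accurate and prose mentions are not reported, and acts as a bug-bar gate that fails when any finding exists. The banned-function excerpt, the suggested replacements and the C source scanned are constructed for the illustration.

```python
"""Banned-API scan of the kind run at the SDL Implementation stage ("deprecate unsafe functions").

Added illustration, not Microsoft's SDL tooling. The banned list is an excerpt constructed for
the example, as is the C source it scans.
"""
import re

# Function -> suggested bounded replacement (constructed excerpt).
BANNED = {
    "strcpy": "strcpy_s or strlcpy",
    "strcat": "strcat_s or strlcat",
    "sprintf": "snprintf or sprintf_s",
    "vsprintf": "vsnprintf",
    "gets": "fgets or gets_s",
}

# \b keeps fgets, strcpy_s and my_strcpy from matching; \s*\( requires an actual call.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def strip_comments_and_strings(source):
    """Blank out block comments, string literals and line comments while keeping every newline,
    so that reported line numbers refer to the original file."""
    def blank(m):
        return "\n" * m.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", blank, source, flags=re.S)
    source = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', source)
    source = re.sub(r"//[^\n]*", "", source)
    return source


def scan_source(source):
    """Return (line_no, function, replacement) for each banned call in real code."""
    findings = []
    for line_no, line in enumerate(strip_comments_and_strings(source).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((line_no, name, BANNED[name]))
    return findings


def quality_gate(source):
    """Bug-bar style gate: a single banned call fails the check-in."""
    findings = scan_source(source)
    return {"passed": not findings, "findings": findings}


# Constructed C source: two banned calls, one safe replacement, one mention inside a string.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
/* Legacy helper written before the banned list existed */
void greet(char *out, const char *name) {
    char buf[32];
    strcpy(buf, name);          /* unbounded copy into a fixed buffer */
    sprintf(out, "hello %s", buf);
    puts("policy: never call strcpy() directly");
}
void greet_safe(char *out, size_t n, const char *name) {
    snprintf(out, n, "hello %s", name);
}
"""


if __name__ == "__main__":
    for line_no, name, fix in scan_source(SAMPLE_C):
        print(f"line {line_no}: {name}() is banned, use {fix}")
    print("gate passed:", quality_gate(SAMPLE_C)["passed"])
```

This is deliberately a lexical check, which is how a banned-API gate is usually enforced: it is cheap enough to run on every check-in, and the deeper analysis belongs to the static and dynamic analysis steps that follow it.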
Throttling to Prevent DoS attacks
• Exchange Online baselines normal traffic and usage, which gives it the ability to recognize DoS traffic patterns.
• Automatic traffic shaping kicks in when spikes exceed normal.
• Mitigates: non-malicious excessive use; buggy clients (BYOD); admin actions; DoS attacks.
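The baseline-and-shape behaviour described above, as an added example in Python (not Exchange Online's throttling implementation): per-client request counts from a quiet period set a limit of mean plus three standard deviations with a floor, and a token bucket sized from that limit serves requests up to the limit and shapes the excess. The client names, history and traffic series are constructed; the client that suddenly issues ten times its normal rate stands in for the buggy-client case on the slide.

```python
"""Baseline-driven throttling: learn each client's normal rate, then shape what exceeds it.

Added illustration, not Exchange Online code. Clients, history and traffic are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def baseline_limits(history, headroom=3.0, floor=5):
    """Allowed requests per interval per client: mean + headroom * stdev of the quiet-period
    counts. `floor` stops a nearly idle client being throttled by ordinary variation."""
    return {client: max(floor, int(mean(counts) + headroom * pstdev(counts)))
            for client, counts in history.items()}


class TokenBucket:
    """Refills `rate` tokens per interval up to `burst`; a request without a token is shaped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)

    def tick(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def allow(self):
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def shape(traffic, limits, default_limit=5):
    """Run per-interval request counts through each client's bucket.
    Returns (served, shaped) totals per client; unknown clients get the default limit."""
    buckets = {}
    served, shaped = defaultdict(int), defaultdict(int)
    for interval in traffic:
        for client, requests in interval.items():
            if client not in buckets:
                rate = limits.get(client, default_limit)
                buckets[client] = TokenBucket(rate=rate, burst=2 * rate)   # allow a short spike
            bucket = buckets[client]
            bucket.tick()                      # one refill at the start of every interval
            for _ in range(requests):
                if bucket.allow():
                    served[client] += 1
                else:
                    shaped[client] += 1        # delayed or rejected, not served now
    return dict(served), dict(shaped)


# Constructed quiet-period history: requests per interval over six intervals.
HISTORY = {
    "ceo-phone": [8, 10, 9, 11, 10, 12],
    "buggy-sync-app": [20, 22, 19, 21, 20, 18],
}
# Constructed live traffic: the sync app starts looping in the third interval.
TRAFFIC = [
    {"ceo-phone": 10, "buggy-sync-app": 20},
    {"ceo-phone": 10, "buggy-sync-app": 20},
    {"ceo-phone": 10, "buggy-sync-app": 200},
    {"ceo-phone": 10, "buggy-sync-app": 200},
]


def demo():
    limits = baseline_limits(HISTORY)
    served, shaped = shape(TRAFFIC, limits)
    return {"limits": limits, "served": served, "shaped": shaped}


if __name__ == "__main__":
    print(demo())
```

The well-behaved client is never touched because its limit was learned from its own history, while the looping client is held to roughly its normal rate after one burst; that per-client baseline is what lets one tenant's buggy client or a DoS source be shaped without degrading everyone else.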
Prevent Breach and Assume Breach
Prevent breach: threat model; code review; security development lifecycle (SDL); security testing.
Assume breach: war game exercises (new); live site pentest (new); centralized security logging and monitoring (new); blue teaming; red teaming; monitor emerging threats; insider attack simulation; execute post-breach.
Assume breach identifies and addresses significant gaps:
• Detect attack and penetration
• Respond to attack and penetration
• Recover from data leakage or tampering
• Scope ongoing live site testing of security response plans to drastically improve mean time to detection and recovery
• Reduce exposure to internal attack (once inside, attackers have broad access)
• Periodic post-breach assessment of the environment and return to a clean state
Office 365 Customer Controls
Rights Management Services (RMS) in Office 365
Information can be protected with RMS at rest or in motion. The slide compares RMS in Office 365 with S/MIME, ACLs (Access Control Lists), BitLocker and Cloud Encryption Gateways (CEGs) on the following functionality:
• Data is encrypted in the cloud
• Encryption persists with content
• Protection tied to user identity
• Protection tied to policy (edit, print, do not forward, expire after 30 days)
• Secure collaboration with teams and individuals
• Native integration with Office 365 services (content indexing, eDiscovery, BI, virus/malware scanning)
• Lost or stolen hard disk
Enabling and applying RMS:
• RMS can be activated right inside the Office 365 admin console: enable Rights Management in the tenant admin.
• RMS can be applied to emails.
• RMS can be applied to SharePoint libraries: files are protected whether they are viewed using the Web Apps or downloaded to a local machine and opened using rich clients.
• RMS can be applied to any Office document.
User Access
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services.
• Federation: secure SAML token-based authentication
• Password synchronization: only a one-way hash of the password is synchronized to WAAD (Windows Azure Active Directory), so the original password cannot be reconstructed from it
Enables additional authentication mechanisms:
• Two-factor authentication, including phone-based 2FA
• Client-based access control based on devices/locations
• Role-based access control
Commitment to industry standards and organizational compliance
• Enable customers to meet global compliance standards: ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin controls such as Data Loss Prevention, Archiving and E-Discovery to enable organizational compliance
Certification status is tracked per certification, market and region.
Data Loss Prevention (DLP)
DLP prevents sensitive data from leaving the organization: it provides an alert when data such as a Social Security number or credit card number is emailed, and alerts can be customized by the admin to catch intellectual property before it is emailed out.
Empowers users to manage their own compliance:
• Contextual policy education
• Doesn't disrupt the user workflow
• Works even when disconnected
• Configurable and customizable
• Admin-customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners, or build your own
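The detection and policy decision behind the alert described above, as an added example in Python (not the Office 365 DLP engine): candidate Social Security and credit card numbers are found by pattern, card candidates are validated with the Luhn checksum to cut false positives on invoice and order numbers, a custom rule of the kind an admin would add for intellectual property is included, and the outcome is the action plus the policy tip shown to the sender. The organisation domain contoso.example, the codename "Project Falcon", the thresholds, the sample messages and the action labels NotifyOnly and Block are all constructed for the illustration, not a claim about product configuration syntax.

```python
"""Content classification and policy decision of the kind behind a DLP rule.

Added illustration, not Office 365 code. Domain, rules, thresholds and messages are constructed.
"""
import re


def luhn_ok(digits):
    """Luhn checksum; rejects numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_candidate(raw):
    """Validator for card matches: strip separators, require 13-19 digits and a valid Luhn sum."""
    digits = re.sub(r"[ -]", "", raw)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


# Sensitive type -> (pattern, validator or None, minimum count, action). Actions are labels
# for the two sender-notification outcomes: NotifyOnly shows a policy tip, Block rejects.
# The codename rule stands in for a custom, organisation-specific IP rule (constructed).
RULES = {
    "U.S. Social Security Number": (
        re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None, 1, "Block"),
    "Credit Card Number": (
        re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), card_candidate, 1, "NotifyOnly"),
    "Project codename (custom IP rule)": (
        re.compile(r"\bProject Falcon\b", re.I), None, 1, "Block"),
}
SEVERITY = {"Allow": 0, "NotifyOnly": 1, "Block": 2}
ORG_DOMAIN = "contoso.example"        # constructed organisation domain


def classify(text):
    """Return {sensitive type: [validated matches]} for every rule that fires."""
    found = {}
    for name, (pattern, validator, _min_count, _action) in RULES.items():
        matches = []
        for m in pattern.finditer(text):
            value = validator(m.group(0)) if validator else m.group(0)
            if value:
                matches.append(value)
        if matches:
            found[name] = matches
    return found


def evaluate(message):
    """DLP outcome for one message: the action taken and the policy tip shown to the sender.
    Only mail leaving the organisation is subject to the rules."""
    leaving_org = any(not rcpt.lower().endswith("@" + ORG_DOMAIN) for rcpt in message["to"])
    hits = classify(message["subject"] + "\n" + message["body"])
    action, reasons = "Allow", []
    if leaving_org:
        for name, matches in hits.items():
            _pattern, _validator, min_count, rule_action = RULES[name]
            if len(matches) < min_count:
                continue
            reasons.append(name)
            if SEVERITY[rule_action] > SEVERITY[action]:
                action = rule_action               # the strictest matching rule wins
    tips = {
        "Allow": "",
        "NotifyOnly": "Policy tip: this message appears to contain " + ", ".join(reasons)
                      + ". Check the recipients before sending.",
        "Block": "Blocked by policy: " + ", ".join(reasons)
                 + " may not be sent outside " + ORG_DOMAIN + ".",
    }
    return {"action": action, "hits": hits, "tip": tips[action]}


SAMPLE_MESSAGES = [   # constructed
    {"id": "internal-ssn", "to": ["hr@contoso.example"], "subject": "New hire paperwork",
     "body": "SSN for payroll: 123-45-6789"},
    {"id": "external-card", "to": ["vendor@example.net"], "subject": "Payment",
     "body": "Charge card 4111 1111 1111 1111, exp 12/15."},
    {"id": "external-ssn-and-codename", "to": ["press@example.org"],
     "subject": "Project Falcon launch", "body": "Contact John, SSN 123-45-6789."},
    {"id": "external-invoice", "to": ["vendor@example.net"], "subject": "Invoice",
     "body": "Reference number 4111 1111 1111 1112 is not a card."},
]


def demo():
    return {m["id"]: evaluate(m)["action"] for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], evaluate(m))
```

The validator step is what keeps a rule like this usable: a 16-digit invoice number matches the same pattern as a card number, and without the checksum the policy tip fires on ordinary business mail and users learn to ignore it.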
Email archiving and retention
Preserve:
In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA
Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message
Hold
• Capture deleted and edited email messages
• Time-based In-Place Hold
• Granular query-based In-Place Hold
• Optional notification
Search:
eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met
Anti-Spam / Anti-Virus
Comprehensive protection
• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies identify and stop new spam and phishing vectors in real time
Easy to use
• Preconfigured for ease of use
• Integrated administration console
Granular control
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin
Privacy by design means that we do not use your information for anything other than providing you services.
• No advertising products built out of Customer Data
• No scanning of email or documents to build analytics or mine data
• Various customer controls at admin and user level to enable or regulate sharing
• If the customer decides to leave the service, they get to take their data with them and delete it in the service
• Access to information about the geographical location of data, who has access and when
• Notification to customers about changes in security, privacy and audit information
Who owns the data I put in your service?
You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want.
Will you use my data to build advertising products?
We do not mine your data for advertising purposes. It is our policy not to use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two.
How do I get notified?
Microsoft notifies you of changes in data center locations and of any changes to compliance.
Who accesses data, and what is accessed?
Core Customer Data is accessed only for troubleshooting and malware prevention purposes, and that access is limited to key personnel on an exception basis.
Where is data stored?
Clear data maps and geographic boundary information are provided; the 'Ship To' address determines the data center location.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
Microsoft Online Services: how each data category may be used
Columns: Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service: Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention: Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics: Yes | Yes | Yes | No
Personalization, User Profile, Promotions: No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions): No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement: No | No | No | No
Advertising: No | No | No | No
We use customer data for just what customers pay us for: to maintain and provide the Office 365 service.
Who may access each data category
Columns: Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel only): Yes | Yes, as needed | Yes, as needed | Yes, by exception
Support Organization: Yes, only as required in response to a support inquiry | Yes, only as required in response to a support inquiry | Yes, only as required in response to a support inquiry | No
Engineering: Yes | No direct access; may be transferred during troubleshooting | No direct access; may be transferred during troubleshooting | No
Partners: With customer permission (see partner for more information) | With customer permission | With customer permission | With customer permission
Others in Microsoft: No | No (Yes for Office 365 for small business customers, for marketing purposes) | No | No
Resources Office 365 Trust Center (http://trust.office365.com)
Office 365 Hub (http://infopedia/Pages/MOD-Office-365-Security.aspx)