in the news…download.microsoft.com/documents/hk/technet/techdays2013/day … · • includes...
In the news…
Sony Finds More Cases of Hacking of Its Servers
By NICK BILTON, May 2, 2011
Sony said Monday that it had discovered that more credit card information and customer profiles had been compromised during an attack on its servers last week.
• Trustworthy Computing Initiative (TwC)
• BillG Memo
• Malware Protection Center
• SAS-70 Certification
• ISO 27001 Certification
• Active Directory
• Microsoft Security Response Center (MSRC)
• Microsoft Security Engineering Center / Security Development Lifecycle
• Global Foundation Services (GFS)
• FISMA Certification
• Windows Update
• 1st Microsoft Data Center
• Xbox Live
One of the world’s largest cloud providers & datacenter/network operators
Office 365 Security
• Office 365 Built-in Security
• Office 365 Customer Controls
• Office 365 Independent Verification and Compliance
Office 365 Built-in Security
• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices
24 hour monitored physical hardware
Seismic bracing
24x7 onsite security staff
Days of backup power
Tens of thousands of servers
Perimeter security
Extensive monitoring
Multi-factor authentication
Fire suppression
Isolated Customer Data
DATA in Server
Multi-tenant environment is designed to support logical isolation of data that multiple customers store on the same physical hardware.
Data isolation prevents intended or unintended access to data belonging to a different customer/tenant.
Active Directory’s organizational units keep Customer A’s data isolated from Customer B’s data.
Automated operations
Office 365 Datacenter Network / Microsoft Corporate Network
• O365 Admin requests access.
• Verify eligibility by checking if:
1. Background Check Completed
2. Fingerprinting Completed
3. Security Training Completed
• Grants temporary privilege.
• Grants least privilege required to complete task.
• Logged as Service Request:
1. Auditable
2. Available as self-service reports
Secure network
Internal Network / External Network
• Network Separated
• Data Encrypted
Networks within the Office 365 data centers are segmented.
Physical separation of critical, back-end servers & storage devices from public-facing interfaces.
Edge router security provides the ability to detect intrusions and signs of vulnerability.
Encrypted Data
Encryption of Data at Rest
BitLocker 256-bit AES Encryption on all email content
• Includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, and page file OS system disk tracing/message tracking logs.
Encryption of Data in Transit
Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
Exchange Online supports S/MIME and third-party technology such as PGP
Office 365 allows encryption of data both at rest & during transit.
Data unreadable to unauthorized parties.
Microsoft security best practices
• Security Development Lifecycle
• Throttling to Prevent DoS Attacks
• Prevent Breach
Reduce vulnerabilities, limit exploit severity
Ongoing Process Improvements
• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria & sign-off as part of FSR
• Incident Response (MSRC)
• Training: Core Security Training
• Requirements: Est. Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assess.
• Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
• Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
• Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
• Release: Incident Response Plan; Final Security Review; Release Archive
• Response: Execute Incident Response Plan
Throttling to Prevent DoS attacks
Exchange Online baselines normal traffic & usage
Ongoing investments to improve ability to recognize DoS traffic patterns
Automatic traffic shaping kicks in when spikes exceed normal
Mitigates:
• Non-malicious excessive use
• Buggy clients (BYOD)
• Admin actions
• DoS attacks
Prevent Breach
Port scanning and remediation
Perimeter vulnerability scanning
OS Patching
Network level DDOS detection and prevention
MFA for service access
Automated tooling for routine activities
• Deployment, Debugging, Diagnostic collection, Restarting services
Passwords encrypted in password store
Isolation between mail environment and production access environment for all employees
Zero standing permissions in the service
• Just in time elevations
• Automatic rejection of high privilege access requests from employees without a background check
• Scrutinized manual approval for background checked employees
Automatic account deletion
• When employee leaves
• When employee moves groups
• Lack of use
Office 365 Customer Controls
Advanced Encryption
Encryption of data at rest using Rights Management Services
• Flexibility to select items customers want to encrypt.
• Can also enable encryption of emails sent outside the organization.
Office 365 ProPlus supports Cryptographic Agility
• Integrates Cryptographic Next Generation (CNG) interfaces for Windows.
• Administrators can specify cryptographic algorithms for encrypting and signing documents
Security Risk: Risk Mitigation Technology
• Rogue Admin: RMS, BitLocker, LockBox, Physical Facility monitoring
• Data Loss Prevention (DLP): RMS; Exchange 2013 DLP Policies
• Stolen/Lost Laptop: BitLocker
• Stolen/Lost Mobile Device: BitLocker
User Access
Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control
Compliance: Data Loss Prevention (DLP)
Prevents Sensitive Data From Leaving Organization
Provides an alert when data such as Social Security and credit card numbers is emailed.
Admins can customize alerts to catch intellectual property being emailed out.
Empower users to manage their compliance
• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own
Compliance: Email archiving and retention
Preserve
In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA
Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message
Hold
• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification
Search
eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met
Anti Spam / Anti Virus
Comprehensive protection
• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time
Easy to use
• Preconfigured for ease of use
• Integrated administration console
Granular control
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin
Independent Verification & Compliance
Why get independently verified?
This saves customers time and money, and allows Office 365 to provide assurances to customers at scale
Microsoft provides transparency
“I need to know Microsoft is doing the right things”
Alignment and adoption of industry standards ensure a comprehensive set of practices and controls in place to protect sensitive data
While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls
International Standards & Controls (All Customers)
• ISO 27001
• Data Processing Agreement
• SSAE 16 (Statement on Standards for Attestation Engagement)
• SOC 1 (Type I & Type II) compliance
Industry Specific Compliance & Standards
• FISMA: US Government
• HIPAA/BAA: Healthcare Customers
• FERPA: EDU Customers
Geography Specific Standards (EU Customers)
• EU Safe Harbor
• EU Model Clauses
Compliance management framework
• Policy: Business rules for protecting information and systems which store and process information
• Control Framework: A process or system to assure the implementation of policy
• Standards: System or procedural specific requirements that must be met
• Operating Procedures: Step-by-step procedures
Privacy
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
• No Mingling: Choices to keep Office 365 Customer Data separate from consumer services.
• Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time.
• No Advertising: No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.
Transparency
• Where is Data Stored? Clear Data Maps and Geographic boundary information provided. ‘Ship To’ address determines Data Center Location.
• Who accesses and What is accessed? Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis.
• How to get notified? Microsoft notifies you of changes in data center locations.
Resources
Office 365 Trust Center (http://trust.office365.com)
• Office 365 Privacy Whitepaper (New!)
• Office 365 Security Whitepaper and Service Description
• Office 365 Standard Responses to Request for Information
• Office 365 Information Security Management Framework