Intelligent Security, Compliance and Privacy in Office 365, by Miguel Isidoro, December 17th, 2016

Upload: miguel-isidoro

Post on 12-Feb-2017


Page 1: Intelligent Security, Compliance and Privacy in Office 365

Intelligent Security, Compliance and Privacy in Office 365
by Miguel Isidoro

December 17th, 2016

Page 2: Intelligent Security, Compliance and Privacy in Office 365


Page 3: Intelligent Security, Compliance and Privacy in Office 365

Who Am I?

Miguel Isidoro
Senior SharePoint & Office 365 Consultant

[email protected]
www.linkedin.com/in/miguelisidoro
https://blogit.create.pt/miguelisidoro
http://www.create.pt

Page 4: Intelligent Security, Compliance and Privacy in Office 365

Agenda

• Platform Security
• Privacy
• Compliance
• Transparency
• Advanced Threat Protection
• Roadmap

Page 5: Intelligent Security, Compliance and Privacy in Office 365

Platform Security

Page 6: Intelligent Security, Compliance and Privacy in Office 365

Trust in Office 365

Control and Management

Privacy Compliance Security

HIGH AVAILABILITY & GLOBAL SCALABILITY

http://trust.office365.com

Transparency

99.98%

Page 7: Intelligent Security, Compliance and Privacy in Office 365

Platform Security

• The world's largest network of high security data centers
• Encrypted information at rest and in transit
  • At rest: all files are encrypted using:
    • Disk level encryption - BitLocker encrypts all data on disk
    • Per-file encryption - files are broken down into chunks individually encrypted with per-file unique encryption keys that are themselves encrypted and stored in a physically separate location
  • In transit: every file in SharePoint and OneDrive is encrypted using TLS (1.0, 1.1 and 1.2) with 2048-bit keys
• Bring your own encryption key*

Page 8: Intelligent Security, Compliance and Privacy in Office 365

Privacy

Page 9: Intelligent Security, Compliance and Privacy in Office 365

Privacy

• Differentiated Access Policies
• Greater control over external sharing
• Granular Access Controls*

Page 10: Intelligent Security, Compliance and Privacy in Office 365

Differentiated Access Policies

• User
  • Who you are, what is your role
• Device
  • Are you accessing from a managed or unmanaged device
• Location
  • Are you accessing from an expected or unexpected location
• Sensitivity of information
  • What is the sensitivity of the data you are accessing?

Page 11: Intelligent Security, Compliance and Privacy in Office 365

External Sharing

• Greater control over external sharing
  • Don’t allow sharing with users from blocked domains
  • Allow sharing with users from specific domains

Page 12: Intelligent Security, Compliance and Privacy in Office 365

External Sharing

• Sharing window duration
  • When sharing with external users, it is possible to set an expiration window

Page 13: Intelligent Security, Compliance and Privacy in Office 365

Granular Access Controls

• Allows admins to configure more granular roles for users
• Instead of just having 2 roles like before (“User” and “Global administrator”), there are now more roles available

Page 14: Intelligent Security, Compliance and Privacy in Office 365

Compliance

Page 15: Intelligent Security, Compliance and Privacy in Office 365

Compliance

• Security & Compliance Center
• Data Loss Prevention (DLP)
• Information Rights Management
• Mobile Device Management

Page 16: Intelligent Security, Compliance and Privacy in Office 365

Security & Compliance Center

• New portal for centralized management of security and compliance related policies. Includes:
  • Document retention policies
  • In-place hold
  • Data Loss Prevention (DLP)
  • eDiscovery
  • Audit log search
  • etc.

Centralized management of hold, deletion and DLP policies in SharePoint

Page 17: Intelligent Security, Compliance and Privacy in Office 365

Data Loss Prevention

• Data Loss Prevention (DLP) is one of the pieces of the Compliance offering in Office 365. It allows the management of compliance across Office 365, Exchange Online and SharePoint Online to protect sensitive information
• Office 365 includes more than 80 types of sensitive information out of the box and growing. Some examples:
  • Credit Card Number
  • Social Security Number
  • National ID Number

Page 18: Intelligent Security, Compliance and Privacy in Office 365

Data Loss Prevention

• To create a policy we must define:
  • What content to protect
  • When and how to protect
  • Conditions that the content must match before the rule is enforced, for example, look only for content containing Social Security numbers that has been shared with people outside your organization
  • Actions that you want the rule to take automatically when content matching the conditions is found, for example, block access to the document and send both the user and the compliance officer an email notification
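The condition/action rule from this slide, modelled as an added example; it is not from the original deck and is not how Office 365 implements DLP. The SSN pattern, the tenant domain, the `Document` and `evaluate` names and the sample documents are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Simplified U.S. SSN pattern (assumption): rejects area 000/666/9xx,
# group 00 and serial 0000. The real service uses its own detectors.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ORG_DOMAIN = "contoso.example"  # hypothetical tenant domain

@dataclass
class Document:
    name: str
    owner: str
    text: str
    shared_with: list = field(default_factory=list)

def is_external(address: str) -> bool:
    """True when the recipient is outside the organization's domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def evaluate(doc: Document, compliance_officer: str) -> dict:
    """Condition: an SSN is present AND the document is shared externally.
    Actions: block access, notify the owner and the compliance officer."""
    matches = SSN_RE.findall(doc.text)
    external = [a for a in doc.shared_with if is_external(a)]
    hit = bool(matches and external)
    return {
        "blocked": hit,
        "notify": [doc.owner, compliance_officer] if hit else [],
        "match_count": len(matches),
        "external_recipients": external,
    }

# Constructed sample documents.
DOCS = [
    Document("payroll.docx", "ana@contoso.example",
             "Employee SSN 123-45-6789 and 000-12-3456 (invalid).",
             ["bob@partner.example"]),
    Document("payroll-internal.docx", "ana@contoso.example",
             "Employee SSN 123-45-6789", ["rui@contoso.example"]),
    Document("menu.docx", "ana@contoso.example",
             "Order 555-1234 for lunch", ["bob@partner.example"]),
]

if __name__ == "__main__":
    for d in DOCS:
        print(d.name, evaluate(d, "compliance@contoso.example"))
```

Only the first document is blocked: the second contains an SSN but stays inside the organization, and the third is shared externally but contains no match.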

Page 19: Intelligent Security, Compliance and Privacy in Office 365

Data Loss Prevention (Policy Tips)

Create security policies, notify users when policy violations occur, and block access to sensitive content

Page 20: Intelligent Security, Compliance and Privacy in Office 365

Demo: Data Loss Prevention

Page 21: Intelligent Security, Compliance and Privacy in Office 365

Information Rights Management (IRM)

• Allows admins to define policies to protect content in the following ways:
  • Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
  • Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
  • Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server
  • Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
  • Helps to enforce corporate policies that govern the use and dissemination of content within your organization

Important: Policies are still applied even if documents are downloaded and copied to an offline location

Page 22: Intelligent Security, Compliance and Privacy in Office 365

• Mobile Device Management for Office 365 (~2m) – Link

Mobile Device Management for Office 365

Page 23: Intelligent Security, Compliance and Privacy in Office 365

Mobile Device Management for Office 365

• Allows management of mobile devices (iPads, iPhone, Android, Windows Phone) so that they access information in Office 365 resources securely. Some features:
  • Set up device policies like password requirements and security settings
  • Prevent jailbroken or rooted devices from connecting
  • Selective Wipe

Page 24: Intelligent Security, Compliance and Privacy in Office 365

Mobile Device Management for Office 365

Page 25: Intelligent Security, Compliance and Privacy in Office 365

Mobile Device Management for Office 365

Page 26: Intelligent Security, Compliance and Privacy in Office 365

Microsoft Intune

• For more advanced features, use Microsoft Intune (available through a separate subscription or Enterprise Mobility + Security)
• Device management in Intune is performed using the Azure Portal and the Intune Management Console (not in the Office 365 Security & Compliance Center)
• Some of the features:
  • Prevent cut/copy/paste/save as of data from corporate apps to personal apps
  • Management of PC devices (e.g. software update management, app deployment, etc.)
  • Comprehensive PC management (e.g. Group Policy, login scripts, BitLocker management, virtual desktop and power management, custom reporting, etc.)

Page 27: Intelligent Security, Compliance and Privacy in Office 365

Demo: Mobile Device Management (Intune)

Page 28: Intelligent Security, Compliance and Privacy in Office 365

Transparency

Page 29: Intelligent Security, Compliance and Privacy in Office 365

Transparency

• Customer Lockbox (Office 365)
• SharePoint Insights

Page 30: Intelligent Security, Compliance and Privacy in Office 365

Customer Lockbox

• Customer Lockbox Video (~2m) – Link

Page 31: Intelligent Security, Compliance and Privacy in Office 365

Customer Lockbox

• You must provide explicit permission for Microsoft to access your data
• When access is granted, it’s given on a just-in-time basis and documented for total transparency
• Microsoft engineers do not have standing access to your data

Page 32: Intelligent Security, Compliance and Privacy in Office 365

Customer Lockbox (Flow)

Important: Access to content is given by the customer!

[Flow diagram. Participants: Customer, Microsoft Engineer, Lockbox system, Microsoft Manager. Steps shown: Creates support ticket; Microsoft receives approval request; Microsoft approves request; Customer approves request.]

Page 33: Intelligent Security, Compliance and Privacy in Office 365

SharePoint Insights

• Audit Log Search
• DLP Policy Matches
• Reports

Page 34: Intelligent Security, Compliance and Privacy in Office 365

Audit Log Search

• Allows searching the audit logs to view:
  • User activity in SharePoint Online and OneDrive for Business (e.g. Viewed Files, Downloaded Files, Deleted Files, etc.)
  • User activity in Exchange Online
  • Admin activity in SharePoint Online
  • Admin activity in Azure Active Directory
  • Admin activity in Exchange Online
  • User and admin activity in Sway
  • User and admin activity in Power BI for Office 365
  • User and admin activity in Yammer
• Audit Log will be able to show aggregated auditing records from SharePoint Online and SharePoint Server (on-premises)*

Page 35: Intelligent Security, Compliance and Privacy in Office 365

Audit Log Search

Page 36: Intelligent Security, Compliance and Privacy in Office 365

Audit Log Search

Page 37: Intelligent Security, Compliance and Privacy in Office 365

DLP Policy Matches

• Allows admins to view reports of DLP policy violations

Page 38: Intelligent Security, Compliance and Privacy in Office 365

Reports

• Allows admins to view several reports:
  • Auditing reports
  • Device management reports
  • Data Loss Prevention reports

Page 39: Intelligent Security, Compliance and Privacy in Office 365

Demo: SharePoint Insights

Page 40: Intelligent Security, Compliance and Privacy in Office 365

Advanced Threat Protection

Page 41: Intelligent Security, Compliance and Privacy in Office 365

• Stay Secure with Advanced Threat Protection in Office 365 (~1m) – Link

Advanced Threat Protection

Page 42: Intelligent Security, Compliance and Privacy in Office 365

Advanced Threat Protection

• An advanced email filtering service that provides additional protection against specific types of advanced threats
• It contains:
  • Safe Attachments
  • Safe Links

Page 43: Intelligent Security, Compliance and Privacy in Office 365

Safe Attachments

• Allows the safe delivery of attachments after a prior analysis
• Analysis is performed in a sandboxed environment

Page 44: Intelligent Security, Compliance and Privacy in Office 365

Safe Attachments

• All attachments are now analysed in a sandboxed environment and files are only delivered if considered safe. The sandbox looks for:
  • Files running executables
  • Files requesting elevation of privileges
  • Files making registry calls

Page 45: Intelligent Security, Compliance and Privacy in Office 365

Safe Links

• Real time, time-of-click protection against malicious URLs
• Links in the body of the email can be rewritten to prevent users from going to a malicious URL when they click on a malicious link

Page 46: Intelligent Security, Compliance and Privacy in Office 365

Safe Links

• If users click on a malicious URL, an intermediate page is shown
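The rewrite-then-check-at-click flow from the two Safe Links slides, as an added example that is not part of the original deck and not Microsoft's implementation. The gateway URL, the function names, the block list and the sample message are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

GATEWAY = "https://gateway.example/check"  # hypothetical rewriting service
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def rewrite_body(body: str) -> str:
    """Delivery time: point every link at the gateway, carrying the
    original URL percent-encoded in the `url` query parameter."""
    return URL_RE.sub(
        lambda m: f"{GATEWAY}?url={quote(m.group(0), safe='')}", body)


def original_url(rewritten: str) -> str:
    """Recover the original destination from a rewritten link."""
    return parse_qs(urlsplit(rewritten).query)["url"][0]


def on_click(rewritten: str, blocked_hosts: set) -> tuple:
    """Click time: use the verdict known now, not the one at delivery.
    Returns ("redirect", url) or ("warning_page", url)."""
    url = original_url(rewritten)
    host = (urlsplit(url).hostname or "").lower()
    # Check the host itself and every parent domain against the block list.
    parts = host.split(".")
    candidates = {".".join(parts[i:]) for i in range(len(parts))}
    if candidates & blocked_hosts:
        return ("warning_page", url)
    return ("redirect", url)


# Constructed sample message.
BODY = "Invoice: http://files.vendor.example/inv?id=7&x=1 - thanks"
REWRITTEN = rewrite_body(BODY)
LINK = URL_RE.search(REWRITTEN).group(0)

if __name__ == "__main__":
    print(REWRITTEN)
    print(on_click(LINK, set()))               # no verdict at delivery
    print(on_click(LINK, {"vendor.example"}))  # domain flagged afterwards
```

The same delivered link yields a redirect before the domain is flagged and the intermediate warning page afterwards, which is the reason the check happens at click time.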

Page 47: Intelligent Security, Compliance and Privacy in Office 365

Roadmap

Page 48: Intelligent Security, Compliance and Privacy in Office 365

Roadmap

• New data centers: France, South Korea and USA
• Bring your own encryption key
• SharePoint site classification
• Hybrid SharePoint Auditing (preview)

Q2 and Q3 2016 Q4 2016 and 2017

• New data centers: UK, Canada
• Customer Lockbox
• DLP, MDM and MAM
• Conditional Access Policies

• App Discovery Dashboard
• Multi-factor authentication

https://fasttrack.microsoft.com/roadmap

Page 49: Intelligent Security, Compliance and Privacy in Office 365

Q&A?

Page 50: Intelligent Security, Compliance and Privacy in Office 365


Page 51: Intelligent Security, Compliance and Privacy in Office 365