Presented by Jarrod Roark, Director – Advanced Infrastructure, Bennett Adelson


Post on 01-Jan-2016



Security and Legal Concerns

The missing manual for SharePoint Online


Agenda

• Premise
• Most commonly asked questions and concerns
• Summary
• Q and A


Disclaimer

I am not a lawyer!


Premise

• Problem: In my experience, the number one roadblock to successfully delivering an on-time, on-budget online services migration/implementation is legal and security concerns inside our clients' organizations.

• Solution:
  – Education
  – Policy
  – Controls


Most common concerns relating to Online Services

• Is my information safe in the cloud?
• What if Microsoft gets hacked?
• How do we deal with sensitive data?


Is my information safe in the cloud?

• You are responsible for determining whether Microsoft security meets your organization's requirements.

• It is up to you to evaluate if you have particularly sensitive data, or data that must be held to a certain level of security under regulations applicable to your industry.

• ISO 27001
• Safe Harbor
• SSAE16 SOC1 Type II
• FISMA


What if Microsoft gets hacked?

• Limitation on liability. To the extent permitted by applicable law, the liability of each party, its Affiliates, and its contractors arising under this agreement is limited to direct damages up to (1) for Products other than Online Services, the amount you were required to pay for the Product giving rise to that liability and (2) for Online Services, the amount you were required to pay for the Online Service giving rise to that liability during the prior 12 months. [1]

• Look at your existing cyber insurance policies. Do they have a cloud services rider? If not, find out the cost of adding one.

[1] http://www.microsoft.com/global/en-us/office365/RenderingAssets/mosa/MOSA2011Agr(NA)(ENG)(Apr2012)(HTML).htm


How do we deal with sensitive data?

• Level set!


How do we deal with sensitive data?

Define mobility strategy.

Who
• Users
• Roles

What
• Data Categorization
• Applications

Where
• Devices
• Location

When
• Business Hours
• Anytime

Policy

Controls = How

Policy + Controls = Strategy


How do we deal with sensitive data?

• Consider the paradigm shift to user-centric management.
• Work with your chosen platform, not against it.
• Leverage the included and available tools before third-party solutions.
  – RMS – Data leakage protection
  – DAC – Policy-driven access control
  – Azure AD Premium – user self-service and role-based access
  – Intune – mobile device management


Summary

• Education
  – Involve Security, Legal and key stakeholders BEFORE making a decision, to understand and address their concerns.
    • Lock in scope based on BUSINESS requirements, not what you can do.
  – Be informed on the platform.
    • What it can and cannot do.
  – Watch for project creep early and maintain a tight scope.
• Policy
  – Define a mobility strategy.
  – Document requirements and policy early on and stick to them.
  – Don't try to implement every thought or suggestion before go-live.
  – Iterative approach based on current corporate culture, and continuously reviewed/improved.
• Controls
  – Policy should drive controls, not the other way around.
  – Work with the platform, not against it.


Q & A

• Thank you!
• Contact Info
  – Jarrod Roark
  – [email protected]
  – 614-715-9068