Post on 13-Jul-2020
Office 365 Security and Compliance overview
Angelos Eliades, Microsoft Certified Trainer, Training Manager at Aktina
angelos@aktina.com.cy
Common Business Requirements
• Security: Is my information safe?
• Retention: What happens when an employee leaves?
• Policies: How do we manage our information?
• Auditing: What's happening to the information?
• Control: Who has access to the information?
• Reporting: How do I know what's happening with the information?
Office 365 Defense (Physical Layer, Logical Layer, Data Layer)
• Physical controls, video surveillance, access control
• Edge routers, firewalls, intrusion detection, vulnerability scanning
• Dual-factor authentication, intrusion detection, vulnerability scanning
• Access control and monitoring, anti-malware, patch and configuration management
• Secure engineering, access control and monitoring, anti-malware
• Account management, training and awareness, screening
• Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
Two faces of compliance in Office 365
Built-in service capabilities (global compliance):
• Access Control
• Auditing and Logging
• Continuity Planning
• Incident Response
• Risk Assessment
• Communications Protection
• Identification and Authorization
• Information Integrity
• Awareness and Training
Customer controls for compliance and internal policies:
• Data Loss Prevention
• Archiving
• Retention
• eDiscovery
• Legal Hold
• Encryption
• S/MIME
• Rights Management
• Office 365 email encryption
Security best practices such as penetration testing and defense-in-depth protect against cyber threats.
Network security
Network separated, data encrypted:
• Networks within the Office 365 data centers are segmented.
• Physical separation of critical back-end servers and storage devices from public-facing interfaces.
• Edge router security allows intrusions and signs of vulnerability to be detected.
• Firewall rules and host-based firewall rules are implemented in the network.
Personnel security - Just in time access
• Mandatory background check for high-privilege access, fingerprinting, security training.
• Just-In-Time access and elevation granted on an as-needed basis (default access time is 4 hours).
• System grants the least privilege required to complete the task.
• Role Based Access Control (RBAC).
• Servers in the Office 365 service have a pre-determined set of processes that can be run, enforced with AppLocker.
Just-in-time access flow: Microsoft admin/engineer (zero standing privileges) -> request with reason -> approval process -> temporary access
Datacenters security
• Sectional datacenters
• No access to individual computing components
• Very small IT staff onsite
• Physical access controls
• Biometric sensors, 24-hour secured access
• Motion sensors
• Location known and recorded at all times
• Security breach alarms
• Physical security of containers
• Redundancy and disaster recovery
• Regular data backups
Where is my data?
http://o365datacentermap.azurewebsites.net/
Customer data isolation
• Designed to support logical isolation of data that multiple customers store on the same physical hardware.
• Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.
Customer data Security
• Data in transit
  • Strong SSL/TLS protocols
  • Client-to-server encryption
  • Datacenter-to-datacenter encryption
• Data at rest
  • BitLocker 256-bit AES disk encryption
  • Auditing
  • Per-file encryption for customer content
  • Encryption at rest protects data on servers
Encryption at rest with Per-file Encryption
[Figure: per-file encryption at rest, numbered flow (steps 1 to 6) ending in storage containers]
Breach simulations
Privacy
Privacy by design means that Microsoft does not use your information for anything other than providing your services.
Recent worldwide uptimes
SLA: Commit to delivering at least 99.9%* uptime with a financially backed guarantee.
*43 minutes per month, 10% service credits
Quarter | Uptime
2014 Q2 | 99.95%
2014 Q3 | 99.98%
2014 Q4 | 99.99%
2015 Q1 | 99.99%
2015 Q2 | 99.95%
2015 Q3 | 99.98%
2015 Q4 | 99.98%
Standards & Certifications
https://products.office.com/business/office-365-trust-center-top-10-trust-tenets-cloud-security-and-privacy
Data security with access control, encryption and strong authentication
Unique customer controls with Rights Management Services to allow customers to protect information
Anti Spam/ Anti Virus
• Multi-engine antimalware protects against 100% of known viruses.
• Continuously updated anti-spam protection captures 98%+ of all inbound spam.
• Advanced fingerprinting technologies identify and stop new spam and phishing vectors in real time.
• Mark all bulk messages as spam.
• Block unwanted email based on language or geographic origin.
Multi-factor authentication using any phone
Needs something you "know" (a password?) and something you "own" (a mobile phone?).
Second factor delivered to an office or mobile device:
• Push notification (mobile apps)
• One-time passcode (OTP) token
• One-time passcode (OTP) by SMS (text messages)
• Phone calls
Mobile Device Management - BYOD
Microsoft Intune MDM:
• Conditional Access
• Device Management
• Selective Wipe
• Advanced Application Management
Office 365 built-in Mobile Device Management:
• Conditional access
• Device management
• Selective wipe
Rights Management Service
Prevents sensitive information from being printed, forwarded, or copied by unauthorized people inside the organization.
• Hosted service, with limited infrastructure to maintain.
• Persistent protection stays with the file no matter where it goes.
• Granular permissions control who can open a file and then what they can do with it.
• Flexibility to use user-defined permission policies and centrally defined templates.
• RMS can be applied to any file type using the RMS app*
RMS with SharePoint online
RMS over other approaches
Functionality compared across RMS in Office 365, S/MIME, ACLs (Access Control Lists) and BitLocker:
• Data is encrypted in the cloud
• Encryption persists with content
• Protection tied to user identity
• Protection tied to policy (edit, print, do not forward, expire after 30 days)
• Secure collaboration with teams and individuals
• Native integration with my services (content indexing, eDiscovery, BI, virus/malware scanning)
• Lost or stolen hard disk
Data Loss Prevention - DLP
• Prevents sensitive data from leaking either inside or outside the organization.
• Provides an alert when data such as Social Security and credit card numbers is emailed.
• Alerts can be customized by the admin to catch intellectual property being emailed out.
• Permits users to manage their compliance
• Doesn't disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin-customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own
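As an added illustration (not code from the presentation), the Python sketch below shows the kind of content inspection a DLP rule performs for the two data types named above: it looks for credit card numbers (validated with the Luhn checksum so that arbitrary 16-digit references do not trigger) and US Social Security numbers, then applies a block-unless-overridden action of the kind shown in the demo. The sample messages are constructed; the card number is the standard test number.

```python
import re

# Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_MESSAGES = [
    "Quarterly figures attached, see you Monday.",
    "Please bill card 4111 1111 1111 1111 for the order.",
    "Applicant SSN is 123-45-6789, file enclosed.",
    "Ticket ref 1234-5678-9012-3456 (not a card).",
]

# 13-16 digits optionally separated by spaces or hyphens; 3-2-4 digit SSN layout.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
POLICY_TIP = "This message appears to contain a credit card or Social Security number."


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (type, matched text) pairs for each sensitive item found."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):  # drop separators before checking
            hits.append(("credit_card", m.group()))
    hits.extend(("ssn", m.group()) for m in SSN_RE.finditer(text))
    return hits


def evaluate_policy(text: str, user_override: bool = False) -> dict:
    """Mimic a DLP rule: block outbound mail carrying sensitive data unless the
    sender explicitly overrides; overrides are allowed but flagged for audit."""
    hits = find_sensitive(text)
    if not hits:
        return {"action": "allow", "hits": hits, "tip": None}
    action = "allow_with_override" if user_override else "block"
    return {"action": action, "hits": hits, "tip": POLICY_TIP}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(evaluate_policy(msg)["action"], "<-", msg)
```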
DLP document fingerprinting
• Scan email and attachments to look for patterns that match document templates.
• Protect sensitive documents from being accidentally shared outside your organization.
• No coding required; simply upload sample documents to create fingerprints.
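To show how a document fingerprint can recognise a filled-in copy of an uploaded template, here is an added example (my own sketch, not Microsoft's implementation): the template is reduced to hashed word trigrams, and a candidate attachment is scored by how many of those trigrams it contains, so inserted field values do not prevent a match. The form, the filled copy and the unrelated note are constructed; the 0.5 threshold is an assumption.

```python
import hashlib
import re

# Constructed sample documents: a blank form used as the fingerprint source,
# the same form filled in (should match) and an unrelated note (should not).
TEMPLATE = """Patient Intake Form
Full name:
Date of birth:
Medical record number:
Primary insurance provider:
Policy number:
Emergency contact name:
Emergency contact phone:
Please complete all fields and return this form to the front desk."""

FILLED_FORM = """Patient Intake Form
Full name: Jane Roe
Date of birth: 1980-04-02
Medical record number: MRN-00042
Primary insurance provider: Example Health
Policy number: EH-7781
Emergency contact name: John Roe
Emergency contact phone: 555-0100
Please complete all fields and return this form to the front desk."""

UNRELATED = "Lunch at noon tomorrow? The new cafe on Main Street has a great menu."


def shingles(text: str, n: int = 3) -> set:
    """Hash every run of n consecutive words; the set of hashes is the fingerprint."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()[:16]
            for i in range(len(words) - n + 1)}


def make_fingerprint(template_text: str) -> set:
    return shingles(template_text)


def match_score(fingerprint: set, candidate_text: str) -> float:
    """Fraction of the template's shingles that also occur in the candidate.
    Containment (not Jaccard) is used so filled-in values do not dilute the score."""
    if not fingerprint:
        return 0.0
    return len(fingerprint & shingles(candidate_text)) / len(fingerprint)


def matches_template(fingerprint: set, candidate_text: str, threshold: float = 0.5) -> bool:
    return match_score(fingerprint, candidate_text) >= threshold


if __name__ == "__main__":
    fp = make_fingerprint(TEMPLATE)
    print("filled form:", round(match_score(fp, FILLED_FORM), 2), matches_template(fp, FILLED_FORM))
    print("unrelated:  ", round(match_score(fp, UNRELATED), 2), matches_template(fp, UNRELATED))
```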
eDiscovery and In-Place Hold
Hold (keep the data you do want):
• Data held in-place
• Customize holds based on filters
• Hold across multiple products in a single action
• Capture deleted & edited messages
Deletion (delete the data you don't want):
• Automated time-based criteria to delete
• Set policies at item or folder level, by admin or user
• Set site-level retention policies
Search (find the data you need):
• Search across multiple products
• De-duplication & search statistics
• Case management
• Export search results
Perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
More encryption mechanisms
• Rights Management Service with DLP
• S/MIME* provides secure certificate-based email access.
• Office 365 Message Encryption allows sending encrypted email to any SMTP address.
*Secure/Multipurpose Internet Mail Extensions
Security Threats and Countermeasures
Threat -> Countermeasure
• Stolen password -> Two-factor authentication
• Data leakage -> DLP policy
• Unsecure transport -> Mail encryption
• Lost devices:
  • Computer -> Hard drive encryption
  • Mobile -> Remote device wipe
  • USB drive -> Portable file encryption
• Disk failures -> Redundant storage
• DoS / unavailability -> Throttling / 99-98 quarterly uptime
• Internal theft of data -> Physical and employee security, encryption in transit, encryption at rest
Office 365 email Encryption and DLP fingerprint
Demo
To send the message without removing the information, you must first select Override
angelos@aktina.com.cy
Thank you