The State of Office 365 Security

Post on 14-Apr-2017

A Quick Intro

Tel Aviv: World-Class R&D

Boston: Corporate HQ

Doug Lane, VP of Product Marketing

Today’s Topics

• Office 365 market trajectory
• Microsoft’s big cloud security moves
• The current native Office 365 security toolbox
• Vertical-specific considerations
• Real-world tests of Office 365 security
• When to consider third party cloud security solutions
• Q&A

Office 365 is Taking Off

It’s Going Enterprise

Is Office 365 ready for the enterprise?

Operationally, yes.

…but security is a big concern for many organizations

Microsoft’s Response

Key Native Security Features

Identity and Access Management

Data Loss Prevention

EOP & ATP for Exchange Online

• Exchange Online Protection (EOP)
  • Included with Business / Enterprise subscriptions
  • Anti-Malware/Anti-Spam
• Advanced Threat Protection (ATP)
  • Optional add-on
  • Message sandboxing, link reputation checking, and URL reporting/tracing

Activity Reporting and Visibility

Customer Lockbox

Native Encryption Capabilities

• Encryption in transit (TLS)
• Encryption at rest (BitLocker)
• S/MIME
• Office 365 Message Encryption

Data Residency

Data Security

Unauthorized Disclosure

Compliance

The Big Question: Is it Good Enough?

“By 2018, 40% of Office 365 deployments will rely on third-party tools to fill gaps in security and compliance, which is a major increase from less than 10% in 2015” (Gartner)

Example: Healthcare

• Mature framework for sharing compliance responsibility with third parties
• Microsoft provides blanket BAA contractual language
• More is always better, but Microsoft provides a good foundation

Other Verticals are… Messier

• Financial Services: FDIC and other industry audits

• Multi-National Enterprise: International data residency laws

• Law Firms and Mission-Based Orgs: Control over subpoena process

• Government Sector: ITAR compliance risk

Is the Risk Real or Imagined?

Data Disclosure Uncertainty

International Data Residency Uncertainty

And Finally… Desperate Measures

Third Party Cloud Security Landscape

Key Benefits:

• Unified approach
• Separation of control

Cloud Data Protection

“The Treatment”

Cloud Discovery

“The Diagnosis”

Key Cloud Data Protection Ingredients

• Zero visibility encryption is the centerpiece
• Additional non-encryption controls focused on protecting data
• Data redaction
• Policy definition and enforcement (via inline proxy AND out-of-band SaaS provider APIs)
• Alerting: built-in and/or feeds to SIEM tools for more advanced usage
• Auditing / Analytics: built-in and/or feeds to analytics tools (e.g., Splunk)

Example: Zero Visibility Encryption

[Figure: diagram with the labels "CDP Gateway", "Intended Recipient", "(SSL)" and "(Vaultive & SSL)". The sample message "From: Mia To: Vincent. Vincent, attached is the customer’s SSN and Credit-Card information." appears in readable form at some points in the diagram and as unreadable ciphertext at others.]

Final Thoughts

• Microsoft is highly committed to Office 365 security
• It offers extensive native capabilities across the board
• Best of breed third party products will continue to fill critical gaps
• A key question: can your business/industry support Microsoft having access to your unencrypted data?

Want to learn more about Office 365 Security?

Visit: http://vaultive.com/for-your-technology/office-365-security/