In the news…download.microsoft.com/documents/hk/technet/techdays2013/Day … · • Includes...


In the news…

Sony Finds More Cases of Hacking of Its Servers

By NICK BILTON, May 2, 2011

Sony said Monday that it had discovered that more credit card information and customer profiles had been compromised during an attack on its servers last week.

Figure labels: Trustworthy Computing Initiative (TwC); BillG Memo; Malware Protection Center; SAS-70 Certification; ISO 27001 Certification; Active Directory; Microsoft Security Response Center (MSRC); Microsoft Security Engineering Center / Security Development Lifecycle; Global Foundation Services (GFS); FISMA Certification; Windows Update; 1st Microsoft Data Center; Xbox Live

One of the world’s largest cloud providers & datacenter/network operators

Office 365 Security

• Office 365 Built-in Security
• Office 365 Customer Controls
• Office 365 Independent Verification and Compliance

Figure labels: 24 Hour Monitored Physical Hardware; Isolated Customer Data; Secure Network; Encrypted Data; Automated operations; Microsoft security best practices

Office 365 Built-in Security

• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices

24 hour monitored physical hardware

• Seismic bracing
• 24x7 onsite security staff
• Days of backup power
• Tens of thousands of servers
• Perimeter security
• Extensive monitoring
• Multi-factor authentication
• Fire suppression

Isolated Customer Data

DATA in Server

The multi-tenant environment is designed to support logical isolation of data that multiple customers store on the same physical hardware.

Intended or unintended access to data belonging to a different customer/tenant is prevented by data isolation.

Active Directory’s organizational units keep Customer A’s data isolated from Customer B’s data


Automated operations

Figure labels: Office 365 Datacenter Network; Microsoft Corporate Network

• O365 Admin requests access
• Verify eligibility by checking if:
  1. Background Check Completed
  2. Fingerprinting Completed
  3. Security Training Completed
• Grants least privilege required to complete task.
• Grants temporary privilege
• Logged as Service Request:
  1. Auditable
  2. Available as self-service reports

Secure network

Figure labels: Internal Network; External Network; Network Separated; Data Encrypted

Networks within the Office 365 data centers are segmented.

Physical separation of critical, back-end servers & storage devices from public-facing interfaces.

Edge router security provides the ability to detect intrusions and signs of vulnerability.

Encrypted Data

Encryption of Data at Rest

BitLocker 256-bit AES encryption on all email content

• Includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, and page file OS system disk tracing/message tracking logs.

Encryption of Data in Transit

Transport Layer Security (TLS) / Secure Sockets Layer (SSL)

Exchange Online supports S/MIME and third-party technology such as PGP

Office 365 allows encryption of data both at rest & during transit.

Data unreadable to unauthorized parties.


Microsoft security best practices

• Security Development Lifecycle
• Throttling to Prevent DoS Attacks
• Prevent Breach

Reduce vulnerabilities, limit exploit severity

Ongoing Process Improvements

• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria & sign-off as part of FSR
• Incident Response (MSRC)

SDL phases and activities:

• Training: Core Security Training
• Requirements: Est. Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assess.
• Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
• Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
• Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
• Release: Incident Response Plan; Final Security Review; Release Archive
• Response: Execute Incident Response Plan

Throttling to Prevent DoS attacks

Exchange Online baselines normal traffic & usage

Ongoing investments to improve ability to recognize DoS traffic patterns

Automatic traffic shaping kicks in when spikes exceed normal

Mitigates:
• Non-malicious excessive use
• Buggy clients (BYOD)
• Admin actions
• DoS attacks

Prevent Breach

Port scanning and remediation

Perimeter vulnerability scanning

OS Patching

Network level DDOS detection and prevention

MFA for service access

Automated tooling for routine activities

• Deployment, Debugging, Diagnostic collection, Restarting services

Passwords encrypted in password store

Isolation between mail environment and production access environment for all employees

Zero standing permissions in the service

• Just in time elevations

• Automatic rejection of non-background check employees to high privilege access

• Scrutinized manual approval for background checked employees

Automatic account deletion

• When employee leaves

• When employee moves groups

• Lack of use


Office 365 Customer Controls


Advanced Encryption

Encryption of data at rest using Rights Management Services
• Flexibility to select items customers want to encrypt.
• Can also enable encryption of emails sent outside the organization.

Office 365 ProPlus supports Cryptographic Agility
• Integrates Cryptography Next Generation (CNG) interfaces for Windows.
• Administrators can specify cryptographic algorithms for encrypting and signing documents

Security Risk: Risk Mitigation Technology
• Rogue Admin: RMS, BitLocker, LockBox, Physical Facility monitoring
• Data Loss Prevention (DLP): RMS; Exchange 2013 DLP Policies
• Stolen/Lost Laptop: BitLocker
• Stolen/Lost Mobile Device: BitLocker

User Access

Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services

Enables additional authentication mechanisms:
• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control

Compliance: Data Loss Prevention (DLP)

Prevents Sensitive Data From Leaving Organization

Provides an alert when data such as Social Security and credit card numbers is emailed.

Alerts can be customized by the admin to catch intellectual property being emailed out.

Empower users to manage their compliance

• Contextual policy education

• Doesn’t disrupt user workflow

• Works even when disconnected

• Configurable and customizable

• Admin customizable text and actions

• Built-in templates based on common regulations

• Import DLP policy templates from security partners or build your own
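
The detection step behind the alert described above, as an added example (not code from the presentation or from Exchange DLP): candidate card numbers are confirmed with the Luhn checksum to cut false positives, and findings are masked before being reported. The patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(body: str) -> list[tuple[str, str]]:
    """Return (data_type, masked_value) findings for an outbound message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # checksum rejects order numbers, phone numbers, etc.
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", mask(m.group())))
    return findings


# Constructed sample messages (a public test card number and SSN-shaped values).
SAMPLE_LEAK = "Hi, please charge 4111 1111 1111 1111 and file under SSN 123-45-6789."
SAMPLE_CLEAN = "Order 4111 1111 1111 1112 shipped; call 000-12-3456 for tracking."

if __name__ == "__main__":
    for text in (SAMPLE_LEAK, SAMPLE_CLEAN):
        print(scan_message(text) or "no sensitive data found")
```
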


Compliance: Email archiving and retention

Preserve; Search

In-Place Archive
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA

Governance
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message

Hold
• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification

eDiscovery
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met

Anti Spam/ Anti Virus

Comprehensive protection
• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time

Easy to use
• Preconfigured for ease of use
• Integrated administration console

Granular control
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin

Independent Verification & Compliance


Why get independently verified?

This saves customers time and money, and allows Office 365 to provide assurances to customers at scale

Microsoft provides transparency

“I need to know Microsoft is doing the right things”

Alignment and adoption of industry standards ensure a comprehensive set of practices and controls in place to protect sensitive data

While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls

International Standards & Controls (All Customers)
• ISO 27001
• Data Processing Agreement
• SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance

Industry Specific Compliance & Standards
• FISMA: US Government
• HIPAA/BAA: Healthcare Customers
• FERPA: EDU Customers

Geography Specific Standards (EU Customers)
• EU Safe Harbor
• EU Model Clauses

Compliance management framework

• Policy: Business rules for protecting information and systems which store and process information
• Control Framework: A process or system to assure the implementation of policy
• Standards: System or procedural specific requirements that must be met
• Operating Procedures: Step-by-step procedures

Privacy

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

No Mingling
• Choices to keep Office 365 Customer Data separate from consumer services.

Data Portability
• Office 365 Customer Data belongs to the customer.
• Customers can export their data at any time.

No Advertising
• No advertising products out of Customer Data.
• No scanning of email or documents to build analytics or mine data.

Transparency

Where is Data Stored?
• Clear Data Maps and Geographic boundary information provided
• ‘Ship To’ address determines Data Center Location

Who accesses and What is accessed?
• Core Customer Data accessed only for troubleshooting and malware prevention purposes
• Core Customer Data access limited to key personnel on an exception basis.

How to get notified?
• Microsoft notifies you of changes in data center locations.

Resources

Office 365 Trust Center (http://trust.office365.com)
• Office 365 Privacy Whitepaper (New!)
• Office 365 Security Whitepaper and Service Description
• Office 365 Standard Responses to Request for Information
• Office 365 Information Security Management Framework