Aptera Presents:

Security and Compliance in Office 365

Mark GordonEnterprise Architect

How storing your data in the cloud can be even more secure than storing them on premises

Agenda

•Businesses Security and Compliance needs

•Office 365 Security and Compliance

•Demonstration of Compliance Capabilities

•Next Steps

Common Examples of Compliance Regulations

Transparency/Audit

• 21 CFR Part 11 Audit Trail

• SEC

• SAS 70 Type I and Type II

Privacy/Non Disclosure

•HIPAA•ITAR•FISMA•FERPA•EU model clauses•Gramm-Leach-Blily

Legal

• Hold and E Discovery

• Three common types of compliance concerns

• Most businesses will have some of all three

• Office 365 can be part of compliant solutions for these regulations

Common Compliance Requirements that can be met in Office 365

See THIS link for a framework to build your compliance plan

Healthcare

• HIPAA

• FISMA

• Legal Discovery

• 21 CFR Part 11 Audit Trail

High Tech/Manufacturing

• ITAR

• ISO 27001

• Legal Discovery

• EU Model Clauses

Finance

• PCI

• Gramm–Leach–Bliley Act

• Legal Discovery

• Internal/External Audit

• Compliance starts with and is most importantly corporate policy

• Compliance is implemented through IT systems

• If your technology is not compliant you are not compliant

• Just because your technology is compliant does not make you compliant

Office 365 Trust Center – http:trustoffice365.com

Office 365 Compliance• HIPAA Business Associate Agreement

• ISO 27001

• EU Model Clauses

• DPA-Data Processing Agreement

• FISMA

• ITAR

• FERPA

• External Audit

Office 365 Security

• Modular Datacenters– No access to individual computing

components– Very small IT staff onsite

• Physical Access Controls– Biometric– RFID – Location known and recorded

at all times

• Physical Security

• Redundancy and Disaster Recovery

• Network

Security Threats and Countermeasures

Threats

• Stolen Password

• Data Leakage

• Unsecure Transport

• Lost Devices– Computer– Mobile– USB Drive

• Disk Failures

• Internal theft of Data

• Blind Subpoena

• DOS / Unavailability

Countermeasures

• Two Factor Authentication

• Mail Encryption

• DLP Policy

• Remote Device Wipe

• Hard Drive Encryption

• Portable File Encryption

• Redundant Storage

• Physical and Employee Security

• Encryption in Transit

• Encryption at Rest

• Throttling / 99.98 quarterly uptime

Protecting from Stolen Passwords:Multi-factor Authentication

Implementation

• Built in to Office 365

• Works with your locally managed AD accounts

• Simple to implement

• Implement for Global Administrators or any other users who have access to high risk information

• User can change 2nd factor method

Requirements

• Access to phone or mobile device

• Options– Text

– Application

– Phone Call

Multi-factor Authentication Demo

Protecting e-mail and documents in transit:Encryption Options

• E-mail– Office 365 Mail Encryption

– TLS Transport Rules

• Documents/Communications– All client traffic encrypted

• Lync

• Outlook

• Office

• Browser

• Encrypted mail is hosted on a web server from the Microsoft Datacenter

• Recipients get e-mail with a link to the message

• TLS is easier for the recipient and can be secure

DLP - Encrypted E-mail and TLSDemo

Protecting against lost or stolen devices

Device Security Policy

• Device Password

• Remote Device Wipe

• Bad Password Count Lockout

• Bad Password Count Reset

Remote Wipe

• Can be done from any browser by the device owner or an administrator

Remote Device WipeDemo

Protecting Files on any media or device

Information Rights Management

• Portable Encryption– Works on any device or storage medium

• Access to document can be revoked– Person leaves company or project– Document can expire

• Granular access rights– Read– Copy– Print– Forward

Portable File EncryptionDemo

E-Discovery – Hold – Retention Policy

E-Discovery

• Discovery Agents

• Email, Documents, Lync

• Search options

• Exporting results

In Place Hold

• By search criteria

• Mailbox legal hold– Retention period

Retention Policy

• Defines when items are destroyed or moved

• Can be managed by user and/or set by policy

Discovery-Hold-RetentionDemo

Encryption at RestBYOE – Bring Your Own Encryption

Provider Encryption at Rest

• Protects against– Physical access to disks

• Does not protect against– Blind Subpoena– Programmatic Access to your Data– Administrator Access to your Data

• Native Support for– Read/Write– Search and Index– Remote Access

BYOE

• Protects against– Physical access to disks– Blind Subpoena– Programmatic Access to your Data– Administrator Access to your Data

• Must Allow Support for– Read/Write– Search and Index– Remote Access

BYOE Architecture e-mail

From: Mia To:VincentVincent, attached is thecustomer’s SSN and Credit-Card information.

From: Mia To:Vincent躎疓拺鴵鍔漼軴唺傖듌鐴給섐럑蜖虝私乴諡䂸䄙舅矇潹솴湶썙鑡㨜争껎㾔뻚

From: Mia To:Vincent躎疓拺鴵鍔漼軴唺傖듌鐴給섐럑蜖虝私乴諡䂸䄙舅矇潹솴湶썙鑡㨜争껎㾔뻚

From: Mia To:VincentVincent, attached is thecustomer’s SSN and Credit-Card information.

From: Mia To:Vincent躎疓拺鴵鍔漼軴唺傖듌鐴給섐럑蜖虝私乴諡䂸䄙舅矇潹솴湶썙鑡㨜争껎㾔뻚

Action Plan

Identify Owners for

• Document/mail retention

• Legal Hold/Discovery

• Compliance

• Security Policy

• Disaster Recovery

Define your Corporate

• Compliance requirements

• Security Policy

• Retention Policy

• Legal/Discovery-Hold Policy

• Disaster Recovery Plan

Match against currently systems

• Compliance capabilities

• Security capabilities

• Retention capabilities

• Legal/Discovery-Hold capabilities

Evaluate Office 365 Capabilities

• Compliance

• Security

• Availability/Recovery

• Retention

• Legal

Next Step:FreeApteraCompliance and Security Strategy Review

Surface Winner!

Questions?Email:secure@apterainc.com

Phone:260-739-1949

References

• Free 30 day Office 365 Trial

• Office 365 Service Updates

• Office 365 Service Descriptions

• Office 365 Privacy, Security and Compliance

• Office 365 security white paper