Office 365 Security - MacGyver, Ninja or Swat team

Internal Audit, Risk, Business & Technology Consulting

OFFICE 365 SECURITY MACGYVER, NINJA OR SWAT TEAM?

Antonio Maio
Protiviti | Senior SharePoint Architect
Microsoft Office Server and Services MVP

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2


MACGYVER

IT Team Member

• Typically work alone

• Given responsibility for Office 365

• No formal security training, or self-trained

• Smart - Comfortable learning & working with technology

• Good at pulling together solutions with what’s available

• Smaller organization – No/low budget for training & tools

• Very security minded/concerned


NINJA

The Security Expert

• Typically work alone

• Formally trained security expert / Know your stuff (CISSP, CISM, MSCP, OSCP, etc.)

• Very security minded/concerned

• Some budget for training & tools


SWAT TEAM

The Information Security Team

• Highly skilled team members

• Comprised of multiple security experts

• Distributed roles & responsibilities

• Larger or heavily regulated organizations

• Very security minded & compliance focused

• Annual budgets for training & tools


BUILT IN SECURITY

What everyone should know…


• Understand Cloud Provider Responsibilities

• Understand Your Responsibilities

In a cloud environment, security and information protection must be a Shared Responsibility. Understanding how your responsibilities are managed requires strong Information Governance policies & procedures.

SAAS = Office 365

PAAS = Azure Web Services, Azure Functions, etc.

IAAS = Azure VMs


https://channel9.msdn.com/Shows/Azure-Friday/Red-vs-Blue-Internal-security-penetration-testing-of-Microsoft-Azure


Reference and cipher suites: https://technet.microsoft.com/en-us/library/dn569286.aspx


MACGYVER – IT TEAM MEMBER


Control how sites and documents can be shared with External Users on a site collection by site collection basis.


Click Settings > Services and Add-Ins > Sites


SharePoint Online has the same inherited, hierarchical, permissive permission model as SharePoint on-premises.

Figure: permission hierarchy. Office 365 Customer Tenant > SharePoint Online > Site Collection > Site > Library / List > Document / Item

Sample permission entries shown in the figure (principal, type, permission level):

• Demo Members, SharePoint Group, Edit

• Demo Owners, SharePoint Group, Full Control

• Demo Visitors, SharePoint Group, Read

• Finance Team, Domain Group, Edit

• Senior Mgmt, Domain Group, Full Control

• Research Team, Domain Group, Full Control

• Senior Mgmt, Domain Group, Full Control

• Research Team, Domain Group, Full Control

• Senior Mgmt, Domain Group, Full Control

• Antonio.Maio, Domain User, Full Control

• If a user is a member of multiple groups which have access to a resource, the user will get the highest level of group access granted.

• To remove a user’s access to a resource, they must be removed from all groups which have access.

• There is no concept of a deny policy.
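
The three rules above, modelled as an added example (not part of the original deck, and not a SharePoint API call). It reuses the slide's sample groups; the user's group membership and the ranking Read < Edit < Full Control are assumptions made for the illustration.

```powershell
# Added illustration; models only the rules stated on the slide.
# Assumption: the three levels rank Read < Edit < Full Control.
$LevelRank = @{ 'Read' = 1; 'Edit' = 2; 'Full Control' = 3 }

# Group grants on one resource, using the slide's sample entries.
$Grants = @{
    'Demo Visitors' = 'Read'
    'Finance Team'  = 'Edit'
    'Senior Mgmt'   = 'Full Control'
}

function Get-EffectiveAccess {
    param(
        [hashtable]$Grants,     # group name -> permission level on the resource
        [string[]]$UserGroups   # groups the user belongs to
    )
    # Only groups that contain the user AND hold a grant on the resource matter.
    $granting = @($UserGroups | Where-Object { $Grants.ContainsKey($_) })
    if ($granting.Count -eq 0) {
        return [pscustomobject]@{ Level = 'None'; GrantedBy = @() }
    }
    # Permissive model: the highest grant wins; no deny entry can subtract from it.
    $top = $granting |
        Sort-Object { $LevelRank[$Grants[$_]] } -Descending |
        Select-Object -First 1
    [pscustomobject]@{ Level = $Grants[$top]; GrantedBy = $granting }
}

# Constructed membership: one user who sits in all three groups.
$groups = @('Demo Visitors', 'Finance Team', 'Senior Mgmt')

# Remove the user from one group at a time and report what access remains.
# '(start)' matches no group, so the first row shows the starting state.
foreach ($removed in @('(start)', 'Senior Mgmt', 'Finance Team', 'Demo Visitors')) {
    $groups = @($groups | Where-Object { $_ -ne $removed })
    $r = Get-EffectiveAccess -Grants $Grants -UserGroups $groups
    '{0,-14} -> {1,-12} via {2}' -f $removed, $r.Level, ($r.GrantedBy -join ', ')
}
```

The GrantedBy column is the list an access review needs: every group named there has to be cleared before the user actually loses access to the resource.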


• https://securescore.office.com


NINJA – SECURITY EXPERT


Multi-factor authentication helps protect against unauthorized access to the Office 365 environment.


• New integrated authentication mechanism built into Office client apps

• Uses ADAL (Active Directory Authentication Library)

• Cross platform: Windows, Mac OS X, Windows Phone, iOS, Android

• Provides advanced sign in features for the Office clients:

    • Multi-Factor Authentication (MFA)

    • SAML third-party identity providers

    • Smart card

    • Certificate based authentication

    • Microsoft Authenticator App

    • Third party Authenticator App

• Microsoft Outlook no longer requires “basic authentication”

• Greater consistency in the user experience for users authenticating to Office 365 services and apps

• Greater security across the entire Office 365 service & app suite

Newly launched authentication protocol which became generally available on May 20, 2016.


• Dependent on client application (requires Office/Outlook 2016, or Office 2013 with latest SP)

• Support must be enabled on Office clients and in the Office 365 service:

    • Ex. Outlook 2016 will attempt Modern Authentication and auto-revert to Basic Authentication if Modern Authentication is not enabled in Exchange Online

• No support planned for: Office 2010 or 2007, Office for Mac 2011, Windows Phone 7, OWA for iOS or Android

• Default enablement in some Office 365 services:

    • Exchange Online: OFF by default

    • SharePoint Online: ON by default

    • Skype for Business: OFF by default

• Enabled via PowerShell

Modern authentication must be on-boarded for some Office 365 services and environments.
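
A check-then-enable sequence for the two services the slide lists as OFF by default, as an added example that is not part of the original deck. It assumes remote PowerShell sessions to Exchange Online and Skype for Business Online are already connected in the same console.

```powershell
# Added example; not from the original deck.
# Assumption: Exchange Online and Skype for Business Online remote PowerShell
# sessions are already imported into this console.

# Exchange Online: read the current state, enable only if it is off.
$exo = Get-OrganizationConfig
if (-not $exo.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
# Re-read the setting so the change is confirmed rather than assumed.
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# Skype for Business Online: same pattern with its OAuth configuration.
$sfb = Get-CsOAuthConfiguration
if ($sfb.ClientAdalAuthOverride -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}
Get-CsOAuthConfiguration | Format-List ClientAdalAuthOverride
```

Until the service-side switch is on, a capable client such as Outlook 2016 silently falls back to Basic Authentication, so the read-back after each change is the part worth keeping in a runbook.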


Data Loss Prevention policies identify and protect sensitive data in SharePoint Online & OneDrive for Business.

• Automatically identify and protect 80 sensitive data types (SSN, credit card #, national ID #, etc.)

• Applies to SharePoint Online

• Applies to OneDrive for Business

• Applies to files/documents

• Does not apply to list items

• Manage policies that when sensitive data is found can:

    • Educate users with policy tips

    • Block access

    • Alert Admins or InfoSec teams

    • Create incident reports


Classification labels provide a method for users to specify retention policies on individual documents/emails.

• Click Classifications > Label Policies

• Not used by Azure Information Protection or Rights Management

• Primarily used for retention of documents and email

• Labels define a retention period

• Define what occurs when retention period expires


• Define if a label is published and which services it is available to – can publish labels to:


Manage how spam and malware are blocked & quarantined by adjusting your Office 365 Mail Filtering policies.

• Default standard anti-spam policies already in place

• Manage Allow Lists by sender or domain

• Manage Block Lists by sender or domain

• Customize policies by:


SWAT – INFORMATION SECURITY TEAM


• Customer must approve access request, before Microsoft engineer gets any access to Customer tenant

Customers can control whether Microsoft Office 365 engineers may have access to their tenant.


Monitor user and admin activity with machine learning to identify suspicious behavior and automatically apply security policies to protect against malicious attackers.

• Click Alerts > Manage Alerts

• Click Manage Advanced Alerts


THANK YOU
