Security Requirements for Offshore Hosted Office...


  • Microsoft Office 365

    Security Requirements for Offshore

    Hosted Office Productivity Services:

    conformance guide for Office 365.

    Published 1/07/2017

    Microsoft New Zealand Limited

    22 Viaduct Harbour Avenue, Auckland

  • Table of Contents

    Introduction ..... 1
    How to use this document ..... 1
    Fit with the GCIO Cloud Risk and Assurance Framework ..... 1
    Disclaimer ..... 2
    Acknowledgement ..... 2
    Summary ..... 3
    Microsoft Office 365 Solution Map ..... 4
    Microsoft Guidance on GCIO Security Requirements ..... 6
    1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services ..... 6
    2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging ..... 9
    3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively ..... 10
    4. Agencies must have control over the interaction between public cloud services and end user devices ..... 11
    5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities ..... 15
    6. Agencies must ensure that information and data is encrypted in transit and at rest ..... 16
    7. Agencies must have sole control over the associated cryptographic keys ..... 18
    8. Agencies must ensure that multi-factor authentication is used to control access to the service ..... 23
    9. Agencies must identify where data stored by a service is replicated or backed-up ..... 24
    10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore hosted office productivity services ..... 26
    11. Agencies must have decommissioning processes as outlined in the NZISM ..... 27
    12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM ..... 28
    13. Agencies must ensure that there are appropriate security controls over physical access to datacentres ..... 29
    14. Agencies must have assurance that appropriate patching and software maintenance is undertaken ..... 30
    15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms ..... 31
    Office 365 Subscription Plans mapped to Security Technologies ..... 33
    Appendix: Office 365 encryption capabilities ..... 34

  • Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide.

    Page 1 of 37

    Microsoft New Zealand

    July 2017

    Introduction

    In January 2017, the New Zealand Government Chief Information Officer (GCIO) published Security Requirements for Offshore Hosted Office Productivity Services Explained (the GCIO Security Requirements), a guidance document that sets out the security requirements New Zealand government agencies must conform to when using offshore hosted office productivity services. The guidance was developed as part of the GCIO's work on accelerating public sector adoption of cloud services, as directed by Cabinet in July 2016 [CAB Min (16) 03/16 refers].

    This document provides Microsoft's response to the GCIO Security Requirements. It is designed to assist agencies to conform [1] to these security control requirements when using Microsoft Office 365.

    How to use this document

    This document provides agencies with information intended to assist them in determining how to conform with each of the 15 items in the GCIO Security Requirements document when using Office 365. Where appropriate, it also identifies additional risks or considerations, and provides advice related to each requirement.

    Agencies should note that they are expected to conform to, not comply with, the GCIO Security Requirements. Accordingly, this document has not been developed as a compliance guide; it does not provide a simple checklist of steps that agencies should take. Rather, for each of the 15 security requirements, it indicates how an agency can either meet the baseline control requirement set out by the GCIO or, where this is not feasible, how to identify compensating controls that enable conformance.

    For each requirement, the document sets out:

    • A summary of the GCIO security control requirement.
    • Key aspects of conforming to this requirement.
    • Guidance on how Microsoft can help agencies conform to the requirement.
    • Other information Microsoft feels agencies should consider in relation to the requirement.
    • Sources of additional information.

    Readers should note that some of the answers assume that the organisation making use of this document is an Eligible Agency under the terms of the Microsoft G2015 all-of-government agreement that is in place with the New Zealand Department of Internal Affairs.

    Fit with the GCIO Cloud Risk and Assurance Framework

    The GCIO Security Requirements neither stand alone, nor represent the only things that agencies must consider when adopting Office 365. Rather, as shown in figure 1 below, they fit into the wider GCIO Cloud Risk and Assurance Framework that agencies should follow when procuring any cloud service.

    [1] Note: Paragraph 13 of the GCIO Security Requirements document states: "New Zealand government agencies may use offshore hosted office productivity services provided they conform to the security requirements from the Cabinet Minute, and other relevant NZISM controls, as detailed in this guidance."


    Figure 1 - Fit with GCIO Cloud Risk and Assurance Framework (flowchart; four stages, left to right, with the actions under each)

    Undertake initial risk assessment:
    • Follow GCIO Cloud Risk Assessment Process.
    • Complete GCIO Cloud Risk Assessment Tool, using content from Microsoft New Zealand's "GCIO 105" question responses for O365.
    • Obtain O365 risk assessment and security certification audit reports from GCIO.
    • Use other GCIO risk assessment approaches and tools as appropriate.

    Conform to "GCIO Security Requirements":
    • Use guidance in this document.

    Complete agency certification and accreditation:
    • Follow C&A requirements set out in NZISM.
    • Complete GCIO Cloud Endorsement by Agency template.

    Inform GCIO:
    • Provide completed Cloud Risk Assessment Tool and Cloud Endorsement by Agency to GCIO.
    • Note: GCIO does not act as approver but can request agency to review if not deemed adequate.

    Disclaimer

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed, and the current state of both O365 and other Microsoft products and services, as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Acknowledgement

    Microsoft acknowledges the assistance of Axenic Ltd. in the preparation of this document.


    Summary

    New Zealand government agencies can use Microsoft Office 365 and conform to all but one of the baseline security requirements in the GCIO guidance document (see Important Note below), primarily by using the native security controls available in Office 365.

    While agencies remain accountable for ensuring that their security obligations are met, Microsoft provides its Office 365 customers with a comprehensive security toolkit to meet these needs. This toolkit consists of five main areas:

    Figure 2 - Microsoft Office 365 Security Toolkit

    1. Guidance or supporting documentation - Microsoft provides agencies with guidance or supporting technical documentation that they can use to complete a process or activity (e.g. integrate with on-premises infrastructure);

    2. Security features that agencies can integrate - Office 365 can provide a feature (e.g. Office 365 auditing) that agencies can integrate with their related processes and systems (e.g. security incident response and management);

    3. Ancillary Microsoft security capabilities - alongside capabilities within Office 365, Microsoft can provide ancillary capabilities or features that agencies can configure or enable (e.g. Azure Information Protection, Multi-factor Authentication, Mobile Device Management);

    4. Service assurance documents - Microsoft provides service assurance artefacts (e.g. content in the Microsoft Trust Centre) that agencies can review as part of their assurance processes; or

    5. Built-in security features - Office 365 provides a capability or feature (e.g. Encryption of Data at Rest) that agencies can leverage.


    Microsoft Trust Centre: https://www.microsoft.com/en-us/trustcenter

    Microsoft is confident that, combined with good agency security practice, agencies can meet their obligations to protect the security and privacy of their information within Office 365, and Microsoft provides capabilities that can assist them in achieving this. For example, Office 365 Secure Score is a security analytics service that helps organisations better understand and improve their security posture and reduce their risk when using Office 365. Secure Score can help agencies balance their security and productivity needs with guidance to help them enable the right mix of the 71 available security features, and to model what their score would look like after adopting some of these features. Agencies can also compare their score with other organisations and see how their score has been trending over time.

    NOTE: Secure Score displays information from various sources like AAD, but Secure Score does not store any of this personal information inside the service.

    Important Note:

    The exception to Microsoft's ability to enable agencies to conform to the baseline security controls in the GCIO Security Requirements document is requirement 7, which states "Agencies must have sole control over the associated cryptographic keys". While Microsoft's Azure Information Protection with Hold Your Own Key (HYOK) capability may be utilised for conforming to the baseline requirement, Microsoft believes that doing so is not advisable in most circumstances.

    Counter to the goal of reducing agency risk, if used incorrectly the deployment of any Hold Your Own Key (HYOK) cryptographic capability, whether provided by Microsoft or any other party, can significantly INCREASE an agency's risk profile by introducing the possibility of PERMANENT loss of access to agency data hosted in the cloud. If an agency wishes to deploy this capability, in-depth discussion with Microsoft is strongly advised.

    Microsoft Office 365 Solution Map

    The table below summarises this document by listing the Security Control Requirements for Offshore Hosted Office Productivity Services, and mapping these to relevant elements of the Microsoft Office 365 Security Toolkit that provide capabilities, products and/or services that can help an agency meet the requirement.

    Table columns: ID; GCIO Security Control Requirement; Office 365 Security Toolkit feature (1. Guidance, 2. Security Feature, 3. Ancillary capability, 4. Service Assurance, 5. Built-in security); Detailed Guidance.

    Strategy and Architecture

    1. Information, data, or materials classified at CONFIDENTIAL and above MUST NOT be stored or processed in off-shore hosted office productivity services. Refer to page 6.

    2. Agencies MUST have process controls relating to intrusion detection, prevention, investigations, and enterprise logging in operation. Refer to page 9.

    3. Agencies MUST architect their ICT Networks to ensure that cloud services can be used safely and effectively. Refer to page 10.

    4. Agencies MUST have control over the interaction between public cloud services and end user devices. Refer to page 11.

    https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef


    5. Agencies MUST ensure compatibility with existing government security technology services in use, such as SEEMail and cyber defence capabilities. Refer to page 15.

    Cryptography

    6. Agencies MUST ensure that data is encrypted in transit and at rest. Refer to page 16.

    7. Agencies MUST have sole control over the associated cryptographic key. Toolkit feature: not recommended in most instances. Refer to page 18.

    Access Control

    8. Agencies MUST ensure that multi-factor authentication is used to control access to the service. Refer to page 23.

    Backup and Recovery

    9. Agencies MUST identify where data stored by a service is replicated and/or backed-up. Refer to page 24.

    10. Agencies MUST revise their agency disaster-recovery plans to cater for cloud-based services. Refer to page 26.

    System Decommissioning

    11. Agencies MUST have decommissioning processes as outlined in the NZISM. Refer to page 27.

    3rd party (Independent) Assurance

    12. Agencies MUST have assurance checks on cloud service providers in accordance with the NZISM. Refer to page 28.

    13. Agencies MUST ensure that there are appropriate security controls over physical access to data centres. Refer to page 29.

    14. Agencies MUST have assurance that appropriate patching and maintenance of software is undertaken. Refer to page 30.

    15. Agencies MUST ensure there are technical protections to prevent data-mingling on shared storage platforms. Refer to page 31.


    Microsoft Guidance on GCIO Security Requirements

    1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services

    What is this security control?

    Agencies can use Microsoft Office 365 to store or process information, data and materials that are classified at RESTRICTED or below. This means that information that has been classified at CONFIDENTIAL, SECRET or TOP SECRET cannot be stored in either Office 365 or any other cloud service (either on- or offshore). However, official information that does not meet the threshold for a security classification (i.e. information that is referred to as UNCLASSIFIED) and information that has been classified at IN-CONFIDENCE, SENSITIVE and/or RESTRICTED can be stored in Office 365.

    Readers should note that, on average, respondents to a recent GCIO survey on agency adoption of cloud services indicated that they have very little (less than 1%) information classified above RESTRICTED. Respondents with information above RESTRICTED were primarily from the national security and justice sectors.

    Figure 3 - New Zealand Security Classification System mapped to Office 365: UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE and RESTRICTED may be stored in Office 365; CONFIDENTIAL, SECRET and TOP SECRET may not.

    Key aspects of conforming to this requirement

    Agencies must ensure that all information, data and materials are assessed, classified and protectively marked (labelled) and handled in accordance with the New Zealand Government Security Classification System. A protective marking indicates the required level of protection to all users of any official information and gives assurance that information of broadly equivalent worth or value is given an appropriate and consistent level of protection throughout the New Zealand government. Agencies should have a defined process for achieving this, and agency staff should be made aware of the data handling process and their obligation to apply it, and provided with sufficient training on how to apply it correctly.

    To conform with this security requirement, agencies must ensure that they do not store any information, data and materials classified at or above CONFIDENTIAL in Microsoft Office 365 or its ancillary cloud services (e.g. Azure Active Directory).


    How can Microsoft help agencies meet this requirement?

    Agencies are responsible for assessing and classifying their own information, data, and materials.

    Data Loss Prevention (DLP) in Office 365 allows organisations to protect sensitive content in both email and documents spread across Exchange Online, SharePoint Online and OneDrive for Business.

    Examples of sensitive information that you might want to prevent from being improperly disclosed outside your organisation include financial data or personally identifiable information (PII) such as credit card numbers, health records, or other sensitive data which you tell the system to protect. With a DLP policy, you can:

    • Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business. For example, you can identify any document containing a credit card number that's stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

    • Prevent the accidental sharing of sensitive information. For example, you can identify any document or email containing a health record that's shared with people outside your organisation, and then automatically block access to that document or block the email from being sent.

    • Monitor and protect sensitive information in the desktop versions of Outlook 2016, Excel 2016, PowerPoint 2016, and Word 2016. Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office 2016 programs.

    • Help users learn how to stay compliant without interrupting their workflow. You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Office mobile apps, Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.

    • View DLP reports showing content that matches your organisation's DLP policies. To assess how your organisation is complying with a DLP policy, you can see how many matches each policy and rule has over time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported.

    You create and manage DLP policies through the Office 365 Security & Compliance Centre.

    With Azure Information Protection (AIP), classification of data can occur at the time of creation or modification, either automatically or manually, based on source, context and content. Once data has been classified, a persistent label is embedded in the data and actions such as visual marking and encryption can be taken based on the classification and label.

    AIP, which uses Azure Rights Management (Azure RMS) as the protection engine, can be used to allow agency staff to easily apply a label and associated protection policies (use rights and encryption) to documents and emails. AIP supports whitelisting of domains so that agencies can share information with the appropriate level of data security without adding the overhead of managing access to the data.
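    As an added illustration of requirement 1 and the DLP behaviour described above (example code, not from Microsoft or this guide), the following Python models the two checks an agency policy makes: whether a document's protective marking permits storage in Office 365 at all, and a DLP-style rule that finds Luhn-valid credit card numbers and blocks external sharing while allowing a user override, as the policy-tip description above permits. The document names, markings and contents are constructed sample data, and the number format the detector accepts is an assumption.

```python
import re
from dataclasses import dataclass, field

# New Zealand Government security classifications, lowest to highest, as in figure 3 of the guide.
CLASSIFICATIONS = ["UNCLASSIFIED", "IN-CONFIDENCE", "SENSITIVE", "RESTRICTED",
                   "CONFIDENTIAL", "SECRET", "TOP SECRET"]
HIGHEST_ALLOWED = "RESTRICTED"   # requirement 1: RESTRICTED and below may live in Office 365


def may_store_in_o365(marking: str) -> bool:
    """Gate for requirement 1: True only for markings at or below RESTRICTED."""
    m = marking.strip().upper()
    if m not in CLASSIFICATIONS:
        raise ValueError(f"unknown protective marking: {marking!r}")
    return CLASSIFICATIONS.index(m) <= CLASSIFICATIONS.index(HIGHEST_ALLOWED)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut down false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 16 digits, optionally separated by spaces or dashes (assumed format).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card-like numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Document:
    name: str
    marking: str             # protective marking applied by the agency
    text: str
    shared_externally: bool  # shared with someone outside the organisation


@dataclass
class Decision:
    action: str              # "allow", "block" or "block-with-override"
    reasons: list = field(default_factory=list)


def evaluate(doc: Document, override_allowed: bool = True) -> Decision:
    """Apply the classification gate first, then the DLP rule for credit card numbers."""
    if not may_store_in_o365(doc.marking):
        return Decision("block", [f"{doc.marking}: must not be stored or processed in Office 365"])
    cards = find_card_numbers(doc.text)
    if cards and doc.shared_externally:
        # Mirrors the policy-tip behaviour: block, but let the user override with a justification.
        action = "block-with-override" if override_allowed else "block"
        return Decision(action, [f"{len(cards)} credit card number(s) shared outside the organisation"])
    if cards:
        return Decision("allow", [f"{len(cards)} credit card number(s) found; internal only, policy tip shown"])
    return Decision("allow")


if __name__ == "__main__":
    # Constructed sample documents (not real agency data).
    samples = [
        Document("budget.xlsx", "SENSITIVE", "pay to 4111-1111-1111-1111 by Friday", shared_externally=True),
        Document("minutes.docx", "CONFIDENTIAL", "board minutes", shared_externally=False),
        Document("memo.docx", "IN-CONFIDENCE", "reference 1234 5678 9012 3456", shared_externally=True),
    ]
    for doc in samples:
        decision = evaluate(doc)
        print(f"{doc.name}: {decision.action} {decision.reasons}")
```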


    In Microsoft's view, all content should be classified and labelled, and agencies should develop a view on when it is appropriate to apply AIP protection policies and encryption to mitigate risk. For most agencies, this will be for information classified as SENSITIVE or RESTRICTED, and on an as-required basis for lower classifications.

    What else should agencies consider?

    Agencies intending to use AIP should carefully plan to define and meet appropriate information classification needs, and define relevant protection policies, rules, and classification labels BEFORE enforcing data protection. Agencies also need to ensure that they educate their staff on what information should be classified to what level, and how to label documents and emails using AIP, even if automatic classification is applied.

    It is important to balance flexibility with simplicity when constructing your classification and protection options; aim to give your people easy, good choices. Too many choices will be counterproductive. Microsoft recommends starting with 3-5 top level labels across an agency and then scoping any additional labels to targeted users as needed.

    Without proper planning and support, agency staff may be reluctant to apply data protection policies. This could result in incorrectly classified data, leading to its possible disclosure, or rendering it inaccessible for legitimate use. Microsoft can provide guidance to agencies as they undertake this work.

    Where can agencies go for more information?

    Additional information on: URL

    New Zealand Government Security Classification System: https://www.protectivesecurity.govt.nz/home/information-security-management-protocol/new-zealand-government-security-classification-system/

    Azure Information Protection technical documentation: https://docs.microsoft.com/en-us/information-protection/

    Azure RMS Security Evaluation: https://aka.ms/rmssec

    EMS Solution - Secure data using classification, labelling, and protection: https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/infoprotect-secure-classify-scenario

    Microsoft France information protection whitepaper series: https://sway.com/yXywe-nYIf9EFpiI and https://www.microsoft.com/en-us/download/details.aspx?id=44565

    Azure Information Protection lifecycle (figure):

    Classify: manually select an appropriate classification; auto-suggest (or enforce) classification based on content scan.

    Label: apply in-document labelling; tag the file or email with metadata.

    Protect: restrict the ability to copy, print and screen capture content; encrypt using Microsoft key, customer-managed or customer-held key; limit access to just your organisation, or specific people or groups within your organisation.

    Share: share encrypted content securely with external individuals and organisations; auto-expire content; monitor who is accessing your protected files and where they are located; revoke access to your protected files.


2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging.

What is this security control?

Agencies must be able to detect, prevent, and respond to information security incidents related to their use of Office 365, and ensure that Office 365 provides an adequate level of logging and reporting so that incidents can be investigated.

Key aspects of conforming to this requirement

Agencies are responsible for having an information security incident management process so that they can recognise, respond to and manage information security incidents when using Office 365 (as well as any existing on-premises infrastructure and cloud services). While Microsoft will detect, prevent, and investigate security incidents in Office 365, agencies need to define what audit events they want to monitor and be alerted on, and configure their Office 365 instance to report on these events (through Power BI dashboards, Management Activity APIs, Advanced Security Management, etc.). In addition, agencies need to integrate their incident management processes with Microsoft's to ensure that security incidents can be effectively managed throughout their lifecycle.

How can Microsoft help agencies meet this requirement?

Microsoft's security incident response management processes include technical mechanisms, organisational policies, and operational procedures to prevent, monitor, detect, and respond to security incidents in Office 365. Microsoft security teams operate 24 x 7 x 365 security incident monitoring and response services, and are continually looking for indicators of compromise, including by using continual Red Teaming as part of Microsoft's "assume breach" strategy. Agencies can communicate security incidents to the Microsoft Security Response Center (MSRC) and be notified of any security incidents by their Technical Account Manager (TAM).

Office 365 produces audit and event logs recording user and administrator activities, exceptions, faults, and security events. Office 365 has several audit and reporting features that enable agencies to track user and administrative activity within their Office 365 tenant, including changes made to configuration settings and changes made to documents or other items. Some of the auditing and reporting features include:

- Content Search and eDiscovery.
- Unified Audit Log Search.
- Office 365 Management Activity API.
- Office 365 Activity Usage Reports Dashboard.
- Advanced Security Management.
- Customer Lockbox.

Agencies can use their on-premises Security Information and Event Management (SIEM) solution - many of which already ship connectors for Office 365 - with the Office 365 Management Activity API to get the same report information as is provided in the Office 365 Security and Compliance Center, but with SIEM integration. They can manage the on-premises report, and keep this information on premises indefinitely.

Agencies' Office 365 administrators can use Customer Lockbox to control how a Microsoft support engineer accesses agency data during a support case. In rare scenarios where the engineer requires access to that data to troubleshoot and fix an issue, Customer Lockbox allows the agency to approve or reject the access request. If the request is approved, the engineer can access the data. Each request has an expiration time, and once the issue is resolved, the request is closed and access is revoked.
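The SIEM integration described above comes down to pulling Management Activity API audit records and running the agency's own alerting rules over them, which is where the audit events an agency has decided to monitor get encoded. The following Python script is an added example for this guide, not Microsoft code and not part of the Office 365 service: it runs four defender-side rules (a mailbox forwarding address set by an administrator, a privileged directory role assignment, an anonymous sharing link, and one source address failing sign-in for many distinct users) over constructed records whose field names follow the Management Activity API common schema. The rule set, severities, thresholds, addresses and tenant names are assumptions for illustration.

```python
"""Detection rules over Office 365 Management Activity API audit records (added example,
not Microsoft code). Sample records are constructed: field names follow the API's common
schema, while values, addresses and thresholds are invented for illustration."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    rule: str       # detection rule that fired
    severity: str   # assumed severities for this example
    record_id: str  # triggering audit record (last one in the window for the spray rule)
    actor: str      # UserId performing the action, or source IP for a spray
    detail: str


SAMPLE_RECORDS: List[Dict] = json.loads(r"""[
 {"CreationTime": "2017-07-01T09:00:01", "Id": "r1", "Operation": "UserLoggedIn", "RecordType": 15,
  "ResultStatus": "Succeeded", "UserId": "alice@agency.example", "Workload": "AzureActiveDirectory",
  "ClientIP": "203.0.113.10"},
 {"CreationTime": "2017-07-01T09:05:12", "Id": "r2", "Operation": "Set-Mailbox", "RecordType": 1,
  "ResultStatus": "True", "UserId": "admin@agency.example", "Workload": "Exchange",
  "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "bob@agency.example"},
  {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail.example"}]},
 {"CreationTime": "2017-07-01T09:06:00", "Id": "r3", "Operation": "Add member to role.",
  "RecordType": 8, "ResultStatus": "Success", "UserId": "admin@agency.example",
  "Workload": "AzureActiveDirectory", "ObjectId": "carol@agency.example",
  "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Company Administrator"}]},
 {"CreationTime": "2017-07-01T09:07:30", "Id": "r4", "Operation": "AnonymousLinkCreated",
  "RecordType": 14, "UserId": "dave@agency.example", "Workload": "SharePoint",
  "ObjectId": "https://agency.sharepoint.example/sites/finance/Budget2017.xlsx"},
 {"CreationTime": "2017-07-01T09:08:00", "Id": "r5", "Operation": "FileAccessed", "RecordType": 6,
  "UserId": "alice@agency.example", "Workload": "SharePoint",
  "ObjectId": "https://agency.sharepoint.example/sites/hr/Policy.docx"}
]""")
# Five failed sign-ins, five different users, one source address, within four minutes.
SAMPLE_RECORDS += [
    {"CreationTime": f"2017-07-01T09:1{i}:00", "Id": f"r{6 + i}", "Operation": "UserLoggedIn",
     "RecordType": 15, "ResultStatus": "Failed", "UserId": f"user{i}@agency.example",
     "Workload": "AzureActiveDirectory", "ClientIP": "192.0.2.44"} for i in range(5)]


def rule_mailbox_forwarding(rec: Dict) -> Optional[Alert]:
    """Set-Mailbox that sets a forwarding target: a common mailbox-exfiltration indicator."""
    if rec.get("Workload") != "Exchange" or rec.get("Operation") != "Set-Mailbox":
        return None
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
        if params.get(key):
            return Alert("mailbox_forwarding", "high", rec["Id"], rec["UserId"],
                         f"{params.get('Identity', '?')} now forwards to {params[key]}")
    return None


def rule_role_assignment(rec: Dict) -> Optional[Alert]:
    """Azure AD directory role membership change: every one of these deserves review."""
    if rec.get("Operation") != "Add member to role.":
        return None
    role = next((p.get("NewValue") for p in rec.get("ModifiedProperties", [])
                 if p.get("Name") == "Role.DisplayName"), "unknown role")
    return Alert("role_assignment", "high", rec["Id"], rec["UserId"],
                 f"{rec.get('ObjectId')} added to role {role}")


def rule_anonymous_link(rec: Dict) -> Optional[Alert]:
    """SharePoint/OneDrive 'anyone' link: content shared outside the organisation."""
    if rec.get("Operation") != "AnonymousLinkCreated":
        return None
    return Alert("anonymous_link", "medium", rec["Id"], rec["UserId"],
                 f"anonymous link created for {rec.get('ObjectId')}")


PER_RECORD_RULES = [rule_mailbox_forwarding, rule_role_assignment, rule_anonymous_link]


def detect_password_spray(records: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """One ClientIP failing sign-in for `threshold` distinct users inside `window`."""
    by_ip: Dict[str, list] = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "UserLoggedIn" and rec.get("ResultStatus") == "Failed":
            by_ip[rec.get("ClientIP", "?")].append(
                (datetime.fromisoformat(rec["CreationTime"]), rec["UserId"], rec["Id"]))
    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {e[1] for e in in_window}
            if len(users) >= threshold:
                alerts.append(Alert("password_spray", "high", in_window[-1][2], ip,
                                    f"{len(users)} users failed sign-in from {ip} within {window}"))
                break  # one alert per source address
    return alerts


def run_rules(records: List[Dict]) -> List[Alert]:
    """Apply the per-record rules, then the cross-record spray rule."""
    alerts = [a for rec in records for a in (r(rec) for r in PER_RECORD_RULES) if a]
    alerts.extend(detect_password_spray(records))
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_RECORDS):
        print(f"[{a.severity}] {a.rule}: {a.detail} (record {a.record_id}, actor {a.actor})")
```

A production integration would replace SAMPLE_RECORDS with the content blobs fetched from the Management Activity API subscription feed and route the resulting Alert objects into the SIEM. The per-record rules are cheap and can run on a SIEM's own correlation engine; the spray rule needs a time window across records, which is why keeping the log data on premises indefinitely, as the section notes, matters for investigation as well as alerting.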



What else should agencies consider?

To use the Office 365 audit and reporting features, agencies need to enable audit logging to record user and administrator activity. This feature is not enabled by default.

Agencies are responsible for ensuring that they have intrusion detection and prevention measures, and audit and event logging capabilities, in place for the components they are responsible for managing (e.g. end-user computing devices, Active Directory servers).

In addition to the events and log data that is available to customers, there is an internal Microsoft log data collection service called Cosmos that is used by Office 365 engineers. Office 365 service teams upload audit logs into Cosmos for aggregation and correlation, alerting, and reporting to correct vulnerabilities and improve the performance of Office 365. To ensure the protection of customer data that may be present in the logs, an automated tool obfuscates any fields that contain customer data, such as tenant information and end-user identifiable information, and replaces these fields with a hashed (encrypted) value.

Where can agencies go for more information?

Additional Information on  URL
Office 365 Security Incident Management  http://download.microsoft.com/download/2/F/1/2F16A9CA-8D4F-4BB5-8F85-3A362131A95B/Office%20365%20Security%20Incident%20Management.pdf
Security in Office 365 Whitepaper  https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
Management API Reference Guide  https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference

3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively.

What is this security control?

Agencies need to ensure that their infrastructure supports their adoption and use of Office 365, and that it is architected to protect information from unauthorised access, disclosure, modification, and loss.

In addition to this, agencies need to ensure that their users can easily and effectively use Office 365 services through supporting security services (e.g. single sign-on, mobile device management, mobile application management).

Key aspects of conforming to this requirement

Agencies need to ensure that their adoption of Office 365 meets their identified use cases, and create an architecture to ensure the safe and effective use of the service. Agencies need to identify what Office 365 deployment scenario best fits their requirements, and how the supporting information services and systems will be secured, before adopting the service.

Microsoft strongly recommends that New Zealand government agencies plan for a hybrid Office 365 scenario, where some functionality is provided by online services (e.g. Azure Active Directory) and some is delivered by on-premises servers (e.g. Active Directory servers). It is expected that most agencies will still need to operate and manage at least some on-premises infrastructure for the foreseeable future for a variety of reasons, including enabling integration with SEEMail (if used). For agencies that do not want to manage any server infrastructure and have all functionality provided by Office 365 and related cloud computing services, it is recommended that they contact Microsoft New Zealand for advice and guidance on what is possible.



Agencies need to determine how their users will work, how end-user computing devices will be used and protected, and how users will be identified and authenticated. Some common user and device decisions include:

- Mobile or office-based: will staff be in an office environment, working from home, or working on the go?
- Managed or personal devices: does the agency want to issue staff with devices, or support the use of personal devices as part of a BYOD strategy?
- Single sign-on and identity federation: will the agency want users to be able to log on to Office 365 with their on-premises credentials, or to use a 3rd party identity provider?

Once agencies understand their adoption and use of Office 365, they should gain assurance that it meets their business requirements (including security requirements). This can be achieved through activities such as formal security architecture and design reviews, which could be performed internally or through an independent 3rd party.

How can Microsoft help agencies meet this requirement?

To assist with meeting this requirement, Microsoft provides a wide range of independent audit reports and supporting assurance documentation, including the results of Office 365 penetration testing. This is available through the Service Trust Platform in the Microsoft Trust Center. Microsoft also provides various support, documentation, tools and resources, and expert services such as FastTrack, to help agencies plan for, adopt and manage Office 365.

Where can agencies go for more information?

Additional Information on  URL
FastTrack Productivity Guide  https://fasttrack.microsoft.com/office/envision/productivitylibrary
Adoption Guide  https://go.microsoft.com/fwlink/?LinkId=690086
Office Training Center Bill of Materials  https://www.microsoft.com/en-us/download/details.aspx?id=54088
Office Training Roadmaps  https://support.office.com/en-us/article/office-training-roadmaps-62a4b0dc-beba-4d8e-b79c-0ad200e705a1?ui=en-US&rs=en-US&ad=US&wt.mc_id=AID573689_QSG_BLOG_140051
Office 365 Blogs  https://blogs.office.com/?filter=true&filter-product=office-365
MSIT Worksmart Training Guides  https://technet.microsoft.com/en-us/bb687781.aspx
Sample Adoption Guide  https://view.officeapps.live.com/op/view.aspx?src=https://fto365dev.blob.core.windows.net:443/media/Default/DocResources/en-us/Resources/Sample_Adoption_Plan.xlsx
FastTrack Engagement Content  http://fasttrack.microsoft.com/office/drive-value/engage
Office Training Center  http://aka.ms/O365Learning
FastTrack EMS Guide  https://fasttrack.microsoft.com/ems/envision

4. Agencies must have control over the interaction between public cloud services and end user devices.

What is this security control?

Agencies must ensure that end-user computing devices (e.g. workstations, laptops, tablets, and smartphones) used to access Office 365 are configured, managed, and maintained to protect information from unauthorised access, disclosure, modification, and loss.

Key aspects of conforming to this requirement

Agencies are responsible for managing the security of the end-user computing devices that their staff use to access Office 365. Agencies should understand how staff are using devices when accessing Office 365, and determine appropriate policies to ensure that those devices can be used safely and effectively. This applies to agency-supplied devices and to personal devices used as part of a Bring-Your-Own-Device (BYOD) strategy.

Agencies are responsible for implementing device management solutions that ensure:

- Devices are configured and hardened, via either a traditional standard operating environment build or a modern management deployment.
- Devices are patched and updated.
- A strong authentication mechanism is used to control access to the device.
- Multi-factor authentication is used to authenticate the user to Office 365.
- Devices have encryption of data at rest enabled.
- Data on devices can be protected or securely erased through remote wipe functions.

How can Microsoft help agencies meet this requirement?

Office 365 provides agencies with basic built-in mobile device management for iOS, Android, and Windows Phone. Office 365 Mobile Device Management functions include being able to enforce passwords, enforce mobile device encryption, and prevent access from jailbroken/rooted mobile devices. In addition, Office 365 supports secure data erasure, either after a number of incorrect password attempts (local wipe) or by remotely wiping the device.

Microsoft Intune extends the Mobile Device Management (MDM) capabilities of Office 365 [2], enabling not only deeper management of Android and iOS devices but also the management of Mac OS X and Windows PC devices. Intune provides the same Office 365 MDM capabilities plus the ability to enrol and manage more types of end-user devices, define and enforce device configuration policies, and manage user and device profiles (e.g. certificate, Wi-Fi, VPN, and email profiles).

Intune also provides the ability to protect data at the application and identity level through Intune App Protection (Mobile Application Management (MAM)) policies for devices that are not enrolled in MDM. This capability is available for iOS and Android devices. Capabilities include:

- Encrypting the data in apps.
- Securing app access by requiring a PIN/passcode or corporate credentials.
- Blocking copy and paste, or preventing data transfer outside of the work context (work-only apps and work identity within multi-identity apps).
- Preventing backup to personal cloud storage and preventing "Save as".
- Having all web links open within the Intune Managed Browser.

Intune App Protection can work independently of an MDM solution, providing both an additional layer of protection and a different model for securing agency apps and data in BYOD scenarios. Importantly, the policies work neatly with the multi-identity support built into the Office apps, enabling agencies to protect data while letting staff keep using the apps for personal documents and email.

For devices running Windows 10 Pro or Enterprise, Windows Information Protection (WIP) can be used to protect an agency from data leakage by providing MAM-style management across applications, data sources and data. Files arriving onto the device from defined corporate sources (e.g. VPN, SharePoint Online, Exchange) are encrypted at the file level using the Windows Encrypting File System (EFS) and can only be accessed by users with the appropriate certificates. The flow of information out of applications defined as corporate can also be controlled without the applications needing to be updated or changed. WIP can be managed using either Configuration Manager or an MDM tool such as Intune.

[2] https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22

From an authentication perspective, Office 365 offers Office 365 Multi-Factor Authentication (MFA), which requires that users use more than one verification method before being able to access the Office 365 services, regardless of device and location. This is a useful but basic version of Azure Multi-Factor Authentication (Azure MFA), which is available as a standalone service or as part of the Enterprise Mobility and Security (EMS) suite. Azure MFA provides fraud alerting, reporting and the option of trusted IPs/networks, and makes the service available for other cloud and on-premises applications and services.

Azure Active Directory Conditional Access enables an agency to set specific conditions for a user to access an application or cloud service, including Office 365. Conditional Access helps protect access to an agency's applications and resources from unknown and/or unmanaged devices, and from devices that do not meet the security policy of the agency. After the access requirements are met, the user is authenticated and can access the application. Conditional Access applies a set of contextual controls at the user, location/network, session, risk profile, device, and app levels; these can differ between services, and can be applied to all users or just to groups or individuals. Access can be allowed or blocked, or users can be challenged with Multi-Factor Authentication, device enrolment, or a password change. A key scenario is restricting access to domain-joined or Intune-enrolled and compliant devices. Additionally, Azure Active Directory Identity Protection (included in Enterprise Mobility and Security E5) applies machine learning-based identity protection to detect suspicious behaviour and apply risk-based conditional access that protects applications and critical company data in real time.
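Conditional Access, as described above, is an evaluation of assignment conditions (user or group, app, location, device state, sign-in risk) followed by grant controls. The Python below is an added example for this guide, not Microsoft's implementation and not an Azure AD API: it models that evaluation for a constructed agency with a trusted office network, a Finance group and three policies, so that the interaction of "block wins over grant", "every required control must be met" and "trusted locations are excluded" can be traced before a policy set is built in the portal. Every name, address, group and policy in it is an assumption for illustration.

```python
"""Simplified model of Azure AD Conditional Access policy evaluation (added example, not
Microsoft's implementation). Named locations, groups, policies and sign-ins are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    app: str
    client_ip: str
    device_compliant: bool      # as reported by Intune/MDM compliance
    device_domain_joined: bool
    risk: str                   # sign-in risk as Identity Protection would rate it
    mfa_done: bool              # strong authentication already completed this session


@dataclass
class Policy:
    name: str
    apps: Set[str]                          # {"All"} or specific cloud apps
    groups: Optional[Set[str]] = None       # None = all users
    exclude_trusted_locations: bool = False
    min_risk: Optional[str] = None          # applies only at this sign-in risk or above
    block: bool = False                     # block access (wins over any grant)
    grant: Set[str] = field(default_factory=set)  # every listed control is required


@dataclass
class Decision:
    outcome: str            # "allow", "challenge" or "block"
    outstanding: List[str]  # grant controls the user must still satisfy
    policies: List[str]     # policies that were in scope for this sign-in


RISK_ORDER = ["none", "low", "medium", "high"]
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office "named location"
CONTROL_SATISFIED: Dict[str, Callable[[SignIn], bool]] = {
    "mfa": lambda s: s.mfa_done,
    "compliant_device": lambda s: s.device_compliant,
    "domain_joined": lambda s: s.device_domain_joined,
}

# Constructed policy set: MFA off-network, compliant devices for Finance, block high risk.
POLICIES = [
    Policy("Require MFA outside trusted networks", {"All"},
           exclude_trusted_locations=True, grant={"mfa"}),
    Policy("Finance: compliant device required", {"Office 365"}, groups={"Finance"},
           grant={"compliant_device"}),
    Policy("Block high-risk sign-ins", {"All"}, min_risk="high", block=True),
]


def is_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def policy_applies(p: Policy, s: SignIn) -> bool:
    """All of a policy's assignment conditions must match for it to be in scope."""
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.groups is not None and not (p.groups & s.groups):
        return False
    if p.exclude_trusted_locations and is_trusted_location(s.client_ip):
        return False
    if p.min_risk and RISK_ORDER.index(s.risk) < RISK_ORDER.index(p.min_risk):
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Decision:
    """Block if any in-scope policy blocks; otherwise the union of grants must be met."""
    in_scope = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in in_scope]
    if any(p.block for p in in_scope):
        return Decision("block", [], names)
    required = sorted({g for p in in_scope for g in p.grant})
    outstanding = [g for g in required if not CONTROL_SATISFIED[g](s)]
    return Decision("allow" if not outstanding else "challenge", outstanding, names)


if __name__ == "__main__":
    cases = {
        "alice in the office": SignIn("alice@agency.example", {"Staff"}, "Office 365",
                                      "203.0.113.5", False, True, "none", False),
        "alice from home": SignIn("alice@agency.example", {"Staff"}, "Office 365",
                                  "198.51.100.9", False, True, "none", False),
        "bob (Finance) from home, MFA done, unmanaged phone":
            SignIn("bob@agency.example", {"Staff", "Finance"}, "Office 365",
                   "198.51.100.9", False, False, "none", True),
        "bob, high sign-in risk": SignIn("bob@agency.example", {"Staff", "Finance"},
                                         "Office 365", "198.51.100.9", True, True, "high", True),
    }
    for label, signin in cases.items():
        d = evaluate(POLICIES, signin)
        print(f"{label}: {d.outcome} {d.outstanding} via {d.policies}")
```

Modelling the policy set this way makes its consequences visible before users hit them: the Finance policy cannot be satisfied from an unenrolled personal phone no matter how the user authenticates, which is the "restricting access to domain-joined or Intune-enrolled and compliant devices" scenario the guide calls out, and the risk-based block overrides a completed MFA, which is what Identity Protection's risk-based conditional access adds on top of the static conditions.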

Office 365 E5 includes Office 365 Advanced Security Management (ASM), which provides more visibility and control over data flowing in and out of Office 365:

- Threat detection: helps you identify high-risk and abnormal usage, and security incidents.
- Enhanced control: shapes your Office 365 environment leveraging granular controls and security policies.
- Discovery and insights: get enhanced visibility into your Office 365 usage and shadow IT without installing an endpoint agent.

The Enterprise Mobility and Security suite provides an expanded version of this toolset called Cloud App Security (CAS, Microsoft's native Cloud Access Security Broker capability). The key differences are:

- ASM provides protection and monitoring for Office 365 only, while CAS will work across all your cloud services.
- Usage patterns, upload/download traffic anomalies.
- Extended policy engine, policy enforcement and data loss prevention (DLP) features.
- Discovery, security, and risk ratings across 13,000 cloud services.
- Automatic firewall and application proxy log uploads.
- AIP integration allowing for the protection of files in Office 365 OneDrive and SharePoint Online with Azure RMS directly.

What else should agencies consider?

Agencies need to understand how their staff operate and use their computing devices, and define appropriate device and application policies that are in proportion to the risk of having agency information accessible from the device. Poorly defined and implemented policies will lead to the information not being appropriately protected. Conversely, overly restrictive policies can lead to the device being unusable, leading to staff being unproductive or finding alternative (and potentially riskier) ways of working.

[Figure: increasing sophistication of protection, from left to right: Office 365 MDM & MFA; Intune MDM & Azure MFA with Conditional Access; Intune MAM; Office 365 Advanced Security Management; Cloud App Security & Azure Identity Protection]

Where can agencies go for more information?

Additional Information on  URL
Microsoft Identity Driven Security  http://download.microsoft.com/download/E/C/7/EC78FF06-02BB-4DFD-9EBB-CADB66BB594F/Microsoft_Identity%20Driven%20Security_Datasheet_EN_US.pdf
Office 365 MDM  https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Intune MDM  https://docs.microsoft.com/en-us/intune/
Intune App Protection (MAM with/out enrolment)  https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
Office 365 MFA  https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
Azure MFA  https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index
Azure Active Directory Conditional Access  https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
Azure Active Directory Identity Protection  https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
Office 365 Advanced Security Management  https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475?ui=en-US&rs=en-NZ&ad=NZ
Cloud App Security  https://docs.microsoft.com/en-us/cloud-app-security/
Office 365 Secure Score  https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef?ui=en-US&rs=en-US&ad=US
Controlling Access to Office 365 and Protecting Content on Devices  https://www.microsoft.com/en-us/download/details.aspx?id=53317

5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities.

What is this security control?

Agencies must identify any government security technology services they currently use that may be affected by their adoption of Office 365 and determine whether they can be successfully integrated with it.

Key aspects of conforming to this requirement

Agencies must identify and assess whether the government security technology services that they currently use can be successfully integrated with Office 365. They should also identify whether they need to re-architect and redeploy those services to support integration (see Requirement 3).

If a security technology service that is currently used by the agency cannot be integrated with Office 365, the agency must determine whether it can effectively manage the risks associated with its use of Office 365 without the service in place.

How can Microsoft help agencies meet this requirement?

Microsoft has published the Office 365: SEEMail Integration and Reference Architecture whitepaper, which presents some of the architectural patterns and considerations for integrating SEEMail with Office 365.

Note: the GCIO and Microsoft are working to update this guidance at the time of publication of this document.

What else should agencies consider?

A frequent agency objective when implementing Office 365 is the retirement of all on-premises/locally-hosted Exchange infrastructure. However, for agencies mastering their identity in Active Directory and synchronising to Azure Active Directory, the supported configuration is the use of a locally hosted Exchange Server to manage the Exchange attributes in Active Directory. The Exchange Server(s) can be standalone management consoles or configured as a hybrid to allow for local hosting of some mailboxes, and to act as a secure mail relay between a SEEMail gateway and Exchange Online. Please note:

- The SEEMail gateway forwards all mail unencrypted to an agency's internal mail system, creating the need for a mail relay to encrypt everything using TLS when forwarding it on to Exchange Online.
- There are other tools (including ADSIEDIT) that can be used to deal with the Exchange attributes in Active Directory, but this is not a supported method. As such, we cannot recommend this approach.
- A 3rd party mail relay could be used between SEEMail and Exchange Online.

Agencies participating in SEEMail but wishing to pursue a pure cloud-only environment with no locally-hosted Active Directory should contact Microsoft to discuss this approach. A potential approach to cloud-only integration with SEEMail is the use of a 3rd party mail relay. A SEEMail-compatible pattern for establishing this is expected to be developed through work currently occurring with the GCIO (see above).


    Where can agencies go for more information?

    Additional information on                          URL
    SEEMail                                            https://www.ict.govt.nz/services/show/SEEMail
    Office 365: SEEMail Integration and Reference      http://aka.ms/seemail-gcio
    Architecture
    Exchange Online Protection                         https://technet.microsoft.com/en-us/library/jj723119(v=exchg.150).aspx
    Exchange Online Advanced Threat Protection         https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx
    De-commissioning on-premises Exchange servers      https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

    6. Agencies must ensure that information and data is encrypted in transit and at rest.

    What is this security control?

    Encryption of information and data in transit:

    Information sent between end-user computing devices (e.g. workstations, laptops, tablets, and smartphones), integrated agency information services and systems (e.g. Active Directory, Active Directory Federation Services, SEEMail), and Office 365 must be encrypted. In addition to this, information sent or shared with another party using Office 365 must be encrypted.

    Encryption of information and data at rest:

    Agencies need to ensure that information stored at rest in Office 365 is encrypted. Similarly, information that is synchronised with Office 365 and stored on end-user computing devices (e.g. workstations, laptops, tablets and smartphones) must be encrypted.

    Key aspects of conforming to this requirement

    Agencies need to configure their information services or systems (e.g. Mail Relay) to use Transport Layer Security (TLS) if they choose to integrate with Office 365. Microsoft supports TLS integrations (e.g. forced TLS) that ensure data is protected while travelling across the agency's internal network and across the Internet. However, agencies are responsible for configuring and managing their systems to use TLS.

    Note that all email from the SEEMail gateway forwards to your mail system unencrypted, so email going to Office 365 will need to be encrypted by a mail relay (typically an Exchange Server in hybrid configuration; see above).
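    To verify the relay-to-Exchange Online leg described above, the following is an added example (not code from this guide or from Microsoft) written in Python: it parses an EHLO reply for STARTTLS, enforces certificate validation with TLS 1.2 as the minimum, and flags a certificate issuer the agency does not expect, which is how an SSL/TLS interception product in the mail path would show up. The hostname, issuer names and EHLO reply are constructed for illustration.

```python
"""Constructed check for the SEEMail-to-Exchange Online relay path described above
(not part of the conformance guide): does the relay advertise STARTTLS, negotiate
TLS 1.2+ with a validated certificate, and present a certificate from an expected
issuer?  An unexpected issuer suggests a TLS interception product in the path."""
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")   # assumed agency baseline

# Constructed EHLO reply from a hypothetical agency relay (not captured traffic).
SAMPLE_EHLO_REPLY = ("250-relay.agency.example Hello\r\n250-STARTTLS\r\n"
                     "250-SIZE 36700160\r\n250 8BITMIME")


def parse_ehlo_extensions(ehlo_reply: str) -> Set[str]:
    """Upper-cased ESMTP keywords from a raw EHLO reply (RFC 5321 4.1.1.1);
    the first line is the greeting, later lines are "250-KEYWORD" / "250 KEYWORD"."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:
        body = line[4:].strip()              # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def strict_tls_context() -> ssl.SSLContext:
    """Relay TLS policy: chain and hostname verification, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


@dataclass
class RelayReport:
    host: str
    starttls_offered: bool
    tls_version: Optional[str]
    issuer_cn: Optional[str]
    findings: List[str] = field(default_factory=list)   # empty list == conformant


def evaluate_relay(host: str, extensions: Set[str], tls_version: Optional[str],
                   issuer_cn: Optional[str],
                   expected_issuers: Iterable[str] = ()) -> RelayReport:
    """Turn observed relay properties into conformance findings."""
    report = RelayReport(host, "STARTTLS" in extensions, tls_version, issuer_cn)
    if not report.starttls_offered:
        report.findings.append("STARTTLS not advertised: mail to Exchange Online "
                               "would leave the relay in clear text")
        return report
    if tls_version not in ACCEPTED_VERSIONS:
        report.findings.append(f"weak protocol negotiated: {tls_version}")
    expected = set(expected_issuers)
    if expected and issuer_cn not in expected:
        report.findings.append(f"unexpected certificate issuer {issuer_cn!r}: "
                               "possible TLS interception in the mail path")
    return report


def check_relay(host: str, port: int = 25, expected_issuers: Iterable[str] = (),
                timeout: float = 10.0) -> RelayReport:
    """Live check of a relay or an Exchange Online MX host; needs network access."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        extensions = {name.upper() for name in smtp.esmtp_features}
        version = issuer = None
        if "STARTTLS" in extensions:
            smtp.starttls(context=strict_tls_context())   # raises on a bad chain
            cert = smtp.sock.getpeercert()
            version = smtp.sock.version()
            issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
        return evaluate_relay(host, extensions, version, issuer, expected_issuers)
```

    Run check_relay against the hybrid relay and against the tenant's Exchange Online MX host from inside the agency network; a finding on either leg means mail is not protected end to end.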

    In addition, agencies need to enable encryption of data at rest for any devices, information services or systems that connect to and store information from Office 365.

    How can Microsoft help agencies meet this requirement?

    Microsoft follows a control and compliance framework that focuses on risks to the Office 365 service and to customer content. Microsoft implements a large set of technology and process-based methods (referred to as controls) to mitigate these risks. Identification, evaluation, and mitigation of risks via controls is a continuous process. The implementation of controls within various layers of our cloud services such as facilities, network, servers, applications, users (such as Microsoft administrators) and data form a defence-in-depth strategy.

    Within this framework all customer content within Microsoft Office 365 is protected by a variety of technologies and processes, including various forms of encryption. Microsoft uses service-side technologies in Office 365 that encrypt customer content at rest and in-transit. For content at rest, Office 365 uses both operating system and application (service) encryption. For content in-transit, Office 365 uses Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Our encryption policies and processes, and their enforcement, are independently verified through third-party auditors. Some risk scenarios, and important details of the currently available Microsoft encryption technologies that mitigate them, are listed in the tables in the appendix to this document.

    Note: As of July 2017 (subject to change) Azure Active Directory will encrypt customer directory data at rest using BitLocker with AES 128-bit encryption. This will be enabled by default for all Azure Active Directory subscriptions.

    From a device perspective, Microsoft recommends that all devices used by an agency that interact with Office 365 services are encrypted, whether they are owned by the agency or BYOD. Encryption can typically be enforced through management tools such as Microsoft BitLocker Administration and Monitoring (MBAM) for BitLocker device encryption in Windows and mobile device management tools like Intune. Note that the Windows 10 Creators Update has introduced support for managing BitLocker through Intune MDM policies leveraging the Windows configuration service provider.

    For additional security, or where BYOD devices are not enrolled in MDM (and thus may not be encrypted), the recommendation is to make use of Intune App Protection (MAM) and the MAM-enabled Office Mobile Apps such as OneDrive, Outlook, Excel, PowerPoint, and Word. These apps support app-level encryption protecting agency data on what should be considered a less-trusted device.

    Introduced in Windows 10 Anniversary Edition for Enterprise and Pro editions is a new capability called Windows Information Protection (WIP). Agencies can create policies (using Configuration Manager, Microsoft Intune, or other MDM tools) defining which applications can work with corporate (agency) data and what locations are sources of corporate data (e.g. Office 365, VPN sessions, file servers etc.), and the level of control versus auditing. Corporate data is automatically encrypted after it's loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with the agency's identity. Even if the files are copied to removable media they remain encrypted and can only be accessed on a WIP-enabled device and by an authenticated agency user. While useful on agency-owned and managed devices, this can be invaluable on BYOD Windows devices provided they are running Windows 10 Pro. For this reason, we recommend that BYOD policy should stipulate Windows devices must be running Windows 10 Pro.

    Customer-managed encryption technologies

    Office 365 provides additional data encryption technologies that agencies can manage and configure to further protect their information. These technologies offer a variety of ways to further encrypt customer content at rest or in-transit, and include:

    - Azure Rights Management.
    - Office 365 Message Encryption.
    - Secure Multipurpose Internet Mail Extension (S/MIME).

    What else should agencies consider?

    Agencies need to be careful when using 3rd party content filters, web proxies, data loss prevention (DLP) products and SSL/TLS interception products that detect and protect against malware. Agencies should be aware of security products or services that intercept secured network traffic by performing a man-in-the-middle (MiTM) interception of the communications. Recent advisories highlight how some of these security products can weaken SSL/TLS, significantly degrading the security of the network traffic, and increasing the likelihood of an agency user falling victim to MiTM attacks by malicious third parties. Agencies should thoroughly evaluate the risks associated with inserting such 3rd party capabilities between themselves and Office 365, as per the requirements of the GCIO's Cloud Computing Risk and Assurance Framework.

    Where can agencies go for more information?

    Additional information on                          URL
    Office 365 MDM                                     https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
    Intune MDM                                         https://docs.microsoft.com/en-us/intune/
    Intune App Protection                              https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy
                                                       and
                                                       https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
    MBAM                                               https://technet.microsoft.com/en-us/windows/hh826072.aspx
    Windows Information Protection                     https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip
    Office 365 Content Encryption Whitepaper           https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652
    Data Encryption in SharePoint and OneDrive         https://technet.microsoft.com/en-us/library/dn905447.aspx

    7. Agencies must have sole control over the associated cryptographic keys

    What is this security control?

    Agencies must be the sole party that controls (generates, owns, and manages) the associated cryptographic keys used to protect their data within Office 365.

    Important:

    Agencies cannot meet this requirement and effectively use office productivity services in the public cloud. Microsoft Office 365 must have access to cryptographic keys to encrypt and decrypt agency data for processing purposes, and to enable functioning of important information protection and security capabilities of the service.

    Note: it is essential that agencies consider the following:

    1. This is an inherent attribute of any SaaS service, whether provided by Microsoft or any other party.
    2. It is not only information protection and security capabilities that are impacted if a SaaS service cannot decrypt customer data; many or most productivity features would also be impacted.

    Microsoft advises agencies to seriously consider the extent to which this baseline control is impractical to implement, and thoroughly review the associated risks. To conform with the security control requirement, Microsoft advises that agencies should consider adopting the GCIO approved approach of applying compensating controls as defined in the GCIO's security requirements guidance document.

    Key aspects of conforming to this requirement

    Agencies need to carefully consider the extent to which they either need or want to have control over the cryptographic keys used to encrypt their data when using Office 365. Agencies should consider the potential risks and opportunities associated with who takes responsibility for managing the cryptographic keys used in Office 365.

    Microsoft New Zealand recommends that New Zealand government agencies use the default Microsoft approach to key management. In a default Office 365 implementation, Microsoft will be the trusted key management service provider.

    Microsoft establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with defined requirements for key generation, distribution, storage, access, and destruction. In accordance with the "Public Key Infrastructure Operational Security Standard" component of Microsoft's Security Policy, Microsoft Online Services including Office 365 leverage the cryptographic capabilities that are directly a part of the Windows Operating System for certificates and authentication mechanisms (e.g. Kerberos). These cryptographic modules have been certified by NIST as being FIPS 140-2 compliant. Relevant NIST certificate numbers are: 1321, 1333, 1334, 1335, 1336, and 1339. Any time cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data within Microsoft Online Services, the modules and/or ciphers used are FIPS 140 compliant.

    Alternatively, agencies can choose the customer-managed approach. The agency will control (generate, store, and manage) keys used by Office 365 services, and store these keys in the Azure Key Vault service. Office 365 services can then be configured to use the customer's keys that are stored in Azure Key Vault; this feature is called Office 365 Customer Key and will be generally available in Q3 of CY17. To use Customer Key, agencies will need a robust cryptographic key management capability with appropriate personnel, operational processes, and infrastructure to ensure that they can manage their tenant keys throughout their lifecycle. Failure to effectively manage tenant keys can lead to widespread service outage. Microsoft has designed Customer Key so that the risk of permanent customer data loss due to accidental or malicious actions is very low. The Customer Key feature is designed with best-in-class protection of customer data, utilizing separation of duties and encryption key diversity to address a range of threat scenarios. In addition to these crucial protections, Customer Key provides customers with the ability to remove all cryptographic keys necessary for Microsoft to process customer data stored in Office 365.

    Below is a basic summary of the key management options available to Office 365 customers, and key considerations in their selection, split into tenant/service-level and item/file-level capabilities. Note that the table also includes details for Microsoft's Azure Information Protection (AIP) encryption capabilities (both bring your own key and hold your own key options) which agencies may wish to deploy as part of the baseline and/or compensating controls they elect to implement to conform to this requirement. Note also that, to enable AIP BYOK or HYOK capabilities, agencies will need to purchase the Azure Key Vault Premium service and operate a supported HSM infrastructure (e.g. Thales nShield HSM).

    Table 1: Office 365 key management options

    The five key management options compared are Office 365 Default and Office 365 Customer Key (service-level) and Azure Information Protection (AIP) Default, AIP BYOK and AIP HYOK (item/file-level). Each consideration below is listed against all five options.

    Applicability
      Office 365 Default: All O365 services
      Office 365 Customer Key: Exchange Online, SharePoint Online
      AIP Default: Email messages, Files
      AIP BYOK: Email messages, Files
      AIP HYOK: Email messages, Files

    Responsible for key management
      Office 365 Default: Microsoft
      Office 365 Customer Key: Customer + Microsoft
      AIP Default: Microsoft
      AIP BYOK: Customer
      AIP HYOK: Customer

    Responsible for key operation and uptime
      Office 365 Default: Microsoft
      Office 365 Customer Key: Customer + Microsoft
      AIP Default: Microsoft
      AIP BYOK: Microsoft
      AIP HYOK: Customer

    Thales HSM required?
      Office 365 Default: No
      Office 365 Customer Key: Optional - agencies can use Azure Key Vault for key generation, or use their own Thales HSM to generate keys.
      AIP Default: No
      AIP BYOK: Yes
      AIP HYOK: Yes (highly available HSM solution strongly recommended)

    Locally hosted Rights Management Service infrastructure required?
      Office 365 Default: No
      Office 365 Customer Key: No
      AIP Default: No
      AIP BYOK: No
      AIP HYOK: Yes

    Data transparent to Office 365 services - SaaS features work as designed/expected (e.g. search, Delve, DLP, ASM etc.)?
      Office 365 Default: Yes
      Office 365 Customer Key: Yes
      AIP Default: Yes
      AIP BYOK: Yes, with significant limitations in Exchange Online (see footnote 3)
      AIP HYOK: No - files are opaque

    Additional privacy functionality provided
      Office 365 Default: -
      Office 365 Customer Key: Customer can withdraw the ability for Microsoft to process customer data
      AIP Default: -
      AIP BYOK: Service unable to process AIP protected items following customer withdrawal of key.
      AIP HYOK: Microsoft and other 3rd parties cannot access your protected data.

    How can Microsoft help agencies meet this requirement?

    Office 365 is a trustworthy key management service provider. Microsoft has strong cryptographic key management policies, processes, and technologies in place to ensure the secure use and protection of cryptographic keys throughout their lifecycle (i.e. generation, distribution, storage, access, and destruction), and has independent, regularly updated, security certifications and attestations that support it. Office 365 leverages Azure Key Vault, and also uses the cryptographic modules that are built into the Windows operating system for certificate, authentication and encryption mechanisms (e.g. Kerberos, BitLocker), and these cryptographic modules have been certified by NIST as being FIPS 140-2 validated. Any time cryptographic capabilities are used within Office 365, the modules and/or ciphers used are FIPS validated.

    Footnote 3: Microsoft documentation describes the limitations as "Azure RMS BYOK is not compatible with Exchange Online": https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions

    For customers that do not elect to use Customer Key, Microsoft generates and manages all encryption keys used to encrypt customer data at rest.

    Customers electing to use the Office 365 Customer Key feature will manage the lifecycle of their tenant keys in the Azure Key Vault service and can choose to either generate their own root key in a Thales HSM and upload it to the Azure Key Vault FIPS 140-2 Level 2-validated HSMs, or to generate the tenant key directly within Azure Key Vault. Azure Key Vault provides a REST API so that customers can consume near-real-time logging showing all access and usage of keys in the Azure Key Vault service.

    Currently, it is planned that Customer Key will be available in H2 of CY2017, covering Exchange Online, OneDrive for Business and SharePoint Online services. Skype for Business conversations saved into a user's conversations folder in their mailbox will also be included.

    Microsoft advises New Zealand government agencies that are contemplating implementing either BYOK or HYOK capabilities to carefully consider their requirements for doing so from a balance-of-risk perspective. Implementing such a solution requires the agency to have robust cryptographic key management capabilities in place. Failure to effectively manage keys used with either Office 365 Customer Key, or Azure Information Protection (BYOK or HYOK), could lead to widespread service impact and permanent data loss.

    Non-technical controls

    Alongside technical capabilities that agencies can use as compensating controls to conform to this requirement, Microsoft also makes contractual commitments that allow Office 365 customers to mitigate the type of risk that this control is focused on. These commitments are set out in the Microsoft Online Services Terms (OST).

    Specifically, in the OST Microsoft makes the following commitments:

    Use of Customer Data:

    Customer Data will be used only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft's rights in software or services Microsoft licenses to Customer.

    Disclosure of Customer Data:

    Microsoft will not disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the OST, or (3) as required by law.

    Microsoft will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Customer Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Data to law enforcement, Microsoft will promptly notify Customer and provide a copy of the de