Microsoft Office 365
Security Requirements for Offshore Hosted Office Productivity Services: conformance guide for Office 365.
Published 1/07/2017
Microsoft New Zealand Limited
22 Viaduct Harbour Avenue, Auckland


Table of Contents

Introduction (page 1)
  How to use this document (page 1)
  Fit with the GCIO Cloud Risk and Assurance Framework (page 1)
  Disclaimer (page 2)
  Acknowledgement (page 2)
Summary (page 3)
  Microsoft Office 365 Solution Map (page 4)
Microsoft Guidance on GCIO Security Requirements (page 6)
  1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services (page 6)
  2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging. (page 9)
  3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively. (page 10)
  4. Agencies must have control over the interaction between public cloud services and end user devices. (page 11)
  5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities. (page 15)
  6. Agencies must ensure that information and data is encrypted in transit and at rest. (page 16)
  7. Agencies must have sole control over the associated cryptographic keys (page 18)
  8. Agencies must ensure that multi-factor authentication is used to control access to the service. (page 23)
  9. Agencies must identify where data stored by a service is replicated or backed-up. (page 24)
  10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore hosted office productivity services (page 26)
  11. Agencies must have decommissioning processes as outlined in the NZISM (page 27)
  12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM (page 28)
  13. Agencies must ensure that there are appropriate security controls over physical access to datacentres (page 29)
  14. Agencies must have assurance that appropriate patching and software maintenance is undertaken (page 30)
  15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms (page 31)
Office 365 Subscription Plans mapped to Security Technologies (page 33)
Appendix: Office 365 encryption capabilities (page 34)


Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide.

Page 1 of 37

Microsoft New Zealand

July 2017

Introduction

In January 2017, the New Zealand Government Chief Information Officer (GCIO) published Security Requirements for Offshore Hosted Office Productivity Services Explained (the “GCIO Security Requirements”), a guidance document that sets out the security requirements New Zealand government agencies must conform to when using offshore hosted office productivity services. The guidance was developed as part of the GCIO’s work on accelerating public sector adoption of cloud services, as directed by Cabinet in July 2016 [CAB Min (16) 03/16 refers].

This document provides Microsoft’s response to the GCIO Security Requirements. It is designed to assist agencies to conform[1] to these security control requirements when using Microsoft Office 365.

How to use this document

This document provides agencies with information intended to assist them in determining how to conform with each of the 15 items in the GCIO Security Requirements document when using Office 365. Where appropriate, it also identifies additional risks or considerations, and provides advice related to each requirement.

Agencies should note that they are expected to conform to, not comply with, the GCIO Security Requirements. Accordingly, this document has not been developed as a compliance guide; it does not provide a simple check list of steps that agencies should take. Rather, for each of the 15 security requirements, it indicates how an agency can either meet the “baseline” control requirement set out by the GCIO or, where this is not feasible, how to identify compensating controls that enable conformance.

For each requirement, the document sets out:
• A summary of the GCIO security control requirement.
• Key aspects of conforming to this requirement.
• Guidance on how Microsoft can help agencies conform to the requirement.
• Other information Microsoft feels agencies should consider in relation to the requirement.
• Sources of additional information.

Readers should note that some of the answers assume that the organisation making use of this document is an “Eligible Agency” under the terms of the Microsoft G2015 all-of-government agreement that is in place with the New Zealand Department of Internal Affairs.

Fit with the GCIO Cloud Risk and Assurance Framework

The GCIO Security requirements neither stand alone, nor represent the only things that agencies must consider when adopting Office 365. Rather, as shown in figure 1 below, they fit into the wider GCIO Cloud Risk and Assurance Framework that agencies should follow when procuring any cloud service.

[1] Note: Paragraph 13 of the GCIO Security requirements document states: “New Zealand government agencies may use offshore hosted office productivity services provided they conform to the security requirements from the Cabinet Minute, and other relevant NZISM controls, as detailed in this guidance.”

Page 2 of 37

Figure 1 – Fit with GCIO Cloud Risk and Assurance Framework (four stages, with the activities shown under each):

Undertake initial risk assessment
• Follow GCIO Cloud Risk Assessment Process.
• Complete GCIO Cloud Risk Assessment Tool, using content from Microsoft New Zealand’s "GCIO 105" question responses for O365.
• Obtain O365 risk assessment and security certification audit reports from GCIO.
• Use other GCIO risk assessment approaches and tools as appropriate.

Conform to "GCIO Security Requirements"
• Use guidance in this document.

Complete agency certification and accreditation
• Follow C&A requirements set out in NZISM.
• Complete GCIO Cloud Endorsement by Agency template.

Inform GCIO
• Provide completed Cloud Risk Assessment Tool and Cloud Endorsement by Agency to GCIO.
• Note: GCIO does not act as approver but can request agency to review if not deemed adequate.

Disclaimer

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed, and the current state of both O365 and other Microsoft products and services, as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Acknowledgement

Microsoft acknowledges the assistance of Axenic Ltd. in the preparation of this document.

Figure 1 stages: Undertake initial risk assessment → Conform to "GCIO Security Requirements" → Complete agency certification and accreditation → Inform GCIO.

Page 3 of 37

Summary

New Zealand government agencies can use Microsoft Office 365 and conform to all but one of the ‘baseline’ security requirements in the GCIO guidance document (see “Important Note” below), primarily by using the native security controls available in Office 365.

While agencies remain accountable for ensuring that their security obligations are met, Microsoft provides its Office 365 customers with a comprehensive security ‘toolkit’ to meet these needs. This toolkit consists of five main areas:

Figure 2 - Microsoft Office 365 Security Toolkit

1. Guidance or supporting documentation - Microsoft provides agencies guidance or supporting technical documentation that they can use to complete a process or activity (e.g. integrate with on-premises infrastructure);
2. Security features that agencies can integrate - Office 365 can provide a feature (e.g. Office 365 auditing) that agencies can integrate with their related processes and systems (e.g. security incident response and management);
3. Ancillary Microsoft security capabilities – alongside capabilities within Office 365, Microsoft can provide ancillary capabilities or features that agencies can configure or enable (e.g. Azure Information Protection, Multi-factor Authentication, Mobile Device Management);
4. Service assurance documents - Microsoft provides service assurance artefacts (e.g. content in the Microsoft Trust Centre) that agencies can review as part of their assurance processes; or
5. Built-in security features - Office 365 provides a capability or feature (e.g. Encryption of Data at Rest) that agencies can leverage.


Page 4 of 37

Microsoft is confident that, combined with good agency security practice, agencies can meet their obligations to protect the security and privacy of their information within Office 365, and Microsoft provides capabilities that can assist them in achieving this. For example, Office 365 Secure Score is a security analytics service that helps organisations better understand and improve their security posture and reduce their risk when using Office 365. Secure Score can help agencies balance their security and productivity needs with guidance to help them enable the right mix of the 71 available security features, and to model what their score would look like after adopting some of these features. Agencies can also compare their score with other organisations and see how their score has been trending over time.

NOTE: Secure Score displays information from various sources like AAD, but Secure Score does not store any of this personal information inside the service.

Important Note:

The exception to Microsoft’s ability to enable agencies to conform to the ‘baseline’ security controls in the GCIO Security Requirements document is requirement 7, which states “Agencies must have sole control over the associated cryptographic keys”. While Microsoft’s Azure Information Protection with Hold Your Own Key (HYOK) capability may be utilised for conforming to the baseline requirement, Microsoft believes that doing so is not advisable in most circumstances.

Counter to the goal of reducing agency risk, if used incorrectly the deployment of any Hold Your Own Key (HYOK) cryptographic capability, whether provided by Microsoft or any other party, can significantly INCREASE an agency’s risk profile by introducing the possibility of PERMANENT loss of access to agency data hosted in the cloud. If an agency wishes to deploy this capability, in-depth discussion with Microsoft is strongly advised.

Microsoft Office 365 Solution Map

The table below summarises this document by listing the Security Control Requirements for Offshore Hosted Office Productivity Services, and mapping these to relevant elements of the “Microsoft Office 365 Security Toolkit” that provide capabilities, products and/or services that can help an agency meet the requirement.

The five toolkit feature columns of the original table are: 1. Guidance; 2. Security Feature; 3. Ancillary capability; 4. Service Assurance; 5. Built-in security. Each tick below marks one of these features that applies to the requirement.

ID | GCIO Security Control Requirement | Office 365 Security Toolkit feature | Detailed Guidance
---|---|---|---
Strategy and Architecture | | |
1 | Information, data, or materials classified at CONFIDENTIAL and above MUST NOT be stored or processed in off-shore hosted office productivity services. | ✓ ✓ | Refer to page 6
2 | Agencies MUST have process controls relating to intrusion detection, prevention, investigations, and enterprise logging in operation. | ✓ ✓ ✓ | Refer to page 9
3 | Agencies MUST architect their ICT Networks to ensure that cloud services can be used safely and effectively. | ✓ ✓ | Refer to page 10
4 | Agencies MUST have control over the interaction between public cloud services and end user devices. | ✓ ✓ ✓ ✓ | Refer to page 11
5 | Agencies MUST ensure compatibility with existing government security technology services in use, such as SEEMail and cyber defence capabilities. | ✓ ✓ | Refer to page 15
Cryptography | | |
6 | Agencies MUST ensure that data is encrypted in transit and at rest. | ✓ ✓ | Refer to page 16
7 | Agencies MUST have sole control over the associated cryptographic key. | Not recommended in most instances | Refer to page 18
Access Control | | |
8 | Agencies MUST ensure that multi-factor authentication is used to control access to the service. | ✓ ✓ | Refer to page 23
Backup and Recovery | | |
9 | Agencies MUST identify where data stored by a service is replicated and/or backed-up. | ✓ | Refer to page 24
10 | Agencies MUST revise their agency disaster-recovery plans to cater for cloud-based services. | ✓ ✓ ✓ | Refer to page 26
System Decommissioning | | |
11 | Agencies MUST have decommissioning processes as outlined in the NZISM. | ✓ ✓ | Refer to page 27
3rd party (Independent) Assurance | | |
12 | Agencies MUST have assurance checks on cloud service providers in accordance with the NZISM. | ✓ ✓ | Refer to page 28
13 | Agencies MUST ensure that there are appropriate security controls over physical access to data centres. | ✓ | Refer to page 29
14 | Agencies MUST have assurance that appropriate patching and maintenance of software is undertaken. | ✓ ✓ | Refer to page 30
15 | Agencies MUST ensure there are technical protections to prevent data-mingling on shared storage platforms. | ✓ ✓ | Refer to page 31

Page 6 of 37

Microsoft Guidance on GCIO Security Requirements

1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services

What is this security control?

Agencies can use Microsoft Office 365 to store or process information, data and materials that are classified at RESTRICTED or below. This means that information that has been classified at CONFIDENTIAL, SECRET or TOP SECRET cannot be stored in either Office 365 or any other cloud service (either on- or offshore). However, official information that does not meet the threshold for a security classification (i.e. information that is referred to as ‘UNCLASSIFIED’) and information that has been classified at IN-CONFIDENCE, SENSITIVE and/or RESTRICTED can be stored in Office 365.

Readers should note that, on average, respondents to a recent GCIO survey on agency adoption of cloud services indicated that they have very little (less than 1%) information classified above RESTRICTED. Respondents with information above RESTRICTED were primarily from the national security and justice sectors.

Figure 3 - New Zealand Security Classification System mapped to Office 365: UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE and RESTRICTED may be stored in Office 365; CONFIDENTIAL, SECRET and TOP SECRET may not.

Key aspects of conforming to this requirement

Agencies must ensure that all information, data and materials are assessed, classified and protectively marked (labelled) and handled in accordance with the New Zealand Government Security Classification System. A protective marking indicates the required level of protection to all users of any official information and gives assurances that information of broadly equivalent worth or value is given an appropriate and consistent level of protection throughout the New Zealand government. Agencies should have a defined process for achieving this, and agency staff should be made aware of the data handling process and their obligation to apply it, and provided with sufficient training on how to apply it correctly.

To conform with this security requirement, agencies must ensure that they do not store any information, data or materials classified at or above CONFIDENTIAL in Microsoft Office 365 or its ancillary cloud services (e.g. Azure Active Directory).

Page 7 of 37

How can Microsoft help agencies meet this requirement?

Agencies are responsible for assessing and classifying their own information, data, and materials.

Data Loss Prevention (DLP) in Office 365 allows organisations to protect sensitive content in both email and documents spread across Exchange Online, SharePoint Online and OneDrive for Business.

Examples of sensitive information that you might want to prevent from being improperly disclosed outside your organisation include financial data or personally identifiable information (PII) such as credit card numbers, health records, or other sensitive data which you tell the system to protect. With a DLP policy, you can:
• Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business. For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.
• Prevent the accidental sharing of sensitive information. For example, you can identify any document or email containing a health record that’s shared with people outside your organisation, and then automatically block access to that document or block the email from being sent.
• Monitor and protect sensitive information in the desktop versions of Outlook 2016, Excel 2016, PowerPoint 2016, and Word 2016. Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office 2016 programs.
• Help users learn how to stay compliant without interrupting their workflow. You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Office mobile apps, Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.
• View DLP reports showing content that matches your organisation’s DLP policies. To assess how your organisation is complying with a DLP policy, you can see how many matches each policy and rule has over time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported.

You create and manage DLP policies through the Office 365 Security & Compliance Centre.
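As an added example (not from the original guide and not a Microsoft sample), the PowerShell below builds a DLP policy of the kind the bullets above describe: it looks for credit card numbers and New Zealand Ministry of Health numbers across Exchange Online, SharePoint Online and OneDrive for Business, starts in test mode with policy tips so staff are educated before anything is blocked, and a second rule blocks external sharing with a justified override and a false-positive report. It assumes the Security & Compliance PowerShell cmdlets (New-DlpCompliancePolicy, New-DlpComplianceRule, Get-DlpComplianceRule) reached through the ExchangeOnlineManagement module's Connect-IPPSSession; the account, policy and rule names, the incident-report mailbox and the choice of sensitive information types are illustrative placeholders.

```powershell
# Added example: DLP policy for sensitive content across Exchange, SharePoint and OneDrive.
# Assumes the ExchangeOnlineManagement module (Connect-IPPSSession); account is a placeholder.
Connect-IPPSSession -UserPrincipalName "admin@agency.govt.nz"

# Built-in sensitive information types to detect (assumed type names; minCount is the number
# of matches needed before a rule fires).
$sensitiveTypes = @(
    @{ Name = "Credit Card Number";                    minCount = "1" },
    @{ Name = "New Zealand Ministry of Health Number"; minCount = "1" }
)
$policyName = "Agency - Sensitive personal information"   # placeholder name

# 1. Create the policy covering all three workloads. Mode TestWithNotifications blocks nothing:
#    matches are counted in the DLP reports and users see policy tips, which is the
#    "plan and educate before enforcing" step the guide recommends. Change to -Mode Enable once
#    the false-positive rate seen in the reports is acceptable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Credit card and NHI numbers (added example)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule A: any occurrence, wherever it is stored, is logged and the owner sees a policy tip.
New-DlpComplianceRule -Name "Notify on sensitive content" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains sensitive personal information. Check its classification before sharing." `
    -ReportSeverityLevel Low

# 3. Rule B: the same content shared with people outside the organisation is blocked.
#    WithJustification lets the user override after recording a business justification and
#    FalsePositive lets them report a mis-detection; both overrides appear in the DLP reports.
#    -GenerateIncidentReport mails an incident summary to a mailbox (placeholder address) that
#    the agency's incident management process can consume.
New-DlpComplianceRule -Name "Block external sharing of sensitive content" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -NotifyPolicyTipCustomText "Sharing this outside the agency is blocked. Override only with a business justification." `
    -GenerateIncidentReport "security-incidents@agency.govt.nz" `
    -ReportSeverityLevel High

# 4. Confirm what was created before leaving test mode.
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, BlockAccess, AccessScope, NotifyAllowOverride
```

Leave the policy in test mode for long enough to review the match counts and user-reported false positives in the DLP reports, then switch it to Enable with Set-DlpCompliancePolicy.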

With Azure Information Protection (AIP), classification of data can occur at the time of creation or modification, either automatically or manually, based on source, context and content. Once data has been classified, a persistent label is embedded in the data and actions such as visual marking and encryption can be taken based on the classification and label.

AIP, which uses Azure Rights Management (Azure RMS) as the protection engine, can be used to allow agency staff to easily apply a label and associated protection policies (use rights and encryption) to documents and emails. AIP supports whitelisting of domains so that agencies can share information with the appropriate level of data security without adding the overhead of managing access to the data.

Page 8 of 37

In Microsoft’s view, all content should be classified and labelled, and agencies should develop a view on when it is appropriate to apply AIP protection policies and encryption to mitigate risk. For most agencies, this will be for information classified as SENSITIVE or RESTRICTED, and on an as-required basis for lower classifications.

What else should agencies consider?

Agencies intending to use AIP should carefully plan to define and meet appropriate information classification needs, and define relevant protection policies, rules, and classification labels BEFORE enforcing data protection. Agencies also need to ensure that they educate their staff on what information should be classified to what level, and how to label documents and emails using AIP, even if automatic classification is applied.

It is important to balance flexibility with simplicity when constructing your classification and protection options – aim to give your people easy, good choices. Too many choices will be counterproductive. Microsoft recommends starting with 3-5 top level labels across an agency and then scoping any additional labels to targeted users as needed.

Without proper planning and support, agency staff may be reluctant to apply data protection policies. This could result in incorrectly classified data, leading to its possible disclosure, or rendering it inaccessible for legitimate use. Microsoft can provide guidance to agencies as they undertake this work.

Where can agencies go for more information?

Additional Information on | URL
---|---
New Zealand Government Security Classification System | https://www.protectivesecurity.govt.nz/home/information-security-management-protocol/new-zealand-government-security-classification-system/
Azure Information Protection technical documentation | https://docs.microsoft.com/en-us/information-protection/
Azure RMS Security Evaluation | https://aka.ms/rmssec
EMS Solution - Secure data using classification, labelling, and protection | https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/infoprotect-secure-classify-scenario
Microsoft France information protection whitepaper series | https://sway.com/yXywe-nYIf9EFpiI and https://www.microsoft.com/en-us/download/details.aspx?id=44565

Azure Information Protection lifecycle (figure content: Classify, Label, Protect, Share):

Classify
• Manually select an appropriate classification
• Auto-suggest (or enforce) classification based on content scan

Label
• Apply in-document labelling
• Tag the file or email with metadata

Protect
• Restrict the ability to copy, print and screen capture content
• Encrypt using Microsoft key, customer-managed or customer-held key
• Limit access to just your organisation, or specific people or groups within your organisation

Share
• Share encrypted content securely with external individuals and organisations
• Auto-expire content
• Monitor who is accessing your protected files and where they are located
• Revoke access to your protected files

Page 9 of 37

2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging.

What is this security control?

Agencies must be able to detect, prevent, and respond to information security incidents related to their use of Office 365, and ensure that Office 365 provides an adequate level of logging and reporting so that incidents can be investigated.

Key aspects of conforming to this requirement

Agencies are responsible for having an information security incident management process so that they can recognise, respond to and manage information security incidents when using Office 365 (as well as any existing on-premises infrastructure and cloud services). While Microsoft will detect, prevent, and investigate security incidents in Office 365, agencies need to define what audit events they want to monitor and be alerted on, and configure their Office 365 instance to report on these events (through Power BI dashboards, Management Activity APIs, Advanced Security Management, etc.). In addition, agencies need to integrate their incident management processes with Microsoft’s to ensure that security incidents can be effectively managed throughout their lifecycle.

How can Microsoft help agencies meet this requirement?

Microsoft’s security incident response management processes include technical mechanisms, organisational policies, and operational procedures to prevent, monitor, detect, and respond to security incidents in Office 365. Microsoft security teams operate 24 x 7 x 365 security incident monitoring and response services, and are continually looking for indicators of compromise, including by using continual Red Teaming as part of Microsoft’s ‘assume breach’ strategy. Agencies can communicate security incidents to the Microsoft Security Response Center (MSRC) and be notified of any security incidents by their Technical Account Manager (TAM).

Office 365 produces audit and event logs recording user and administrator activities, exceptions, faults, and security

events. Office 365 has several audit and reporting features that enable agencies to track user and administrative

activity within their Office 365 tenant, including changes made to configuration settings, and changes made to

documents or other items. Some of the auditing and reporting features include:

• Content Search and eDiscovery.

• Unified Audit Log Search.

• Office 365 Management Activity API.

• Office 365 Activity Usage Reports Dashboard.

• Advanced Security Management.

• Customer Lockbox.

Agencies can use their on-premises Security Information and Event Management (SIEM) solution (many of which already ship connectors for Office 365) with the Office 365 Management Activity API to obtain the same report information as is provided in the Office 365 Security and Compliance Center, but with SIEM integration. They can manage the resulting reports on premises, and keep this information on premises indefinitely.
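One way to put the Management Activity API records to use in a SIEM pipeline, as an added example that is not code from this guide or from Microsoft: the block below parses a constructed batch of records in the shape the API returns and applies three triage rules an agency might define (sensitive admin operations, mailbox forwarding set via Set-Mailbox, and repeated failed logins from one source address). The operation names used by the rules are real Management Activity API operation names, but which of them to alert on and the failed-login threshold are assumptions, not Microsoft recommendations.

```python
"""Triage Office 365 Management Activity API audit records on the way to a SIEM.

Added example, not code from the Microsoft guide. The batch below is
constructed to follow the shape of Management Activity API records
(CreationTime, Operation, UserId, Workload, ClientIP, ResultStatus, and the
Parameters list on Exchange admin records). Which operations to alert on and
the failed-login threshold are this example's assumptions; an agency derives
its own from the audit events it has decided to monitor.
"""
import json
from collections import defaultdict

# Assumption: operations an agency wants to see regardless of outcome.
SENSITIVE_OPERATIONS = {
    "Add member to role.",      # Azure AD directory role assignment
    "Set-AdminAuditLogConfig",  # change to the audit configuration itself
    "New-InboxRule",            # inbox rules can silently move or forward mail
}
# Set-Mailbox parameters that redirect a mailbox's mail elsewhere.
FORWARDING_PARAMETERS = {"ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample batch (one content blob as fetched from the API).
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2017-07-01T01:02:03", "Operation": "UserLoggedIn",
     "UserId": "alice@agency.govt.nz", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"},
    {"CreationTime": "2017-07-01T01:05:10", "Operation": "UserLoginFailed",
     "UserId": "bob@agency.govt.nz", "Workload": "AzureActiveDirectory",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"CreationTime": "2017-07-01T01:05:41", "Operation": "UserLoginFailed",
     "UserId": "bob@agency.govt.nz", "Workload": "AzureActiveDirectory",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"CreationTime": "2017-07-01T01:06:02", "Operation": "UserLoginFailed",
     "UserId": "carol@agency.govt.nz", "Workload": "AzureActiveDirectory",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"CreationTime": "2017-07-01T01:07:30", "Operation": "FileAccessed",
     "UserId": "dave@agency.govt.nz", "Workload": "SharePoint",
     "ClientIP": "203.0.113.22", "ResultStatus": "Succeeded"},
    {"CreationTime": "2017-07-01T01:09:00", "Operation": "Set-Mailbox",
     "UserId": "admin@agency.govt.nz", "Workload": "Exchange",
     "ClientIP": "203.0.113.10", "ResultStatus": "True",
     "Parameters": [{"Name": "Identity", "Value": "bob@agency.govt.nz"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:someone@example.net"}]},
    {"CreationTime": "2017-07-01T01:12:45", "Operation": "Add member to role.",
     "UserId": "admin@agency.govt.nz", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
])


def parse_records(blob):
    """Decode one content blob; the API returns a JSON array of records."""
    records = json.loads(blob)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of audit records")
    return records


def _parameters(record):
    """Flatten an Exchange admin record's Parameters list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def triage(records, failed_login_threshold=3):
    """Return alert dicts for the records worth a human's attention."""
    alerts = []
    failed_by_ip = defaultdict(list)
    for r in records:
        op, user = r.get("Operation", ""), r.get("UserId", "?")
        if op == "Set-Mailbox":
            params = _parameters(r)
            hits = sorted(FORWARDING_PARAMETERS & set(params))
            if hits:
                alerts.append({"rule": "mailbox-forwarding", "user": user,
                               "detail": params[hits[0]]})
        if op in SENSITIVE_OPERATIONS:
            alerts.append({"rule": "sensitive-operation", "user": user,
                           "detail": op})
        if op == "UserLoginFailed":
            failed_by_ip[r.get("ClientIP", "?")].append(user)
    # Correlate failures by source address across the whole batch.
    for ip, users in failed_by_ip.items():
        if len(users) >= failed_login_threshold:
            alerts.append({"rule": "repeated-failed-logins",
                           "user": ",".join(sorted(set(users))),
                           "detail": f"{len(users)} failures from {ip}"})
    return alerts


def summarise(blob, failed_login_threshold=3):
    """Parse a blob and triage it in one step."""
    return triage(parse_records(blob), failed_login_threshold)


if __name__ == "__main__":
    for alert in summarise(SAMPLE_BLOB):
        print(alert)
```

Run stand-alone it prints the three alerts raised by the sample batch. In a real pipeline the batch comes from a content blob fetched through the API subscription, and the alert dicts become events in the SIEM rather than printed lines.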

Agencies’ Office 365 administrators can use Customer Lockbox to control how a Microsoft support engineer accesses agency data during a support case. In rare scenarios where the engineer requires access to that data to troubleshoot and fix an issue, Customer Lockbox allows the agency to approve or reject the access request. If the request is approved, the engineer can access the data. Each request has an expiration time, and once the issue is resolved, the request is closed and access is revoked.


What else should agencies consider?

To use the Office 365 audit and reporting features, agencies need to enable audit logging to record user and

administrator activity. This feature is not enabled by default.

Agencies are responsible for ensuring that they have intrusion detection and prevention measures, and audit and

event logging capabilities in place, for the components they are responsible for managing (e.g. end-user computing

devices, Active Directory servers).

In addition to the events and log data that is available to customers, there is an internal Microsoft log data collection

service called Cosmos that is used by Office 365 engineers. Office 365 service teams upload audit logs into Cosmos

for aggregation and correlation, alerting, and reporting to correct vulnerabilities and improve the performance of

Office 365. To ensure the protection of customer data that may be present in the logs, an automated tool obfuscates

any fields that contain customer data, such as tenant information and end-user identifiable information, and replaces

these fields with a hashed (encrypted) value.
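The obfuscation step described above, as an added illustration (this is not Microsoft's Cosmos tooling, and the field list and the key are assumptions): identifying fields are replaced with a keyed hash before the record leaves the tenant-facing pipeline. A keyed hash (HMAC-SHA256) is used rather than a plain hash because a plain SHA-256 of an e-mail address can be reversed by hashing a list of known addresses; with the key held only by the log pipeline, the pseudonym still lets analysts correlate events about the same user without revealing who that user is. The leaks() function is the check a reviewer would run to confirm nothing identifying survived.

```python
"""Pseudonymise customer-identifying fields in audit records before they are
aggregated centrally.

Added example, not Microsoft's Cosmos tooling. It shows the technique the guide
describes (replacing tenant and end-user identifying fields with a hashed value)
using a keyed hash, HMAC-SHA256, so that the pseudonym is stable under one key
(events about the same user still correlate) but cannot be reversed by hashing
a list of known addresses. The field list and the key are this example's
assumptions.
"""
import copy
import hashlib
import hmac
import json

# Assumption: fields that carry tenant or end-user identifying data.
CUSTOMER_DATA_FIELDS = {"OrganizationId", "UserId", "UserKey", "ClientIP", "ObjectId"}
# Exchange cmdlet parameters whose values are addresses or mailbox names.
CUSTOMER_DATA_PARAMETERS = {"Identity", "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample record in the shape of a Management Activity API entry.
SAMPLE_RECORD = {
    "CreationTime": "2017-07-01T01:09:00",
    "Operation": "Set-Mailbox",
    "Workload": "Exchange",
    "ResultStatus": "True",
    "OrganizationId": "11111111-2222-3333-4444-555555555555",
    "UserId": "alice@agency.govt.nz",
    "ClientIP": "203.0.113.10",
    "ObjectId": "alice",
    "Parameters": [{"Name": "Identity", "Value": "alice@agency.govt.nz"},
                   {"Name": "AuditEnabled", "Value": "True"}],
}


def pseudonym(value, key):
    """Keyed hash of one field value; truncated to keep log lines readable."""
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return "h:" + mac.hexdigest()[:32]


def pseudonymise(record, key, fields=CUSTOMER_DATA_FIELDS,
                 parameters=CUSTOMER_DATA_PARAMETERS):
    """Return a copy of the record with identifying values replaced.

    Non-identifying fields (operation, workload, timestamps, boolean
    parameters) are left intact so the record is still useful for
    aggregation and alerting.
    """
    out = copy.deepcopy(record)
    for name in fields:
        if out.get(name) is not None:
            out[name] = pseudonym(out[name], key)
    for param in out.get("Parameters", []):
        if param.get("Name") in parameters:
            param["Value"] = pseudonym(param["Value"], key)
    return out


def pseudonymise_batch(records, key):
    """Scrub a whole batch with the same key so cross-record correlation holds."""
    return [pseudonymise(r, key) for r in records]


def leaks(record, identifiers):
    """Check step: which of the given raw identifiers still appear anywhere
    in the serialised record (nested values included)."""
    serialised = json.dumps(record)
    return {i for i in identifiers if i in serialised}


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    scrubbed = pseudonymise(SAMPLE_RECORD, key)
    print(json.dumps(scrubbed, indent=2))
    print("leaked:", leaks(scrubbed, {"alice@agency.govt.nz", "203.0.113.10"}))
```

The key must be managed like any other secret and rotated on a schedule: a rotation breaks correlation across the boundary, which is usually acceptable for log retention windows, while a leaked key would let anyone with an address list re-identify every pseudonym produced under it.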

Where can agencies go for more information?

Additional Information on | URL
Office 365 Security Incident Management | http://download.microsoft.com/download/2/F/1/2F16A9CA-8D4F-4BB5-8F85-3A362131A95B/Office%20365%20Security%20Incident%20Management.pdf
Security in Office 365 Whitepaper | https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
Management API Reference Guide | https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference

3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively.

What is this security control?

Agencies need to ensure that their infrastructure supports their adoption and use of Office 365, and that it is

architected to protect information from unauthorised access, disclosure, modification, and loss.

In addition to this, agencies need to ensure that their users can easily and effectively use Office 365 services through

supporting security services (e.g. single sign-on, mobile device management, mobile application management).

Key aspects of conforming to this requirement

Agencies need to ensure that their adoption of Office 365 meets their identified use cases, and create an architecture

to ensure the safe and effective use of the service. Agencies need to identify what Office 365 deployment scenario best

fits their requirements, and how the supporting information services and systems will be secured, before adopting the

service.

Microsoft strongly recommends that New Zealand government agencies plan for a hybrid Office 365 scenario,

where some functionality is provided by online services (e.g. Azure Active Directory) and some is delivered by on-

premises servers (e.g. Active Directory servers). It is expected that most agencies will still need to operate and manage

at least some on-premises infrastructure for the foreseeable future for a variety of reasons, including enabling

integration with SEEMail (if used). For agencies that do not want to manage any server infrastructure and have all

functionality provided by Office 365 and related cloud computing services, it is recommended that they contact

Microsoft New Zealand for advice and guidance on what is possible.


Agencies need to determine how their users will work, how end-user computing devices will be used and protected,

and how users will be identified and authenticated. Some common user and device decisions include:

• Mobile or office-based – will staff be in an office environment, working from home, or working on the go?

• Managed or personal devices – does the agency want to issue staff with devices, or support the use of personal

devices as part of a BYOD strategy?

• Single sign-on and Identity Federation – will the agency want users to be able to log on to Office 365 with their on-

premises credentials or use a 3rd party identity provider?

Once agencies understand their adoption and use of Office 365, they should gain assurance that it meets their

business requirements (including security requirements). This can be achieved through activities such as formal

security architecture and design reviews, which could be performed internally or through an independent 3rd party.

How can Microsoft help agencies meet this requirement?

To assist with meeting this requirement, Microsoft provides a wide range of independent audit reports and supporting

assurance documentation including the results of Office 365 penetration testing. This is available through the Service

Trust Platform in the Microsoft Trust Center. Microsoft also provides various support, documentation, tools and

resources, and expert services such as FastTrack, to help agencies plan for, adopt and manage Office 365.

Where can agencies go for more information?

Additional Information on | URL
FastTrack Productivity Guide | https://fasttrack.microsoft.com/office/envision/productivitylibrary
Adoption Guide | https://go.microsoft.com/fwlink/?LinkId=690086
Office Training Center Bill of Materials | https://www.microsoft.com/en-us/download/details.aspx?id=54088
Office Training Roadmaps | https://support.office.com/en-us/article/office-training-roadmaps-62a4b0dc-beba-4d8e-b79c-0ad200e705a1?ui=en-US&rs=en-US&ad=US&wt.mc_id=AID573689_QSG_BLOG_140051
Office 365 Blogs | https://blogs.office.com/?filter=true&filter-product=office-365
MSIT Worksmart Training Guides | https://technet.microsoft.com/en-us/bb687781.aspx
Sample Adoption Guide | https://view.officeapps.live.com/op/view.aspx?src=https://fto365dev.blob.core.windows.net:443/media/Default/DocResources/en-us/Resources/Sample_Adoption_Plan.xlsx
FastTrack Engagement Content | http://fasttrack.microsoft.com/office/drive-value/engage
Office Training Center | http://aka.ms/O365Learning
FastTrack EMS Guide | https://fasttrack.microsoft.com/ems/envision

4. Agencies must have control over the interaction between public cloud services and end user devices.

What is this security control?

Agencies must ensure that end-user computing devices (e.g. workstations, laptops, tablets, and smartphones) used to

access Office 365 are configured, managed, and maintained to protect information from unauthorised access,

disclosure, modification, and loss.

Key aspects of conforming to this requirement

Agencies are responsible for managing the security of the end-user computing devices that their staff use to access Office 365. Agencies should understand how staff are using devices when accessing Office 365, and determine appropriate policies to ensure that those devices can be used safely and effectively. This applies to agency-supplied devices and to personal devices used as part of a Bring-Your-Own-Device (BYOD) strategy.

Agencies are responsible for implementing device management solutions that ensure:

• Devices are configured and hardened, via either a traditional standard operating environment build or a “modern management” deployment.

• Devices are patched and updated.

• A strong authentication mechanism is used to control access to the device.

• Multi-factor authentication is used to authenticate the user to Office 365.

• Devices have encryption of data at rest enabled.

• Data on devices can be protected or securely erased through remote wipe functions.

How can Microsoft help agencies meet this requirement?

Office 365 provides agencies with basic built-in mobile device management for iOS, Android, and Windows Phones. Office 365 Mobile Device Management functions include being able to enforce passwords, enforce mobile device encryption, and prevent access from jailbroken/rooted mobile devices. In addition, Office 365 supports secure data erasure capabilities, either after a defined number of failed password attempts (local wipe) or by remotely wiping the device.

Microsoft Intune extends the Mobile Device Management (MDM) capabilities of Office 365 [2], enabling not only deeper management of Android and iOS devices but also the management of Mac OS X and Windows PC devices. Intune provides the same Office 365 MDM capabilities plus the ability to enrol and manage more types of end-user devices, define and enforce device configuration policies, and manage user and device profiles (e.g. certificate, Wi-Fi, VPN, and email profiles).

Intune also provides the ability to protect data at the application and identity level through Intune App Protection

(Mobile Application Management (MAM)) policies for devices that are not enrolled in MDM. This capability is available

for iOS and Android devices. Capabilities include:

• Encrypting the data in apps.

• Securing app access by requiring a PIN/passcode or corporate credentials.

• Blocking copy and paste, or preventing data transfer outside of the work context (work-only apps and work identity

within multi-identity apps).

• Preventing backup to personal cloud storage and preventing "Save as".

• Having all web links open within the Intune Managed Browser.

Intune App Protection can work independently of a MDM solution, providing both an additional layer of protection

and a different model for securing agency apps and data in BYOD scenarios. Importantly, the policies work neatly with

the multi-identity support built into the Office apps – enabling agencies to protect data while letting staff keep using

the apps for personal documents and email.

For devices running Windows 10 Pro or Enterprise, Windows Information Protection (WIP) can be used to protect an agency from data leakage by providing MAM-style management across applications, data sources and data. Files arriving onto the device from defined corporate sources (e.g. VPN, SharePoint Online, Exchange) are encrypted at the file level using Windows Encrypting File System (EFS) and can only be accessed by users with the appropriate certificates. Flow of information out of applications defined as ‘corporate’ can also be controlled – without the applications needing to be updated or changed. WIP can be managed using either Configuration Manager or a MDM tool such as Intune.

[2] https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22

From an authentication perspective, Office 365 offers Office 365 Multi-Factor Authentication (MFA), which requires users to complete more than one verification method before they can access Office 365 services, regardless of device and location. This is a useful but basic version of Azure Multi-Factor Authentication (Azure MFA), which is available as a standalone service or as part of the Enterprise Mobility and Security (EMS) suite. Azure MFA adds fraud alerting, reporting and the option of trusted IPs/networks, and makes the service available to other cloud and on-premises applications and services.

Azure Active Directory Conditional Access enables you to set specific conditions for a user to access an application or

cloud services including Office 365. Conditional Access helps protect access to an agency's applications and resources

from unknown and/or unmanaged devices, and devices that do not meet the security policy of an agency.

After access requirements are met, the user is authenticated and can access the application. This applies a set of

contextual controls at the user, location/network, session, risk profile, device, and app levels – which can be different

for different services, and applied to all users or just groups or individuals. You can allow or block access or challenge

users with Multi-Factor Authentication, device enrolment, or password change. A key scenario is restricting access to

domain-joined or Intune-enrolled and compliant devices. Additionally, Azure Active Directory Identity Protection

(included in Enterprise Mobility and Security E5) applies machine learning-based identity protection to detect

suspicious behaviour and apply risk-based conditional access that protects your applications and critical company data

in real time.
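How several Conditional Access policies combine into one decision is easier to see in a small model. The block below is an added example, not Microsoft's implementation or API: it models the documented behaviour that every policy whose conditions match a sign-in applies, that a block in any matching policy wins, and that otherwise all grant controls required by the matching policies must be satisfied (only the "require all selected controls" grant mode is modelled). The policy names, group names, application names and signal fields are constructed for illustration.

```python
"""Model of how several Conditional Access policies combine into one decision.

Added example, not Microsoft's implementation or API. It models the documented
behaviour that every policy whose conditions match a sign-in applies, that a
block in any matching policy wins, and that otherwise the sign-in must satisfy
the grant controls of all matching policies (the "require all" grant mode; the
"require one of" mode is not modelled). Policy names, group names, application
names and the signal fields are constructed for illustration.
"""
from dataclasses import dataclass

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Signals:
    """What the identity service knows about one sign-in attempt."""
    user: str
    groups: frozenset
    app: str
    device_compliant: bool = False     # MDM reports the device compliant
    device_domain_joined: bool = False
    trusted_network: bool = False      # source IP is in a trusted location
    mfa_completed: bool = False        # MFA already satisfied this session
    sign_in_risk: str = "none"         # Identity Protection risk level


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset = frozenset()       # empty: all cloud apps
    groups: frozenset = frozenset()     # empty: all users
    untrusted_network_only: bool = False
    min_sign_in_risk: str = "none"      # applies at this risk level or above
    block: bool = False
    require: frozenset = frozenset()    # grant controls, all must be met


# Constructed policy set for an agency tenant.
POLICIES = [
    Policy("mfa-off-trusted-network", untrusted_network_only=True,
           require=frozenset({"mfa"})),
    Policy("o365-compliant-devices-only", apps=frozenset({"Office 365"}),
           groups=frozenset({"staff"}), require=frozenset({"compliant_device"})),
    Policy("medium-risk-mfa-and-password", min_sign_in_risk="medium",
           require=frozenset({"mfa", "password_change"})),
    Policy("block-high-risk", min_sign_in_risk="high", block=True),
]


def applies(policy, s):
    """True when every condition of the policy matches the sign-in."""
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.untrusted_network_only and s.trusted_network:
        return False
    return RISK_LEVELS[s.sign_in_risk] >= RISK_LEVELS[policy.min_sign_in_risk]


def decide(policies, s):
    """Combine all matching policies into block / deny / challenge / allow."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.block for p in matched):
        return {"decision": "block", "outstanding": [],
                "policies": [p.name for p in matched if p.block]}
    required = set().union(*(p.require for p in matched))
    satisfied = {"mfa": s.mfa_completed,
                 "compliant_device": s.device_compliant,
                 "domain_joined": s.device_domain_joined,
                 "password_change": False}   # always an interactive step
    outstanding = sorted(c for c in required if not satisfied[c])
    if {"compliant_device", "domain_joined"} & set(outstanding):
        decision = "deny"        # device state cannot be fixed mid-sign-in
    elif outstanding:
        decision = "challenge"   # user is prompted for the listed controls
    else:
        decision = "allow"
    return {"decision": decision, "outstanding": outstanding,
            "policies": [p.name for p in matched]}


if __name__ == "__main__":
    staff = frozenset({"staff"})
    print(decide(POLICIES, Signals("alice", staff, "Office 365",
                                   device_compliant=True, trusted_network=True)))
    print(decide(POLICIES, Signals("alice", staff, "Office 365",
                                   device_compliant=False)))
```

The point the model makes visible is that policies are cumulative: a sign-in from an unmanaged personal device is denied by the device policy even when MFA has already been completed, and a high-risk sign-in is blocked outright regardless of how many other controls it could satisfy. That is why the guide's "key scenario" of restricting access to compliant or domain-joined devices is usually layered on top of a baseline MFA policy rather than replacing it.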

Office 365 E5 includes Office 365 Advanced Security Management (ASM) which provides more visibility and control

over data flowing in and out of Office 365.

• Threat detection—Helps you identify high-risk and abnormal usage, and security incidents.

• Enhanced control—Shapes your Office 365 environment leveraging granular controls and security policies.

• Discovery and insights—Get enhanced visibility into your Office 365 usage and shadow IT without installing an

endpoint agent.

The Enterprise Mobility and Security suite provides an expanded version of this toolset called Cloud App Security (CAS

– Microsoft’s native Cloud Access Security Broker capability). The key differences are:

• ASM provides protection and monitoring for Office 365 only, while CAS will work across all your cloud services.

• Usage patterns, upload/download traffic anomalies.

• Extended policy engine, policy enforcement and data loss prevention (DLP) features.

• Discovery, security, and risk ratings across 13,000 cloud services.

• Automatic firewall, and application proxy log uploads.

• AIP integration allowing for the protection of files in Office 365 OneDrive and SharePoint Online with Azure RMS

directly.

What else should agencies consider?

Agencies need to understand how their staff operate and use their computing devices, and define appropriate device

and application policies that are in proportion to the risk of having agency information accessible from the device.

[Figure: device and access protection options ordered by increasing sophistication of protection: Office 365 MDM & MFA; Intune MDM & Azure MFA with Conditional Access; Intune MAM; Office 365 Advanced Security Management; Cloud App Security & Azure Identity Protection.]


Poorly defined and implemented policies will lead to the information not being appropriately protected. Conversely,

overly restrictive policies can lead to the device being unusable, leading to staff being unproductive or finding

alternative (and potentially riskier) ways of working.

Where can agencies go for more information?

Additional Information on | URL
Microsoft Identity Driven Security | http://download.microsoft.com/download/E/C/7/EC78FF06-02BB-4DFD-9EBB-CADB66BB594F/Microsoft_Identity%20Driven%20Security_Datasheet_EN_US.pdf
Office 365 MDM | https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Intune MDM | https://docs.microsoft.com/en-us/intune/
Intune App Protection (MAM with/out enrolment) | https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
Office 365 MFA | https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
Azure MFA | https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index
Azure Active Directory Conditional Access | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
Azure Active Directory Identity Protection | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
Office 365 Advanced Security Management | https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475?ui=en-US&rs=en-NZ&ad=NZ
Cloud App Security | https://docs.microsoft.com/en-us/cloud-app-security/
Office 365 Secure Score | https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef?ui=en-US&rs=en-US&ad=US
Controlling Access to Office 365 and Protecting Content on Devices | https://www.microsoft.com/en-us/download/details.aspx?id=53317


5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities.

What is this security control?

Agencies must identify any government security technology services they currently use that may be affected by their

adoption of Office 365 and determine whether they can be successfully integrated with it.

Key aspects of conforming to this requirement

Agencies must identify and assess whether the government security technology services that they currently use can be

successfully integrated with Office 365. They should also identify whether they need to re-architect and redeploy those

services to support integration (see Requirement 3).

If a security technology service that is currently used by the agency cannot be integrated with Office 365, the agency

must determine whether it can effectively manage the risks associated with its use of Office 365 without the service in

place.

How can Microsoft help agencies meet this requirement?

Microsoft has published the Office 365: SEEMail Integration and Reference Architecture whitepaper that presents some

of the architectural patterns and considerations for integrating SEEMail with Office 365.

Note: the GCIO and Microsoft are working to update this guidance at the time of publication of this document.

What else should agencies consider?

A frequent agency objective when implementing Office 365 is the retirement of all on-premises/locally-hosted

Exchange infrastructure. However, for agencies mastering their identity in Active Directory and synchronising to Azure

Active Directory, the supported configuration is the use of a locally hosted Exchange Server to manage the Exchange

attributes in Active Directory. The Exchange Server(s) can be standalone management consoles or configured as a

hybrid to allow for local hosting of some mailboxes, and to act as a secure mail relay between a SEEMail gateway and

Exchange Online. Please note:

• The SEEMail gateway forwards all mail unencrypted to an agency’s internal mail system – creating the need for a

mail relay to encrypt everything using TLS when forwarding it on to Exchange Online.

• There are other tools (including ADSIEDIT) that can be used to deal with the Exchange attributes in Active Directory,

but this is not a supported method. As such, we cannot recommend this approach.

• A 3rd party mail relay could be used between SEEMail and Exchange Online.

Agencies participating in SEEMail but wishing to pursue a ‘pure’ cloud-only environment with no locally-hosted Active

Directory should contact Microsoft to discuss this approach. A potential approach to cloud-only integration with

SEEMail is use of a 3rd party mail relay. A SEEMail compatible pattern for establishing this is expected to be developed

through work currently occurring with the GCIO (see above).


Where can agencies go for more information?

Additional Information on | URL
SEEMail | https://www.ict.govt.nz/services/show/SEEMail
Office 365: SEEMail Integration and Reference Architecture | http://aka.ms/seemail-gcio
Exchange Online Protection | https://technet.microsoft.com/en-us/library/jj723119(v=exchg.150).aspx
Exchange Online Advanced Threat Protection | https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx
De-commissioning on-premises Exchange servers | https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

6. Agencies must ensure that information and data is encrypted in transit and at rest.

What is this security control?

Encryption of information and data in transit:

Information sent between end-user computing devices (e.g. workstations, laptops, tablets, and smartphones),

integrated agency information services and systems (e.g. Active Directory, Active Directory Federation Services,

SEEMail), and Office 365 must be encrypted. In addition to this, information sent or shared with another party using

Office 365 must be encrypted.

Encryption of information and data at rest:

Agencies need to ensure that information stored at rest in Office 365 is encrypted. Similarly, information that is

synchronised with Office 365 and stored on end-user computing devices (e.g. workstations, laptops, tablets and

smartphones) must be encrypted.

Key aspects of conforming to this requirement

Agencies need to configure their information services or systems (e.g. Mail Relay) to use Transport Layer Security (TLS)

if they choose to integrate with Office 365. Microsoft supports TLS integrations (e.g. forced TLS) that ensure data is

protected while travelling across the agency’s internal network and across the Internet. However, agencies are

responsible for configuring and managing their systems to use TLS.

Note that all email from the SEEMail gateway forwards to your mail system unencrypted, so email going to Office 365

will need to be encrypted by a mail relay (typically an Exchange Server in hybrid configuration – see above).
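The forced-TLS hop between the mail relay and Exchange Online, as an added example (not Microsoft's or the GCIO's reference configuration; the guide's reference pattern is a hybrid Exchange Server, and this shows the same rule on a small Python relay so the policy is visible in code). The relay refuses to send unless the next hop offers STARTTLS, negotiates TLS 1.2 or later, and presents a certificate that verifies for the host name it connected to; audit_context() is the check an agency can run on any TLS context it intends to relay with, with the unverified opportunistic setup shown beside it for contrast. Host names and addresses are placeholders.

```python
"""Forced TLS on an agency mail relay that forwards SEEMail traffic on to
Exchange Online.

Added example, not Microsoft's or the GCIO's reference configuration. It shows
the relay side of a forced-TLS hop: build a TLS context that refuses to fall
back to pre-1.2 TLS and verifies the peer certificate, then require STARTTLS
before any message is relayed. Host names, addresses and the message are
placeholders.
"""
import smtplib
import ssl
from email.message import EmailMessage


def relay_tls_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client-side context for the hop to Exchange Online: verified peer
    certificate, hostname check, no protocol versions below min_version."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def opportunistic_context():
    """The weak setting for contrast: encrypts if it can, verifies nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Check step: list the ways a context falls short of forced TLS.
    An empty list means the context enforces what this relay expects."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


def relay(message, next_hop, port=25, ctx=None):
    """Forward one message to next_hop, or raise without sending if the hop
    cannot be made over verified TLS. Returns smtplib's refused-recipients dict."""
    ctx = ctx or relay_tls_context()
    findings = audit_context(ctx)
    if findings:
        raise RuntimeError("refusing to relay with a weak TLS context: "
                           + "; ".join(findings))
    with smtplib.SMTP(next_hop, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Opportunistic TLS would continue in cleartext here; forced TLS stops.
            raise RuntimeError(f"{next_hop} did not offer STARTTLS; message not sent")
        smtp.starttls(context=ctx)   # raises ssl.SSLError if verification fails
        smtp.ehlo()                  # re-identify on the now-encrypted channel
        return smtp.send_message(message)


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message for the relay to forward."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Placeholder next hop; in a real deployment this is the tenant's
    # Exchange Online MX or smart host.
    msg = build_message("seemail-gateway@agency.govt.nz",
                        "user@agency.govt.nz", "test", "relay check")
    print("forced-TLS context findings:", audit_context(relay_tls_context()))
    print("opportunistic findings:", audit_context(opportunistic_context()))
    try:
        relay(msg, "smtp.example.invalid")
    except (OSError, RuntimeError) as exc:
        print("relay failed closed:", exc)
```

The behaviour that matters is the failure mode: with opportunistic TLS a missing STARTTLS offer or a failed certificate check silently continues in cleartext, whereas here either condition raises before any message data leaves the relay, which is what "forced TLS" on this hop has to mean.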

In addition, agencies need to enable encryption of data at rest for any devices, information services or systems that connect to Office 365 and store information from it.

How can Microsoft help agencies meet this requirement?

Microsoft follows a control and compliance framework that focuses on risks to the Office 365 service and to customer

content. Microsoft implements a large set of technology and process-based methods (referred to as controls) to

mitigate these risks. Identification, evaluation, and mitigation of risks via controls is a continuous process. The

implementation of controls within various layers of our cloud services such as facilities, network, servers, applications,

users (such as Microsoft administrators) and data form a defence-in-depth strategy.

Within this framework all customer content within Microsoft Office 365 is protected by a variety of technologies and processes, including various forms of encryption. Microsoft uses service-side technologies in Office 365 that encrypt customer content at rest and in-transit. For content at rest, Office 365 uses both operating system and application (service) encryption. For content in-transit, Office 365 uses Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Microsoft’s encryption policies and processes, and their enforcement, are independently verified by third-party auditors. Some risk scenarios, and important details of the currently available Microsoft encryption technologies that mitigate them, are listed in the tables in the appendix to this document.

Note: As of July 2017 (subject to change) Azure Active Directory will encrypt customer directory data at rest via

encryption (BitLocker) using AES 128-bit encryption. This will be enabled by default for all Azure Active Directory

subscriptions.

From a device perspective, Microsoft recommends that all devices used by an agency to interact with Office 365 services are encrypted, whether they are owned by the agency or BYOD. Encryption can typically be enforced through management tools such as Microsoft BitLocker Administration and Monitoring (MBAM) for BitLocker device encryption in Windows, and mobile device management tools like Intune. Note that the Windows 10 Creators’ Update has introduced support for managing BitLocker through Intune MDM policies leveraging the Windows configuration service provider.

For additional security or where BYOD devices are not enrolled in MDM (and thus may not be encrypted) the

recommendation is to make use of Intune App Protection (MAM) and the MAM-enabled Office Mobile Apps such as

OneDrive, Outlook, Excel, PowerPoint, and Word. These apps support app-level encryption – protecting agency data

on what should be considered a less-trusted device.

Introduced in Windows 10 Anniversary Edition for Enterprise and Pro editions is a new capability called Windows

Information Protection (WIP). Agencies can create policies (using Configuration Manager, Microsoft Intune, or other

MDM tools) defining which applications can work with corporate (agency) data and what locations are sources of

corporate data (e.g. Office 365, VPN sessions, file servers etc.) - and the level of control versus auditing. Corporate data

is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as

corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System

(EFS) to protect it and associate it with the agency’s identity. Even if the files are copied to removable media they

remain encrypted and can only be accessed on a WIP-enabled device and by an authenticated agency user. While

useful on agency-owned and managed devices, this can be invaluable on BYOD Windows devices provided they are

running Windows 10 Pro. For this reason, we recommend that BYOD policy should stipulate Windows devices must be

running Windows 10 Pro.

Customer-managed encryption technologies

Office 365 provides additional data encryption technologies that agencies can manage and configure to further

protect their information. These technologies offer a variety of ways to further encrypt customer content at rest or in-

transit, and include:

• Azure Rights Management.

• Office 365 Message Encryption.

• Secure/Multipurpose Internet Mail Extensions (S/MIME).

What else should agencies consider?

Agencies need to be careful when using 3rd party content filters, web proxies, data loss prevention (DLP) products and

SSL/TLS interception products that detect and protect against malware. Agencies should be aware of security products

or services that intercept secured network traffic by performing a ‘man-in-the-middle (MiTM)’ interception of the

communications. Recent advisories highlight how some of these security products can weaken SSL/TLS, significantly

degrading the security of the network traffic, and increasing the likelihood of an agency user falling victim to MiTM

attacks by malicious third parties. Agencies should thoroughly evaluate the risks associated with inserting such 3rd

party capabilities between themselves and Office 365, as per the requirements of the GCIO’s Cloud Computing Risk

and Assurance Framework.


Where can agencies go for more information?

Additional Information on | URL
Office 365 MDM | https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Intune MDM | https://docs.microsoft.com/en-us/intune/
Intune App Protection | https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
MBAM | https://technet.microsoft.com/en-us/windows/hh826072.aspx
Windows Information Protection | https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip
Office 365 Content Encryption Whitepaper | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652
Data Encryption in SharePoint and OneDrive | https://technet.microsoft.com/en-us/library/dn905447.aspx

7. Agencies must have sole control over the associated cryptographic keys

What is this security control?

Agencies must be the sole party that controls (generates, owns, and manages) the associated cryptographic keys used

to protect their data within Office 365.

Important:

Agencies cannot meet this requirement and effectively use office productivity services in the public cloud. Microsoft

Office 365 must have access to cryptographic keys to encrypt and decrypt agency data for processing purposes, and

enable functioning of important information protection and security capabilities of the service.

Note: it is essential that agencies consider the following:

1. This is an inherent attribute of any SaaS service, whether provided by Microsoft or any other party.

2. It is not only information protection and security capabilities that are impacted if a SaaS service cannot decrypt

customer data - many or most productivity features would also be impacted.

Microsoft advises agencies to consider seriously the extent to which this baseline control is impractical to implement, and to review thoroughly the associated risks. To conform with the security control requirement, Microsoft advises that agencies should consider adopting the GCIO-approved approach of applying "compensating controls" as defined in the GCIO's security requirements guidance document.

Key aspects of conforming to this requirement

Agencies need to carefully consider the extent to which they either need or want to have control over the

cryptographic keys used to encrypt their data when using Office 365. Agencies should consider the potential risks and

opportunities associated with who takes responsibility for managing the cryptographic keys used in Office 365.

Page 21: Security Requirements for Offshore Hosted Office ... · Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide. Page 1 of 37 Microsoft

Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide.

Page 19 of 37

Microsoft New Zealand

July 2017

Microsoft New Zealand recommends that New Zealand government agencies use the default Microsoft

approach to key management. In a default Office 365 implementation, Microsoft will be the trusted key

management service provider.

Microsoft establishes and manages cryptographic keys for the cryptography employed within the information system in accordance with defined requirements for key generation, distribution, storage, access, and destruction. In accordance with the "Public Key Infrastructure Operational Security Standard" component of Microsoft's Security Policy, Microsoft Online Services including Office 365 use the cryptographic modules that are part of the Windows operating system for certificates and authentication mechanisms (e.g. Kerberos). These cryptographic modules have been validated by NIST under FIPS 140-2; the relevant NIST certificate numbers are 1321, 1333, 1334, 1335, 1336, and 1339. Whenever cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data within Microsoft Online Services, the modules and/or ciphers used are FIPS 140 compliant.

Alternatively, agencies can choose the customer-managed approach. The agency will control (generate, store, and

manage) keys used by Office 365 services, and store these keys in the Azure Key Vault service. Office 365 services can

then be configured to use the customer’s keys that are stored in Azure Key Vault – this feature is called Office 365

Customer Key and will be generally available in Q3 of CY17. To use Customer Key, agencies will need a robust

cryptographic key management capability with appropriate personnel, operational processes, and infrastructure to

ensure that they can manage their tenant keys throughout their lifecycle. Failure to effectively manage tenant keys can

lead to widespread service outage. Microsoft has designed Customer Key so that the risk of permanent customer data

loss due to accidental or malicious actions is very low. The Customer Key feature is designed with best-in-class

protection of customer data, utilizing separation of duties and encryption key diversity to address a range of threat

scenarios. In addition to these crucial protections, Customer Key provides customers with the ability to remove all

cryptographic keys necessary for Microsoft to process customer data stored in Office 365.

Below is a basic summary of the key management options available to Office 365 customers, and the key considerations in their selection, split into tenant/service-level and item/file-level capabilities. Note that the table also includes details of Microsoft's Azure Information Protection (AIP) encryption capabilities (both the Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options), which agencies may wish to deploy as part of the baseline and/or compensating controls they elect to implement to conform to this requirement. Note also that, to enable AIP BYOK or HYOK capabilities, agencies will need to purchase the Azure Key Vault Premium service and operate a supported HSM infrastructure (e.g. Thales nShield HSM).


Table 1: Office 365 key management options

The five options compared are two service-level options, Office 365 Default and Office 365 Customer Key, and three item/file-level options, Azure Information Protection (AIP) Default, AIP BYOK and AIP HYOK.

Applicability

• Office 365 Default: all Office 365 services

• Office 365 Customer Key: Exchange Online, SharePoint Online

• AIP Default, AIP BYOK, AIP HYOK: email messages, files

Responsible for key management

• Office 365 Default: Microsoft

• Office 365 Customer Key: Customer + Microsoft

• AIP Default: Microsoft

• AIP BYOK: Customer

• AIP HYOK: Customer

Responsible for key operation and uptime

• Office 365 Default: Microsoft

• Office 365 Customer Key: Customer + Microsoft

• AIP Default: Microsoft

• AIP BYOK: Microsoft

• AIP HYOK: Customer

Thales HSM required?

• Office 365 Default: No

• Office 365 Customer Key: Optional; agencies can generate keys in Azure Key Vault or in their own Thales HSM

• AIP Default: No

• AIP BYOK: Yes

• AIP HYOK: Yes (a highly available HSM solution is strongly recommended)

Locally hosted Rights Management Service infrastructure required?

• Office 365 Default, Office 365 Customer Key, AIP Default, AIP BYOK: No

• AIP HYOK: Yes

Data transparent to Office 365 services, so that SaaS features (e.g. search, Delve, DLP, ASM) work as designed?

• Office 365 Default: Yes

• Office 365 Customer Key: Yes

• AIP Default: Yes

• AIP BYOK: Yes, with significant limitations in Exchange Online [3]

• AIP HYOK: No; protected files are opaque to the service

Additional privacy functionality provided

• Office 365 Default: none

• Office 365 Customer Key: the customer can withdraw Microsoft's ability to process customer data

• AIP Default: none

• AIP BYOK: the service is unable to process AIP-protected items once the customer withdraws the key

• AIP HYOK: Microsoft and other third parties cannot access the protected data

How can Microsoft help agencies meet this requirement?

Office 365 is a trustworthy key management service provider. Microsoft has strong cryptographic key management policies, processes, and technologies in place to ensure the secure use and protection of cryptographic keys throughout their lifecycle (i.e. generation, distribution, storage, access, and destruction), and has independent, regularly updated security certifications and attestations that support this. Office 365 leverages Azure Key Vault, and also uses the cryptographic modules that are built into the Windows operating system for certificate, authentication and encryption mechanisms (e.g. Kerberos, BitLocker); these cryptographic modules have been validated by NIST under FIPS 140-2. Any time cryptographic capabilities are used within Office 365, the modules and/or ciphers used are FIPS validated.

[3] Microsoft documentation describes the limitations as 'Azure RMS BYOK is not compatible with Exchange Online': https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions

For customers that do not elect to use Customer Key, Microsoft generates and manages all encryption keys used to

encrypt customer data at rest.

Customers electing to use the Office 365 Customer Key feature will manage the lifecycle of their tenant keys in the

Azure Key Vault service and can choose to either generate their own root key in a Thales HSM and upload it to the

Azure Key Vault FIPS 140-2 Level 2-validated HSMs, or to generate the tenant key directly within Azure Key Vault.

Azure Key Vault provides a REST API so that customers can consume near-real-time logging showing all access and

usage of keys in Azure Key Vault service.

Currently, it is planned that Customer Key will be available in H2 of CY2017, covering Exchange Online, OneDrive for

Business and SharePoint Online services. Skype for Business conversations saved into a user’s conversations folder in

their mailbox will also be included.

Microsoft advises New Zealand government agencies that are contemplating implementing either BYOK or

HYOK capabilities to carefully consider their requirements for doing so from a balance-of-risk perspective.

Implementing such a solution requires the agency to have robust cryptographic key management capabilities in place.

Failure to effectively manage keys used with either Office 365 Customer Key, or Azure Information Protection (BYOK or

HYOK), could lead to widespread service impact and permanent data loss.
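As an added illustration (not code from this guide, and not Microsoft's Customer Key implementation), the Go program below models the key hierarchy that the Customer Key passages above describe: a tenant root key that lives only inside a vault standing in for Azure Key Vault, a fresh data encryption key (DEK) for every stored item (key diversity), each DEK stored only in wrapped form under the root key, a vault access log of the kind Key Vault exposes, and a Withdraw operation after which nothing encrypted under that root can be unwrapped. AES-256-GCM, the Vault type and its method names, the key and item names and the sample content are all assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal: AES-256-GCM with a random nonce prefixed to the output; aad binds the item or key name.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; a modified ciphertext, nonce or aad fails authentication.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("unusable key or truncated ciphertext")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Vault stands in for Azure Key Vault: root keys live only inside it and every request is logged.
type Vault struct {
	roots map[string][]byte
	Log   []string
}

// NewVault creates a vault holding one freshly generated 256-bit tenant root key.
func NewVault(rootName string) *Vault {
	return &Vault{roots: map[string][]byte{rootName: randBytes(32)}, Log: []string{"generate " + rootName}}
}

// Withdraw models the customer removing its root key; afterwards the vault can unwrap nothing.
func (v *Vault) Withdraw(name string) {
	delete(v.roots, name)
	v.Log = append(v.Log, "withdraw "+name)
}

func (v *Vault) WrapDEK(name string, dek []byte) ([]byte, error)       { return v.dekOp("wrap", name, dek) }
func (v *Vault) UnwrapDEK(name string, wrapped []byte) ([]byte, error) { return v.dekOp("unwrap", name, wrapped) }

// dekOp wraps or unwraps a DEK under the named root key without exporting it, logging the outcome.
func (v *Vault) dekOp(op, name string, data []byte) ([]byte, error) {
	k, ok := v.roots[name]
	v.Log = append(v.Log, fmt.Sprintf("%s %s allowed=%t", op, name, ok))
	if !ok {
		return nil, errors.New("root key unavailable: " + name)
	}
	if op == "wrap" {
		return gcmSeal(k, data, []byte(name))
	}
	return gcmOpen(k, data, []byte(name))
}

// EncryptItem: a fresh DEK per item (key diversity), content sealed under it; only the wrapped DEK is kept.
func EncryptItem(v *Vault, root, itemID string, content []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := randBytes(32)
	if ciphertext, err = gcmSeal(dek, content, []byte(itemID)); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = v.WrapDEK(root, dek); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, ciphertext, nil
}

// DecryptItem asks the vault to unwrap the DEK first; once the root key is withdrawn this fails.
func DecryptItem(v *Vault, root, itemID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := v.UnwrapDEK(root, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, ciphertext, []byte(itemID))
}
```

Calling NewVault, EncryptItem and DecryptItem in that order, then Withdraw and DecryptItem again, shows the two properties the guide relies on: while the root key is present the item is readable and the vault log records each wrap and unwrap; after Withdraw the unwrap is logged as denied and the stored item stays ciphertext for everyone, which is exactly why losing or destroying the tenant key is equivalent to the permanent data loss warned about above. Binding the item identifier as GCM associated data also means a wrapped DEK or ciphertext cannot be silently moved to another item.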

Non-technical controls

Alongside the technical capabilities that agencies can use as "compensating controls" to conform to this requirement, Microsoft also makes contractual commitments that allow Office 365 customers to mitigate the type of risk this control is focused on. These commitments are set out in the Microsoft Online Services Terms (OST).

Specifically, in the OST Microsoft makes the following commitments:

• Use of Customer Data:

“Customer Data will be used only to provide Customer the Online Services including purposes compatible with

providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or

similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer

Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide

the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft

licenses to Customer.”

• Disclosure of Customer Data:

“Microsoft will not disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1)

as Customer directs, (2) as described in the OST, or (3) as required by law.

Microsoft will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts

Microsoft with a demand for Customer Data, Microsoft will attempt to redirect the law enforcement agency to request

that data directly from Customer. If compelled to disclose Customer Data to law enforcement, Microsoft will promptly

notify Customer and provide a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third-party request for Customer Data, Microsoft will promptly notify Customer unless

prohibited by law. Microsoft will reject the request unless required by law to comply. If the request is valid, Microsoft

will attempt to redirect the third party to request the data directly from Customer.

Microsoft will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Microsoft is aware that the data is to be used for purposes other than those stated in the third party's request.

In support of the above, Microsoft may provide Customer's basic contact information to the third party."

Also, to assist agencies in evaluating the overall risk of loss of control of their data to which they are exposed, which this GCIO security requirement seeks to address, every six months Microsoft publishes reports on Law Enforcement Requests for User Data and on U.S. National Security Orders for User Data.

What else should agencies consider?

It is important for agencies to understand the implications of the “Additional Considerations” related to this

requirement that are set out in the GCIO Security Requirements document. The use of BYOK still requires the agency

to allow use of its tenant key by Microsoft, as Microsoft needs access to the keys for its services and applications to

encrypt and decrypt data stored in Office 365. Similarly, the use of a 3rd party service provider (e.g. a Cloud Application

Security Broker service, or the TaaS PKI Service Provider) to create a tenant key for BYOK requires the agency to allow

use of its tenant key by both the third party and Microsoft.

In Microsoft's view, on a balance-of-risk basis, agencies using Office 365 to manage information and data classified below SENSITIVE or RESTRICTED are best advised to adopt the default Office 365 approach to key management, whereby Microsoft is the trusted key management service provider. For information or data classified at SENSITIVE or RESTRICTED level, agencies can elect to deploy Azure Information Protection capabilities but should note the caveats below.

For agencies that are considering Azure Information Protection (AIP) there is an option to implement a Hold Your Own

Key (HYOK) configuration. AIP with HYOK requires an agency to implement additional on-premises infrastructure (e.g.

Active Directory (AD) servers, Active Directory Rights Management Service (AD RMS) servers, HSMs) and will also result

in the agency managing two RMS instances (AD RMS and Azure RMS).

Microsoft does not generally recommend AIP with HYOK for New Zealand government agencies, as implementing such a solution substantially degrades the functionality offered by Office 365 and requires the agency to have confidence that its cryptographic key management processes and infrastructure are utterly robust. Any data protected with AD RMS policies will become opaque to Office 365, and most functions will not work across this content (e.g. no search, no web access, no views, no anti-malware, no anti-spam, no eDiscovery, etc.). In addition, because Microsoft has no access to the agency's tenant or cryptographic keys, it cannot recover customer data if the agency loses or destroys those keys (for example when it must revoke them after a compromise). If an agency does wish to implement this capability, in-depth discussions with Microsoft are highly advised.

Where can agencies go for more information?

Content Encryption in Microsoft Office 365: https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652

Whitepaper: Bring Your Own Key with Azure Key Vault for Office 365 and Azure: http://download.microsoft.com/download/F/6/3/F63C9623-053F-44DD-BFA8-C11FA9EA4B61/Bring-Your-Own-Key-with-Azure-Key-Vault-for-Office-365-and-Azure.docx

Microsoft Azure Information Protection whitepapers: https://aka.ms/aippapers

Microsoft Online Services Terms (OST): https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx


8. Agencies must ensure that multi-factor authentication is used to control access to the service.

What is this security control?

Agencies must ensure that agency staff, including administrators, are authenticated using a Multi-Factor Authentication (MFA) method (of which two-factor authentication, 2FA, is the common case) before they are granted access to Office 365.

Traditionally users are authenticated using only a username and a password (i.e. something they know). MFA strengthens the authentication process by requiring one or more additional factors, for example a one-time password (OTP) generated by a mobile application (i.e. something they have) and/or a fingerprint (i.e. something they are).

Key aspects of conforming to this requirement

Agencies need to ensure that, for any instance of access from outside of their corporate network, MFA is enforced for all users, including administrators, before they are granted access to Office 365.

Agencies should also ensure that the mechanism staff use for MFA is actually available to them, such as a mobile phone to receive an SMS one-time code or to run the Microsoft Authenticator application. Note that SMS and voice-call factors depend on the telephone network and are exposed to attacks such as SIM swapping and call forwarding, so the Authenticator app (notification or one-time password) should be preferred where staff devices permit it.

How can Microsoft help agencies meet this requirement?

Microsoft supports the enforcement of MFA for Office 365 using Multi-Factor Authentication for Office 365, Azure

Multi-Factor Authentication or Azure Multi-Factor Authentication Server with Active Directory Federation Services (AD

FS).

Agencies that federate authentication through Active Directory Federation Services (AD FS), so that users are authenticated against their on-premises Active Directory, must use Azure Multi-Factor Authentication Server with AD FS, which requires an Azure Multi-Factor Authentication or Azure Active Directory Premium licence. In return, it can be used to secure Office 365, on-premises services, and thousands of Software as a Service (SaaS) applications from other cloud service providers.

Agencies whose users are authenticated by Azure AD itself (cloud-only identities, or on-premises identities synchronised with password hash synchronisation) can use Multi-Factor Authentication for Office 365 to secure Office 365 applications at no extra cost.

Both MFA options support the following methods:

• Phone Call – the user receives a call to their registered phone number asking them to verify they are attempting to

sign in. The user can either press the # key on their phone or enter a PIN to authenticate to Office 365.

• SMS Message – the user receives a text message to their registered mobile phone number with a six-digit

verification code. The user must enter the code to authenticate to Office 365.

• Mobile App One-Time Password – the Authenticator app running on the user’s smartphone generates a six-digit

verification code. The user must enter the code to authenticate to Office 365.

• Mobile App Notification – the Authenticator app running on the user’s smartphone presents a verification request.

The user must select Verify or Approve to authenticate to Office 365.
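The "Mobile App One-Time Password" method above is, in the common case, an RFC 6238 time-based one-time password (TOTP): HMAC-SHA1 over a 30-second time counter, dynamically truncated to six digits. The Go code below is an added example, not part of this guide and not the Authenticator app's or Azure MFA's code; it implements both code generation and a server-side verifier that tolerates one step of clock skew, compares in constant time, and refuses to accept a step that has already been consumed. The assumptions are SHA-1, 30-second steps and six digits (the RFC defaults that authenticator apps use), and the Verifier's replay rule is the example's own design rather than anything the guide attributes to Azure MFA.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

const (
	timeStep = 30      // RFC 6238 default: a new code every 30 seconds
	digits   = 6       // the six-digit code an authenticator app displays
	modulus  = 1000000 // 10^digits
)

// decodeSecret parses the base32 shared secret as it appears in an otpauth:// enrolment URI
// (case-insensitive; spaces and '=' padding are tolerated).
func decodeSecret(s string) ([]byte, error) {
	s = strings.TrimRight(strings.ToUpper(strings.ReplaceAll(s, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
func hotp(secret []byte, counter uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%modulus)
}

// totp is RFC 6238: HOTP with the counter set to the number of time steps since the Unix epoch.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/timeStep))
}

// Verifier is the server side. It accepts the current step and one step either side (clock skew),
// compares in constant time, and remembers the newest accepted step so a captured code cannot be
// replayed and an older step cannot be used once a newer one has been consumed.
type Verifier struct {
	secret   []byte
	lastStep int64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastStep: -1} }

func (v *Verifier) Verify(code string, unixTime int64) bool {
	cur := unixTime / timeStep
	for _, step := range []int64{cur - 1, cur, cur + 1} {
		if step <= v.lastStep {
			continue // this step (or a newer one) has already been used: reject replays
		}
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, uint64(step))), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}
```

With the RFC 6238 reference secret (the ASCII string 12345678901234567890, base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), totp(secret, 59) yields 287082, which is the six-digit truncation of the RFC's published vector 94287082. Presenting that same code a second time fails, which is the property that makes a phished or shoulder-surfed code worthless after its first use; the one-step window is what keeps a phone whose clock is a few seconds off from locking its user out.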

What else should agencies consider?

Agencies need to identify and manage end-user computing devices, applications or custom solutions that do not natively support Multi-Factor Authentication for Office 365. Office 365 supports application passwords for non-browser clients or applications that do not support modern authentication (e.g. native email clients). An application password is a long-lived static credential that is accepted without a second factor, so each one re-creates the single-factor exposure MFA is meant to remove; agencies should keep their use to a minimum, prefer clients that support modern authentication, and revoke application passwords when the client that needed them is retired.

The Azure MFA user experience is designed to provide easy but secure user access to an agency's applications and services, adding an extra layer of security where strong authentication is required. Using multi-factor authentication helps protect an agency's applications and services from being accessed by an unauthorised user who may have obtained the credentials of a valid agency user.


Leveraging Azure Active Directory Premium, agencies can target MFA at specific applications and services based on the agency's assessment of the security context of each application and the data within it. Agencies can also use conditional access to block access to specific applications when a user is not on a trusted network or IP range. These controls can be applied either on an application-by-application basis or at the top level, requiring users to always use Azure MFA when outside the network.

Azure MFA also has an option to be deployed on-premises in a hybrid configuration to allow for agencies to protect

on-premises resources with the same experience as the Office 365 Azure MFA scenarios.

Azure Active Directory Premium also allows agencies to configure risk-based policies that respond automatically when a specified risk level is reached. Triggers such as an agency user's credentials appearing in a leaked password database, or users accessing Office 365 (or other cloud applications) from an anonymiser, activate the conditional access controls provided by Azure Active Directory and Enterprise Mobility and Security (EMS). These can automatically block access or initiate adaptive remediation actions, including password resets and multi-factor authentication enforcement, on behalf of an agency.

Agencies can also leverage Azure Active Directory Privileged Identity Management (PIM), to manage, control, and

monitor access to an agency’s resources in Azure AD and Office 365 by administrators. PIM allows for on-demand and

"just in time" administrative access, along with reports about administrator access history and changes in administrator

assignments within the cloud services.

Where can agencies go for more information?

Office 365 MFA: https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba

Azure MFA: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index

Azure MFA Server: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server

Azure Active Directory Conditional Access: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access

Azure Active Directory Identity Protection: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

Azure Active Directory Privileged Identity Management: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-configure?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json

Modern Authentication - Active Directory Authentication Library (ADAL): https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries and https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

Microsoft France Azure Active Directory whitepaper series: https://sway.com/J-ldpNMIu97EiqYU and https://www.microsoft.com/en-us/download/details.aspx?id=36391

9. Agencies must identify where data stored by a service is replicated or backed-up.

What is this security control?

When using Office 365, agencies must identify the countries where their data will be stored. This includes any

countries where data is replicated or backed-up, to support the agency in meeting compliance, resilience, and disaster

recovery requirements.


Key aspects of conforming to this requirement

Agencies need to identify and document where the information they store in Office 365 will be located. This includes

services that are available as part of their Office 365 subscription (e.g. Exchange Online, SharePoint Online, etc.), those

that support the use of Office 365 (e.g. Azure Active Directory), as well any additional services that they choose (e.g.

Exchange Online Archiving).

How can Microsoft help agencies meet this requirement?

Microsoft provides information to its customers on the geographic location of data stored in Office 365 [4][5].

Microsoft has a regionalised datacentre strategy, where the customer’s country or region determines the primary

storage location for their data. Microsoft will replicate customer data to at least two datacentres within the primary

region based on:

• Reducing latency for fast login times for users, and access to data within Office 365.

• Ensuring data availability and resiliency in the case of a major datacentre event.

• Data residency requirements of customers and countries.

For New Zealand government agencies purchasing from New Zealand, the tenant is automatically placed in the Australia region for Office 365 and in the Worldwide partition for Azure Active Directory. The datacentre locations for these regions are presented in Figure 4 below.

Figure 4 - Office 365 and Azure AD Data Locations

What else should agencies consider?

While Australia will be the likely primary region for agency data, Microsoft may need to send some data to Microsoft

personnel or subcontractors outside this region to troubleshoot or investigate specific service issues (e.g. incident

response, service improvement) – generally at the request of the customer. Contractual arrangements regarding such

data movements are set out in the Microsoft Online Services Terms (OST).

[4] 'Where is my data?' https://www.microsoft.com/online/legal/v2/?docid=25

[5] https://www.microsoft.com/en-us/trustcenter/privacy/where-your-data-is-located


Also, if Microsoft needs to move agency data to a new country (e.g. following a geographical event, region expansion

etc.) agencies will be notified through compliance notifications and asked to opt-in or opt-out depending on their

agreement.

Where can agencies go for more information?

Microsoft Online Services Terms: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore

hosted office productivity services

What is this security control?

Agencies need to ensure that their disaster recovery and incident management plans are updated to account for their

adoption and use of Office 365.

Key aspects of conforming to this requirement

Agencies are responsible for having a documented disaster recovery plan so that they can continue to use Office 365

in the event of a business disruption, and return to normal business operations within their Recovery Time Objectives

and Recovery Point Objectives.

While Office 365 is a highly resilient service providing high levels of service availability, agencies need to integrate their

disaster recovery processes with Microsoft’s to ensure that they can recover quickly from unexpected events such as

hardware or software failure, data corruption, or catastrophic outages. This particularly applies to an agency’s facilities

and services or systems that they choose to integrate with Office 365.

How can Microsoft help agencies meet this requirement?

Microsoft has designed and implemented Office 365 with redundancies and resiliency to maximise reliability and

deliver high service availability. This enables Office 365 to recover quickly from unexpected events such as hardware or

application failure, data corruption, or other incidents that affect users. These provisions will also apply in the event of

low probability but potentially catastrophic events (e.g. a natural disaster or major incident impacting a Microsoft

datacentre), as Office 365 handles failures at the application layer instead of the datacentre layer.

Office 365 has been designed and built around resiliency principles which include:

• Redundancy built into every layer – such as:

o Physical redundancy (e.g. multiple disk/cards, servers, geographical sites, and datacentres).

o Data redundancy (constant replication across datacentres).

o Functional redundancy (the ability for customers to work offline when there is no network connectivity).

• Resiliency - via active load balancing and dynamic prioritisation of tasks based on current loads, constant recovery

testing across failure domains, and both automated failover and manual switchover to healthy resources.

• Distributed functionality of component services - to help limit the scope and impact of a failure in one area and to

simplify all aspects of maintenance and deployment, diagnostics, repair, and recovery.

• Continuous monitoring - with extensive recovery and diagnostic tools to drive automated and manual recovery of

the service.

• Simplification to drive predictability - including the use of standardised components and processes, wherever

possible, loose coupling among the software components for less complex deployment and maintenance, and a

change management process that goes through progressive stages of being deployed worldwide.


• Human backup - with 24/7 on-call support to provide rapid response and information collection towards problem

resolution.

What else should agencies consider?

Agencies should also consider the disaster recovery requirements for their critical on-premises infrastructure that

integrates with Office 365.

Scenarios that agencies should consider include:

• An outage of Azure Active Directory Connect (previously known as Azure AD Sync or DirSync).

• An outage of Active Directory Federation Services.

• An outage of on-premises Active Directory (for agencies that use their own AD instance for authentication to Office

365).

• Availability of on-premises networks between the agency staff and the Microsoft datacentres.

• Availability of endpoint devices for staff to access Office 365.

An important area to consider is major disaster/event scenarios that are low probability but high impact:

• International network outage – blocking all access to offshore services of any description

• Local disaster crippling local infrastructure hosting, with internet access being restored first

For the first scenario, hybrid configurations (Exchange, Skype for Business) will provide some benefits. In the second scenario, the offshore, internet-based nature of Office 365 will be an advantage, with the key constraint being available bandwidth. We recommend that customers using AD FS also enable password hash synchronisation through Azure AD Connect, so that they can cut over to password hash authentication in Azure AD if AD FS becomes unavailable.

Note: agencies are not obliged to create local backups to conform to the GCIO security control requirements. If an

agency perceives a need to back up any of their O365 data locally, Microsoft will be pleased to discuss approaches or

options for doing this.

Where can agencies go for more information?

Security in Office 365 Whitepaper.docx: https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552

Data Resiliency in Office 365.pdf: https://www.microsoft.com/en-us/download/confirmation.aspx?id=53560

Azure AD Connect Health: https://docs.microsoft.com/en-nz/azure/active-directory/connect-health/active-directory-aadconnect-health

Azure AD Connect: Operational tasks and considerations – Staging Mode: https://docs.microsoft.com/en-nz/azure/active-directory/connect/active-directory-aadconnectsync-operations#staging-mode

11. Agencies must have decommissioning processes as outlined in the NZISM

What is this security control?

Agencies need to ensure that they have a decommissioning plan and process, to ensure that they can safely extract and sanitise data stored in their Office 365 tenant, in accordance with the NZISM.

Key aspects of conforming to this requirement

Agencies need to determine an exit strategy should the need arise to exit their Office 365 tenancy. This includes having a documented plan for decommissioning their service and securing their data, which will need to include:

• Migration plans – how will data, users, and licenses be migrated to a replacement service?

• Data retention and archiving requirements – what contractual and legislative requirements exist for retaining data, and transferring data custodianship for archiving purposes?

• Service decommissioning procedures – what steps are required to end the service subscription, sanitise and delete agency data, and complete any other decommissioning needs?

How can Microsoft help agencies meet this requirement?

Microsoft offers data deletion as part of its data privacy commitments. For Office 365, at contract termination or expiration, Microsoft will provide at least 90 days to confirm that all customer data has been migrated, after which the data will be destroyed to make it unrecoverable.

If a customer prefers, Office 365 provides functions for customers to destroy their data themselves, following Microsoft guidance. In addition to this, if the customer revokes the root encryption keys used to secure customer data within Office 365 (e.g. in a BYOK scenario), then all encrypted data will become permanently unrecoverable.

Microsoft securely disposes of its media using formal media sanitisation and destruction procedures. Microsoft sanitises and destroys media in accordance with organisational standards and policies that are consistent with NIST 800-88 (Guidelines for Media Sanitisation).

What else should agencies consider?

Agencies need to understand that once customer content has been destroyed or made unrecoverable, it is permanently unrecoverable. Microsoft has no ability to recover any customer content or encryption keys.

Where can agencies go for more information?

Additional information | URL

Content Encryption in Microsoft Office 365.pdf | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652

12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM

What is this security control?

Agencies need to undertake assurance activities to confirm that Office 365 has the controls required to effectively manage their security risks, before certifying and accrediting it for their use.

Key aspects of conforming to this requirement

Agencies are required to undertake assurance activities (e.g. design reviews, penetration testing, controls validation audits, etc.) as part of the NZISM Certification and Accreditation (C&A) process, and in accordance with the GCIO’s Cloud Computing Risk and Assurance Framework. These activities are used to provide an agency and its stakeholders with confidence that the security controls required to manage their risks have been appropriately designed and implemented.

For security and operational reasons Microsoft does not allow its customers to directly audit its cloud services. Also, direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the large body of compliance and assurance information, including audit reports, available from Microsoft to gain independent assurance that it has effective security controls and practices in place for Office 365.

How can Microsoft help agencies meet this requirement?

Every year, Microsoft undergoes third-party audits by internationally recognised auditors as independent validation that Microsoft complies with its policies and procedures for security, privacy, continuity, and compliance. Office 365 offers one of the most comprehensive sets of security certifications and attestations of any cloud service provider, including FIPS 140-2, HIPAA, CCSL (IRAP), ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2. A specialist compliance and assurance team continuously tracks standards and regulations, developing common control sets for the Microsoft product teams to build into the service.

Microsoft is committed to transparency to help customers meet their compliance needs. Office 365 users are strongly encouraged to access and use the relevant parts of both the Microsoft Trust Centre – especially the industry-leading Service Trust Platform (STP) – and the Security & Compliance Center [6] embedded within Office 365. These capabilities allow O365 customers to access security assurance information such as:

• Compliance reports by third-party security auditors (e.g. FedRAMP, GRC, ISO, SOC / SSAE 16).

• Trust documents (e.g. whitepapers, FAQ, trust documentation).

• Status of audited controls (further description of Office 365 security controls as part of ISO 27001:2013 and ISO 27018:2014).

• Results of penetration tests.

In addition to this, Microsoft New Zealand is committed to supporting the assurance needs of the New Zealand government and has responded to the New Zealand Government Chief Information Officer’s cloud computing security and privacy considerations questionnaire (i.e. the “GCIO 105”), to help agencies meet their cloud computing compliance needs.

What else should agencies consider?

Agencies need to ensure they understand, read, and interpret the service assurance information as part of their Certification and Accreditation process, to ensure that they are satisfied that Office 365 meets their security requirements.

Where can agencies go for more information?

Additional information | URL

Microsoft GCIO 105 response documents – Office 365, Intune, Azure, Dynamics 365, Power BI | https://www.microsoft.com/en-us/TrustCenter/Compliance/NZCC

GCIO risk assessment and security audit reports, and Security Certificates (up to In-Confidence) for Microsoft Azure, Office 365, and Azure AD | Available from GCIO on request.

13. Agencies must ensure that there are appropriate security controls over physical access to datacentres

What is this security control?

Agencies need to ensure that Microsoft has implemented appropriate physical security controls to prevent an unauthorised party gaining physical access to the datacentres hosting Office 365.

Key aspects of conforming to this requirement

For security and operational reasons Microsoft does not allow its customers to directly audit its cloud services. Also, direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the information and 3rd party assurance reports available from Microsoft to gain independent assurance that it has appropriate physical security in place at the datacentres that host Office 365.

Agencies are responsible for ensuring the physical security of their end-user computing devices and information systems, and the locations that they host equipment in or operate from (e.g. Head Office, hot desks, working remotely).

[6] https://support.office.com/en-us/article/Service-assurance-in-the-Office-365-Security-Compliance-Center-47e8b964-4b09-44f7-a2d7-b8a06e8e389c

How can Microsoft help agencies meet this requirement?

Microsoft datacentres around the globe are built from the ground up to protect services and data from harm by natural disaster or unauthorised access. All datacentres are within scope of the independent and internationally recognised security audit reports and certifications regularly undertaken on Microsoft Azure.

Microsoft defines and uses security perimeters to protect areas that contain customer information and information processing facilities. Microsoft implements controls such as perimeter gates, electronic access badge readers, biometric readers, mantraps, anti-tailgate devices, and anti-pass back controls, as well as alarms, continuous video surveillance, and security officers to monitor and control access to facilities.

Microsoft protects secure areas within facilities using appropriate entry controls to ensure that only authorised personnel are allowed access, and to protect infrastructure from accidental damage, disruption and physical tampering. Microsoft has designed and built secure rooms (e.g. Main Distribution Frame rooms, co-location rooms), implemented controls such as metal conduits, locked racks or cages, and cable trays, and controls access to secure areas by requiring two-factor authentication (access badge and biometrics).

In addition to the physical access controls, Microsoft has implemented operational procedures to restrict physical access to authorised employees, contractors, and visitors. This includes:

• Authorisation to grant temporary or permanent access is limited to authorised staff, and requests and authorisations are tracked in a ticketing and access control system.

• Visitors are required to be escorted at all times, and access within the facility is logged and audited.

• Access badges are issued to personnel requiring access only after verification of identification, and access is reviewed on a quarterly basis.

Where can agencies go for more information?

Additional information | URL

Security in Office 365 Whitepaper.docx | https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552

Service Assurance | https://support.office.com/en-us/article/Service-assurance-in-the-Office-365-Security-Compliance-Center-47e8b964-4b09-44f7-a2d7-b8a06e8e389c

14. Agencies must have assurance that appropriate patching and software maintenance is undertaken

What is this security control?

Agencies need to ensure that Microsoft has implemented a robust and comprehensive product lifecycle, including effective patch and vulnerability management strategies, to minimise the risk of an unauthorised party exploiting a known vulnerability to gain access to information stored in Office 365.

Key aspects of conforming to this requirement

Microsoft does not generally allow its customers to directly audit its cloud services. Direct auditing of a public cloud service is a very large and costly undertaking, and presents potential security risks and operational challenges. However, to gain independent assurance that it has effective product lifecycle, patch, and vulnerability management practices in place for Office 365, agencies can review the extensive information and 3rd party assurance reports and certifications available via the Microsoft Trust Center.

How can Microsoft help agencies meet this requirement?

Microsoft identifies, reports, and corrects system flaws in Office 365 through vulnerability management, incident response management, patch and configuration management processes. Microsoft receives vulnerability-related information from multiple sources which include:

• Microsoft Security Response Centre (MSRC).

• The Microsoft Digital Crimes Unit.

• Vendor websites.

• Other 3rd party services (e.g. Internet Security Systems).

• United States Computer Emergency Readiness Team (US-CERT).

• Internal and external vulnerability scanning of services daily.

Microsoft has implemented procedures to control the installation of software within Office 365. Patches, updates, and threat mitigations are covered by the Microsoft Security Development Lifecycle (SDL) [7]. Office 365 has robust patch management release cycles and engagement models to mitigate new vulnerabilities or threats as quickly as possible.

What else should agencies consider?

Agencies must ensure that they also have robust and comprehensive product lifecycle, patch and vulnerability management strategies that cover:

• operating systems and applications on end-user computing devices (e.g. workstations, laptops, tablets, and smartphones).

• operating systems and applications on the infrastructure components they are responsible for managing and maintaining (e.g. Active Directory servers).

This will ensure that the devices and infrastructure components managed by the agency remain compatible with Office 365, and minimise the risk of a malicious party exploiting a known vulnerability in them to gain access to the information stored in Office 365.

Where can agencies go for more information?

Additional information | URL

Response to GCIO 105 questions – Microsoft Office 365 – July 2015 – FINAL.pdf | https://www.microsoft.com/en-us/TrustCenter/Compliance/NZCC

15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms

What is this security control?

Agencies need to ensure that Microsoft has implemented technical controls to prevent their data stored in Office 365 from being mixed, blended, or combined with other tenants’ data to protect against unauthorised access, disclosure, modification, and loss.


Key aspects of conforming to this requirement

For security and operational reasons, Microsoft does not allow its customers to directly audit its cloud services. Also, direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the information and 3rd party assurance reports available from Microsoft to gain independent assurance that it has implemented and maintains controls that prevent data-mingling.

How can Microsoft help agencies meet this requirement?

Microsoft cloud services, including Office 365, have been designed with the assumption that all tenants are potentially hostile to all other tenants. Microsoft has implemented comprehensive security measures to prevent a tenant from being able to access content, or affect the security, of another tenant. Multiple forms of protection have been implemented throughout Office 365 that work together to provide robust logical isolation. These include:

• Logical isolation of tenants, users and services through Azure Active Directory partitions, containers, authorisation and Role-Based Access Control (RBAC).

• Logical isolation of tenants, users and services within Office 365 through Azure Active Directory and Directory Services.

• Logical isolation of customer content at the storage level, through operating system ACLs and enforcement by Azure Active Directory.

• Multi-layered encryption strategy, which combines with the data isolation storage models for each service (e.g. Exchange Online, Skype for Business, SharePoint Online) to provide additional isolation of customer data.

• SharePoint Online provides additional data isolation mechanisms at the storage level.

Microsoft continuously monitors and explicitly tests for weaknesses and vulnerabilities in tenant boundaries, including monitoring for intrusion, permission violation attempts, and resource starvation.
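As an added illustration (not Microsoft's code, and not a description of how Office 365 is built internally), the following Python models the two layers the paragraphs above describe for logical isolation: a tenant-partitioned store whose authorisation check tests the tenant boundary before any role check, and an audit trail in which cross-tenant and permission-violation attempts are visible to monitoring. Tenant, user and object names are constructed sample data.

```python
"""Toy model of tenant isolation: objects are partitioned by tenant, the
tenant boundary is checked before roles, and violations are recorded.
Added illustration only; names below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


class AccessDenied(PermissionError):
    pass


@dataclass(frozen=True)
class Principal:
    tenant_id: str
    user_id: str
    roles: FrozenSet[str]   # roles are scoped to the principal's own tenant


@dataclass
class IsolatedStore:
    # The partition key always includes the tenant: there is no tenant-less namespace.
    _objects: Dict[Tuple[str, str], bytes] = field(default_factory=dict)
    _acl: Dict[Tuple[str, str], FrozenSet[str]] = field(default_factory=dict)
    audit: List[Tuple[str, ...]] = field(default_factory=list)

    def put(self, caller: Principal, object_id: str, data: bytes,
            readers: FrozenSet[str] = frozenset({"reader", "admin"})) -> None:
        # The owning tenant comes from the authenticated caller, never from request input.
        key = (caller.tenant_id, object_id)
        self._objects[key] = data
        self._acl[key] = readers

    def get(self, caller: Principal, tenant_id: str, object_id: str) -> bytes:
        # Check 1: tenant boundary, evaluated before the existence check so that a
        # foreign tenant cannot even learn whether an object id exists.
        if caller.tenant_id != tenant_id:
            self.audit.append(("cross_tenant_attempt", caller.tenant_id,
                               caller.user_id, tenant_id, object_id))
            raise AccessDenied("tenant boundary")
        key = (tenant_id, object_id)
        if key not in self._objects:
            raise KeyError(object_id)
        # Check 2: role-based access within the tenant.
        if not (caller.roles & self._acl[key]):
            self.audit.append(("permission_violation", caller.tenant_id,
                               caller.user_id, object_id))
            raise AccessDenied("role")
        return self._objects[key]


def cross_tenant_attempts(store: IsolatedStore) -> int:
    """Detection hook: count boundary violations recorded in the audit trail."""
    return sum(1 for event in store.audit if event[0] == "cross_tenant_attempt")


def demo() -> dict:
    """Exercise the store with an admin of tenant A, an admin of tenant B,
    and a tenant-A user without a read role."""
    store = IsolatedStore()
    alice = Principal("tenant-a", "alice", frozenset({"admin"}))
    bob = Principal("tenant-b", "bob", frozenset({"admin"}))      # admin of another tenant
    carol = Principal("tenant-a", "carol", frozenset({"guest"}))  # same tenant, no read role
    store.put(alice, "doc1", b"agency A minutes")
    outcome = {"own_tenant": store.get(alice, "tenant-a", "doc1")}
    for name, who in (("other_tenant_admin", bob), ("same_tenant_no_role", carol)):
        try:
            store.get(who, "tenant-a", "doc1")
            outcome[name] = "allowed"
        except AccessDenied as exc:
            outcome[name] = f"denied: {exc}"
    outcome["cross_tenant_attempts"] = cross_tenant_attempts(store)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that an administrator role is meaningless outside its own tenant: bob holds "admin" in tenant-b and is still refused at the boundary, and the refusal lands in the audit trail where a monitoring rule can count it, which is the kind of "permission violation attempt" signal the paragraph above says is watched for.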

Where can agencies go for more information?

Additional information | URL

Tenant Isolation in Microsoft Office 365 | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54249


Office 365 Subscription Plans mapped to Security Technologies

The following table details which Office 365 technologies are available in each subscription plan.

Security Feature | Office 365 K1 | Office 365 E1 | Office 365 E3 | Office 365 E5 | SPE E3 / ECS | SPE E5

Azure Active Directory ✓ ✓ ✓ ✓ ✓ ✓

Office 365 MFA ✓ ✓ ✓ ✓ ✓ ✓

Office 365 MDM ✓ ✓ ✓ ✓ ✓ ✓

Office 365 Data Loss Prevention ✓ ✓ ✓ ✓

Secure Score ✓ ✓ ✓ ✓ ✓ ✓

Exchange Online Protection - filtering ✓ ✓ ✓ ✓ ✓ ✓

Exchange Online Advanced Threat Protection ✓ ✓

Office 365 Advanced Security Management ✓ ✓

Advanced Threat Intelligence ✓ ✓

Customer Lock Box (process control) ✓ ✓

Skype for Business, OneNote, Outlook and OneDrive

free apps with MAM support ✓ ✓ ✓ ✓ ✓ ✓

Word, Excel and PowerPoint Mobile Apps with MAM

support ✓ ✓ ✓ ✓

Azure AD MFA ✓ ✓

Azure AD Conditional Access ✓ ✓

Azure AD Identity Protection ✓

Azure AD Privileged Identity Management ✓

Intune MDM ✓ ✓

Intune App Protection ✓ ✓

Customer Key (BYOK) in Office 365 ✓ ✓

Azure Information Protection – manual ✓ ✓

Azure Information Protection – automated ✓

Azure Information Protection – BYOK [8] ✓ ✓ ✓ ✓

Azure Information Protection – HYOK ✓

Cloud App Security ✓

Windows Information Protection ✓ ✓

• Secure Productive Enterprise E3 (formerly Enterprise Cloud Suite or ‘ECS’) includes Office 365 E3, Enterprise Mobility and Security E3 and Windows Enterprise E3

• Secure Productive Enterprise E5 includes Office 365 E5, Enterprise Mobility and Security E5 and Windows Enterprise E5

For more information refer to: https://www.microsoft.com/en-us/secure-productive-enterprise/default.aspx

[8] Requires Azure Key Vault - https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions


Appendix: Office 365 encryption capabilities

Table 1: Risk scenarios and relevant encryption capabilities

Columns: Risk scenario | Encryption technology | Applies to | Implementation | Value

Risk scenario: Disks or servers in Office 365 are stolen or improperly recycled.
Encryption technology: BitLocker
Applies to: Exchange Online, SharePoint Online, Skype for Business
Implementation: AES 256-bit
Value: BitLocker provides a fail-safe approach to protect against loss of data due to stolen or improperly recycled hardware (server / disk).

Risk scenario: Internal or external hacker tries to access individual files / data as a blob. There is an attempt to access data across tenant.
Encryption technology: Service encryption
Applies to: SharePoint Online
Implementation: Files or chunked files, using AES 256-bit
Value: The encrypted data cannot be decrypted without access to keys. Helps to mitigate risk of a hacker accessing data and cross tenant access of data.

Risk scenario: Internal or external hacker tries to access individual files / data as a blob.
Encryption technology: Service encryption
Applies to: Skype for Business
Implementation: Files, using AES 256-bit
Value: The encrypted data cannot be decrypted without access to keys. Helps to mitigate risk of a hacker accessing data.

Risk scenario: Man-in-the-middle or other attack to tap the data flow between Office 365 and client computers over Internet.
Encryption technology: TLS between Office 365 and clients
Applies to: Exchange Online, SharePoint Online, Skype for Business, Yammer
Implementation: Service implemented
Value: This implementation provides value to both Microsoft and customers and assures data privacy as it flows between Office 365 and the client.

Risk scenario: Data falls into the hands of a person who should not have access to the data.
Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Applies to: Exchange Online, SharePoint Online, and OneDrive for Business
Implementation: Customer managed
Value: Azure Information Protection uses Azure RMS which provides value to customers by using encryption, identity, and authorisation policies to help secure files and email across multiple devices. Azure RMS provides value to customers where all emails originating from Office 365 that match certain criteria (i.e. all emails to a certain address) can be automatically encrypted before they get sent to another recipient.

Risk scenario: Email falls into the hands of a person who is not the intended recipient.
Encryption technology: S/MIME
Applies to: Exchange Online
Implementation: Customer managed
Value: S/MIME provides value to customers by assuring that email encrypted with S/MIME can only be decrypted by the direct recipient of the email.

Risk scenario: Email falls in hands of a person either within or outside Office 365 who is not the intended recipient of the email.
Encryption technology: Office 365 Message Encryption
Applies to: Exchange Online
Implementation: Customer managed
Value: OME provides value to customers where all emails originating from Office 365 that match certain criteria (i.e. all emails to a certain address) are automatically encrypted before they get sent to another internal or an external recipient.

Risk scenario: Email is intercepted via a man-in-the middle or other attack while in transit from an Office 365 tenant to another partner organisation.
Encryption technology: SMTP TLS with partner organisation
Applies to: Exchange Online
Implementation: Customer managed
Value: This scenario provides value to the customer such that they can send / receive all emails between their Office 365 tenant and their partner’s email organisation inside an encrypted SMTP channel.


Table 2: details of encryption technologies for data in transit and at rest

Columns: Encryption technology | Implemented by | Key exchange algorithm and strength | Key management [9] | FIPS 140-2 validated

Encryption technology: BitLocker
Implemented by: Exchange Online
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe and in the registry of the Exchange server. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: BitLocker
Implemented by: SharePoint Online
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: BitLocker
Implemented by: Skype for Business
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: File-Level Encryption
Implemented by: SharePoint Online
Key exchange algorithm and strength: AES 256-bit
Key management: The master keys, which protect the per-blob keys, are stored in two locations: 1. First, the secured store (a built-in SharePoint secret repository) which is protected by the Farm Key. 2. Second, the master keys are backed up in the central SharePoint Online secret store. These keys are updated (and the blob keys re-encrypted) every 42 days.
FIPS 140-2 validated: Yes

Encryption technology: File-Level Encryption
Implemented by: Skype for Business
Key exchange algorithm and strength: AES 256-bit
Key management: Each piece of content is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: Exchange Online
Key exchange algorithm and strength: Opportunistic TLS supporting multiple cipher suites
Key management: The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes, when TLS 1.2 with 256-bit cipher strength is used

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: SharePoint Online
Key management: The TLS certificate for SharePoint Online (*.sharepoint.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for SharePoint Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: Skype for Business
Key exchange algorithm and strength: TLS for SIP communications and PSOM data sharing sessions
Key management: The TLS certificate for Skype for Business (*.lync.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Skype for Business is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Microsoft datacentres
Implemented by: Exchange Online, SharePoint Online, and Skype for Business
Key exchange algorithm and strength: TLS 1.2 with AES 256; Secure Real-time Transport Protocol (SRTP)
Key management: Microsoft uses an internally managed and deployed certification authority for server-to-server communications between Microsoft datacentres.
FIPS 140-2 validated: Yes

Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Implemented by: Exchange Online
Key exchange algorithm and strength: Supports Cryptographic Mode 2, an updated and enhanced RMS cryptographic implementation. RSA 2048 for signature and encryption, and SHA-256 for hash in the signature.
Key management: Managed by Microsoft.
FIPS 140-2 validated: Yes

Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Implemented by: SharePoint Online
Key exchange algorithm and strength: Supports Cryptographic Mode 2, an updated and enhanced RMS cryptographic implementation. RSA 2048 for signature and encryption, and SHA-256 for signature.
Key management: Managed by Microsoft, which is the default setting; or Customer-managed (aka BYOK), which is an alternative to Microsoft-managed keys. Organisations that have an IT-managed Azure subscription can use BYOK and log its usage at no extra charge. For more information, see Implementing bring your own key. In this configuration, Thales HSMs are used to protect your keys. For more information, see Thales HSMs and Azure RMS.
FIPS 140-2 validated: Yes

Encryption technology: S/MIME
Implemented by: Exchange Online
Key exchange algorithm and strength: Cryptographic Message Syntax Standard 1.5 (PKCS #7)
Key management: Depends on the customer-managed public key infrastructure deployed. Key management is performed by the customer, and Microsoft never has access to the private keys used for signing and decryption.
FIPS 140-2 validated: Yes, when configured to encrypt outgoing messages with 3DES or AES256

Encryption technology: Office 365 Message Encryption
Implemented by: Exchange Online
Key exchange algorithm and strength: Same as Azure RMS (Cryptographic Mode 2 - RSA 2048 for signature and encryption, SHA-256 for signature)
Key management: Uses Azure Information Protection as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages.
FIPS 140-2 validated: Yes

Encryption technology: SMTP TLS with partner organisation
Implemented by: Exchange Online
Key exchange algorithm and strength: TLS 1.2 with AES 256
Key management: The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes, when TLS 1.2 with 256-bit cipher strength is used

[9] TLS certificates referenced in this table are for US datacentres; non-US datacentres also use 2048-bit sha256RSA certificates.
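Two passages in this guide turn on the same key-hierarchy idea: the decommissioning section (control 11) states that revoking the root encryption keys (e.g. in a BYOK scenario) makes all encrypted data permanently unrecoverable, and the File-Level Encryption rows of Table 2 describe per-blob keys protected by master keys that are updated, with the blob keys re-encrypted, on a schedule. The following Python is an added illustration of that pattern, not Microsoft's implementation and not a description of the service's internals. It assumes a stand-in cipher built only from the standard library (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) in place of the AES-256 the service uses, replaces the 42-day schedule with an explicit rotate call, and uses constructed sample content.

```python
"""Master key -> per-blob keys -> encrypted blobs. Rotating the master key
re-wraps only the blob keys; destroying it makes every blob unrecoverable.
Added illustration only. The cipher below is a stdlib stand-in for AES-256
(HMAC-SHA256 keystream + encrypt-then-MAC tag), not a production cipher."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under a 256-bit key."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key or tampering is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyHierarchy:
    def __init__(self) -> None:
        self.master_key: Optional[bytes] = os.urandom(32)  # in the service: secret store / HSM
        self.master_version = 1
        self.wrapped_keys: Dict[str, Tuple[int, bytes]] = {}  # blob_id -> (version, wrapped key)
        self.blobs: Dict[str, bytes] = {}

    def _master(self) -> bytes:
        if self.master_key is None:
            raise ValueError("master key destroyed: content is permanently unrecoverable")
        return self.master_key

    def store(self, blob_id: str, data: bytes) -> None:
        blob_key = os.urandom(32)                       # fresh random 256-bit key per blob
        self.blobs[blob_id] = seal(blob_key, data)
        self.wrapped_keys[blob_id] = (self.master_version, seal(self._master(), blob_key))

    def fetch(self, blob_id: str) -> bytes:
        _, wrapped = self.wrapped_keys[blob_id]
        return unseal(unseal(self._master(), wrapped), self.blobs[blob_id])

    def rotate_master_key(self) -> None:
        """Re-wrap every blob key under a fresh master key; the blobs are untouched."""
        old, new, version = self._master(), os.urandom(32), self.master_version + 1
        for blob_id, (_, wrapped) in list(self.wrapped_keys.items()):
            self.wrapped_keys[blob_id] = (version, seal(new, unseal(old, wrapped)))
        self.master_key, self.master_version = new, version

    def destroy_master_key(self) -> None:
        """Models revoking the root key: nothing below it can be unwrapped again."""
        self.master_key = None


def demo() -> dict:
    h = KeyHierarchy()
    h.store("doc1", b"cabinet paper draft")          # constructed sample content
    before_ct = h.blobs["doc1"]
    result = {"before_rotation": h.fetch("doc1")}
    h.rotate_master_key()
    result["after_rotation"] = h.fetch("doc1")
    result["blob_ciphertext_unchanged"] = h.blobs["doc1"] == before_ct
    result["wrapped_key_version"] = h.wrapped_keys["doc1"][0]
    h.destroy_master_key()
    try:
        h.fetch("doc1")
        result["after_destroy"] = "recovered"
    except ValueError:
        result["after_destroy"] = "unrecoverable"
    return result


if __name__ == "__main__":
    print(demo())
```

Rotation touches only the small wrapped-key records, so its cost does not depend on how much content is stored, which is what makes a fixed rotation period practical. The destroy step is the one an agency should reason about when planning its exit: once the root of the hierarchy is gone, no copy of the ciphertext or of the wrapped blob keys helps, which is the sense in which the guide says Microsoft has no ability to recover content or keys afterwards.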