Posted: 18-Nov-2014 | Category: Technology | Uploaded by: nordic-infrastructure-conference
Microsoft Office 365: Security Deep Dive
Andy Malone
Microsoft MVP (Enterprise Security)
Founder: Cybercrime Security Forum!
Microsoft International Event Speaker
MCT (18 Years)
Winner: Microsoft Speaker Idol 2006
See me speak @ Microsoft TechEd 2014
Follow me on Twitter @AndyMalone
The Extras… Follow @AndyMalone & get my SkyDrive link
The Inevitable Questions
Security
• Is cloud computing secure?
• Are Microsoft Online Services secure?
Transparency
• Where is my data?
• Who has access to my data?
Privacy
• What does privacy at Microsoft mean?
• Are you using my data to build advertising products?
Compliance
• What certifications and capabilities does Microsoft hold?
• How does Microsoft support customer compliance needs?
• Do I have the right to audit Microsoft?
The World is changing
• Telecoms Advancements
• Consumerization of mobile devices
• Lower costs in hardware
• Cheap low cost storage
• Massive growth in virtualization
• Low Cost Software development
• Easier support / licensing models
• Elasticity & Scalability
The World is changing
• Product is evolving into a Service
• Focus is moving from “location or Work place” to “Any location”
• Huge growth in BYOD
• Users will consume data rather than use a specific device to access it
• New administration & management models. E.g. RBAC, federation
• Will bring new security challenges
Microsoft Cloud “Trusted Service”: 4 core trust pillars
• Your Privacy Matters: We respect your privacy. You know ‘where’ data resides, ‘who’ can access it, and ‘what’ we do with it
• Independently Verified: Compliance with world-class industry standards, verified by 3rd parties
• Leadership in Transparency
• Relentless on Security: Excellence in cutting-edge security practices
Cloud Principles
• Understand that this is a two-way trust
• Understand that Microsoft’s liability is capped
– Liability represents the aggregate amount
– Liability is limited to direct damages
– Microsoft’s liability is capped at 12 months’ services fees
– Consistent with industry standard
First things first - Risk
Risk Management is the name given to a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process.
It is also a methodology that helps managers make the best use of their available resources.
The threat landscape is changing
• The number of malicious threats has increased
• Bots, spam, viruses, Trojans
• Enterprise software is very expensive and licensing is complex
• Government snooping fears*
• Cybercrime is now big business
Cloud Considerations
• Customer Accountability
• Multi-tenancy
• Different responsibilities
• Trust
• Operational support vs. service support
Protecting Data
• All data & PII must be protected against:
– Disclosure
– Destruction
– Interruption
– Modification
– Theft
• This requires the organization to create operational, technical, and physical controls to address information protection for both local & hosted stored data.
Microsoft’s Data Centre Locations: Transparency
• Where is data stored? Clear data maps and geographic boundary information are provided; the ‘Ship To’ address determines the data center location
• How do you get notified? Microsoft notifies you of changes in data center locations
• Who accesses data, and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes, and access is limited to key personnel on an exception basis
The Microsoft strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer.
Data Storage & Access
• Microsoft offers transparency around the location of customer data
• Microsoft adheres to the requirements of the strictest markets, such as the EU Data Protection Directive, so that it can legally store and use data in compliance with legal requirements
• Microsoft tracks major international privacy laws so we know what is coming and are ready to address it
Role-Based Access Control
• Who: Role groups define high-level job functions (e.g. Systems Administrator, Human Resources, Compliance Officer, Help Desk); delegate multiple roles
• What: Assign task-, action-, or feature-based permissions; end-user role assignment policies for self-service
• Where: Limit the scope of the role assignment; e.g., “Legal Department” or “Asia Offices”
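The Who / What / Where split above maps directly onto Exchange Online's RBAC objects (role group, management role, management scope). The following is an added example, not from the slides, assuming an Exchange Online PowerShell session is already open; the "Asia Offices" filter, role and group names and the contoso.com addresses are placeholders.

```powershell
# Added example (not from the slides): scoping a help-desk role group to one
# region, the way the RBAC slide describes ("Asia Offices").
# Assumes an Exchange Online PowerShell session is already open; names,
# the Office attribute value and contoso.com addresses are placeholders.

# Where: a management scope limits which recipients the role group may modify.
# Assumption: the Office attribute of each recipient holds the region name.
New-ManagementScope -Name "Asia Offices" `
    -RecipientRestrictionFilter "Office -eq 'Asia'"

# What: a custom role derived from a built-in one, trimmed to least privilege.
# Any removal cmdlets the parent role carries are stripped from the copy.
New-ManagementRole -Name "Help Desk Recipients (Limited)" -Parent "Mail Recipients"
Get-ManagementRoleEntry "Help Desk Recipients (Limited)\Remove-*" |
    Remove-ManagementRoleEntry -Confirm:$false

# Who: a role group ties the role and the scope to a job function and its members.
New-RoleGroup -Name "Help Desk - Asia" `
    -Roles "Help Desk Recipients (Limited)" `
    -CustomRecipientWriteScope "Asia Offices" `
    -Members "helpdesk.asia@contoso.com"

# Self-service: end-user role assignment policies decide what users may change
# themselves. Here users keep profile edits but lose distribution group management.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" `
    -Role "MyDistributionGroups" |
    Remove-ManagementRoleAssignment -Confirm:$false

# Check: what can the new group actually do, and where is it allowed to do it?
Get-ManagementRoleAssignment -RoleAssignee "Help Desk - Asia" |
    Format-Table Role, RoleAssigneeType, CustomRecipientWriteScope
```

The final query is the check to run after any RBAC change: a role assignment with an empty CustomRecipientWriteScope applies to the whole tenant, not just the intended region.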
RBAC for Office 365 Operations: Lock Box (Role Based Access Control)
• O365 admin requests access (from the Corporate Network into the Office 365 Datacenter Network)
• Verify eligibility by checking if: 1. Background check completed 2. Fingerprinting completed 3. Security training completed
• Grants the least privilege required to complete the task
• Grants temporary privilege
• Logged as a service request: 1. Auditable 2. Available as self-service reports
(Diagram actors: Product Team, Operations)
Office 365 operations model evolution
Traditional IT
• Highly skilled, domain-specific IT (not true Tier 1)
• Success depends on static, predictable systems
Service IT
• Tiered IT
• Progressive escalations (tier-to-tier)
• “80/15/5” goal
Direct Support
• Tier 1 used for routing/escalation only
• 10-12 engineering teams provide direct support of the service 24x7
Engineered Operations
• Direct escalations
• Operations applied to specific problem spaces (i.e., deployment)
• Emphasize software and automation over human processes
(Diagram: Product Team, Tier 1 Operations, Tier 2 Operations, Service, Support, Other, Software Aided Processes)
Demo: Office 365 RBAC & Admin
Microsoft Security Development Lifecycle: reduce vulnerabilities, limit exploit severity
Training: Core Security Training
Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
Release: Incident Response Plan; Final Security Review; Release Archive
Response: Execute Incident Response Plan
Supporting activities
• Education: administer and track security training
• Process: guide product teams to meet SDL requirements
• Accountability: establish release criteria and sign-off as part of the FSR
• Incident Response (MSRC)
• Ongoing process improvements
Office 365 Security
• Office 365 Built-in Security: 24-hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations; Microsoft security best practices
• Office 365 Customer Controls
• Office 365 Independent Verification and Compliance
Service security – Defence in depth: a risk-based, multi-dimensional approach to safeguarding services and data
• Security management: threat and vulnerability management, monitoring, and response
• Network perimeter: edge routers, intrusion detection, vulnerability scanning
• Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
• Host: access control and monitoring, anti-malware, patch and configuration management
• Application: secure engineering (SDL), access control and monitoring, anti-malware
• Data: access control and monitoring, file/data integrity
• User: account management, training and awareness, screening
• Facility: physical controls, video surveillance, access control
The Snowden Effect!
Privacy in Office 365
• No Mingling: choices to keep Office 365 Customer Data separate from consumer services
• Data Portability: Office 365 Customer Data belongs to the customer; customers can export their data at any time
• No Advertising: no advertising products out of Customer Data; no scanning of email or documents to build analytics or mine data
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
How Privacy of Data is Protected? Microsoft Online Services Customer Data¹
Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising⁵ | No | No | No | No
Microsoft: We use customer data for just what they pay us for - to maintain and provide the Office 365 Service
Who has access | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.
Government Subpoenas
• Will Microsoft turn over my data to US companies or the US government?
– Microsoft believes customers should control their own information
– When compelled by U.S. law enforcement to produce customer records, Microsoft will first attempt to redirect these demands to the customer
– Microsoft will notify the customer unless it cannot, either because Microsoft is unable to reach the customer or is legally prohibited from doing so
– Microsoft will only produce the specific records ordered by law enforcement and nothing else
• Your organization is most likely already exposed to government jurisdiction; therefore, for many companies, moving to the cloud doesn’t represent a huge increase in risk
Compliance
Compliance management framework
• Policy: business rules for protecting information and the systems which store and process information
• Control Framework: a process or system to assure the implementation of policy
• Standards: system- or procedure-specific requirements that must be met
• Operating Procedures: step-by-step procedures
Office 365 Compliance & Standards
International Standards & Controls
• ISO 27001 – All Customers
• Data Processing Agreement
• SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance
Industry Specific Compliance & Standards
• FISMA – US Government
• HIPAA/BAA – Healthcare Customers
• FERPA – EDU Customers
Geography Specific Standards
• EU Safe Harbor – EU Customers
• EU Model Clauses
Full details available at: Microsoft Office 365 Trust Center
Addressing Audit Concerns: Auditing on Your Behalf
• Microsoft offers:
– Alignment with and adoption of industry standards
– A comprehensive set of practices and controls in place to protect your data
– Focus on solutions for millions of users worldwide
– Independent third-party attestations of Microsoft security, privacy, and continuity controls
• This saves customers time and money, and allows Microsoft Online to provide assurances to customers at scale
• Alignment with and adoption of industry standards ensure that a comprehensive set of practices and controls is in place to protect sensitive data
• While not permitting customer audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls.
Windows Azure / Office 365 Identity Solutions
No Integration
• No integration required
• No single sign-on
• User logon via portal
• No servers on premise
Dirsync (Password Sync)
• Dirsync tool – perfect for provisioning large groups of users
• No single sign-on
• User login via portal
• No servers on premise
ADFS & Dirsync: Full Single Sign On (SSO), Hybrid
• Deploy Dirsync
• Implement ADFS
• Users login with WAD credentials
• Complex server infrastructure on prem
• Deployed as part of a hybrid solution
(Diagram: Office Subscription Services; Contoso customer premises)
Identity Architecture and Integration Options
1. No Integration
2. Directory Data Only
3. Directory and Single sign-on (SSO)
(Diagram components: ADMS Online Directory Sync; Windows Azure Active Directory with provisioning platform, authentication platform, directory store and IdP; Lync Online; SharePoint Online; Exchange Online; Active Directory Federation Server 3.0 with trust and IdP; Admin Portal/PowerShell; Office 365 Desktop Setup)
Limitations of Windows AD
• Directory service implemented on MS domain networks
• Introduced in Windows 2000
• DCs authenticate and authorise users and computers in a domain
• Assigns and enforces security policies
• Deployed in a single domain or as part of a larger forest
• Can be expanded through trust relationships
• Has both physical & logical attributes
• Only one instance per domain
• Active Directory uses LDAP, Kerberos, and DNS
WAD: Potential Issues
• Has a number of trust limitations in respect to size & complexity
• Designed primarily to manage in-house networks
• Protocol limitations, i.e. LDAP
• Customer security concerns about WAD data in the cloud (closed attributes)
• Does not natively support new cloud-based protocols
• Solution: Extend AD attributes into the cloud…
What is Windows Azure Active Directory?
• Customized version of AD LDS / ADAM
• Every Office 365 customer is an Azure AD tenant
• Designed primarily to meet the needs of cloud applications
• Extends the customer’s Active Directory into the cloud
• Think of it as a fish on a hook!
• Identity as a service: an essential part of Platform as a Service
Protocols to Connect to Windows Azure AD
Protocol | Purpose | Details
REST/HTTP | Directory access: create, read, update, delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0
OAuth 2.0 | Service-to-service authentication; delegated access | JWT token format
OpenID Connect | Web application authentication; rich client authentication | Under investigation; JWT token format
SAML 2.0 | Web application authentication | SAML 2.0 token format
WS-Federation 1.3 | Web application authentication | SAML 1.1 token format; SAML 2.0 token format; JWT token format
• ADFS Server
• ADFS Proxy (Consider UAG)
• Deployment Options: Installed Stand Alone or as Part of a Server Farm
• Additional Servers can be added via GUI or by using FsConfig.exe JoinFarm
Demo: Identity & Federation
Exchange security and protection
Protect communications
eDiscovery
• Unified portal for data across SharePoint, Exchange, and Lync
• Role-based access eliminates IT as a bottleneck
• In-place hold prevents data loss without needing to export or back up data
Use proximity searches to understand context
Query results across Exchange and SharePoint
Laser-focused refiners to help find the data you need
Get instant statistics
Exchange security and protection
• Stop viruses and malware: Exchange Online Protection provides multi-engine protection
• Protect sensitive data: scan Exchange transport for sensitive content with Data Loss Prevention features
• Granular control on email using RMS
(Diagram: Anti-spam, Anti-malware, Unified management, Policy)
Advanced Encryption
Functionality compared across RMS in Office 365, S/MIME, ACLs (Access Control Lists), BitLocker and Cloud Encryption Gateways (CEGs):
• Data is encrypted in the cloud
• Encryption persists with content
• Protection tied to user identity
• Protection tied to policy (edit, print, do not forward, expire after 30 days)
• Secure collaboration with teams and individuals
• Native integration with my services (content indexing, eDiscovery, BI, virus/malware scanning)
• Helps meet compliance requirements
• Mitigates the risk of a lost or stolen hard disk
Improved transport rule options
• New options
– Rules can be configured to run for a specific time period
– Rules can be run in Test Mode
• New filters
– Total message size
– Attachment extension keyword matching
– Sender IP address
• New actions
– Criteria-based routing
– Forced TLS routing
– Halt processing of remaining rules on a message (“Stop processing rules”)
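Each of the options, filters and actions listed above is a parameter of New-TransportRule in Exchange Online PowerShell. The following is an added example, not from the slides, assuming an Exchange Online session is already open; the connector name, IP range, dates and partner domain are placeholders.

```powershell
# Added example (not from the slides): the transport rule options above,
# expressed with Exchange Online PowerShell. Assumes an open session; the IP
# range (TEST-NET-1), partner domain and connector name are placeholders.

# New filters + new options: large messages carrying executable attachments from
# an untrusted IP range, checked only for a 30-day window, in Test Mode first.
# Mode Audit logs matches without taking the reject action; AuditAndNotify would
# also show Policy Tips to senders.
New-TransportRule -Name "Block large exe attachments from untrusted range" `
    -MessageSizeOver 10MB `
    -AttachmentExtensionMatchesWords "exe","scr" `
    -SenderIpRanges "192.0.2.0/24" `
    -ActivationDate (Get-Date) `
    -ExpiryDate (Get-Date).AddDays(30) `
    -Mode Audit `
    -RejectMessageReasonText "Executable attachments are not accepted." `
    -SetAuditSeverity High

# New actions: criteria-based routing of external mail for a partner domain over
# a specific outbound connector with TLS required, then stop processing further
# rules so a lower-priority rule cannot re-route the same message.
# Assumption: an outbound connector named "Partner Connector" already exists.
New-TransportRule -Name "Route partner mail over TLS" `
    -SentToScope NotInOrganization `
    -RecipientDomainIs "partner.example" `
    -RouteMessageOutboundConnector "Partner Connector" `
    -RouteMessageOutboundRequireTls $true `
    -StopRuleProcessing $true `
    -Priority 0

# Review everything still in Test Mode, then promote a rule to Enforce only once
# the audit results show it matches what you expect.
Get-TransportRule | Where-Object { $_.Mode -ne "Enforce" } |
    Format-Table Name, Mode, Priority, State, ActivationDate, ExpiryDate
Set-TransportRule -Identity "Block large exe attachments from untrusted range" -Mode Enforce
```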
Rights Management Services
Information can be protected with RMS at rest or in motion (data protection at rest; data protection in motion)
Persistent protection = Encryption + Policy (access permissions, use right permissions)
• Provides identity-based protection for sensitive data
– Controls access to information across the information lifecycle
– Allows only authorized access based on trusted identity
– Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted
– Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
Enabling RMS in Office 365: Apply RMS to content
• RMS can be applied to emails
• RMS can be applied to SharePoint libraries
• RMS can be applied to any Office documents
• Files are protected if they are viewed using Web Apps or downloaded to a local machine
Data Loss Prevention (DLP) in Exchange
• Helps to identify, monitor and protect sensitive data through deep content analysis
• Easy to use
• Familiar rules and policy process
• In-product user policy education
• “Degrees” of policy enforcement
• Customize user notification as well as internal audit reporting
• For a single data type, create multiple rules based on recipient
• Integrated compliance experience
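The "degrees" of enforcement, user policy education and per-recipient rules for one data type are all expressed through DLP policies and transport rules in Exchange Online PowerShell. The following is an added example, not from the slides, assuming an Exchange Online session is already open; the template name, compliance mailbox and policy names are placeholders.

```powershell
# Added example (not from the slides): one DLP policy, two rules for the same
# data type split by recipient, with increasing degrees of enforcement.
# Assumes an open Exchange Online session; template name, policy names and the
# compliance mailbox (contoso.com) are placeholders.

# Familiar policy process: start from a built-in template in test mode with
# Policy Tips (AuditAndNotify), so users are educated before anything is blocked.
# Assumption: the template name below exists in the tenant (check Get-DlpPolicyTemplate).
New-DlpPolicy -Name "PCI - card numbers" `
    -Template "PCI Data Security Standard (PCI DSS)" `
    -Mode AuditAndNotify

# Degree 1 - internal recipients: notify the sender only, low audit severity.
New-TransportRule -Name "PCI - internal - notify" `
    -DlpPolicy "PCI - card numbers" `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; minCount="1"}) `
    -SentToScope InOrganization `
    -NotifySender NotifyOnly `
    -SetAuditSeverity Low

# Degree 2 - external recipients: reject unless the sender records a business
# justification, and send an incident report to the compliance mailbox so the
# override is auditable.
New-TransportRule -Name "PCI - external - block with override" `
    -DlpPolicy "PCI - card numbers" `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; minCount="1"}) `
    -SentToScope NotInOrganization `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Card numbers may not leave the organization without a justification." `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Sender,Recipients,Severity,DataClassifications,RuleDetections `
    -SetAuditSeverity High

# Check the rules the policy now contains, then promote to Enforce once the
# audit period shows no false positives.
Get-TransportRule -DlpPolicy "PCI - card numbers" |
    Format-Table Name, Mode, SentToScope, NotifySender, SetAuditSeverity
Set-DlpPolicy -Identity "PCI - card numbers" -Mode Enforce
```

Leaving the policy in AuditAndNotify for a few weeks is the practical way to measure false positives before the external rule starts rejecting mail.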
Demo: Office 365 Security & Compliance
Review: Security, Compliance, Transparency, Privacy
The Extras… Follow @AndyMalone & get my SkyDrive link
Thank you. Follow me on Twitter @AndyMalone
Please evaluate the session before you leave