Date post: | 27-Dec-2015 |
Category: |
Documents |
Upload: | norman-phelps |
View: | 219 times |
Download: | 2 times |
Identity-centric environment
Targeted attacks
Cloud computing
Regulatory/compliance issues
Consumerisation of IT
Key trends affecting security
2
Microsoft experience and credentials
1989 1995 2000 2005 2010
One of the world’s largest cloud providers & datacenter/network operators
1st Microsoft Data Center
Microsoft SecurityResponse Center
(MSRC)
Windows Update
Active Update
Xbox Live
Global Foundation
Services (GFS)
Trustworthy Computing
Initiative (TwC)
BillG Memo
Microsoft Security Engineering Center/
Security Development Lifecycle
Malware Protection
Center
SAS-70 Certification
ISO 27001 Certification
FISMACertification
Customer Data Privacy and the US GovtRead our Microsoft_On_The_Issues Blog by Brad Smith, MS General Counsel.Microsoft is obligated to comply with applicable laws that governments pass.
1. No government gets direct and unfettered access to customer data. 2. If a government wants customer data it needs to follow legal process.3. We only respond to requests for specific accounts and identifiers. 4. All of these requests are reviewed by Microsoft’s compliance team.
National Security Requests from Office 365We have never provided any government with customer data from any of our business or government customers for national security purposes.
Law Enforcement Requests from Office 365 for 2012In three instances, we notified the customer of the demand and they asked us to produce the data. In the fourth case, the customer received the demand directly and asked Microsoft to produce the data.
Choice to keep Office 365 Customer Data separate from consumer services.
Office 365 Customer Data belongs to the customer. Customers can export their data at any time. Customers can report on necessary Microsoft access to data.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
Privacy at Office 365 vs Competitor
No Mingling
Data Portability
No advertising products out of Customer Data. No marketing emails to users.No scanning of email or documents to build analytics or mine data.
No Advertising
Microsoft shares details of where customer data is stored. Data Centers are independently audited.
Transparent Data Location
Office 365 security
Microsoft security
best practices
24-hour monitored physical hardware
Isolated customer
data
Secure network
Encrypted data
Automated operations
Office 365 built-in security
Office 365 customer controls
Office 365 independent verification & compliance
Office 365 built-in security
Microsoft security
best practices
24-hour monitored physical hardware
Isolated customer
data
Secure network
Encrypted data
Automated operations
24-hour monitored physical hardware
Extensive monitoring
• Seismic bracing• 24x7 onsite security staff• Days of backup power• Tens of thousands of
servers
Controlled access
Fire suppression
Perimeter security
Isolated customer dataLogically isolated customer data within Office 365
Physically separated consumer and commercial services
Customer A Customer B
Secure network
Internal network External network
Network Separated
Data Encrypted
• Networks within the Office 365 data centers are segmented. • Physical separation of critical, back-end servers & storage devices
from public-facing interfaces. • Edge router security allows ability to detect intrusions and signs of
vulnerability.
Office 365 provides data encryption• BitLocker 256bit AES
Encryption of messaging content in Exchange Online
• Information Rights Management for encryption of documents in SharePoint Online
• Transport Layer Security (TLS)/ Secure Sockets Layer (SSL)
• Third-party technology such as PGP
• Third party encryption gateways
• Not supported by Microsoft
• May encounter:• Loss of functionality
• Compatibility issues
• Increased TCO
• New security challenges
• Supportability issues
Automated operations
Office 365 datacenter
network
Microsoft corporate network
Lock box: Role based
access control
O365 Adminrequests
access
Grants temporary privilege
Grants least privilege required to complete task.Verify eligibility by checking if
1. Background Check Completed2. Fingerprinting Completed3. Security Training Completed
Microsoft security best practices
24-hourmonitored physical hardware
Isolated customer
data
Secure network
Encrypted data
Automated operations
Microsoft security
best practices
Security development lifecycle
Throttling to prevent DoS attacks
Prevent breach
Mitigate breach
Security development lifecycleReduce vulnerabilities, limit exploit severity
ResponseReleaseVerificationImplementationDesignRequirementsTraining
• Incident response plan
• Final security review
• Release archive
• Execute incidentresponse plan
• Use approved tools
• Deprecate unsafe functions
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface
review
• Est. Securityrequirements
• Create quality gates / bug bars
• Security & privacy risk assess.
• Establish designrequirements
• Analyze attack surface
• Threatmodeling
• Core securitytraining
Education
Administer and track security training
Process
Guide product teams to meet SDL requirements
Establish release criteria & sign-off as part of FSR
Incidentresponse (MSRC)
Accountability
Ongoing process improvements
Throttling to prevent DoS attacksExchange Online baselines normal traffic & usageAbility to recognize DoS traffic patternsAutomatic traffic shaping kicks in when spikes exceed normalMitigates: • Non-malicious excessive use• Buggy clients (BYOD)• Admin actions• DoS attacks
Prevent breachPort scanning and remediation
Perimeter vulnerability scanning
OS Patching
Network level DDoS detection and prevention
MFA for service access
Auditing of all operator access and actions
Zero standing permissions in the service• Just in time elevations• Automatic rejection of non-
background check employees to high privilege access
• Scrutinized manual approval for background checked employees
Automatic account deletion• When employee leaves• When employee moves
groups• Lack of use
Automated tooling for routine activities• Deployment, Debugging,
Diagnostic collection, Restarting services
Passwords encrypted in password store
Isolation between mail environment and production access environment for all employees
Mitigate breach
•Detect
•Response
•Audit
•More
Details Are Not Disclosed
Office 365 security
Microsoft security
best practices
24-hour monitored physical hardware
Isolated customer
data
Secure network
Encrypted data
Automated operations
Office 365 built-in security
Office 365 customer controls
Office 365 independent verification & compliance
Advanced encryption using RMS
Data protection at rest Data protection at rest Data protection at rest Data protection at rest
Information can be
protected with RMS at
rest or in motion
Data protection in motion
Data protection in motion
Demo
RMS Demo
User accessIntegrated with Active Directory, Azure Active Directory, and Active Directory Federation ServicesEnables additional authentication mechanisms:• Two-factor authentication –
including phone-based 2FA• Client-based access control based
on devices/locations• Role-based access control
Compliance: Data Loss Prevention (DLP) Empower users to manage
their compliance• Contextual policy education• Doesn’t disrupt user workflow• Works even when disconnected• Configurable and customizable• Admin customizable text and actions• Built-in templates based
on common regulations • Import DLP policy templates from
security partners or build your own
Prevents sensitive data from leaving organization
Provides an alert when data such as social security & credit card number is emailed.
Alerts can be customized by Admin to catch intellectual property from being emailed out.
Demo
DLP Demo
Compliance: email archiving and retention
In-Place Archive Governance Hold eDiscovery
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message
• Capture deleted and edited email messages
• Time-based in-place hold • Granular query-based
in-place hold• Optional notification
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, in-place archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met
SearchPreserve
Comprehensive protection• Multi-engine antimalware protects against 100% of known viruses• Continuously updated anti-spam protection captures 98%+ of all inbound spam• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in
real time
Anti-spam/anti-virus
Easy to use• Preconfigured for ease of use• Integrated administration console
Granular control• Mark all bulk messages as spam• Block unwanted email based on language or geographic origin
Independent verification & compliance
Microsoft security
best practices
24-hour monitored physical hardware
Isolated customer
data
Secure network
Encrypted data
Automated operations
Office 365 built-in security
Office 365 customer controls
Office 365 independent verification & compliance
Why get independently verified?“I need to know Microsoft is doing the right things”Alignment and adoption of industry standards ensure a comprehensive set of practices and controls in place to protect sensitive data
While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls
This saves customers time and money, and allows Office 365 to provide assurances to customers at scale
Microsoft provides transparency
Certifications
ISOSOC
HIPAA
FERPA
HMG IL2
EUMC
Cert Market Region
SSAE/SOC Finance Global
ISO27001 Global Global
EUMC Europe Europe
FERPA Education U.S.
FISMA Government U.S.
HIPAA Healthcare U.S.
HITECH Healthcare U.S.
ITAR Defense U.S.
HMG IL2 Government UK
CJIS Law Enforcement U.S.
Certification status
IRS 1075 Tax/Payroll U.S.
FFIEC Finance U.S.
FISC Japan-Finance U.S.CNSS1253 Military U.S.
Queued or In Progress
30
APAC Data Map
Summary
31
Security and information protection is critical to Office 365• Built in security• Customer controls• 3rd party verification and certification
References:• http://trust.office365.com• http://fasttrack.office.com/
• http://www.linkedin.com/groups/Microsoft-Office-365-3724282
Win.Attend any Office 365 or Lync Session and be in-to-win a1 Year Subscription to Office 365 Home Premium, Spot Prizes, Your $2,500 Office in the Cloud, or one of 30 Attacknid Doom Razors!
Related contentBreakout Sessions (session codes & titles)OUC202 Microsoft Office 365 DeploymentOUC206 Deploying and Updating Microsoft Office 365 ProPlus with Click-to-RunOUC310 Microsoft Exchange Hybrid Deployment and Migration On Your TermsAZR209 Identity and Windows Azure - the brave new world of SSO in the cloud
Find Me Later At...The Microsoft Stand at the Hub
Evaluate this session and you could win instantly!
Head to...aka.ms/te
© 2013 Microsoft Corporation. All rights reserved.Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.