learn. connect. explore.... · gurmeet singh technology specialist randhir kumar dhawan technology...


Post on 26-Jul-2020


TRANSCRIPT

Page 1: Learn. Connect. Explore.... · Gurmeet Singh Technology Specialist Randhir Kumar Dhawan Technology Specialist. Built-in Security Customer Controls Independent Verification Office

Learn. Connect. Explore.

Page 2:

Microsoft Office 365 Security, Privacy & Compliance

Gurmeet Singh, Technology Specialist

Randhir Kumar Dhawan, Technology Specialist

Page 3:

Office 365 Security

Built-in Security · Customer Controls · Independent Verification

• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices

Page 4:

Office 365 Built-in Security

• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices

Page 5:

24 hour monitored physical hardware

• Seismic bracing
• 24x7 onsite security staff
• Days of backup power
• Tens of thousands of servers
• Perimeter security
• Extensive monitoring
• Multi-factor authentication
• Fire suppression

Page 6:

Isolated Customer Data

DATA in Server

The multi-tenant environment is designed to support logical isolation of data that multiple customers store on the same physical hardware.

Intended or unintended access to data belonging to a different customer/tenant is prevented by data isolation.

Active Directory’s organizational units keep Customer A’s data isolated from Customer B’s data.

Page 7:

Automated operations

Diagram labels: Office 365 Datacenter Network, Microsoft Corporate Network

• O365 Admin requests access
• Verify eligibility by checking if:
  1. Background Check Completed
  2. Fingerprinting Completed
  3. Security Training Completed
• Grants temporary privilege
• Grants least privilege required to complete task.

Page 8:

Secure network

Diagram labels: Internal Network, External Network; Network Separated; Data Encrypted

Networks within the Office 365 data centers are segmented.

Physical separation of critical, back-end servers & storage devices from public-facing interfaces.

Edge router security provides the ability to detect intrusions and signs of vulnerability.

Page 9:

Office 365 allows encryption of data both at rest & during transit. Data is unreadable to unauthorized parties.

• BitLocker 256-bit AES Encryption on all messaging content
  • Includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, and page file OS system disk tracing/message tracking logs
• Data Striping
  • Malicious access to a single physical hard drive will not yield any meaningful data
  • Mailbox messages are striped, which means that the content of a customer’s mail messages is distributed across drives
• Transport Layer Security (TLS)/Secure Sockets Layer (SSL)
• Exchange Online supports S/MIME and third-party technology such as PGP

Page 10:

Microsoft Security Best Practices

• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices

Security Development Lifecycle

Throttling to Prevent DoS Attacks

Prevent Breach

Mitigate Breach

Page 11:

Reduce vulnerabilities, limit exploit severity

Ongoing Process Improvements

Training · Requirements · Design · Implementation · Verification · Release · Response

• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria & sign-off as part of FSR
• Incident Response (MSRC)

Activities by phase:

• Training: Core Security Training
• Requirements: Est. Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assess.
• Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
• Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
• Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
• Release: Incident Response Plan; Final Security Review; Release Archive
• Response: Execute Incident Response Plan

Page 12:

Baseline normal traffic & usage

Ability to recognize DoS traffic patterns

Automatic traffic shaping kicks in when spikes exceed normal

Mitigates:
• Non-malicious excessive use
• Buggy clients (BYOD)
• Admin actions
• DoS attacks

Page 13:

Office 365 Customer Control

Built-in Security · Customer Controls · Independent Verification

• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices

Page 14:

Office 365 Customer Control

Built-in Security · Customer Controls · Independent Verification

Page 15:

Data protection at rest

Data protection in motion

Information can be protected with RMS at rest or in motion

Page 16:

Functionality compared across: RMS in Office 365, S/MIME, ACLs (Access Control Lists), BitLocker, Cloud Encryption Gateways (CEGs)

• Data is encrypted in the cloud
• Encryption persists with content
• Protection tied to user identity
• Protection tied to Policy (edit, print, do not forward, expire after 30 days)
• Secure collaboration with teams and individuals
• Native integration with my services (Content Indexing, eDiscovery, BI, Virus/Malware scanning)
• Lost or stolen hard disk

Page 17:

User Access

Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services

• Federation: Secure SAML token-based authentication
• Password Synchronization: Only a one-way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it.

Enables additional authentication mechanisms:

• Two-Factor Authentication – including phone-based 2FA
• Client-Based Access Control based on devices/locations
• Role-Based Access Control

Page 18:

Anti Spam/ Anti Virus

Comprehensive protection

• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time

Easy to use

• Preconfigured for ease of use
• Integrated administration console

Granular control

• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin

Page 19:

Commitment to industry standards and organizational compliance

• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

Page 20:

Office 365 Independent Verification

• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices

Built-in Security · Customer Controls · Independent Verification

Page 21:

Office 365 Customer Control

Built-in Security · Customer Controls · Independent Verification

Page 22:

Standards & Certifications

• SSAE/SOC: Global, Finance
• ISO27001: Global, Global
• EUMC: Europe, Europe
• FERPA: U.S., Education
• FISMA: U.S., Government
• PCI: Global, CardData
• HIPAA: U.S., Healthcare
• HITECH: U.S., Healthcare
• ITAR: U.S., Defense
• HMG IL2: UK, Government
• CJIS: U.S., Law Enforcement

Logos: ISO SOC HIPAA FedRAMP FERPA HMG IL2 EUMC TC260 MLPS

Page 23:

Relentless on Security

• 24 hour monitored physical datacenters
• Logical isolation of data between tenants
• Segregation of internal datacenter network from the external networks
• Encryption at rest and in transit (AD-RMS)
• Securing access to services via identity
• Data loss prevention
• Anti-virus/anti spam

Service Continuity

• 99.9% uptime
• Financial guarantees on uptime
• Redundancy in both functionality as well as data
• Automated monitoring and recovery systems
• 24x7 on-call engineering team available to handle issues

Independently Verified

• ISO 27001
• EU Model Clauses
• HIPAA-HITECH
• FERPA
• FISMA
• U.K. G-Cloud IL2
• CJIS

• Data Maps: Customers know where their data is stored
• Role based Access: Customers know who can access their data and why
• Compliance Notifications: Customers can stay in the know by choosing to receive updates regarding changes to security, privacy, and audit information
• No advertising: We don’t build advertising products out of customer data
• No data mining: We don’t scan the contents of customer email or documents for analytics or data mining
• No co-mingling: Business data and consumer data are stored separately
• Data is portable: Customers own the data and can remove their data whenever they choose

Page 24:

Office 365 Trust Center (http://trust.office365.com)

Page 25:

Demo

1. Data Loss Prevention (DLP)
2. Two Factor Authentication
3. Information Rights Management (IRM)
4. Legal Hold & eDiscovery
