Microsoft Office 365 Cloud Principles

Upload: costasadrian

Post on 02-Jun-2018


TRANSCRIPT

  • 8/10/2019 Microsoft Office 365 Cloud Principles


    Is cloud computing secure?

    Are Microsoft Online Services se

    Security

    Where is my data?

    Who has access to my data?

    Transparency

    What does privacy at Microsoft mean?

    Are you using my data to build advertising products?

    Privacy

    What certifications and capabilities does Microsoft hold?

    How does Microsoft support customer compliance needs?

    Do I have the right to audit Microsoft?

    Compliance


    Exceedge

    R

    Compliance with World Class Industry standards verified by 3rd parties

    Independently Verified

    Your Privacy Matters

    You know where data resides, who can access it and what we do with it

    Leadership in Transparency


    http://trustoffice365.com

    Office 365 Privacy Whitepaper

    Office 365 Security Whitepaper and Service Description

    Office 365 Standard Responses to Request for Information

    Office 365 Information Security Management Framework


    Services are highly configurable and scalable without customization.

    Services are under the Microsoft Security Policy.

    We provide transparency in data location and transfers.

    We audit on your behalf and provide certification reports.

    Microsoft's liability is capped, consistent with industry standards.

    Office 365 is an evergreen service. Customers need to stay current.

    Our solution evolves rapidly with a documented roadmap.

    We provide services offers to help you migrate to the cloud efficientl


    Office 365 is a highly standardized service that Microsoft offers unstandardized contractual terms and condition.


    Establish Security Requirements

    Create Quality Gates / Bug Bars

    Security & Privacy Risk Assessment

    Reduce vulnerabilities, limit exploit severity

    Training Requirements

    Education

    Administer and track security training

    Core Security Training

    Design Implementation Verification

    Process

    Guide product teams to meet SDL requirements

    Establish Design Requirements

    Analyze Attack Surface

    Threat Modeling

    Use Approved Tools

    Deprecate Unsafe Functions

    Static Analysis

    Dynamic Analysis

    Fuzz Testing

    Attack Surface Review

    Incident Response Pla

    Final Security Review

    Release Archive

    Ongoing Process Improvements

    Release

    Establish release criteria and sign-off as part of FSR

    Accou


    Network perimeter

    Internal network

    Host

    Application

    Data

    User

    Facility

    Threat and vulnerability management, monitoring

    Edge routers, intrusion detection, vulnerability sc

    Dual-factor authentication, intrusion detection, vuscanning

    Access control and monitoring, anti-malware, pat

    configuration management

    Secure engineering (SDL), access control and monmalware

    Access control and monitoring, file/data integrity

    Account management, training and awareness, sc

    Physical controls, video surveillance, access contr


    https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html

    Choices to keep Office 365 Customer Data separate from consumer services.

    Office 365 Customer Data belongs to the customer.

    Customers can export their data at any time.

    At Microsoft, our strategy is to consistently set a high bar around privacy practiceglobal standards for data handling and transfer

    Privacy at Office 365

    No Mingling

    Data Portability

    No advertising products out of Customer Data.

    No scanning of email or documents to build analytics or mine data.

    No Advertising


    How Privacy of Data is Protected?

    | Microsoft Online Services Customer Data¹ | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) |
    |---|---|---|---|
    | Operating and Troubleshooting the Service | Yes | Yes | Yes |
    | Security, Spam and Malware Prevention | Yes | Yes | Yes |
    | Improving the Purchased Service, Analytics | Yes | Yes | Yes |
    | Personalization, User Profile, Promotions | No | Yes | No |
    | Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No |
    | Voluntary Disclosure to Law Enforcement | No | No | No |
    | Advertising⁵ | No | No | No |

    We use customer data for just what they pay us for - to maintain and provide Offic

    | | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core |
    |---|---|---|---|---|
    | Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, |
    | Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No. |
    | Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No. |
    | Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | WithPart |
    | Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No. |


    Compliance


    Office 365 compliance

    Address privacy, security and handling of Customer Data.

    Going above and beyond the EU Model Clauses to address additional requirements from individual EU member stat

    Enables customers to comply with their local regulations.

    Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with

    EU Model Clauses a set of stringent European Union wide data protection requirements

    Data Processing Agreement

    EU Model Clauses

    ISO27001 is one of the best security benchmarks available across the world.

    Office 365 first major business productivity public cloud service to implement rigorous ISO security controls on physand management

    ISO27001

    We are the first and only major cloud based productivity to offer the

    ff


    Office 365 compliance

    EU generally prohibits personal data from crossing borders into other countries except under circumstances in whichbeen legitimated by a recognized mechanism, such as the "Safe Harbor" certification

    Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbotwelve months

    EU Safe Harbor

    HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect tidentifiable health information

    Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customenables our customers to comply with HIPAA concerning protected health information.

    US Health Insurance Portability and Accountability A

    Comply with additional industry leading standards


    T


    Transparency

    Microsoft notifies you of changes in data center locations.

    Core Customer Data accessed only for troubleshooting and malware prevention purposes

    Core Customer Data access limited to key personnel on an exception basis.

    How to get notified?

    Who accesses and What is accessed?

    Clear Data Maps and Geographic boundary information provided

    Ship To address determines Data Center Location

    Where is Data Stored?

    At Microsoft, our strategy is to consistently set a high bar around privacy practiceglobal standards for data handling and transfer


    This saves customers time and money, and allows Micto provide assurances to customers at scale.


    Policy

    Control Framework

    Standards

    Operating Procedures

    Business rules for protecting inforsystems which store and process i

    A process or system to assure the of policy

    System or procedural specific requ

    must be met

    Step-by-step procedures


    Recommended Partner

    Microsoft Cloud Vantage

    l d


    Cloud Vantage Services helps you realize business value from your Office 365 investments by providing deep expertise and collaboration across the full lifecycle to smoothly transition to Office 365, and make the most out of your cloud investments.

    Cloud Vantage S


    2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/o

    information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentations. Because Microsoft must

    conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date

    MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.