office365 security in depth
Session given at the MVP Open Day 2014 for Spain, Italy and Portugal
Office 365 Security in depth
Alberto Pascual · Office365 MVP
Peter Díaz · Lync MVP
Alberto Pascual · Office365 MVP
• More than 20 years in IT, 10 of them Exchange Server related
• Microsoft Community Contributor in 2013 and 2014
• MCSA Windows Server 2008/2012, MS Office365 for SMB
• Co-Founder of the Office365 Community in Spain @CO365
• Member of the Microsoft UC in Spanish www.ucenespanol.com
• Member of ITPro.es www.itpro.es
• Experienced Office365 speaker at European level
Peter Díaz · Lync MVP
• Experience over 10 years in Security and Communications area
• Lync MVP (2012-2013)
• Microsoft Certified Trainer (since 2005)
• MCP Lync 2013
• MCITP Lync 2010
• Certified Ethical Hacker (CEH)
• Certified Hacking Forensic Investigator (CHFI)
• Co-Founder of the Office365 Community in Spain @CO365
• Founder of the Microsoft UC in Spanish www.ucenespanol.com
• Member of ITPro.es www.itpro.es
What are the Org main concerns about IT?
Security
Performance
Availability
Costs
What are the Org main concerns about CLOUD?
Availability
Compliance
Costs
Security
International Standards & Controls (all customers)
• ISO 27001
• Data Processing Agreement
• SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance
Industry Specific Compliance & Standards
• FISMA: US Government
• HIPAA/BAA: Healthcare customers
• FERPA: EDU customers
Geography Specific Standards
• EU Safe Harbor: EU customers
• EU Model Clauses: EU customers
Office 365 Compliance & Standards
Full details available at: Microsoft Office 365 Trust Center
Active Directory (identity models)
• PURE CLOUD: User → WAAD (Windows Azure Active Directory)
• DIRSYNC: User → on-premises Active Directory → WAAD (directory synchronization)
• ADFS: User → LOCAL AD via ADFS (federation)
User Roles:
• User: no extra permissions, can only change own options
• Role-Admin: role-specific admin permissions (password reset, user management, billing admin…)
• Global Admin: full access to subscription
Example personas: Systems Administrator, Human Resources, Compliance Officer, Help Desk
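The least-privilege point of this slide (give a help desk or HR account a scoped role rather than Global Admin) can be put into practice with the MSOnline PowerShell module of that era. The following is an added example, not code from the session or from Microsoft; it assumes the MSOnline module is installed, that you connect with admin credentials, and that "helpdesk.user@example.onmicrosoft.com" is a placeholder account name. "Company Administrator" is the internal name of the Global Admin role and "Helpdesk Administrator" the internal name of the password-reset role.

```powershell
# Added example (not from the slides): audit Global Admin membership and grant a
# scoped role instead of Global Admin, using the MSOnline (Azure AD v1) module.
# Assumptions: MSOnline module installed, admin credentials available,
# "helpdesk.user@example.onmicrosoft.com" is a placeholder account.

Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

# 1. Who currently holds full access to the subscription?
#    ("Company Administrator" is the internal name of the Global Admin role.)
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
$globalAdmins    = Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId
Write-Host "Global Admins: $($globalAdmins.Count)"
$globalAdmins | Select-Object DisplayName, EmailAddress, RoleMemberType | Format-Table -AutoSize

# 2. List the role-specific admin roles available, so a help-desk or HR account
#    can be given only the permissions it needs (password reset, user management, billing...).
Get-MsolRole | Select-Object Name, Description | Format-Table -AutoSize -Wrap

# 3. Grant the help-desk account the password-reset role instead of Global Admin.
$helpDeskUser = "helpdesk.user@example.onmicrosoft.com"   # placeholder account
Add-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberEmailAddress $helpDeskUser

# 4. Verify: the account appears in the scoped role and is absent from Global Admins.
$helpDeskRole = Get-MsolRole -RoleName "Helpdesk Administrator"
Get-MsolRoleMember -RoleObjectId $helpDeskRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $helpDeskUser }
Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $helpDeskUser }   # expected: no output
```

Step 1 is worth running periodically on its own: a growing Global Admin list is the usual sign that role-specific roles are not being used.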
XSS Vulnerability
• https://www.cogmotive.com/blog/office-365-tips/vulnerability-in-office-365-allows-unauthorised-administrator-access
• Slide diagram: User → New Global Admin
Session hijacking
Demo
Where's your scope?
• Server side: is up to MSFT
• Client side: is up to you
Some considerations
• Always use In-Private sessions depending on the info you manage
• Always use In-Private sessions when working outside the org
• Secure your PC
• Use Microsoft Update instead of Windows Update
• Say goodbye to Windows XP and hello to Windows 8.1
• Fortify your Internet Explorer, especially with add-ons
• Try not to use other browsers that can't offer secure browsing
• Use a mobile connection instead of a public one whenever possible
Questions?