Security in Microsoft Office 365. Paul Andrew, @pndrw, www.linkedin.com/in/pandrew/. OUC207


Post on 27-Dec-2015


TRANSCRIPT

Page 1: OUC207. Identity-centric environment Targeted attacks Cloud computing Regulatory/compliance issues Consumerisation of IT Key trends affecting security

Security in Microsoft Office 365

Paul Andrew, @pndrw, www.linkedin.com/in/pandrew/

OUC207

Page 2: Key trends affecting security

• Identity-centric environment
• Targeted attacks
• Cloud computing
• Regulatory/compliance issues
• Consumerisation of IT

Page 3:
Page 4: Microsoft experience and credentials

One of the world’s largest cloud providers & datacenter/network operators. Timeline (1989 to 2010) milestones, in slide order:

• 1st Microsoft Data Center
• Microsoft Security Response Center (MSRC)
• Windows Update
• Active Update
• Xbox Live
• Global Foundation Services (GFS)
• Trustworthy Computing Initiative (TwC)
• BillG Memo
• Microsoft Security Engineering Center / Security Development Lifecycle
• Malware Protection Center
• SAS-70 Certification
• ISO 27001 Certification
• FISMA Certification

Page 5: Customer Data Privacy and the US Govt

Read our Microsoft_On_The_Issues Blog by Brad Smith, MS General Counsel. Microsoft is obligated to comply with applicable laws that governments pass.

1. No government gets direct and unfettered access to customer data.
2. If a government wants customer data it needs to follow legal process.
3. We only respond to requests for specific accounts and identifiers.
4. All of these requests are reviewed by Microsoft’s compliance team.

National Security Requests from Office 365: We have never provided any government with customer data from any of our business or government customers for national security purposes.

Law Enforcement Requests from Office 365 for 2012: In three instances, we notified the customer of the demand and they asked us to produce the data. In the fourth case, the customer received the demand directly and asked Microsoft to produce the data.

Page 6: Privacy at Office 365 vs Competitor

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer.

• No Mingling: Choice to keep Office 365 Customer Data separate from consumer services.
• Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time. Customers can report on necessary Microsoft access to data.
• No Advertising: No advertising products out of Customer Data. No marketing emails to users. No scanning of email or documents to build analytics or mine data.
• Transparent Data Location: Microsoft shares details of where customer data is stored. Data Centers are independently audited.

Page 7: Office 365 security

• Office 365 built-in security: Microsoft security best practices; 24-hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations
• Office 365 customer controls
• Office 365 independent verification & compliance

Page 8: Office 365 built-in security

• Microsoft security best practices
• 24-hour monitored physical hardware
• Isolated customer data
• Secure network
• Encrypted data
• Automated operations

Page 9: 24-hour monitored physical hardware

• Extensive monitoring
• Seismic bracing
• 24x7 onsite security staff
• Days of backup power
• Tens of thousands of servers
• Controlled access
• Fire suppression
• Perimeter security

Page 10: Isolated customer data

• Logically isolated customer data within Office 365 (diagram: Customer A, Customer B)
• Physically separated consumer and commercial services

Page 11: Secure network

Diagram: internal network and external network; network separated; data encrypted.

• Networks within the Office 365 data centers are segmented.
• Physical separation of critical, back-end servers & storage devices from public-facing interfaces.
• Edge router security allows ability to detect intrusions and signs of vulnerability.

Page 12: Office 365 provides data encryption

• BitLocker 256-bit AES
• Encryption of messaging content in Exchange Online
• Information Rights Management for encryption of documents in SharePoint Online
• Transport Layer Security (TLS) / Secure Sockets Layer (SSL)

Third-party technology such as PGP and third-party encryption gateways:
• Not supported by Microsoft
• May encounter: loss of functionality, compatibility issues, increased TCO, new security challenges, supportability issues

Page 13: Automated operations

Lock box: role-based access control between the Microsoft corporate network and the Office 365 datacenter network. An O365 admin requests access; the lock box grants a temporary privilege, the least privilege required to complete the task. Eligibility is verified by checking that:
1. Background check completed
2. Fingerprinting completed
3. Security training completed

Page 14: Microsoft security best practices

(Section divider. Office 365 built-in security: Microsoft security best practices; 24-hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations.)

Microsoft security best practices:
• Security development lifecycle
• Throttling to prevent DoS attacks
• Prevent breach
• Mitigate breach

Page 15: Security development lifecycle: reduce vulnerabilities, limit exploit severity

SDL phases, in order (Training, Requirements, Design, Implementation, Verification, Release, Response):
• Training: core security training
• Requirements: establish security requirements; create quality gates / bug bars; security & privacy risk assessment
• Design: establish design requirements; analyze attack surface; threat modeling
• Implementation: use approved tools; deprecate unsafe functions; static analysis
• Verification: dynamic analysis; fuzz testing; attack surface review
• Release: incident response plan; final security review; release archive
• Response: execute incident response plan

Education: administer and track security training
Process: guide product teams to meet SDL requirements; establish release criteria & sign-off as part of FSR; incident response (MSRC)
Accountability: ongoing process improvements

Page 16: Throttling to prevent DoS attacks

• Exchange Online baselines normal traffic & usage
• Ability to recognize DoS traffic patterns
• Automatic traffic shaping kicks in when spikes exceed normal

Mitigates:
• Non-malicious excessive use
• Buggy clients (BYOD)
• Admin actions
• DoS attacks
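The baseline-then-shape idea on this slide, as an added illustration that is not Microsoft's or Exchange Online's code: a per-client throttle learns a baseline of admitted requests per window and then rejects requests in any window that exceeds that baseline by a configurable factor, so a buggy client or a flood is cut back to a multiple of its own normal rate. Only admitted requests feed the baseline, which keeps a sustained spike from being learned as normal. The window length, history depth, spike factor, floor, client name and request trace are all constructed for the example.

```python
from collections import defaultdict, deque


class TrafficShaper:
    """Hypothetical baseline-then-shape throttle (example code, not Exchange Online's logic).

    Each client gets a rolling baseline: the mean number of requests admitted in its
    last few completed windows. Once a window's request count exceeds
    baseline * spike_factor, further requests in that window are rejected.
    Only admitted requests feed the baseline, so a spike does not teach the
    shaper that the spike is normal.
    """

    def __init__(self, window=60, history_windows=5, spike_factor=3.0, floor=20):
        self.window = window                  # window length in seconds (assumed)
        self.spike_factor = spike_factor      # how far above baseline a window may go
        self.floor = floor                    # baseline never drops below this (new clients)
        self.history = defaultdict(lambda: deque(maxlen=history_windows))
        self.current = {}                     # client -> [window_id, seen, admitted]

    def baseline(self, client):
        hist = self.history[client]
        if not hist:
            return float(self.floor)
        return max(float(self.floor), sum(hist) / len(hist))

    def limit(self, client):
        return self.baseline(client) * self.spike_factor

    def admit(self, client, now):
        """Return True if the request at time `now` is admitted, False if shaped."""
        wid = int(now // self.window)
        state = self.current.get(client)
        if state is None or state[0] != wid:
            if state is not None:
                self.history[client].append(state[2])   # close the previous window
            state = [wid, 0, 0]
            self.current[client] = state
        state[1] += 1
        if state[1] > self.limit(client):
            return False
        state[2] += 1
        return True


def simulate(requests):
    """Replay (client, timestamp) pairs; return (admitted, throttled) counts."""
    shaper = TrafficShaper()
    admitted = throttled = 0
    for client, ts in sorted(requests, key=lambda r: r[1]):
        if shaper.admit(client, ts):
            admitted += 1
        else:
            throttled += 1
    return admitted, throttled


def constructed_trace():
    """Constructed sample: five quiet minutes at 10 requests/min, then two minutes at 100/min."""
    trace = []
    for minute in range(5):
        trace += [("mailbox-a", minute * 60 + i * 6) for i in range(10)]
    for minute in (5, 6):
        trace += [("mailbox-a", minute * 60 + i * 0.5) for i in range(100)]
    return trace


if __name__ == "__main__":
    print(simulate(constructed_trace()))   # (170, 80)
```

With the quiet minutes recorded at 10 admitted requests each, the floor of 20 sets the baseline, so the limit is 60 per window: each flood minute admits 60 requests and sheds 40, and the second flood minute is shaped just as hard because only the 60 admitted requests entered the history.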

Page 17: Prevent breach

• Port scanning and remediation
• Perimeter vulnerability scanning
• OS patching
• Network level DDoS detection and prevention
• MFA for service access
• Auditing of all operator access and actions
• Zero standing permissions in the service: just-in-time elevations; automatic rejection of non-background-checked employees from high-privilege access; scrutinized manual approval for background-checked employees
• Automatic account deletion: when an employee leaves, when an employee moves groups, or on lack of use
• Automated tooling for routine activities: deployment, debugging, diagnostic collection, restarting services
• Passwords encrypted in password store
• Isolation between mail environment and production access environment for all employees
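An added example, not Microsoft's lock box implementation, covering the lock box flow on page 13 and the zero-standing-permissions and account-deletion points on this page: operators hold no standing role; each request is checked against the three eligibility criteria (background check, fingerprinting, security training), granted the narrowest role for the task with an expiry, and written to an audit trail; accounts idle beyond a limit are disabled. The task-to-role map, elevation lifetime, idle threshold and operator records are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Operator:
    name: str
    background_check: bool
    fingerprinted: bool
    security_training: bool
    last_activity: datetime
    enabled: bool = True


@dataclass
class Grant:
    operator: str
    role: str
    expires_at: datetime


# Hypothetical task-to-role map: each routine task maps to the narrowest role that can do it.
TASK_ROLES: Dict[str, str] = {
    "restart-service": "ServiceRestarter",
    "collect-diagnostics": "DiagnosticsReader",
    "deploy-build": "DeploymentOperator",
}


class LockBox:
    """Example just-in-time access broker (not Microsoft's lock box).

    Operators hold no standing permissions. Each request is checked against the
    three eligibility criteria, granted the least-privilege role for the task
    for a limited time, and written to an audit trail. Idle accounts are disabled.
    """

    def __init__(self, ttl=timedelta(hours=2), idle_limit=timedelta(days=90)):
        self.ttl = ttl                 # assumed elevation lifetime
        self.idle_limit = idle_limit   # assumed "lack of use" threshold
        self.grants: List[Grant] = []
        self.audit: List[str] = []

    @staticmethod
    def eligible(op: Operator) -> bool:
        return op.enabled and op.background_check and op.fingerprinted and op.security_training

    def request(self, op: Operator, task: str, now: datetime) -> Optional[Grant]:
        role = TASK_ROLES.get(task)
        if role is None:
            self.audit.append(f"{now.isoformat()} DENY {op.name}: unknown task {task!r}")
            return None
        if not self.eligible(op):
            self.audit.append(f"{now.isoformat()} DENY {op.name}: not eligible for {task!r}")
            return None
        grant = Grant(op.name, role, now + self.ttl)
        self.grants.append(grant)
        op.last_activity = now
        self.audit.append(f"{now.isoformat()} GRANT {op.name} {role} until {grant.expires_at.isoformat()}")
        return grant

    def active_roles(self, name: str, now: datetime) -> List[str]:
        """Drop expired grants, then list the roles `name` currently holds."""
        self.grants = [g for g in self.grants if g.expires_at > now]
        return sorted(g.role for g in self.grants if g.operator == name)

    def disable_idle(self, operators: List[Operator], now: datetime) -> List[str]:
        disabled = []
        for op in operators:
            if op.enabled and now - op.last_activity > self.idle_limit:
                op.enabled = False
                disabled.append(op.name)
                self.audit.append(f"{now.isoformat()} DISABLE {op.name}: idle for over {self.idle_limit.days} days")
        return disabled


def sample_operators(now: datetime) -> List[Operator]:
    """Constructed operator records: one fully cleared, one without a background check, one idle."""
    return [
        Operator("op-cleared", True, True, True, now - timedelta(days=1)),
        Operator("op-uncleared", False, True, True, now - timedelta(days=1)),
        Operator("op-idle", True, True, True, now - timedelta(days=120)),
    ]


def walkthrough() -> dict:
    """Run the scenario end to end and return the observable outcomes."""
    now = datetime(2013, 9, 1, 9, 0)
    box = LockBox()
    cleared, uncleared, idle = sample_operators(now)
    granted = box.request(cleared, "restart-service", now)
    denied = box.request(uncleared, "restart-service", now)
    roles_now = box.active_roles("op-cleared", now + timedelta(hours=1))
    roles_later = box.active_roles("op-cleared", now + timedelta(hours=3))
    disabled = box.disable_idle([cleared, uncleared, idle], now)
    denied_idle = box.request(idle, "collect-diagnostics", now)
    return {
        "granted_role": granted.role if granted else None,
        "uncleared_denied": denied is None,
        "roles_now": roles_now,
        "roles_later": roles_later,
        "disabled": disabled,
        "idle_denied": denied_idle is None,
        "audit": box.audit,
    }


if __name__ == "__main__":
    for line in walkthrough()["audit"]:
        print(line)
```

The point to take from the walkthrough is that every outcome, grant or denial, lands in the audit trail, the cleared operator's role disappears on its own once the lifetime passes, and the idle account is refused before any human has to notice it was still enabled.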

Page 18: Mitigate breach

• Detect
• Response
• Audit
• More: details are not disclosed

Page 19: Office 365 security: customer controls

(Section divider. Office 365 built-in security: Microsoft security best practices; 24-hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations. Office 365 customer controls. Office 365 independent verification & compliance.)

Page 20: Advanced encryption using RMS

Information can be protected with RMS at rest or in motion (diagram: data protection at rest; data protection in motion).

Page 21: Demo: RMS Demo

Page 22: User access

Integrated with Active Directory, Azure Active Directory, and Active Directory Federation Services. Enables additional authentication mechanisms:
• Two-factor authentication, including phone-based 2FA
• Client-based access control based on devices/locations
• Role-based access control

Page 23: Compliance: Data Loss Prevention (DLP)

Empower users to manage their compliance:
• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own

Prevents sensitive data from leaving the organization. Provides an alert when data such as a social security or credit card number is emailed. Alerts can be customized by the admin to catch intellectual property from being emailed out.
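An added example, not the Office 365 DLP engine or its templates: a content scanner that applies built-in rules for social security and payment card numbers, validates card candidates with the Luhn checksum so that arbitrary digit runs do not raise alerts, accepts admin-defined keyword rules with custom policy-tip text, and returns an allow, warn or block decision. Matched identifiers are masked to their last four digits before they reach the alert record. The regular expressions, rule names, the “Project Bluebird” keyword and the sample message are constructed; the numbers in the sample are documentation-style test values.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits in `candidate`; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    action: str        # "warn" shows a policy tip; "block" stops the send
    tip: str           # admin-customizable text shown to the user
    validator: Optional[Callable[[str], bool]] = None


# Built-in rules, constructed for this example (not Office 365's templates).
BUILTIN_RULES: List[Rule] = [
    Rule("US SSN",
         re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
         "warn", "This message appears to contain a Social Security Number."),
    Rule("Payment card",
         re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
         "block", "Payment card numbers may not be sent outside the organization.",
         luhn_ok),
]


def custom_keyword_rule(name: str, keyword: str, action: str, tip: str) -> Rule:
    """Admin-defined rule, e.g. to catch an internal project name."""
    return Rule(name, re.compile(re.escape(keyword), re.IGNORECASE), action, tip)


def mask(text: str) -> str:
    """Keep only the last four digits of a matched identifier for the alert record."""
    digits = [c for c in text if c.isdigit()]
    if len(digits) < 4:
        return text
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


Finding = Tuple[str, str, str, str]   # (rule name, masked match, action, tip)


def scan(body: str, rules: List[Rule]) -> List[Finding]:
    findings = []
    for rule in rules:
        for m in rule.pattern.finditer(body):
            if rule.validator is not None and not rule.validator(m.group(0)):
                continue                      # e.g. a digit run that fails the Luhn check
            findings.append((rule.name, mask(m.group(0)), rule.action, rule.tip))
    return findings


def decide(findings: List[Finding]) -> str:
    """Strongest action wins: any block rule blocks, otherwise any warn rule warns."""
    actions = {f[2] for f in findings}
    if "block" in actions:
        return "block"
    if "warn" in actions:
        return "warn"
    return "allow"


# Constructed outbound message; the numbers are documentation-style test values.
SAMPLE_OUTBOUND = ("Hi, the customer's SSN is 219-09-9999 and the card on file is "
                   "4111 1111 1111 1111. I am also attaching the Project Bluebird roadmap.")

ALL_RULES = BUILTIN_RULES + [
    custom_keyword_rule("Codename", "Project Bluebird", "block",
                        "Internal project names may not leave the organization."),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_OUTBOUND, ALL_RULES):
        print(finding)
    print(decide(scan(SAMPLE_OUTBOUND, ALL_RULES)))   # block
```

The Luhn validator is what separates a payment-card alert from noise: an invoice reference such as “1234 5678 9012 3456” matches the digit pattern but fails the checksum, so it is dropped before it can interrupt the user's workflow.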

Page 24: Demo: DLP Demo

Page 25: Compliance: email archiving and retention

In-Place Archive:
• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA

Governance:
• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message

Hold (Preserve):
• Capture deleted and edited email messages
• Time-based in-place hold
• Granular query-based in-place hold
• Optional notification

eDiscovery (Search):
• Web-based eDiscovery Center and multi-mailbox search
• Search primary, in-place archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met

Page 26: Anti-spam/anti-virus

Comprehensive protection:
• Multi-engine antimalware protects against 100% of known viruses
• Continuously updated anti-spam protection captures 98%+ of all inbound spam
• Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time

Easy to use:
• Preconfigured for ease of use
• Integrated administration console

Granular control:
• Mark all bulk messages as spam
• Block unwanted email based on language or geographic origin

Page 27: Independent verification & compliance

(Section divider. Office 365 built-in security: Microsoft security best practices; 24-hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations. Office 365 customer controls. Office 365 independent verification & compliance.)

Page 28: Why get independently verified?

“I need to know Microsoft is doing the right things.” Alignment and adoption of industry standards ensure a comprehensive set of practices and controls is in place to protect sensitive data.

While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls. This saves customers time and money, and allows Office 365 to provide assurances to customers at scale.

Microsoft provides transparency.

Page 29: Certifications

Cert | Market | Region
SSAE/SOC | Finance | Global
ISO27001 | Global | Global
EUMC | Europe | Europe
FERPA | Education | U.S.
FISMA | Government | U.S.
HIPAA | Healthcare | U.S.
HITECH | Healthcare | U.S.
ITAR | Defense | U.S.
HMG IL2 | Government | UK
CJIS | Law Enforcement | U.S.

Certification status: queued or in progress
IRS 1075 | Tax/Payroll | U.S.
FFIEC | Finance | U.S.
FISC | Japan-Finance | U.S.
CNSS1253 | Military | U.S.

Page 30: APAC Data Map

Page 31: Summary

Security and information protection is critical to Office 365:
• Built in security
• Customer controls
• 3rd party verification and certification

References:
• http://trust.office365.com
• http://fasttrack.office.com/
• http://www.linkedin.com/groups/Microsoft-Office-365-3724282

Page 32: Win.

Attend any Office 365 or Lync Session and be in to win a 1 Year Subscription to Office 365 Home Premium, Spot Prizes, Your $2,500 Office in the Cloud, or one of 30 Attacknid Doom Razors!

Page 33: Related content

Breakout Sessions (session codes & titles):
• OUC202 Microsoft Office 365 Deployment
• OUC206 Deploying and Updating Microsoft Office 365 ProPlus with Click-to-Run
• OUC310 Microsoft Exchange Hybrid Deployment and Migration On Your Terms
• AZR209 Identity and Windows Azure - the brave new world of SSO in the cloud

Find Me Later At... The Microsoft Stand at the Hub

Page 34: Evaluate this session and you could win instantly!

Head to... aka.ms/te

Page 35:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.