When Your CISO Says NO Security & Compliance in Office 365 www.ceiamerica.com

Upload: ricardo-wilkins

Post on 21-Jan-2018


TRANSCRIPT

Page 1: When Your CISO Says No - Security & Compliance in Office 365

When Your CISO Says NO: Security & Compliance in Office 365

www.ceiamerica.com

Page 2

CONSULTING | SOLUTIONS | RESULTS

About Me

Architect; Principal Consultant

Microsoft Solutions Division

Partner Technical Specialist (Purple Badge)

SharePoint | Office365 | Azure

www.sharepointcowbell.com

Page 3

Talking Points

• CISO Objections

• The Path to Yes

• Demos

Page 4

Cloud Innovation: Risks & Benefits

Pre-adoption concern

• 60% cited concerns around data security as a barrier to adoption

• 45% were concerned that the cloud would result in a lack of data control

Benefits realized

• 94% experienced security benefits they didn’t previously have on-premises

• 62% said privacy protection increased as a result of moving to the cloud

SECURITY

• Design/Operation

• Infrastructure

• Network

• Identity/access

• Data

PRIVACY

COMPLIANCE

TRANSPARENCY

Source: Barriers to Cloud Adoption study, ComScore, Sept 2013

Page 6

Compliance

United States: CJIS; CSA CCM; DISA; FDA CFR Title 21 Part 11; FedRAMP; FERPA; FIPS 140-2; FISMA; HIPAA/HITECH; HITRUST; IRS 1075; ISO/IEC 27001, 27018; MARS-E; NIST 800-171; Section 508 VPATs; SOC 1, 2

United Kingdom: CSA CCM; ENISA IAF; EU Model Clauses; ISO/IEC 27001, 27018; NIST 800-171; SOC 1, 2, 3; UK G-Cloud

Spain: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2; Spain ENS; Spain LOPD Auth.

Singapore: CSA CCM; ISO/IEC 27001, 27018; MTCS; SOC 1, 2

New Zealand: CSA CCM; ISO/IEC 27001, 27018; NZCC Framework; SOC 1, 2

Japan: CSA CCM; CS Mark (Gold); FISC; ISO/IEC 27001, 27018; Japan My Number Act; SOC 1, 2

European Union: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2

China: China GB 18030; China MLPS; China TRUCS

Australia: CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2

Argentina: Argentina PDPA; CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2

Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies.

Microsoft is regularly audited, submits self-assessments to independent 3rd-party auditors and holds key certifications.

Page 7

Comprehensive Compliance

DLP

Page 8

“No. The Cloud is easier to hack/breach…”

Page 9

Datacenter Security

• Perimeter

• Computer room

• Building

• Seismic bracing

• Security operations center

• 24x7 security staff

• Days of backup power

• Cameras

• Alarms

• Two-factor access control: biometric readers & card readers

• Barriers

• Fencing

Page 10

“No. We can’t have our info visible on the open internet…”

Page 11

“No. We can’t have our info visible on the open internet…”

Encryption

a. Data at rest

   i. Volume-level encryption (BitLocker, AES 128-bit, FIPS-compliant)

   ii. File-level encryption (encrypted keys; minimal MS staff access in gov’t cloud)

b. Data in transit

   i. TLS/SSL (2048-bit)

   ii. IPsec encryption

   iii. AES 256-bit

   iv. FIPS validated

Page 12

“No. We can’t have our info visible on the open internet…”

• Encrypted in transit between client and service and within service data centers

• BitLocker encryption protects drives where content is stored

• Contents of each file encrypted with a unique key

• Large files are stored in parts with a unique key per part

• File contents and encryption key are stored separately

Azure RMS

• Use Azure RMS to encrypt your secret data before uploading

• Works across phones, tablets, and PCs

• Information protected both within and outside the organization

Master key (held by the customer in Azure Key Vault)

• Master key is used to encrypt/decrypt per-file encryption keys

• If it is removed or access is revoked, SharePoint Online can no longer decrypt your content

• Does not limit/restrict SharePoint Online functionality when enabled

• You upload it to Azure Key Vault and grant access to the Office 365 service

• You can remove it or revoke access to it at any time

Page 13

Page 14

Page 15

Page 16

“No. We can’t have our info visible on the open internet…”

• Private VPN

Customers can extend their on-premises sites using VPN or dedicated ExpressRoute connections.

The customer owns and manages certificates, policies, and user access.

Page 17

“No. We’ll never be able to determine Appropriate Usage by our users…”

Page 18

Security and Compliance Center

• Powerful for experts, and easier for generalists to adopt

• Scenario-oriented workflows with cross-cutting policies spanning features

• Powerful content discovery across Office 365 workloads

• Proactive suggestions leveraging Microsoft Security Intelligence Graph

Page 19

Office 365 Auditing

Azure Active Directory | Security & Compliance Center | SharePoint Online | Power BI

Opt-in for all O365 tenants

1 billion events collected daily

Page 20

Office 365 Auditing

Page 21

Audited Activities

https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c
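The audited sharing activities documented at the link above are what a "catch it after it happens" review runs on. The following is an added example, not the presenter's code: a filter that reduces unified-audit-log sharing records to anonymous-link and guest-sharing events. The three records are constructed samples shaped like the AuditData JSON the audit log returns; tenant, user and item names are placeholders, and the live `Search-UnifiedAuditLog` call that would replace the samples is shown at the end.

```powershell
# Added example (not from the deck). Flags sharing events that expose content outside
# the tenant: anonymous links (no sign-in needed) and invitations to 'Guest' accounts.
function Select-ExternalSharingEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json   # event details arrive as a JSON string
        if (($d.Operation -like 'AnonymousLink*') -or ($d.TargetUserOrGroupType -eq 'Guest')) {
            [pscustomobject]@{
                When      = [datetime]$d.CreationTime
                Actor     = $d.UserId
                Operation = $d.Operation
                Target    = $d.TargetUserOrGroupName
                Item      = $d.ObjectId
            }
        }
    }
}

# Constructed sample records (same shape as Search-UnifiedAuditLog output; placeholder names).
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-01-15T14:02:11","Operation":"SharingSet","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/hr/Shared Documents/salaries.xlsx","TargetUserOrGroupName":"bob@contoso.example","TargetUserOrGroupType":"Member"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-01-15T14:05:40","Operation":"SharingInvitationCreated","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/hr/Shared Documents/salaries.xlsx","TargetUserOrGroupName":"partner@external.example","TargetUserOrGroupType":"Guest"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-01-16T09:31:02","Operation":"AnonymousLinkCreated","UserId":"carol@contoso.example","ObjectId":"https://contoso.example/sites/legal/Shared Documents/contract.docx"}' }
)

# The internal share (Member target) is dropped; the guest invitation and the anonymous link remain.
$sample | Select-ExternalSharingEvent | Format-Table -AutoSize

# Live equivalent (requires the ExchangeOnlineManagement module and an audit-log role):
# Connect-ExchangeOnline
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -RecordType SharePointSharingOperation `
#     -Operations AnonymousLinkCreated,AnonymousLinkUpdated,SharingInvitationCreated,SharingSet `
#     -ResultSize 5000 | Select-ExternalSharingEvent
```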

Page 22

Sharing

Tenant-scoped unless noted

• Allow sharing via anon access links and to authenticated external users

• Allow sharing to authenticated external users only (further limit to existing users)

• Don’t allow sharing to external users

• Limit external sharing using domains (allow and deny list); also at site collection level

• Prevent external users from sharing files, folders, sites they don’t own

• Require external users to accept sharing invitations with the same account the invitations were sent to

• Ability to choose default link type from anon, company shareable, restricted

• On OneDrive for Business only; when:

   – Users invite additional external users to shared files

   – External users accept invitations to access files

   – Anon access link is created or changed

• Prevent sharing of documents marked by DLP to external users
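The tenant-level options listed above map onto SharePoint Online Management Shell parameters. The following is an added example, not the presenter's code: the permissive configuration beside a restricted one, with a site-collection override and a read-back check. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator; the admin URL, site URL and partner domain are placeholders, and the last item on the slide (DLP-marked documents) is set in a DLP policy rule rather than here.

```powershell
# Added example (not from the deck): tenant sharing posture as Set-SPOTenant settings.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

# Permissive "before" state: anonymous links allowed and the default, no domain limits.
$loose = @{
    SharingCapability            = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType       = 'AnonymousAccess'
    SharingDomainRestrictionMode = 'None'
}
Set-SPOTenant @loose

# Restricted state matching the slide's tighter options.
$tight = @{
    SharingCapability                          = 'ExternalUserSharingOnly'   # authenticated external users only
                                                 # ('ExistingExternalUserSharingOnly' limits to existing guests)
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner.example'           # placeholder partner domain
    PreventExternalUsersFromResharing          = $true                       # can't share what they don't own
    RequireAcceptingAccountMatchInvitedAccount = $true                       # invite must be accepted by the invited account
    DefaultSharingLinkType                     = 'Direct'                    # "restricted" (specific people) is the default link
    NotifyOwnersWhenItemsReshared              = $true                       # OneDrive for Business: invitees invite others
    NotifyOwnersWhenInvitationsAccepted        = $true                       # OneDrive for Business: external user accepts
}
Set-SPOTenant @tight

# Site-collection override: a sensitive site can be closed to external sharing entirely.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/legal' -SharingCapability Disabled

# Read back the effective tenant settings to confirm the change applied.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList,
    PreventExternalUsersFromResharing, RequireAcceptingAccountMatchInvitedAccount, DefaultSharingLinkType
```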

Page 23

“No. ‘Need To Know’ and ‘Least Privilege’ needs to be supported…”

Page 24

SharePoint Permissions – It Works

Page 25

Other Considerations: Timing

• Catch It Before It Happens: the “Minority Report” method

• Catch It After It Happens: and discipline the culprit

• Minimize Issues

Page 26

Catch Before

• Physical Security

• Azure RMS

• Rights Management

• Data Loss Prevention

Page 27

Catch Before

Page 28

Catch After

• Data Loss Prevention

• Auditing

Page 29

Catch After

Page 30

Minimize

• Labels, Tips

• Rights Management

Page 31

Putting Pieces Together

Page 32

Resources

• Office 365 Trust Center

• Microsoft Trust Center

• Microsoft Secure

• Security Blogs on Office Blogs

• Compliance Blogs on Office Blogs

• Office 365 Roadmap

Thank You! Ricardo Wilkins – Architect, Microsoft Solutions Division

Computer Enterprises, Inc. | www.ceiamerica.com

[email protected]