BRK2194: Office 365 Security and Control

[Speaker: Sara Manning Dawson; Vijay Kumar] We have been working hard to make Office 365 the most secure place for your data; even more secure than an on-premises environment. In the data center, between datacenters, on your devices, and everywhere along the way your data is secure and you are in control. Learn about both service security and the unique controls you have to help protect your data in transit, at rest, on devices, and anywhere else it may go.

Tags: Best Practices, Breakout, Ignite 2015

Duration 1:13:48
Slide Content
  1. Office 365 Security and Control

    Slide 1 - Office 365 Security and Control

    • Sara Manning Dawson
    • Group Program Manager
    • Office 365
    • BRK2194
  2. What to take with you

    Slide 2 - What to take with you

    • What to leave behind
    • It’s your data
    • You own it, you control it
    • We run the service for you
    • We are accountable to you
    • Your people are your greatest asset, and your biggest security liability
    • We can help
    • With hundreds of billions of items to protect in Office 365, we are invested accordingly
    • Outdated Security Conventional Wisdom
    • Get the facts, learn the features
    • Learn how to best apply them to your organization
    • Transparency and Control
  3. Why

    Slide 3 - Why

  4. Name + Password for online bank account

    Slide 4 - Name + Password for online bank account

    • $1000
    • Mag-stripe data from a "secure" premium credit card
    • $80
    • Your Mother's Maiden Name
    • $6
    • Your Social Security Number
    • $3
    • Credit card number + social security number + expiration date + mother’s maiden name
    • $4-$5
    • Name + Password for online bank account
    • 5-10%
    • $.58 per record
    • Why
  5. How

    Slide 5 - How

    • “Criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network.” Home Depot Press Release, Nov 6 2014
    • “Target said last week stolen vendor credentials were used in the breach of payment and personal information for as many as 110 million customers” Money.cnn.com, Feb 6 2014
    • …the company also confirmed that five tech employees had their credentials compromised. …Easier is better. So while the attackers could have used Java, Windows, or Adobe vulnerabilities, the fastest way to obtain credentials is to ask for them, which is exactly what Phishing does in most cases. Csoonline.com, Feb 9 2015
  6. We hear you

    Slide 6 - We hear you

    • Is my data safe in your data centers?
    • Who has access to my organization’s data?
    • What visibility do I have into the activity on my data?
    • Can I encrypt everything?
    • Enterprise Focus Group – Microsoft Corporation, 2014
  7. We hear you

    Slide 7 - We hear you

    • Defenses In Place
    • What are the steps that I can take to move farther to the right?
    • How does Office 365 help?
    • Risk
    • Few Defenses, High Risk
    • More Defenses, Lower Risk
  8. Agenda

    Slide 8 - Agenda

    • Threats to the Service
    • Insider Threats
    • Custodial Access
    • ?
    • With hundreds of billions of records to protect in Office 365, we are invested accordingly
    • It’s your data
    • You own it, you control it
    • We run the service for you
    • We are accountable to you
    • Your people are your greatest asset, and your biggest security liability
    • We can help
  9. Agenda

    Slide 9 - Agenda

    • Threats to the Service
    • Insider Access
    • Custodial Access
    • ?
  10. Slide 10

    • Cloud Security Surface Area: IaaS, PaaS, SaaS
    • Stack layers: Storage, Servers, Networking, Virtualization, O/S, Middleware, Data, Applications, Runtime
    • Office 365
  11. Slide 11

    • Defense in depth approach
    • Content: Transparency, control; Encryption
    • Application: Securing and access control
    • Host: Configuration management
    • Network: Intrusion and vulnerability detection
    • Physical security: Access control
    • Independently verified to meet key standards: ISO 27001, SSAE 16 (SOC 1) Type II and (SOC 2) Type II, FISMA
  12. Physical Security

    Slide 12 - Physical Security

    • Perimeter security
    • Fire suppression
    • Multi-factor authentication
    • Extensive monitoring
    • Seismic bracing
    • 24x7 onsite security staff
    • Days of backup power
    • Tens of thousands of servers
  13. Network security

    Slide 13 - Network security

    • Other Microsoft networks
    • Office 365 network
    • Router ACLs
    • Edge router ACLs
    • Load balancers
    • Customer
  14. Host/Application

    Slide 14 - Host/Application

    • Patching/Malware protection
    • Whitelisted processes
    • Security Development Lifecycle
    • Automated tooling for routine activities
    • Zero standing permissions in the service
    • Auditing of all operator access and actions
  15. Prove Vigilance

    Slide 15 - Prove Vigilance

    • Red teaming
    • Blue teaming
    • Monitor emerging threats
    • Execute post breach
    • War-game exercises
    • Bug Bounty
  16. Slide 16

    • Incident Response: Event Start → Event Detected → Security Team Engaged → Security Incident Confirmed → DevOps Engaged
    • Breach Response: Investigate, Scope, Contain → Determine Customer Impact → Determine Affected Customers → Customer Notification
    • Customer Process: Step 1
  17. Slide 17

    • Encryption
    • Customer-controlled keys
    • Encryption at rest: BitLocker
    • Content level encryption: File, Message Level Encryption
    • Encryption in transit: Transport Layer Security / SSL
  18. Slide 18

    • Approach
    • Encryption at rest
    • Encryption in transit
    • Per-file encryption
    • Customer
    • Data Loss Prevention, Search, Insights, General content analysis
  19. Slide 19

    • OneDrive: Per-file Encryption
    • Content DB: A, B, C, D
    • Key Store: A, B, C, D
    • crypto
    • Microsoft OneDrive for Business: Most Secure for Your Data in the Cloud
  20. Slide 20

    • Exchange: Per-message encryption
    • Mailbox DB
    • Customer
    • Azure Key Vault
  21. Helping You To Comply

    Slide 21 - Helping You To Comply

    • Compliance with Standards and Regulations Made Easier in the Cloud with Office 365
    • Office 365 Trust Center http://trust.office365.com
  22. Agenda

    Slide 22 - Agenda

    • Threats to the Service
    • Insider Access
    • Custodial Access
    • ?
  23. Custodians (Us)

    Slide 23 - Custodians (Us)

    • Account Management
    • Automatic account expiry
    • Unique accounts
    • Zero standing access
    • 2FA
    • Machine-generated password
    • Personnel
    • Training, policies and awareness
    • SDL
    • Annual training
    • Background checks
    • Screening
    • Integrated with HR System
  24. Slide 24

    • Lockbox
    • Microsoft Engineer submits request → Lockbox system → Microsoft Manager approval → Microsoft Engineer granted access
    • Engineers have current background check, security training.
    • Approval: second level of management or higher
    • Just-in-time access for limited duration
    • Scoped, least privileged access
    • Audit logs for all access
    • Customer
  25. Slide 25

    • Customer Lockbox
    • Microsoft Engineer submits request → Lockbox system → Microsoft Manager approval → Customer approval → Microsoft Engineer granted access
    • Customer controls authorization of Office 365 personnel access
    • Now we want to extend Lockbox approval to you for human access to customer content
    • Available end of 2015 for Exchange, Q1 2016 for OneDrive
    • Advancing into Next generation for Security and Trust in Cloud Services (Thurs Morning)
  26. Slide 26

    • 3 x 10^-4
  27. We represent your interests

    Slide 27 - We represent your interests

    • We will only disclose customer data when legally required, and only after attempting to redirect the request to the customer.
    • We will notify the customer and provide a copy of the demand unless legally prohibited from doing so.
    • We will resist government demands that are invalid.
    • We back up these commitments in our contracts, and will go to court if necessary when government orders seeking customer data do not comply with applicable laws.
  28. U.S. Warrant Case. Microsoft is in litigation with the U.S. government to resist a criminal search warrant seeking customer data stored outside the United States. The case is on appeal. It raises important questions about the ability of the U.S. government to issue search warrants for data outside the U.S., given that the government clearly cannot search homes or business premises abroad.

    Slide 28 - U.S. Warrant Case. Microsoft is in litigation with the U.S. government to resist a criminal search warrant seeking customer data stored outside the United States. The case is on appeal. It raises important questions about the ability of the U.S. government to issue search warrants for data outside the U.S., given that the government clearly cannot search homes or business premises abroad.

    • National Security Letters. Microsoft resisted a National Security Letter non-disclosure order, which prohibited Microsoft from notifying the customer of a government demand to disclose its data. The FBI withdrew the demand.
    • Government Requests Transparency. Microsoft filed a lawsuit against the U.S. government to permit greater disclosure about government demands for customer data. The U.S. government settled, allowing Microsoft and others to share broader information with customers.
    • Commitments into action
  29. We represent your interests

    Slide 29 - We represent your interests

    • We don’t provide any government with direct, unfettered access to your data.
    • We don’t assist any government’s efforts to break our encryption or provide any government with encryption keys.
    • We don’t engineer back doors into our products and we take steps to ensure governments can independently verify this.
    • If a report suggests there is a bigger surveillance program, we aren’t involved
  30. Resources

    Slide 30 - Resources

    • Office 365 Trust Center http://trust.office365.com
    • Office 365 Blog http://blogs.office.com/
    • Enabling transparency and control
    • Enhancing transparency and control for Office 365 customers
    • Customer Lockbox
    • Office 365 management activity API for security and compliance monitoring
    • Whitepapers
    • Overview of Security
    • http://aka.ms/securitywhitepaper
    • Overview of Security and Compliance in Office 365
    • Customer controls for Information Protection
    • http://aka.ms/customercontrolsm
    • Law Enforcement Requests Report http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
  31. Agenda

    Slide 31 - Agenda

    • Threats to the Service
    • Insider Access
    • Custodial Access
    • ?
  32. Threat Landscape

    Slide 32 - Threat Landscape

    • Accessing and Moving Data
    • Client Side Storage
    • Data
    • Enterprise Grade Data Protection and Compliance with Office 365: Today and Beyond by Rudra Mitra (Tuesday morning)
  33. Slide 33

    • If you do nothing else…MFA
    • Mobile Apps: Push Notification, One-Time-Passcode (OTP) Token
    • Text Messages: One-Time Passcode (OTP) by Text
    • Phone Calls: Out-of-Band* Call
    • *Out of band refers to being able to use a second factor with no modification to the existing app UX.
    • Taking Advantage of Identity Capabilities in the Azure Pack
  34. Phishing: Evolving threat space

    Slide 34 - Phishing: Evolving threat space

    • T=0: Phisher creates malicious domain
    • T=5: First phishing message sent
    • T=10: Phishing message lands in user inbox
    • T=15: Domain classified as malware on URL block lists
    • T=100: User clicks on link in message
    • Traditionally, once it passes perimeter security, it’s too late
  35. Protect against sites with malicious content, phishing sites

    Slide 35 - Protect against sites with malicious content, phishing sites

    • EOP user without ATP: IP + envelope filter, Signature-based AV, Antispam filter, Blocking known exploits
    • EOP user with ATP: Safe links via ATP
    • Rewriting the URLs to proxy them through another web server
    • User clicking URL is taken to EOP web servers for the latest check at the “time of click”
    • Web servers perform latest URL reputation check
    • Provides admins visibility into compromised users
    • Deep Dive into How Microsoft Handles Spam and Advanced Email Threats
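The phishing timeline (slide 34) and the safe-links flow (slide 35) put together as an added example; this is my own illustration, not code from the session or from Microsoft's service. It assumes a hypothetical redirector host `safelinks.example.invalid` and a constructed block list in which the domain is classified at T=15, after the message was delivered at T=10 but before the user clicks at T=100.

```python
import re
from urllib.parse import quote, unquote, urlparse

# Constructed timeline taken from the slide (arbitrary units).
DELIVERY_T = 10   # message lands in the inbox
CLICK_T = 100     # user clicks the link
# Constructed block list: domain -> time at which it was classified as malicious.
BLOCK_LIST = {"phish.example": 15}

# Hypothetical redirector that every link in delivered mail is wrapped with.
REWRITE_PREFIX = "https://safelinks.example.invalid/?url="

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str) -> str:
    """Delivery-time step: wrap every URL so a click goes through the redirector first."""
    return URL_RE.sub(lambda m: REWRITE_PREFIX + quote(m.group(0), safe=""), body)


def is_blocked(url: str, now: int) -> bool:
    """Reputation lookup as of time `now`: only listings made before `now` are visible."""
    host = urlparse(url).hostname or ""
    listed_at = BLOCK_LIST.get(host)
    return listed_at is not None and listed_at <= now


def resolve_click(rewritten: str, now: int) -> tuple:
    """Time-of-click step: unwrap the link, re-check reputation, then allow or block."""
    if not rewritten.startswith(REWRITE_PREFIX):
        raise ValueError("not a rewritten link")
    original = unquote(rewritten[len(REWRITE_PREFIX):])
    return ("block", original) if is_blocked(original, now) else ("allow", original)


def scenario() -> dict:
    """Replay the slide: the link passes at delivery but is caught at the later click."""
    body = "Please verify your account at http://phish.example/login?id=42 today."
    delivered = rewrite_links(body)
    link = URL_RE.search(delivered).group(0)  # the wrapped link as the user sees it
    return {
        "blocked_at_delivery": is_blocked("http://phish.example/login?id=42", DELIVERY_T),
        "click_verdict": resolve_click(link, CLICK_T)[0],
    }


if __name__ == "__main__":
    print(scenario())
```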
  36. Safe links

    Slide 36 - Safe links

    • Admin sets policy
    • Users notified if a malicious link is clicked in email
  37. DMARC, DKIM support

    Slide 37 - DMARC, DKIM support

    • http://blogs.office.com/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365
    • DomainKeys Identified Mail
    • Domain-based Message Authentication, Reporting and Conformance
    • Exchange Online Protection, Mailflow, and Encryption: Notes from the Field
  38. Rights Management Service

    Slide 38 - Rights Management Service

    • Encryption tools: S/MIME, Office 365 Message Encryption, RMS
    • Message Delivery: User → Exchange server / Data disk → Exchange server / Data disk, RMS, S/MIME protected
    • SMTP to partners: TLS protected
  39. Office 365 Message Encryption

    Slide 39 - Office 365 Message Encryption

    • Office 365 User → Send → Exchange Online: Policy detection and Enforcement, Tenant configuration → Deliver → Internet User
    • Mail Reading Portal (Microsoft account / Organization Account): Post
  40. Data Loss Prevention

    Slide 40 - Data Loss Prevention

    • Helps to identify, monitor, protect sensitive data through deep content analysis
    • Identify
    • Protect
    • Monitor
    • End user education
    • End-to-End Data Loss Prevention
  41. Slide 41

    • Activity Logs: Exchange
    • Users, Admins, Microsoft Engagement → Activity API → Security Operations, Compliance, Report/Dashboards, ISVs
  42. Slide 42

    • Activity Logs: ISV Integrations
  43. Demo

    Slide 43 - Demo

    • Activity Logs In SharePoint
    • Auditing for Office 365
  44. Microsoft Intune

    Slide 44 - Microsoft Intune

    • Built-In Device Management: Conditional Access, Selective Wipe
    • Microsoft Intune: Device Management, Application Management (LoB app)
    • Device and Data Protection with Mobile Device Management in Office 365
  45. What to take with you

    Slide 45 - What to take with you

    • What to leave behind
    • It’s your data
    • You own it, you control it
    • We run the service for you
    • We are accountable to you
    • Your people are your greatest asset, and your biggest security liability
    • We can help
    • With hundreds of billions of items to protect in Office 365, we are invested accordingly
    • Outdated Security Conventional Wisdom
    • Get the facts, learn the features
    • Learn how to best apply them to your organization
    • Transparency and Control
  46. Got Questions?

    Slide 46 - Got Questions?

    • 3-5pm Tues: O365 Security Booth in Expo Hall