When considering a cloud based service like Office 365, questions about security and trust often gets asked – questions like: Can I trust Office 365 with my company’s data?  How secure is my data in Office 365?  Organizations are often cautious when it comes to trusting cloud services with storing and providing access to corporate data. Answering those questions requires learning about the security strategy the provider has employed, and the specific controls they have put in place to protect your data.  This session will answer those questions and provide an overview of the robust set of security capabilities available in Office 365.

1. September 2016
Email: antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

3. Reference: Microsoft Security Bulletins: https://technet.microsoft.com/en-us/library/security/dn631937.aspx

5. Reference: https://www.microsoft.com/en-us/trustcenter/Compliance/default.aspx
Shared Responsibility

6. In a cloud environment, security and information protection must be a Shared Responsibility.

7. https://channel9.msdn.com/Shows/Azure-Friday/Red-vs-Blue-Internal-security-penetration-testing-of-
Microsoft-Azure

9. Preferred secure communication protocol is TLS 1.2.
• Includes all communication from the internet to Office 365 (client desktops, web browsers, apps, mobile devices, etc.)
• Includes all communication between servers within the Office 365 data center
• Supported protocols: TLS 1.2, 1.1 and 1.0
• When considering on premise deployments, TLS/SSL is recommended
for secure communication even for intranets
• Digital Certificates are completely managed by Microsoft
Reference and cipher suites:
https://technet.microsoft.com/en-us/library/dn569286.aspx

10. • SSL 3.0 (and earlier) has been considered insecure for years due to inherent vulnerabilities
• Deprecated & removed on Dec. 1, 2014
• TLS 1.0 is now also considered insecure due to an inherent vulnerability
• Maintained for now for browser compatibility
• Only used when TLS 1.2 or 1.1 will not work with the client browser
• Will be deprecated and removed from Office 365 later in ??? (rumor)
• Regulatory standards are recognizing that SSL 3.0 and TLS 1.0 are no longer secure
• Recommendations to remove these protocol versions (ex. PCI DSS standard has a deadline of June 30, 2016 to
remove or have mitigation plans in place for these protocols)
• On premise SharePoint 2010 and 2013: you may only disable SSL 3.0
• You may not disable TLS 1.0 without adverse side effects
• Properly disabling TLS 1.0 requires upgrade to SharePoint 2016
Preferred secure communication protocol is TLS 1.2. We no longer use SSL.

11. • Extremely complex file encryption strategy used to protect files in the Office 365 data center

13. Files are chunked; the chunks encrypted with unique keys and randomly distributed and stored.

14. Unique keys used to encrypt chunks are themselves encrypted and stored in the content database.

15. The master key is stored in the Key Store, the most secure asset in the Microsoft Office 365 data center.

16. Keys are rotated every 24 hours.

17. An attacker needs to gain access to all 3 assets in order to decrypt a single file.
• Each of these three storage components physically separate.
• The information held in any one of the components is unusable on its own.
• Without access to all three it is impossible to retrieve the keys to the chunks, decrypt the keys to make them
usable, associate the keys with their corresponding chunks, decrypt any chunk, or reconstruct a document from
its constituent chunks.

19. • OAuth - OAuth is a server-to-server authentication protocol that allows applications to authenticate to each other.
With OAuth, user credentials and passwords are not passed from one computer to another. Instead, authentication
and authorization is based on the exchange of security tokens, which grant access to a specific set of resources for a
specific amount of time.
• SAML - Security Assertion Markup Language is an XML-based, open-standard data format for exchanging
authentication and authorization data between parties, in particular, between an identity provider and a service
provider.

20. Multi-factor authentication helps protect against unauthorized access to the Office 365 environment.

21. Multi-factor authentication helps protect against unauthorized access to the Office 365 environment.

22. • New integrated authentication mechanism built into Office client
apps
• Uses ADAL (Active Directory Authentication Library)
• Cross platform: Windows, Mac OS X, Windows Phone, iOS, Android
• Provides advanced sign in features for the Office client
applications:
• Multi-Factor Authentication (MFA)
• SAML third-party identity providers
• Smart card
• Certificate based authentication
• Microsoft Outlook no longer requires “basic authentication”
• Benefits:
• Greater consistency in the user experience for users authenticating to Office 365
services and apps
• Greater security across the entire Office 365 service & app suite
Newly launched authentication protocol which became generally available in May 20, 2016.

23. • Application Supported
• Office client applications:
• Windows: Office 2016, Office 2013 (update in previewnow)
• MacOS: Office 2016 (in previewnow)
• iOS: Word, Excel & PowerPoint
• Androidphone:Word, Excel &PowerPoint
• Androidtablet: Word, Excel & PowerPoint (coming soon)
• Windows Phone:iOS: Word, Excel & PowerPoint (coming soon)
• Outlook
• Windows: included with Office client
• MacOS: coming soon
• iOS, Android:available now
• Windows Phone:coming soon
• Skype for Business
• Windows: included with Office client
• MacOS: TBD
• iOS, Android,Windows Phone:coming soon
• OneDrive for Business
• Windows: included with Office client
• MacOS: TBD
• iOS, Android,Windows Phone(8.1): coming soon
• No support planned for: Office 2010 or 2007, Office for Mac 2011, Windows Phone 7, OWA for iOS or Android
Modern authentication must be on-boarded for some Office 365 services and environments.

24. • Default enablement in some Office 365 services:
• Exchange Online: OFF by default
• SharePoint Online: ON by default
• Skype for Business: OFF by default
• Can be enabled via PowerShell
• Support must be enabled on Office Clients and in service for Modern authentication to work
• Ex. Outlook 2016 willattempt ModernAuthentication and auto-revert to Basic Authenticationif ExchangeOnlineis not enabled
References:
• Implications forADFSFederated Auth:http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-
access-filtering-policies-things-to-know-before-onboarding.aspx
• Howto enablein Exchange Online:http://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx
• Azure AD PowerShell has Modern Authentication capabilities now in public preview:
http://blogs.technet.com/b/ad/archive/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands.aspx
Modern authentication must be on-boarded for some Office 365 services and environments.

27. Confidentiality Statement and Restriction for Use
"This proposal contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as
such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to the
client and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents of this proposal are intended for the use of the client and may not be
distributed to third parties. This proposal does not constitute an agreement between Protiviti and the client. Any services Protiviti may provide to the client will be governed by the terms of a
separate written agreement signed by both Protiviti and client. This proposal is based solely on information provided to us by the client, which we have not verified. Accordingly, we are not
responsible for any inaccuracies in that information. Furthermore, changes in the client’s definition of requirements will necessarily affect the proposal set forth herein."