We're currently living Take 1 of the Content Security Journey, and we've now reached a critical juncture where the technology has evolved to support Take 2. The journey to a secure digital workplace means understanding users, their roles, and the devices they work on, and knowing how to protect content both at rest and in flight across the network. Based on real-life use cases in the Aerospace & Defense and Life Sciences industries, you will walk away with an understanding of the technologies available to you and a clear way to communicate with business stakeholders.
History of Content Security: Take 2 - ShareCloudSummit Houston
1. WithumSmith+Brown, PC | BE IN A POSITION OF STRENGTH 0SM
The History of Content Security: Take 2
Adam Levithan, MVP
Product Manager, Withum Digital
March 29, 2018
2. About Me
Adam Levithan (@collabadam, alevithan@withum.com)
Principal; Product Manager, OneWindow Workplace
12+ years in Collaboration
Office 365 expertise: user adoption, information architecture, content migration, document management, security
9. Customers are sharing more than ever
10. How Do Data Leaks Happen?
[Chart: source of breach data, 2013-2017 (breachlevelindex.com). Categories shown: malicious insider, accidental data exposure, malicious outsider; shares shown: 59%, 23%, 14%.]
11. Balancing end user and IT expectations
12. History of Security Take 2
Know Your Users | Protect Your Content | Track Everything
13. History of Security Take 2: Know Your Users
Identify | Access
(Protect Your Content and Track Everything are the other two pillars.)
14. Life Sciences Scenario – Authentication Explosion
Originally produced for
15. Life Sciences Scenario – Single Sign On
Originally produced for
17. 3rd party applications
UltiPro, Cisco Webex, Canvas, SAP NetWeaver, Zscaler ZSCloud, Box, myday, Cornerstone OnDemand, Workplace by Facebook, Google Apps, Salesforce, Concur, SuccessFactors, Workday, ServiceNow
20M monthly active users of 3rd party apps
634,000 active Azure AD integrated applications and services
18. The User Secures Devices and Apps
Mobile Device Management: mobile devices and PCs, managed by IT through Intune in the Azure Portal
Mobile App Management: MAM-enabled apps on mobile devices, managed by IT through Intune in the Azure Portal
19. Secure your organization's identity
Require two-factor authentication
  - Stops a stolen password alone from granting access to Office 365 resources
  - Enable on a per-person basis in the Office 365 admin center
  - Authenticate via SMS, phone call, certificate, or hardware token
Control content sharing
  - Prevents accidental data leakage
  - Enable at multiple levels: tenant, site collection and sites (coming soon)
  - Track that policies are being followed through the Security & Compliance Center and PowerShell
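The two controls on this slide, driven from PowerShell rather than the admin center, as an added example that is not part of the original deck: per-user MFA via the MSOnline module, a tenant-wide sharing baseline with one site tightened below it, and a check for sites whose stored sharing setting is looser than the tenant's. It assumes the MSOnline and Microsoft.Online.SharePoint.PowerShell modules are installed and that you hold the SharePoint administrator role; the tenant name, user and site URLs are placeholders.

```powershell
# Added example, not from the slides. Assumes MSOnline and
# Microsoft.Online.SharePoint.PowerShell are installed; "contoso", the user
# and the site URL below are placeholders.
Import-Module MSOnline
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-MsolService
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# --- Identity: require MFA for one user (the per-person switch in the
#     Office 365 admin center). The user enrolls a method at next sign-in.
function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# --- Content: tenant-wide sharing baseline.
#     ExternalUserSharingOnly = guests must sign in; "Anyone" links are off.
#     Default link type Internal keeps accidental sharing inside the tenant.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Tighten a single site below the tenant baseline (a site can only be stricter
# than the tenant; the tenant setting is the ceiling).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ClinicalTrials" -SharingCapability Disabled

# --- Check: sites whose stored SharingCapability is looser than the tenant's.
#     The tenant ceiling wins today, but such sites silently open up the moment
#     someone relaxes the tenant setting, so they are worth fixing now.
function Get-OverPermissiveSites {
    $rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1;
               ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
    $tenantLevel = $rank[[string](Get-SPOTenant).SharingCapability]
    Get-SPOSite -Limit All |
        Where-Object { $rank[[string]$_.SharingCapability] -gt $tenantLevel } |
        Select-Object Url, SharingCapability
}

Enable-UserMfa -UserPrincipalName "jane.doe@contoso.com"   # placeholder user
Get-OverPermissiveSites
```

Run the check before and after changing the tenant setting; the point of the ranking table is that site settings are not normalised when the tenant ceiling drops, so drift accumulates unless something enumerates it.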
20. Govern your organization's access
Consider device-based conditional access
  - Require a healthy device in addition to a trusted identity
  - Limit functionality when an unmanaged device accesses SharePoint through the browser
  - Health is determined via domain-join status or Intune compliance
Force sign-out of idle sessions
  - Prevents accidental exposure on shared devices
  - Currently in preview, available for all customers in 2018
Evaluate the need for IP-based conditional access
  - Simulates the restricted-access model of an on-premises deployment
  - Restricts SharePoint access to the client IP ranges you configure
21. Limit risk of untrusted devices
Restrict sync to trusted devices
  - Prevents data from being stored locally on unmanaged devices
  - Policy allows sync only from devices joined to your domain
Safeguard data on mobile devices with Mobile Device Management
  - Limit exposure of data accessed via the OneDrive and SharePoint mobile apps
  - Disallow opening content in other apps and downloading files
  - Encrypt app data when the device is locked; prevent app data from being backed up
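The SharePoint Online tenant switches behind slides 20 and 21 (limited access for unmanaged devices, idle-session sign-out, domain-joined-only sync, and an IP allow list), applied in a safe order, as an added example that is not part of the original deck. The IP restriction is the one that can lock the administrator out, so the example refuses to apply it unless the current egress address is inside the allow list. It assumes the Microsoft.Online.SharePoint.PowerShell module and the SharePoint administrator role; the tenant name, the IP ranges, the domain GUIDs and the "what is my IP" service are placeholders.

```powershell
# Added example, not from the slides. Assumes Microsoft.Online.SharePoint.PowerShell;
# tenant name, CIDRs, domain GUIDs and the egress lookup URL are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Device-based conditional access: browser sessions from a device that is
#    neither domain joined nor Intune compliant get a limited, no-download view.
#    This is only the SharePoint side; the matching Azure AD policy must exist too.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# 2. Idle session sign-out for browser sessions on shared devices.
Set-SPOBrowserIdleSignOut -Enabled $true `
                          -WarnAfter (New-TimeSpan -Minutes 15) `
                          -SignOutAfter (New-TimeSpan -Minutes 30)

# 3. Sync only from devices joined to the listed AD domains.
#    Collect each GUID on-premises with: (Get-ADDomain).ObjectGUID
#    The two GUIDs below are placeholders.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids "6ab1a4cc-51a7-4f2d-9b06-1a6ef8c2ef2a;b2c7e3c1-2c2a-4f3b-9e0e-4d5f6a7b8c9d"

# 4. IP-based conditional access, applied last and guarded against lockout.
function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$Address)
    [byte[]]$b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($b)                      # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    if (-not $bits) { $bits = 32 }            # bare address counts as /32
    $mask = if ([int]$bits -eq 0) { [uint32]0 }
            else { [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Enable-SPOIpRestriction {
    param([Parameter(Mandatory)][string[]]$AllowCidrs)
    # Placeholder egress lookup; any service that echoes the caller's IP will do.
    $egress = (Invoke-RestMethod -Uri "https://api.ipify.org").Trim()
    $covered = $AllowCidrs | Where-Object { Test-IPv4InCidr -Ip $egress -Cidr $_ }
    if (-not $covered) {
        throw "Egress IP $egress is not in the allow list; refusing to apply (it would lock out this session)."
    }
    Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList ($AllowCidrs -join ',')
}

Enable-SPOIpRestriction -AllowCidrs @("203.0.113.0/24", "198.51.100.0/24")   # placeholder ranges
```

Order matters: steps 1 to 3 degrade gracefully if misconfigured, while a wrong allow list in step 4 cuts off every client at once, so the lockout guard runs before `Set-SPOTenant -IPAddressEnforcement` is ever called.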
22. History of Security Take 2: Protect Your Content
Content | Application | Network | Physical
(Know Your Users and Track Everything are the other two pillars.)
23. In the past, the firewall was the security perimeter
[Diagram: users, devices, apps and data all sit inside the on-premises / private cloud boundary]
25. Things to Consider
Known Vulnerabilities
• Enable business apps
• Block “bad” apps
• Limit app functions
• Limit file types
• Block websites
• Exploits
• Malware
Unknown Vulnerabilities
• Detect Malicious websites
• Bad domains
• Stolen credentials
• Dynamic analysis
• Static analysis
• Attack techniques
• Anomaly detection
• Analytics
26. Physical and logical isolation
Limited datacenter access
Restricted to essential personnel only
Multiple factors of authentication including smart cards and biometrics
On-premise security officers, motion sensors, video surveillance
Intrusion detection alerts include anomalous activity by datacenter engineers
Isolated network and identity
Networks are isolated from the Microsoft corporate network
Administered with dedicated Active Directory domains
No domain trust outside of the service, no domain trust between test and production
Further partitioned into isolated domains for management and security
27. Protected in transit
Encrypted between client and service
  - TLS 1.2 with Perfect Forward Secrecy, 2048-bit key
  - TLS 1.0 is the minimum supported protocol (as of this talk, March 2018; Microsoft has since retired TLS 1.0 and 1.1 for Office 365, so clients should be on TLS 1.2)
  - The connection negotiates the most secure protocol supported by your client
Only secure access is permitted
  - SharePoint Online requires HTTPS for all authenticated connections
  - HSTS header prevents HTTP downgrade on untrusted networks
Encrypted within the service
  - Customer content is always encrypted in transit between datacenters
28. Application security
Security Development Lifecycle
All engineers receive security training annually
Code review and static analysis required for every change
Microsoft Security Response Center
Dedicated team for vulnerability report assessment and response
Skilled engineers triage reports and evaluate mitigations
Online Services Bug Bounty
Incentivizes vulnerability hunting by external researchers
Researchers receive credit and financial reward when they disclose responsibly
29. Service Encryption
Application-level encryption
Service uses per-file keys to protect SharePoint content
Microsoft manages these keys
Service automatically creates them when a file is uploaded or edited
Microsoft can transparently roll them or upgrade them as needed
Defense-in-depth
Ensures separation between server admins, Azure admins, and customer content
30. Service Encryption with Customer Key
Key hierarchy: Customer Keys -> Tenant Intermediate Key -> Site Encryption Key -> File Chunk Keys
31. Content security
Volume encryption
BitLocker encryption protects drives where content is stored
Renders content unreadable if drive is removed from the server
Per-file encryption
Contents of each file encrypted with a unique key
Large files are stored in parts with a unique key per part
Encrypted contents, encryption keys, file part mapping are stored separately
32. Discover | Classify | Label | Apply label | Monitor
Comprehensive policies to protect and govern your most important data, throughout its lifecycle
Unified approach to discover, classify & label
  - Sensitivity labels: encryption, restrict access, watermark, header/footer
  - Retention labels: retention, deletion, records management, archiving
Automatically apply policy-based actions
Proactive monitoring to identify risks: sensitive data discovery, data at risk, policy violations, policy recommendations, proactive alerts
Broad coverage across locations
35. Discover | Classify | Protect | Monitor
Microsoft Cloud App Security: visibility into 15k+ cloud apps, data access & usage, potential abuse
Azure Security Center Information Protection: classify & label sensitive structured data in Azure SQL, SQL Server and other Azure repositories
Office apps: protect sensitive information while working in Excel, Word, PowerPoint, Outlook
Azure Information Protection: classify, label & protect files beyond Office 365, including on-premises & hybrid
Office 365 Data Loss Prevention: prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
SharePoint & Groups: protect files in libraries and lists
Office 365 Advanced Data Governance: apply retention and deletion policies to sensitive and important data in Office 365
Adobe PDFs: natively view and protect PDFs in Adobe Acrobat Reader
Windows Information Protection: separate personal vs. work data on Windows 10 devices; prevent work data from traveling to non-work locations
Office 365 Message Encryption: send encrypted emails in Office 365 to anyone inside or outside the company
Conditional Access: control access to files based on policy, such as identity, machine configuration, geo location
SDK for partner ecosystem & ISVs: enable ISVs to consume labels and apply protection
36. Uniform Content Discovery & Classification
Data Classification Service (DCS): an Azure service integrated with Microsoft Cloud App Security, client apps, and the AIP scanner on premises, to discover and classify across Microsoft services
  - Consistent auto classification across Microsoft services
  - Native integration in content pipeline and substrate
  - Deep content scanning with 90+ built-in sensitive types
  - Fully extensible scanning with custom type support
New: GDPR template with EU sensitive types
New: custom sensitive type authoring and fine tuning
New: Exact Data Match based classification
New: image classification with OCR
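The built-in sensitive types listed on this slide are what an Office 365 DLP rule keys on. The following is an added example, not part of the original deck, that creates a DLP policy in test mode so it reports matches before it blocks anything, then shows the single switch that promotes it. It assumes a Security & Compliance Center PowerShell session (`Connect-IPPSSession` from the ExchangeOnlineManagement module, which postdates this talk) and the compliance administrator role; the policy name, site URL and incident-report mailbox are placeholders.

```powershell
# Added example, not from the slides. Assumes a Security & Compliance Center
# session; "contoso", the policy name and the report mailbox are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.com"

# The catalogue of built-in sensitive information types the classification
# service exposes (90+ at the time of the talk); rule conditions use these names.
Get-DlpSensitiveInformationType | Select-Object Name, Publisher | Sort-Object Name

$policyName = "Life Sciences PII - pilot"

# 1. Scope: one SharePoint site plus all OneDrive and Exchange locations, in
#    test mode with user notifications. Nothing is blocked yet; users see policy
#    tips and admins receive incident reports, which is how you tune false positives.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation "https://contoso.sharepoint.com/sites/ClinicalTrials" `
    -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Pilot: detect regulated identifiers shared outside the organization"

# 2. Rule: regulated identifiers shared with people outside the organization.
#    BlockAccess only takes effect once the policy mode becomes Enable.
New-DlpComplianceRule -Name "$policyName - external" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier, SiteAdmin `
    -NotifyPolicyTipCustomText "This item contains regulated identifiers and cannot be shared outside the company." `
    -GenerateIncidentReport "dlp-reports@contoso.com" `
    -IncidentReportContent Title, Detections, Severity, Service `
    -ReportSeverityLevel High

# 3. Confirm the pilot is still in test mode; promote only after reviewing reports.
function Get-DlpPilotMode { (Get-DlpCompliancePolicy -Identity $policyName).Mode }
Get-DlpPilotMode                                      # TestWithNotifications

# Promotion, once the incident reports look clean:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The test-mode-first pattern is the practical answer to the "balancing end user and IT expectations" slide: the rule is written as if it will block, but the organisation sees a week of policy tips and reports before anything is actually stopped.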
37. Unified labeling across Office 365, Azure and Windows Information Protection
Centralized management: configure and manage labels across apps and services in Office, Azure and Windows, all from the Security & Compliance Center
Unified classification: uniform content classification to protect and preserve data across Office, Azure, Windows
Consistent across M365 & extensible to 3rd party: consistent integration and experience across M365 apps & services, extensible to 3rd party apps & solutions
38. History of Security Take 2
Know Your Users | Protect Your Content | Classify | Track Everything
39. Compliance in Aerospace & Defense
Technology vs. non-technology controls
Control families, documents not supported by DLP:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- System and Communications Protection
- System and Information Integrity
Control families, documents stored in team collaboration & supported by DLP:
- Access Control
- Awareness and Training
- Audit and Accountability
- Incident Response
- Media Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Information Integrity
Capability areas: Identity & Access Management, Team Collaboration, DRM, Cloud
Originally produced for
40. Meet your regulatory requirements
Audit Office 365 activity
  - Search and download audit logs from the Office 365 Security Center
  - Configure activity alerts on specific audit event criteria
Configure an eDiscovery Center
  - Supports the full lifecycle of electronic discovery across SharePoint, Exchange, and Skype
  - Create cases, add content sources, run keyword queries, place holds
Apply retention policies
  - Retain content for a minimum period of time, or delete content that exceeds a timespan
  - Policy can be scoped to content containing specific keywords or sensitive information
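The audit search, activity alert and retention policy from this slide, driven from PowerShell, as an added example that is not part of the original deck. The audit search pages through the unified log with a session id, which is what the portal does behind the scenes, and reduces the raw events to the external-sharing ones a reviewer actually cares about. It assumes the ExchangeOnlineManagement module (`Connect-ExchangeOnline` for `Search-UnifiedAuditLog`, `Connect-IPPSSession` for the alert and retention cmdlets; the talk predates this module and used remote sessions instead) and the compliance administrator role; names, addresses, the site URL and the seven-year period are placeholders.

```powershell
# Added example, not from the slides. Assumes ExchangeOnlineManagement;
# "contoso", the mailbox, the site URL and the retention period are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com"   # Search-UnifiedAuditLog
Connect-IPPSSession    -UserPrincipalName "admin@contoso.com"   # alerts, retention

# --- Audit: external sharing events over the last N days, paged 5000 at a time.
function Get-ExternalSharingEvents {
    param([int]$Days = 7)
    $ops = "SharingInvitationCreated", "AnonymousLinkCreated", "SharingSet", "AddedToSecureLink"
    $sessionId = [guid]::NewGuid().ToString()   # ties the pages of one query together
    $all = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                    -RecordType SharePointSharingOperation -Operations $ops `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $all += $page
    } while ($page.Count -eq 5000)               # a short page means the set is exhausted

    $all | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json      # AuditData is a JSON blob per record
        [pscustomobject]@{
            Time   = $_.CreationDate
            Actor  = $_.UserIds
            Op     = $_.Operations
            Target = $d.TargetUserOrGroupName
            Type   = $d.TargetUserOrGroupType    # Member, Guest, SecurityGroup
            Item   = $d.ObjectId
        }
    } | Where-Object { $_.Type -eq "Guest" -or $_.Op -eq "AnonymousLinkCreated" }
}

Get-ExternalSharingEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize

# --- Alert: email security operations whenever an anonymous link is created.
New-ActivityAlert -Name "Anonymous sharing link created" `
    -Operation AnonymousLinkCreated `
    -NotifyUser "secops@contoso.com" `
    -Description "Anyone link created in SharePoint or OneDrive; review against sharing policy"

# --- Retention: keep items that match a sensitive type for 7 years from last
#     modification, then delete them. Scoped to one site plus all OneDrive accounts.
New-RetentionCompliancePolicy -Name "Regulated records 7y" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/ClinicalTrials" `
    -OneDriveLocation All -Enabled $true

New-RetentionComplianceRule -Name "Keep 7y then delete" -Policy "Regulated records 7y" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays `
    -ContentMatchQuery 'SensitiveType:"U.S. Social Security Number (SSN)"'
```

The `-SessionId` / `-SessionCommand ReturnLargeSet` pair is the part people miss: without it `Search-UnifiedAuditLog` silently returns only the first page, and a "clean" sharing report may simply be a truncated one.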
41. Unified Auditing Pipeline
Sources: Azure AD, SharePoint Online, Exchange Online, OneDrive for Business
-> Long-term auditing storage in O365
Consumers: Compliance Center, Office 365 Activity Report, PowerShell cmdlet, Office 365 Management Activity API (feeding third-party applications)
42. New Microsoft 365 specialized workspaces
security.microsoft.com | compliance.microsoft.com
43. Compliance Manager
Ongoing risk assessment: an intelligent score reflects your compliance posture against regulations or standards
Simplified compliance: streamlined workflow across teams and richly detailed reports for audit preparation
Actionable insights: recommended actions to improve your data protection capabilities
Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance stature, as well as recommendations to improve data protection and compliance. These are recommendations; it is up to you to evaluate and validate the effectiveness of customer controls for your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.
46. Enhanced information protection analytics
- Better visibility into classified, labeled and protected files, across workloads
- Helps identify information protection anomalies and risks
- View by label type, service/app and label method (e.g. manual, automatic)
- Recommendations to tune policy settings
47. Questions
History of Security Take 2: Know Your Users | Protect Your Content | Track Everything
Adam Levithan
Alevithan@Withum.com
@collabadam
Microsoft 365 meets the diverse needs of teams with an integrated solution that is secure
We’ve designed Microsoft 365 to meet the unique needs of every group
For each of those categories of teamwork, Microsoft 365 includes a purpose-built application
Teams as a hub for teamwork where groups that actively engage and are working on core projects can connect and collaborate
Yammer for people to connect across their company, sharing ideas on common topics of interest
Outlook, where teams can communicate in a familiar place and can easily create modern distribution lists with groups in Outlook
SharePoint for keeping content at the center of teamwork, making files, sites and all types of content easily shareable and accessible across teams
Office Apps – enabling co-authoring in familiar apps like Word, Excel, and PowerPoint
With these tools coming together in Microsoft 365 – teams get a holistic solution
What’s unique about teamwork in Microsoft 365 is that all of these applications are built on an intelligent fabric - suite-wide membership service with O365 Groups; suite-wide discovery and intelligence with Microsoft Graph, and suite-wide security and compliance
Office 365 Groups - A membership service providing a single identity for teams across Office applications and services
Microsoft Graph - Suite-wide intelligence that maps the connection of people and content to surface insights
Security and Compliance - Proactive security that simplifies IT management with intelligence built-in