4. CONSULTING | SOLUTIONS | RESULTS
Pre-adoption concern
60% cited concerns around data security as a barrier to adoption
45% concerned that the cloud would result in a lack of data control
Benefits realized
94% experienced security benefits they didn’t previously have on-premise
62% said privacy protection increased as a result of moving to the cloud
SECURITY
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data
PRIVACY
COMPLIANCE
TRANSPARENCY
Cloud Innovation: Risks & Benefits
Source: Barriers to Cloud Adoption study, ComScore, Sept 2013
Slide 9
[Diagram: layers Perimeter, Building, Computer room. Controls shown: Seismic bracing; Security operations center; 24x7 security staff; Days of backup power; Cameras; Alarms; Two-factor access control: biometric readers & card readers; Barriers; Fencing]
Datacenter Security
Slide 10
“No. We can’t have our info visible on the open internet…”
Slide 11
“No. We can’t have our info visible on the open internet…”
Encryption
a. Data at-rest
   i. Volume-level encryption (BitLocker, AES 128-bit, FIPS-compliant)
   ii. File-level encryption (encrypted keys; minimal MS staff access in gov’t cloud)
b. Data in-transit
   i. TLS/SSL (2048-bit)
   ii. IPsec encryption
   iii. AES 256-bit
   iv. FIPS validated
Slide 12
Encrypted in transit between client and service and within service data centers
BitLocker encryption protects drives where content is stored
Contents of each file encrypted with a unique key
Large files are stored in parts with a unique key per part
File contents and encryption key are stored separately
Use Azure RMS to encrypt your secret data before uploading
Works across phones, tablets, and PCs
Information protected both within and outside the organization
Master key is used to encrypt/decrypt per-file encryption keys
If it is removed or access is revoked, SharePoint Online can no longer decrypt your content
Does not limit/restrict SharePoint Online functionality when enabled
You upload it to Azure Key Vault and grant access to the Office 365 service
You can remove it or revoke access to it at any time
“No. We can’t have our info visible on the open internet…”
Slide 16
• Private VPN
“No. We can’t have our info visible on the open internet…”
Customers can extend their on-premises sites using VPN or dedicated ExpressRoute connections
Customer owns and manages certificates, policies, and user access
Slide 17
“No. We’ll never be able to determine Appropriate Usage by our users…”
Slide 18
Powerful for experts, and easier for generalists to adopt
Scenario-oriented workflows with cross-cutting policies spanning features
Powerful content discovery across Office 365 workloads
Proactive suggestions leveraging Microsoft Security Intelligence Graph
Security and Compliance Center
Slide 19
[Diagram: Azure Active Directory, Security & Compliance Center, SharePoint Online, Power BI; opt-in for all O365 tenants; 1 billion events collected daily]
Office 365 Auditing
Slide 22
Tenant-scoped unless noted
Allow sharing via anon access links and to authenticated external users
Allow sharing to authenticated external users only (further limit to existing users)
Don’t allow sharing to external users
Limit external sharing using domains (allow and deny list) – also at site collection level
Prevent external users from sharing files, folders, sites they don’t own
Require external users to accept sharing invitations with the same account the invitations were sent to
Ability to choose default link type from anon, company shareable, restricted
On OneDrive for Business only; when…
   Users invite additional external users to shared files
   External users accept invitations to access files
   Anon access link is created or changed
Prevent sharing of documents marked by DLP to external users
Sharing
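The controls on this slide compose in a fixed order, and it is easy to misread which one decides a given request. The Go program below is an added example, not code from the deck or from SharePoint Online: the type and field names (TenantPolicy, ShareRequest, the capability constants) are this example's own rather than admin-center setting names, and every address is constructed. It evaluates share requests against one tenant policy, reporting which control allowed or blocked each, and separately enforces the "accept with the same account the invitation was sent to" rule.

```go
package main

import "strings"

// SharingCapability mirrors the tenant-wide choices on the slide. The
// identifiers are this example's own, not admin-center setting names.
type SharingCapability int

const (
	SharingDisabled SharingCapability = iota
	ExistingExternalUsersOnly
	AuthenticatedExternalUsers
	AnonymousAndExternalUsers
)

// TenantPolicy collects the controls the slide lists (field names assumed).
type TenantPolicy struct {
	TenantDomain              string
	Capability                SharingCapability
	AllowedDomains            []string // non-empty: only these domains may be invited
	DeniedDomains             []string // never invite these domains
	PreventExternalResharing  bool     // external users cannot share what they do not own
	RequireInviteAccountMatch bool     // invitation must be accepted with the invited account
	BlockDLPFlaggedExternal   bool     // DLP-marked items never go to external users
}

// ShareRequest is one attempt to share an item (constructed input).
type ShareRequest struct {
	Sharer           string // who is sharing
	SharerIsExternal bool
	SharerOwnsItem   bool
	Recipient        string // invitee address; empty for an anonymous link
	Anonymous        bool
	RecipientExists  bool // invitee is already a known external user
	ItemDLPFlagged   bool
}

func domainOf(email string) string {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(email[at+1:])
}

func inList(v string, list []string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// Evaluate applies the controls most-restrictive first and reports which one
// decided the outcome. Internal recipients fall outside external-sharing policy.
func (p TenantPolicy) Evaluate(r ShareRequest) (bool, string) {
	if !r.Anonymous && p.TenantDomain != "" && domainOf(r.Recipient) == strings.ToLower(p.TenantDomain) {
		return true, "internal recipient; external sharing policy not applied"
	}
	if p.Capability == SharingDisabled {
		return false, "external sharing is disabled for the tenant"
	}
	if p.BlockDLPFlaggedExternal && r.ItemDLPFlagged {
		return false, "item marked by DLP cannot be shared externally"
	}
	if p.PreventExternalResharing && r.SharerIsExternal && !r.SharerOwnsItem {
		return false, "external users may not share items they do not own"
	}
	if r.Anonymous {
		if p.Capability != AnonymousAndExternalUsers {
			return false, "anonymous access links are not allowed"
		}
		return true, "anonymous access link permitted"
	}
	if p.Capability == ExistingExternalUsersOnly && !r.RecipientExists {
		return false, "sharing is limited to existing external users"
	}
	d := domainOf(r.Recipient)
	if inList(d, p.DeniedDomains) {
		return false, "recipient domain is on the deny list"
	}
	if len(p.AllowedDomains) > 0 && !inList(d, p.AllowedDomains) {
		return false, "recipient domain is not on the allow list"
	}
	return true, "authenticated external sharing permitted"
}

// AcceptInvitation enforces "accept with the same account the invitation was sent to".
func (p TenantPolicy) AcceptInvitation(invited, accepting string) (bool, string) {
	if p.RequireInviteAccountMatch && !strings.EqualFold(invited, accepting) {
		return false, "invitation must be accepted with the invited account"
	}
	return true, "invitation accepted"
}
```

The DLP check sits before the domain lists on purpose: an allow-listed partner domain must not override a DLP mark, while an internal recipient of the same DLP-marked file is untouched by these controls, which is exactly the distinction the slide's last bullet draws.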
Slide 23
“No. ‘Need To Know’ and ‘Least Privilege’ need to be supported…”
Slide 25
• Catch It Before it Happens
• The “Minority Report” Method
• Catch It After it Happens
• and discipline the culprit
• Minimize Issues
Other Considerations: Timing
Slide 26
• Physical Security
• Azure RMS
• Rights Management
• Data Loss Prevention
Catch Before
Slide 32
Resources
Thank You!
Ricardo Wilkins – Architect, Microsoft Solutions Division
Computer Enterprises, Inc. | www.ceiamerica.com
rwilkins@ceiamerica.com
Office 365 Trust Center
Microsoft Trust Center
Microsoft Secure
Security Blogs on Office Blogs
Compliance Blogs on Office Blogs
Office 365 Roadmap
Editor's notes
Source: Barriers to Cloud Adoption study, ComScore, Sept 2013
Slide script:
Azure can help reduce the cost, complexity, and risk associated with security and compliance in the cloud. A survey funded by Microsoft and performed by ComScore demonstrates that while many organizations have initial concerns about moving to the cloud, a majority of cloud adopters achieve significant security benefits:
CLICK. Before embarking on cloud computing, 60% cited concerns around data security as a barrier to adoption, and 45% were concerned that the cloud would result in a lack of data control.
CLICK. However, after moving to the cloud, a majority of cloud adopters achieve significant security benefits: 94% experienced security benefits they didn’t previously have on-premises, and 62% said privacy protection increased as a result of moving to the cloud.
Few individual customer organizations can replicate the technology and operational processes that Microsoft uses to help safeguard its enterprise cloud services and comply with a wide range of international standards.
When companies use Microsoft Azure, they benefit from Microsoft’s scale and experience running highly secure and compliant online services around the globe. Microsoft’s expertise becomes the customer’s expertise.
Office 365 is a global service and continuous compliance refers to our commitment to evolve the Office 365 controls and stay up to date with standards and regulations that apply to your industry and geography.
Because regulations often share the same or similar controls, this makes it easier for Microsoft to meet the requirements of new regulations or those specific to your organization and industry. We have built a specialist compliance team that continuously tracks standards and regulations, developing common control sets for our product team to build into the service.
· EU Model Clauses: Ensures appropriate safeguards are in place to protect personal data that leaves the European Economic Area (prep for any questions regarding safe harbor by reading this: http://blogs.microsoft.com/on-the-issues/2015/10/06/a-message-to-our-customers-about-eu-us-safe-harbor/)
· ISO 27018: Microsoft was the first cloud service provider to comply with this new standard which protects personally identifiable information and ensures your data will not be used for advertising purposes
Slide script:
Microsoft datacenters employ controls at the perimeter, building, and computer room with increasing security at each level, utilizing a combination of technology and traditional physical measures.
Security starts at the perimeter with camera monitoring, security officers, physical barriers and fencing.
At the building, seismic bracing and extensive environmental protections protect the physical structure and integrated alarms, cameras, and access controls (including two-factor authentication via biometrics and smart cards) govern access. The systems are monitored 24x7 from the operations center.
Similar access controls are used at the computer room, which also has redundant power.
Office 365 services follow industry cryptographic standards such as TLS/SSL and AES to protect the confidentiality and integrity of customer data.
For data in transit, all customer-facing servers negotiate a secure session by using TLS/SSL with client machines to secure the customer data. This applies to protocols on any device used by clients, such as Skype for Business Online, Outlook, and Outlook on the web.
For data at rest, Office 365 deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive for Business. BitLocker volume encryption addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks.
In some scenarios, we use file-level encryption. For example, the files and presentations uploaded by meeting participants are encrypted by using AES encryption. OneDrive for Business and SharePoint Online also use file-level encryption to encrypt data at rest. Office 365 moves beyond a single encryption key per disk to deliver a unique encryption key so that every file stored in SharePoint Online—including OneDrive for Business folders—is encrypted with its own key. Your organization’s files are distributed across multiple Azure Storage containers, each with separate credentials, rather than storing them in a single database. Spreading encrypted files across storage locations, encrypting the map of file locations itself, and physically separating master encryption keys from both content and the file map make OneDrive for Business and SharePoint Online a highly secure environment for stored files.
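Slide 12 and the note above describe one layered design: a unique key per file, a master key whose only job is to wrap those per-file keys, file contents stored apart from the wrapped keys, and the customer able to remove the master key or revoke the service's access to it. The Go program below is an added illustration of that envelope-encryption pattern, not code from the deck or from Microsoft: KeyVault, FileStore and their methods are this example's own names, AES-256-GCM stands in for whatever the service actually uses, and the in-memory vault is an assumption so the example runs offline. After RevokeServiceAccess is called, the ciphertext the store still holds can no longer be opened by it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrAccessRevoked: the customer removed the master key or revoked the service's
// access to it in the vault (assumed behaviour for this example).
var ErrAccessRevoked = errors.New("service access to the master key has been revoked")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

// aead builds AES-256-GCM; every key in this example is exactly 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// KeyVault stands in for the customer-controlled vault (Azure Key Vault on the
// slide): the master key never leaves it, the service only receives wrapped keys.
type KeyVault struct {
	master        []byte
	serviceAccess bool
}

func NewKeyVault() *KeyVault { return &KeyVault{master: randomBytes(32), serviceAccess: true} }

// RevokeServiceAccess is the customer's "revoke access at any time" control.
func (v *KeyVault) RevokeServiceAccess() { v.serviceAccess = false }

// Wrap and Unwrap encrypt/decrypt a per-file key under the master key.
func (v *KeyVault) Wrap(fileKey []byte) ([]byte, error) {
	if !v.serviceAccess {
		return nil, ErrAccessRevoked
	}
	return seal(v.master, fileKey), nil
}

func (v *KeyVault) Unwrap(wrapped []byte) ([]byte, error) {
	if !v.serviceAccess {
		return nil, ErrAccessRevoked
	}
	return open(v.master, wrapped)
}

// FileStore is the storage service; ciphertext and wrapped keys sit in separate
// maps, as in the slide's "file contents and encryption key are stored separately".
type FileStore struct {
	vault   *KeyVault
	content map[string][]byte // file id -> ciphertext
	keys    map[string][]byte // file id -> per-file key wrapped by the master key
}

func NewFileStore(v *KeyVault) *FileStore {
	return &FileStore{vault: v, content: map[string][]byte{}, keys: map[string][]byte{}}
}

// Upload creates a fresh 256-bit key per file and stores only its wrapped form.
func (s *FileStore) Upload(id string, plaintext []byte) error {
	fileKey := randomBytes(32)
	wrapped, err := s.vault.Wrap(fileKey)
	if err != nil {
		return err
	}
	s.content[id], s.keys[id] = seal(fileKey, plaintext), wrapped
	return nil
}

// Download must unwrap the file key through the vault first; after revocation
// the ciphertext the service still holds is unreadable to it.
func (s *FileStore) Download(id string) ([]byte, error) {
	wrapped, ok := s.keys[id]
	if !ok {
		return nil, errors.New("no such file")
	}
	fileKey, err := s.vault.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	return open(fileKey, s.content[id])
}
```

The point of the split is what each party can do alone: the store holds ciphertext and wrapped keys but never the master key, so a copy of its storage is useless without the vault, and the vault never sees file contents at all. Revocation is therefore a single switch on the customer's side rather than a re-encryption of every file.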
Data is moving to the cloud at an increased pace
Employees are bringing their own devices and accessing corporate data on these devices
Multiple ways of sharing the data with both internal and external individuals
Need to be in touch with your tenant and what is happening in it – who is logging in, where they are logging in from
Increased transparency
Monitor and investigate actions taken on your data, intelligently identify risks, contain and respond to threats, and protect valuable IP.
Continuous activity logging and reporting
User and admin activity events are logged across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory.
The Office 365 activity report enables you to investigate a user’s activity by searching for a user, file or other resource across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory.
Office 365 Management Activity API
The Management Activity API is a RESTful API that provides an unprecedented level of visibility into all user and admin transactions within Office 365.
The Management Activity API allows organizations and other software providers to integrate Office 365 activity data into their security and compliance monitoring and reporting solutions.
You can create an activity alert that will send you an email notification when users perform specific activities in Office 365. Activity alerts are similar to searching for events in the Office 365 audit log, except that you'll be sent an email message when an event for an activity that you've created an alert for happens.
Why use activity alerts instead of searching the audit log? There might be certain kinds of activity or activity performed by specific users that you really want to know about. Instead of having to remember to search the audit log for those activities, you can use activity alerts to have Office 365 send you an email message when users perform those activities. For example, you can create an activity alert to notify you when a user deletes files in SharePoint or you can create an alert to notify you when a user permanently deletes messages from their mailbox. The email notification sent to you includes information about which activity was performed and the user who performed it.
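An activity alert is a standing audit-log query with a notification attached. The Go program below is an added example to show that shape; it is not the deck's or Microsoft's code and not a Management Activity API client. It parses a constructed batch of newline-delimited audit events whose field names follow the API's common schema, matches them against three rules (the two examples in the note above, file deletions in SharePoint and permanent mailbox deletions, plus anonymous links created by one specific user, as on slide 22), and renders the notification text. A malformed line is skipped and counted instead of aborting the batch. Operation names such as FileDeleted, HardDelete and AnonymousLinkCreated are used as they appear in the audit log; the users, objects and IP addresses are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent carries the common-schema fields this example uses. Field names
// follow the Management Activity API common schema; the values fed in are constructed.
type AuditEvent struct {
	CreationTime string `json:"CreationTime"`
	Operation    string `json:"Operation"`
	Workload     string `json:"Workload"`
	UserId       string `json:"UserId"`
	ObjectId     string `json:"ObjectId"`
	ClientIP     string `json:"ClientIP"`
}

// AlertRule is one activity alert: fire when a listed operation occurs in the
// workload, optionally only for specific users.
type AlertRule struct {
	Name       string
	Workload   string
	Operations []string
	Users      []string // empty means any user
}

// Alert is what the e-mail notification would carry: the activity and who did it.
type Alert struct {
	Rule  string
	Event AuditEvent
}

func (a Alert) Message() string {
	e := a.Event
	return fmt.Sprintf("[%s] %s performed %s on %s at %s from %s",
		a.Rule, e.UserId, e.Operation, e.ObjectId, e.CreationTime, e.ClientIP)
}

func containsFold(list []string, v string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

func (r AlertRule) Matches(e AuditEvent) bool {
	if !strings.EqualFold(r.Workload, e.Workload) || !containsFold(r.Operations, e.Operation) {
		return false
	}
	return len(r.Users) == 0 || containsFold(r.Users, e.UserId)
}

// ParseEvents reads newline-delimited JSON, skipping malformed lines instead of
// dropping the whole batch, and reports how many it skipped.
func ParseEvents(ndjson string) ([]AuditEvent, int) {
	var events []AuditEvent
	skipped := 0
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			skipped++
			continue
		}
		events = append(events, e)
	}
	return events, skipped
}

// EvaluateAlerts returns one Alert per (event, rule) match, in event order.
func EvaluateAlerts(events []AuditEvent, rules []AlertRule) []Alert {
	var alerts []Alert
	for _, e := range events {
		for _, r := range rules {
			if r.Matches(e) {
				alerts = append(alerts, Alert{Rule: r.Name, Event: e})
			}
		}
	}
	return alerts
}

// sampleLog is constructed for this example; the last line is deliberately malformed.
const sampleLog = `
{"CreationTime":"2016-03-01T09:12:31","Operation":"FileDeleted","Workload":"SharePoint","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/finance/Shared Documents/q1.xlsx","ClientIP":"203.0.113.10"}
{"CreationTime":"2016-03-01T09:15:02","Operation":"FileAccessed","Workload":"SharePoint","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/finance/Shared Documents/q2.xlsx","ClientIP":"203.0.113.10"}
{"CreationTime":"2016-03-01T10:01:45","Operation":"HardDelete","Workload":"Exchange","UserId":"bob@contoso.example","ObjectId":"Inbox/Project Falcon","ClientIP":"198.51.100.7"}
{"CreationTime":"2016-03-01T10:30:00","Operation":"AnonymousLinkCreated","Workload":"OneDrive","UserId":"carol@contoso.example","ObjectId":"https://contoso-my.example/personal/carol/Documents/payroll.xlsx","ClientIP":"203.0.113.44"}
{"CreationTime":"2016-03-01T10:31:10","Operation":"AnonymousLinkCreated","Workload":"OneDrive","UserId":"dave@contoso.example","ObjectId":"https://contoso-my.example/personal/dave/Documents/notes.docx","ClientIP":"203.0.113.45"}
this line is not JSON
`

var rules = []AlertRule{
	{Name: "SharePoint file deletions", Workload: "SharePoint", Operations: []string{"FileDeleted"}},
	{Name: "Mailbox hard deletes", Workload: "Exchange", Operations: []string{"HardDelete"}},
	{Name: "Anonymous links by finance staff", Workload: "OneDrive", Operations: []string{"AnonymousLinkCreated"}, Users: []string{"carol@contoso.example"}},
}

func main() {
	events, skipped := ParseEvents(sampleLog)
	for _, a := range EvaluateAlerts(events, rules) {
		fmt.Println(a.Message())
	}
	fmt.Println("malformed lines skipped:", skipped)
}
```

Running it yields three alerts (Alice's deletion, Bob's hard delete, Carol's anonymous link) and one skipped line; Dave's anonymous link produces nothing because the third rule is scoped to a user, which is the "activity performed by specific users" case the note describes.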