1 / 44

Microsoft Office 365 Security, Privacy, and Trust

OSP323. Microsoft Office 365 Security, Privacy, and Trust. Alistair Speirs , Sr. Program Manager Bharath Rambadran, Sr. Product Marketing Manager Microsoft Corporation.

amalia
Télécharger la présentation

Microsoft Office 365 Security, Privacy, and Trust

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OSP323 Microsoft Office 365 Security, Privacy, and Trust Alistair Speirs, Sr. Program Manager Bharath Rambadran, Sr. Product Marketing Manager Microsoft Corporation

  2. Brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite

  3. Office 365 Delivers World Class Capabilities • Pay-as-you-go, per-user licensing • Complete Office experience with services integration • Always the latest version of Office and Office Web Apps • Familiar Office user experience • IM & Presence across firewalls • GAL/Skill search in SharePoint • Online meeting with desktop sharing • Windows Live federation • My Sites to manage and share documents • Access documents offline • Document-level permissions • Share documents securely with Extranet Sites • 25Gb mailbox with voicemail & unified messaging • Integrated personal archiving • Retention policies and legal hold • Free/busy coexistence

  4. Trusting The CloudIt’s all over the news – “Can I trust the cloud?” Key Concerns • Privacy • Loss of Control • Regulatory • Physical/Logical Security • CLOUDY WITH A CHANCE OF RAIN • “What is holding IT managers back (from going to the cloud) is fear about security.” • — The Economist, March 5, 2010

  5. The Trust Questions… Privacy Transparency • What does privacy at Microsoft mean? • Are you using my data to build advertising products? • Where is my data? • Who has access to my data ? Compliance Security • What certifications and capabilities does Microsoft hold? • How does Microsoft support customer compliance needs? • Do I have the right to audit Microsoft? • Is cloud computing secure? • Are Microsoft Online Services secure?

  6. Office 365 Trust Center • Clear messaging with plain English • Details for security experts • Links videos, whitepapers • http://trust.office365.com

  7. The Trust Principles Cohesive Process Combining 4 Pillars Leadership in Transparency Your Privacy Matters Independently Verified Relentless on Security We Respect your Privacy You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it Compliance with World Class Industry standards verified by 3rdparties Excellence in Cutting edge security practices

  8. Your Privacy Matters Privacy

  9. What Do We Mean by “Privacy”? PRIVACY SECURITY PII Controls Elevation of Privilege Notice and Consent BreachResponse Denial of Service Information Disclosure Spoofing Data Minimization Tampering Transnational Data Flows Repudiation

  10. Privacy at Office 365 At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer No Advertising • No advertising products out of Customer Data. • No scanning of email or documents to build analytics or mine data. Data Portability • Office 365 Customer Data belongs to the customer. • Customers can export their data at any time. No Mingling • Choices to keep Office 365 Customer Data separate from consumer services.

  11. How Privacy of Data is Protected? We use customer data for just what they pay us for - to maintain and provide Office 365 Service

  12. You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it. • Transparency

  13. Transparency At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer Where is Data Stored? • Clear Data Maps and Geographic boundary information provided • ‘Ship To’ address determines Data Center Location Who accesses and What is accessed? • Core Customer Data accessed only for troubleshooting and malware prevention purposes • Core Customer Data access limited to key personnel on an exception basis. How to get notified? • Microsoft notifies you of changes in data center locations.

  14. Excellence in cutting edge security practices Security

  15. Microsoft Security Development LifecycleReduce vulnerabilities, limit exploit severity Education Process Accountability Administer and track security training Guide product teams to meet SDL requirements Establish release criteria and sign-off as part of FSR Incident Response (MSRC) Training Requirements Design Implementation Verification Release Response Core SecurityTraining Establish SecurityRequirements Create Quality Gates / Bug Bars Security & Privacy Risk Assessment Establish DesignRequirements Analyze AttackSurface ThreatModeling Use Approved Tools Deprecate UnsafeFunctions Static Analysis Dynamic Analysis Fuzz Testing Attack Surface Review Incident Response Plan Final Security Review Release Archive Execute IncidentResponse Plan Ongoing Process Improvements

  16. Office Security Progress • Unique Security Issues Reported • Office XP • Macro security levels • Office 2007 • Default setting changes • Reduced security prompts • XML file format support • Trust Center & Message Bar • Trusted locations • Active content security • Block file format settings • Document Inspector 9% • Office 2003 • CryptoAPI support • Trusted publishers • ActiveX control security • Office 2010 • Protected View • Office File Validation • Trusted Documents • Crypto Improvements

  17. Core security improvements: file fuzzing A method to identify previously unknown vulnerabilities in file formats Office teams fuzzed millions of files 10’s of millions of times Led to hundreds of new bugs being fixed Used to create XML Schema Definitions (XSD) for binary Office files XSDs allow binary files to be quickly scanned for potential problems

  18. Industry-recognized security improvements https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html

  19. User protection starts with authentication Active Directory at the core Control user password policies across devices and services Use Group Policies to configure operating environment Extensible management with FIM, ADFS Cloud integration options Cloud managed user accounts managed via web portal On premises directory synchronized to web portal Single sign on capability using AD federation services Active Directory Cloud ID Directory Sync 1-way trust

  20. Securing users with Group Policy • Administrators can use Group Policy to mandate user settings for Office • Administrators can use settings to create highly restricted or lightly managed desktop configurations • Group Policy settings have precedence over OCT settings • Administrators can use settings to disable file formats that are not secure across the network • Over 4000 group policy control objects

  21. Service Security – Defense in Deptha risk-based, multi-dimensional approach to safeguarding services and data SECURITY MANAGEMENT Threat and vulnerability management, monitoring, and response Access control and monitoring, file/data integrity DATA Account management, training and awareness, screening USER Secure engineering (SDL), access control and monitoring, anti-malware APPLICATION Access control and monitoring, anti-malware, patch and configuration management HOST Dual-factor authentication, intrusion detection, vulnerability scanning INTERNAL NETWORK NETWORK PERIMETER Edge routers, intrusion detection, vulnerability scanning FACILITY Physical controls, video surveillance, access control

  22. Physical Security – Sample facility 24x7 guarded facility 700,000 square feet 10s of 1000s of servers Days of backup power

  23. Business Productivity Communicate and collaborate more securely using Exchange, SharePoint, Lync, and Office Visibility and Control Information Security Comprehensive Protection • Policy rules that inspectemails in transit • Integration with AD RMS to safeguard sensitive data • End-to-end encryption of communications • Integrated administration, reporting, and auditing • Granular control over user access and permissions • Mobile security policies and remote device wipe • Multi-layered protection against spam and malware • Effectiveness guaranteed by 5 financially-backed SLAs • In-product controls that help protect users from threats

  24. Common Security ConcernCustomer data at rest is not encrypted • For “sensitive” data, implementation of Active Directory Rights Management Services (RMS) • For “sensitive” externally sent/received e-mail, customers employ S/MIME • Encryption impacts service functionality (e.g. search and indexing) • Identity/key management issues The customer makes the decision

  25. Compliance with World Class Industry standards verified by 3rd parties Independently Verified

  26. Why Get Independently Verified?“I need to know Microsoft is doing the right things” Alignment and adoption of industry standards ensure a comprehensive set of practices and controls in place to protect sensitive data While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls Microsoft provides transparency This saves customers time and money, and allows Office 365 to provide assurances to customers at scale

  27. Compliance Management Framework Policy Business rules for protecting information and systems which store and process information Control Framework A process or system to assure the implementation of policy Standards System or procedural specific requirements that must be met Operating Procedures Step-by-step procedures

  28. Office 365 Compliance We are the first and only major cloud based productivity to offer the following: • ISO27001 • ISO27001 is one of the best security benchmarks available across the world. • Office 365 first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management • EU Model Clauses • Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers. • EU Model Clauses a set of stringent European Union wide data protection requirements • Data Processing Agreement • Address privacy, security and handling of Customer Data. • Going above and beyond the EU Model Clauses to address additional requirements from individual EU member states • Enables customers to comply with their local regulations.

  29. Office 365 Compliance Comply with additional industry leading standards • US Health Insurance Portability and Accountability Act • HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information • Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enables our customers to comply with HIPAA concerning protected health information. • EU Safe Harbor • EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification • Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months

  30. Compliance UpdateCompliance with Key Standards Certification Audience BPOS Standard Office 365

  31. Compliance UpdateHIPAA Business Associate Agreement (BAA) What is it? What does it cover? Who and how to get it? • HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information • To comply with HIPAA, in certain cases Microsoft is required to sign BAA with HIPAA covered entities which assures adherence to certain privacy and security requirements • Protects Protected Health Information (PHI) covering patient only information not end users • Security incident notification within 30 days of unauthorized access • Office 365 is not intended to be used as a PHI repository, customer should make their decision on how to best comply with HIPAA. More information can be found in the regulatory compliance section of the Trust Center. • Available today for all customers.

  32. demo The Office 365 Trust Center Bharath Rambadran Sr. Product Manager

  33. How To Sign Up For EU Model Clauses Office 365 Trust Center Compliance Section Link to EU Model Clause sign-up Page EU Model Clause Sign up Page • Located in MOSP Portal • Requires Admin Access • Customer enters Admin details and • Agreement I.D

  34. Step 2: Sign in to Online Services Portal

  35. Step 3: Select Contract and Accept

  36. Step 4: Confirmation Page

  37. Related Content

  38. Resources Office 365 Trust Center (http://trust.office365.com) • Office 365 Privacy Whitepaper (New!) • Office 365 Security Whitepaper and Service Description • Office 365 Standard Responses to Request for Information • Office 365 Information Security Management Framework

  39. Related Resources • Office 365 TechCenter: technet.microsoft.com/Office365 • Office Client TechCenter: technet.microsoft.com/office • Office, Office 365 and SharePoint Demo Area Includes: • Office 365 IT Pro Command Center • Office 365 Data Center Exhibit

  40. Resources Learning TechNet • Connect. Share. Discuss. • Microsoft Certification & Training Resources http://europe.msteched.com www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet http://microsoft.com/msdn

  41. Evaluations Submit your evals online http://europe.msteched.com/sessions

  42. Questions?

  43. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related