Meeting your Compliance objectives with ease and without incurring a high cost
Learning Gateway Conference: A look at live@edu
1. A look at Live@edu. Chris Rothwell, chris.rothwell@microsoft.com, @crothwell. 14th July 2010
2. London Grid for Learning. “Amongst the 25,000 students we have been piloting the system with, we have enabled an increase in teamwork across schools, which is extremely positive. And, practically speaking, using this service has helped schools make significant savings. We estimate the average secondary school could save around £18,000 a year using London Mail, so across the 2,500 schools in London, it’s a multi-million-pound reduction in costs.” Brian Durrant, CEO of London Grid for Learning
39. 24x7x365 phone and online support. Security layers:
- Firewalls
- Intrusion Detection System
- System Level Security
- Application Authentication
- Application Level Counter-measures
- Virus Scanning
- Separate Data Networks
- Authentication to Data
40. But…. Data Storage? Management and Control? Integration? Exit Strategies? Compliance and eSafety? Support? SLA?
41. Data Access and Integration: POP, IMAP, MAPI, ActiveSync, Windows Live, PowerShell, Exchange Web Services
44. Regulation and Compliance
- Roles and responsibilities outlined in the Terms of Use
- Managed: Customer is the data controller, Microsoft is the data processor
- Consumer: Relationship is direct between Microsoft and the students
- Email and SharePoint data stored within the EU
- Signed up to the Safe Harbour Agreement
46. Support and Uptime
- End-user support: http://help.outlook.com, email support
- IT support: 24x7 phone support, web submissions, initial response SLA based on severity
- Target uptime: 99.9%; no financially backed SLA
50. Easy to Manage. Live@edu has three management tool options to help you provision and manage your accounts, compared on speed, amount of programming required and degree of automation:
- Exchange Control Panel: a powerful web tool used to create, delete and modify user mailboxes, groups and external contacts.
- Windows PowerShell: a command-line shell and scripting language you can use to manage your organization.
- GALSync 2010 (OLMA R4): management and deployment. A highly automated tool, GALSync 2010 synchronizes your domain with your Active Directory on premises.
88. Communications and Operations Management. http://www.globalfoundationservices.com/documents/MicrosoftComplianceFramework1009.pdf
90. Enrollment, registration and configuration
1. Enroll (microsoft.com/liveatedu): domain registrar; register domain; enroll; specify administrator email; invite with link
2. Registration (eduadmin.live.com): create DNS records; select Outlook Live; create Windows Live; accept Terms of Use (ToU); wait for DNS to propagate; verify domain ownership
3. Configuration (outlook.com/ecp): configure domain; domain settings; co-branding; users & groups; membership type; SDK; mail controls; accounts; reporting
93. Identity lifecycle
New User:
- User ID creation
- Credentials issuance
- Access rights
- Application Access/Roles
Account Changes:
- Promotions
- Transfers
- New Privileges
- Attribute Changes
Password Management:
- Strong password
- Lost password
- Password Reset
Retire User:
- Delete/Freeze Accounts
- Delete/Freeze Entitlements
- Manage files & shares
Editor's Notes
London Grid, the RBC for schools across London, now has well over 100k students deployed on the service. They’ve been live on the service since the end of 2008. LGfL have deployed three services: StaffMail, LondonMail and SafeMail. StaffMail is what it sounds like: it’s for staff. LondonMail and SafeMail are both for students; the difference is that one is closed campus and one is open campus. At launch, SafeMail had a long waiting list of schools that wanted to deploy within a locked down environment. London Grid for Learning worked closely with some of the development teams to help inform some of the supervision policy capabilities that we now have within Outlook Live.
Slide Objective: Clearly define the core services that are part of the free Live@edu offer: email, storage, and collaboration services. Provide an overview of the IT and end user experience. High level overview of the business model: why are we doing this?
Talking Points: Live@edu meets and supports your users where they already are: online. Live@edu starts with a school branded and managed Windows Live ID, providing access to both IT managed email services and self managed storage & collaboration services. They have access to their “digital campus”: co-branded email and storage, as well as access to collaboration and productivity services. With Outlook Live, users can have a 10GB inbox, calendar, and contacts that they can access anywhere. Outlook Live interoperates with Live Messenger to enable users to keep in touch with friends and family using the communication methods they want to use (e-mail or chat). With SkyDrive they have an additional 25 GB of online storage space to share documents among devices and with others. Office Live Workspace enables students and faculty to create their own sites to store, access, and share documents and files. Specifically designed to work with Microsoft Office applications, Office Live Workspace has room for more than 1000 files and enhances a student’s ability to work efficiently and collaborate with peers. End users can sign on with a single identity to access these services, as well as school services you choose to integrate with. These services will be co-branded with your school logo and colors to be consistent with your brand and school identity. Students also want to share information seamlessly between services, for example viewing a fellow student’s calendar or starting a live chat from their Outlook Live account; Live@edu facilitates these seamless interactions. Live@edu also provides a great experience for the IT organization. Live@edu is secure and reliable (see talking points from the previous slide and review here).
However, on the occasion you need assistance, we provide 24x7 phone support for your IT staff. ADD BUSINESS MODEL TALKING POINTS. And it must be going through your minds: why is a profit making company like Microsoft doing this? Answer: Point out that software usage in college/school drives long term preferences for students, and we want to provide both brand awareness and brand value to students around Microsoft. Point out that education is always the trend setter in adopting new delivery mechanisms, and school plays an important role in helping solidify their partnership with Microsoft as Microsoft becomes a software and services company. Point out that we fully expect schools to see the value in adopting our premium service offerings for a certain segment. For example, we see tremendous value in schools adopting Unified Messaging and OCS for long term cost savings for faculty and staff. Similarly, data archiving is a requirement for faculty and staff; we want to ensure that we provide such capabilities through our premium service while providing the essential service to your students.
Slide Objective: Establish Microsoft as a serious cloud services player.
Slide Overview/Detailed Notes: One area that we are very conscious of is the importance of security and availability. We want to ensure that customers feel confident that we are protecting their data and that the service is highly available. Our service runs on a set of datacenters managed by a centralized organization within Microsoft that is making major investments in datacenter space and capabilities. We deploy our service on the latest hardware and network equipment in an N+1 architecture to enable failover capabilities, as well as saving your data in a separate geo-redundant location. We are regularly tested by a third party, CyberTrust, to ensure our infrastructure is secure against attacks. We follow ITIL/MOF in our operational processes and we are in the process of getting our SAS 70 audit to ensure we have the strictest level of control. Above all, we provide 24x7 IT Pro support and we have a target of 99.9% uptime, which we have met over the last 6 months for Outlook Live. Physical security is but one part of it. Since we are providing an internet based service, we ultimately need to make sure that we are protecting customers’ data in a variety of ways. We look at this as multiple layers of protection: Microsoft provides 9 layers of logical security for our customers and their service and data. Filtering Routers: these are implemented to protect against any traffic we do not see as well constructed. One of the great benefits of providing a focused service like BPOS is that we can set up the routers to protect against any form of malformed data; we block in aggregate at the edge. Firewalls are set up as deny all. Behind the firewalls we have an Intrusion Detection System, with a very sophisticated correlation engine for any intrusion alert, which we track 24 hours a day. Below the IDS, we have System Level Security.
The service operations organization has broad based, dual factor authentication. This means each individual within a support and service operations team has either some sort of secure ID card or an RSA SecurID token that is coupled with their role. Each individual must have a user ID and password and must apply a PIN with their SecurID token. Based on the role they have, we grant access per individual to the service. Application Authentication: below the System Level Security, the customers have application level authentication. We have a very sophisticated mechanism by which we provide access to data: the structure of the service gives users access to only those capabilities they are designed to have. In the reseller model, where a partner is providing the service to the customer, they have a level of application authentication that sits on top of that which the customers have. So we are able to provide a very rich set of security protocols for our customers as it relates to authentication to the different services. Microsoft, as most people know, has a good history as relates to security and trustworthy computing. Our services are designed to make sure that we apply those security methods not only to the software, but also to that software as a service. So when we do our threat modelling and follow the Windows initiative, we are thinking about our applications as if they are delivered through the Internet. We apply a significant level of counter-measures against attacks such as buffer overflows and SQL injection, and we make sure that the applications we are running are sandboxed so that you cannot gain elevated levels of access or a higher level of authentication while doing work within our application. Virus Scanning is provided for multiple sets of capabilities.
We virus scan at all of our server levels, we have intrusion detection in place at the host, and we scan our content via Microsoft Forefront. Then we have Separate Data Networks. When you look inside the data center, these are implemented in a form that breaks it apart: for example, the databases are on a separate subnet from the actual content server or anything that is an internet facing device. Even though we are an internet facing service, very few devices have direct access to the internet; all of the servers are on some form of non-routable subnet space. Finally, you are authenticated into the data. The data itself is never stored on the physical servers; we run separate data networks and the data is stored on dedicated storage devices. So the content is actually being sent from dedicated storage devices, which allows us to provide significant levels of backup as well.
Structure choice and flexibility. Choices to make about:
- What domain do you want to use? Do you want to have a shared address space? Sub domains? Top-level domain (TLD)? Another domain of your choice (ourstudentemail.com)?
- How do you want to structure user names? Anonymously? First.last.enrollment?
- Do you want to migrate accounts? Just the accounts, or the mail as well?
- How do you want to administer the domains? Do you want a single tenancy with multiple accepted domains, or multiple tenancies?
- Provisioning choices.
Slide Objective: Illustrate Live@edu’s ease of management with our management tool options.
Talking Points: We provide multiple ways to manage accounts, whether through the web (manual), the shell (programmatic or script) or through automated management agents (still not widely available but slated to come out this year). Available today, Live@edu has two management tool options for Outlook Live to help you provision and manage your accounts with ease. These options provide different levels of capability around speed, programming required, and automation, to give options for each customer.
Exchange Control Panel: Exchange Control Panel is a powerful web tool used to create, delete and modify user mailboxes, groups and external contacts. This tool is the best fit for IT managers who don’t want any programming.
Windows PowerShell: Windows PowerShell is a command-line shell and scripting language you can use to manage your organization. This tool is the best fit for schools managing a larger user base (e.g., <10K mailboxes) that do not want to pay for any software/management tools.
GAL Sync 2010: GAL Sync 2010 is a set-up-once automated solution to provision accounts from your on premises system into Outlook Live. This tool is the best fit for schools managing a large user base and wanting limited ongoing maintenance updates for provisioning.
More on GALSync: GALSync 2010 pulls user, contact, group, and dynamic distribution group data from your on premises Active Directory and replicates and synchronizes it with your Outlook Live domain.
Benefits of GALSync 2010: GALSync 2010 utilizes Microsoft Identity Lifecycle Manager (ILM) and allows you to “set it and forget it,” eliminating the hassles of manual directory synchronization. After GALSync 2010 pulls in the data, it creates, manages, and deletes accounts in Outlook Live, a process called "auto-provisioning." In addition, GALSync 2010 populates the shared address book in the corresponding Outlook Live domain.
Requirements:
- On-premises Active Directory: The user and group objects that you want to synchronize with Outlook Live will originate in your on-premises Active Directory. If you're running Exchange 2003 or a later version of Microsoft Exchange, you can use the native Exchange and Active Directory user management tools to auto-provision users. If you aren't running Active Directory on-premises, you can use components of the GALSync 2010 solution to automate address book synchronization and provisioning as part of your own customized solution. However, a customized solution isn't supported by GALSync 2010 and requires expertise with ILM 2007.
- Identity Lifecycle Manager 2007 FP1: ILM is Microsoft's identity management software solution. To run ILM 2007 FP1, you may need to purchase the appropriate license.
- Windows Server 2008: for the installation of ILM 2007 with the GALSync and auto-provisioning rule sets.
- Microsoft SQL Server: ILM 2007 FP1 requires Microsoft SQL Server to store and manage the replicated data. To run SQL Server, you have to purchase the appropriate license.
Statement of Auditing Standards 70: Type I assesses the description of the controls we have in place; Type II assesses whether they were working correctly when assessed.
ISO 27001: Information Security Management System standard. Systematically assess information security risks, threats, vulnerabilities and impact; design and implement a coherent suite of information security controls; adopt an overarching management process to ensure that the information security controls continue to meet the requirements.
The Compliance Framework pictured gives us a scalable approach to managing online security and compliance, including audit, certification and attestations. It smooths the workload for Microsoft, while giving a rigorous and managed approach that works for multiple services. The Microsoft Online Services Security and Compliance (OSSC) Team is responsible for this area. Plan, Do, Check, Act.
Delivery Reports interface
We want to emphasize that the R4 process is a streamlined and improved evolution of the R3 process…
These are the common activities around managing the lifecycle of user identities. As with any other identity, it has its beginning and its end. Accent on the dual nature of the educational sector: students AND faculty are generally stored in different data repositories. Roles can blur between student and faculty member and can reverse on several occasions.