SharePoint Saturday Ottawa - How secure is my data in office 365?

1. WELCOME SHAREPOINT SATURDAY OTTAWA December 3rd, 2016 How Secure is My Data in Office 365? Antonio Maio Protiviti | Senior SharePoint Architect Microsoft Office Server and Services MVP Email: antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2

2. SPS Ottawa is made possible by our Sponsors! Platinum Gold Silver Bronze Bronze

3. Please drink responsibly . We will be happy to call a cab for you

4. How Secure is My Data in Office 365?

5. 1 security patch 9 security patches 9 security patches 2 security patches Reference: Microsoft Security Bulletins: https://technet.microsoft.com/en-us/library/security/dn631937.aspx

6. https://products.office.com/en-us/business/office-365-trust-center-operations

7. https://channel9.msdn.com/Shows/Azure-Friday/Red-vs-Blue-Internal-security-penetration-testing-of-Microsoft-Azure

8. Reference: https://www.microsoft.com/en-us/trustcenter/Compliance/default.aspx Shared Responsibility

9. In a cloud environment, security and information protection must be a Shared Responsibility.

10. Preferred secure communication protocol is TLS 1.2. • Includes all communication from the internet to Office 365 (client desktops, web browsers, apps, mobile devices, etc.) • Includes all communication between servers within the Office 365 data center • Supported protocols: TLS 1.2, 1.1 and 1.0 • When considering on premise deployments, TLS is recommended for secure communication even for intranets • Digital Certificates are completely managed by Microsoft Reference and cipher suites: https://technet.microsoft.com/en-us/library/dn569286.aspx

11. • SSL 3.0 (and earlier) has been considered insecure for years due to inherent vulnerabilities • Deprecated & removed on Dec. 1, 2014 • TLS 1.0 is now also considered insecure due to an inherent vulnerability • Maintained for now for browser compatibility • Only used when TLS 1.2 or 1.1 will not work with the client browser • Will be deprecated and removed from Office 365 later in ??? (rumor) • Regulatory standards are recognizing that SSL 3.0 and TLS 1.0 are no longer secure • Recommendations to remove these protocol versions (ex. PCI DSS standard has a deadline of June 30, 2016 to remove or have mitigation plans in place for these protocols) • On premise SharePoint 2010 and 2013: you may only disable SSL 3.0 • You may not disable TLS 1.0 without adverse side effects • Properly disabling TLS 1.0 requires upgrade to SharePoint 2016 Preferred secure communication protocol is TLS 1.2. We no longer use SSL.

12. • File level encryption strategy used to protect individuals files in the Office 365 data center

13. Files are chunked; the chunks encrypted with unique keys and randomly distributed and stored.

14. Unique keys used to encrypt chunks are themselves encrypted and stored in the content database.

15. The master key is stored in the Key Store, the most secure asset in the Microsoft Office 365 data center.

16. Keys are rotated every 24 hours.

17. An attacker needs to gain access to all 3 assets in order to decrypt a single file. • Each of these three storage components physically separate. • The information held in any one of the components is unusable on its own. • Without access to all three it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt any chunk, or reconstruct a document from its constituent chunks.

18. • OAuth - OAuth is a server-to-server authentication protocol that allows applications to authenticate to each other. With OAuth, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization is based on the exchange of security tokens, which grant access to a specific set of resources for a specific amount of time. • SAML - Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

19. Multi-factor authentication helps protect against unauthorized access to the Office 365 environment.

20. Multi-factor authentication helps protect against unauthorized access to the Office 365 environment.

21. • New integrated authentication mechanism built into Office client apps • Cross platform: Windows, Mac OS X, Windows Phone, iOS, Android • Provides advanced sign in features for the Office client applications: • Multi-Factor Authentication (MFA) • SAML third-party identity providers • Smart card • Certificate based authentication • Benefits: • Greater consistency in the user experience for users authenticating to Office 365 services and apps • Greater security across the entire Office 365 service & app suite • Microsoft Outlook no longer requires “basic authentication” Newly launched authentication protocol which became generally available in May 20, 2016.

22. • Application Supported • Office client applications: • Windows: Office 2016, Office 2013 (update in previewnow) • MacOS: Office 2016 (in previewnow) • iOS: Word, Excel & PowerPoint • Androidphone:Word, Excel &PowerPoint • Androidtablet: Word, Excel & PowerPoint (coming soon) • Windows Phone:iOS: Word, Excel & PowerPoint (coming soon) • Outlook • Windows: included with Office client • MacOS: coming soon • iOS, Android:available now • Windows Phone:coming soon • Skype for Business • Windows: included with Office client • MacOS: TBD • iOS, Android,Windows Phone:coming soon • OneDrive for Business • Windows: included with Office client • MacOS: TBD • iOS, Android,Windows Phone(8.1): coming soon • No support planned for: Office 2010 or 2007, Office for Mac 2011, Windows Phone 7, OWA for iOS or Android Modern authentication must be on-boarded for some Office 365 services and environments.

23. • Default enablement in some Office 365 services: • Exchange Online: OFF by default • SharePoint Online: ON by default • Skype for Business: OFF by default • Can be enabled via PowerShell • Support must be enabled on Office Clients and in service for Modern authentication to work • Ex. Outlook 2016 willattempt ModernAuthentication and auto-revert to Basic Authenticationif ExchangeOnlineis not enabled • Azure AD PowerShell has Modern Authentication capabilities now in public preview: http://blogs.technet.com/b/ad/archive/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands.aspx References: • ImplicationsforADFSFederatedAuth: http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to- know-before-onboarding.aspx • HowtoenableinExchangeOnline: http://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx Modern authentication must be on-boarded for some Office 365 services and environments.

24. Confidentiality Statement and Restriction for Use "This proposal contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to the client and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents of this proposal are intended for the use of the client and may not be distributed to third parties. This proposal does not constitute an agreement between Protiviti and the client. Any services Protiviti may provide to the client will be governed by the terms of a separate written agreement signed by both Protiviti and client. This proposal is based solely on information provided to us by the client, which we have not verified. Accordingly, we are not responsible for any inaccuracies in that information. Furthermore, changes in the client’s definition of requirements will necessarily affect the proposal set forth herein."