Learning about Security and Compliance in Office 365

You will learn:
The types of businesses that are well suited for a move to the cloud
How to decide when you should make the move to the cloud
Ways the cloud can help your business meet government compliance recommendations
How storing your data in the cloud can be even more secure than storing it on premises
Why Microsoft's datacenter can be more secure than your company's datacenter
A unified discovery center for all of the following:
  E-mail (Exchange)
  Documents (SharePoint)
  IM/Chat (Lync)

Published in: Software

1. Aptera Presents: Security and Compliance in Office 365
   Mark Gordon, Enterprise Architect
   How storing your data in the cloud can be even more secure than storing it on premises

2. Agenda
   • Business security and compliance needs
   • Office 365 security and compliance
   • Demonstration of compliance capabilities
   • Next steps

3. Common Examples of Compliance Regulations
   Transparency/Audit
   • 21 CFR Part 11 Audit Trail
   • SEC
   • SAS 70 Type I and Type II
   Privacy/Non-Disclosure
   • HIPAA
   • ITAR
   • FISMA
   • FERPA
   • EU Model Clauses
   • Gramm-Leach-Bliley
   Legal
   • Hold and E-Discovery
   Notes
   • Three common types of compliance concerns
   • Most businesses will have some of all three
   • Office 365 can be part of compliant solutions for these regulations

4. Common Compliance Requirements that can be met in Office 365
   See THIS link for a framework to build your compliance plan
   Healthcare
   • HIPAA
   • FISMA
   • Legal Discovery
   • 21 CFR Part 11 Audit Trail
   High Tech/Manufacturing
   • ITAR
   • ISO 27001
   • Legal Discovery
   • EU Model Clauses
   Finance
   • PCI
   • Gramm-Leach-Bliley Act
   • Legal Discovery
   • Internal/External Audit
   Notes
   • Compliance starts with, and is most importantly, corporate policy
   • Compliance is implemented through IT systems
   • If your technology is not compliant, you are not compliant
   • Just because your technology is compliant does not make you compliant

5. Office 365 Trust Center – http://trust.office365.com
   Office 365 Compliance
   • HIPAA Business Associate Agreement
   • ISO 27001
   • EU Model Clauses
   • DPA - Data Processing Agreement
   • FISMA
   • ITAR
   • FERPA
   • External Audit

6. Office 365 Security
   • Modular Datacenters
     – No access to individual computing components
     – Very small IT staff onsite
   • Physical Access Controls
     – Biometric
     – RFID
     – Location known and recorded at all times
   • Physical Security
   • Redundancy and Disaster Recovery
   • Network

7. Security Threats and Countermeasures
   Threats
   • Stolen Password
   • Data Leakage
   • Unsecure Transport
   • Lost Devices
     – Computer
     – Mobile
     – USB Drive
   • Disk Failures
   • Internal theft of Data
   • Blind Subpoena
   • DOS / Unavailability
   Countermeasures
   • Two Factor Authentication
   • Mail Encryption
   • DLP Policy
   • Remote Device Wipe
   • Hard Drive Encryption
   • Portable File Encryption
   • Redundant Storage
   • Physical and Employee Security
   • Encryption in Transit
   • Encryption at Rest
   • Throttling / 99.98 quarterly uptime

8. Protecting from Stolen Passwords: Multi-factor Authentication
   Implementation
   • Built in to Office 365
   • Works with your locally managed AD accounts
   • Simple to implement
   • Implement for Global Administrators or any other users who have access to high-risk information
   • User can change 2nd factor method
   Requirements
   • Access to phone or mobile device
   • Options
     – Text
     – Application
     – Phone Call

9. Multi-factor Authentication Demo

10. Protecting e-mail and documents in transit: Encryption Options
   • E-mail
     – Office 365 Mail Encryption
     – TLS Transport Rules
   • Documents/Communications
     – All client traffic encrypted
       • Lync
       • Outlook
       • Office
       • Browser
   • Encrypted mail is hosted on a web server in the Microsoft Datacenter
   • Recipients get e-mail with a link to the message
   • TLS is easier for the recipient and can be secure

11. DLP - Encrypted E-mail and TLS Demo

12. Protecting against lost or stolen devices: Device Security Policy
   • Device Password
   • Remote Device Wipe
   • Bad Password Count Lockout
   • Bad Password Count Reset
   Remote Wipe
   • Can be done from any browser by the device owner or an administrator

13. Remote Device Wipe Demo

14. Protecting Files on any media or device: Information Rights Management
   • Portable Encryption
     – Works on any device or storage medium
   • Access to document can be revoked
     – Person leaves company or project
     – Document can expire
   • Granular access rights
     – Read
     – Copy
     – Print
     – Forward

15. Portable File Encryption Demo

16. E-Discovery – Hold – Retention Policy
   E-Discovery
   • Discovery Agents
   • Email, Documents, Lync
   • Search options
   • Exporting results
   In Place Hold
   • By search criteria
   • Mailbox legal hold
     – Retention period
   Retention Policy
   • Defines when items are destroyed or moved
   • Can be managed by user and/or set by policy

17. Discovery-Hold-Retention Demo

18. Encryption at Rest: BYOE – Bring Your Own Encryption
   Provider Encryption at Rest
   • Protects against
     – Physical access to disks
   • Does not protect against
     – Blind Subpoena
     – Programmatic Access to your Data
     – Administrator Access to your Data
   • Native Support for
     – Read/Write
     – Search and Index
     – Remote Access
   BYOE
   • Protects against
     – Physical access to disks
     – Blind Subpoena
     – Programmatic Access to your Data
     – Administrator Access to your Data
   • Must Allow Support for
     – Read/Write
     – Search and Index
     – Remote Access

19. BYOE Architecture (e-mail)
   Diagram: the same message (From: Mia, To: Vincent: "Vincent, attached is the customer's SSN and Credit-Card information.") is shown alternately in plaintext and as unreadable ciphertext at successive stages of its path.

20. Action Plan
   Identify Owners for
   • Document/mail retention
   • Legal Hold/Discovery
   • Compliance
   • Security Policy
   • Disaster Recovery
   Define your Corporate
   • Compliance requirements
   • Security Policy
   • Retention Policy
   • Legal/Discovery-Hold Policy
   • Disaster Recovery Plan
   Match against current systems
   • Compliance capabilities
   • Security capabilities
   • Retention capabilities
   • Legal/Discovery-Hold capabilities
   Evaluate Office 365 Capabilities
   • Compliance
   • Security
   • Availability/Recovery
   • Retention
   • Legal

21. Next Step: Free Aptera Compliance and Security Strategy Review
   Surface Winner!
   Questions? Email: secure@apterainc.com Phone: 260-739-1949

22. References
   • Free 30 day Office 365 Trial
   • Office 365 Service Updates
   • Office 365 Service Descriptions
   • Office 365 Privacy, Security and Compliance
   • Office 365 security white paper
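As an added illustration of the BYOE requirements on slides 18 and 19 (example code, not from the deck or from Office 365): the customer encrypts each message and builds a keyed blind index before upload, so the provider can still serve read/write, search and index, and remote access, while its administrator, programmatic and subpoena access paths see only ciphertext and opaque tokens. The cipher is a constructed HMAC-SHA256 counter-mode stand-in chosen so the block runs on the standard library, and the Provider class is a hypothetical model of the cloud store.

```python
import hmac, hashlib, os, re

# Constructed stand-in cipher (assumption): counter-mode keystream from HMAC-SHA256,
# used so the example runs on the standard library; a real deployment uses AES-GCM.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
def blind_index(index_key: bytes, word: str) -> str:
    # Keyed hash per word: the provider can match tokens without learning the words.
    return hmac.new(index_key, word.lower().encode(), hashlib.sha256).hexdigest()[:16]

class Provider:
    # Hypothetical cloud mail store: holds only what the customer uploads and has no keys.
    def __init__(self):
        self.store = {}
    def put(self, msg_id, blob, tokens):
        self.store[msg_id] = (blob, frozenset(tokens))
    def search(self, token):      # "search and index" served without plaintext
        return sorted(i for i, (_, t) in self.store.items() if token in t)
    def admin_read(self, msg_id):  # administrator, programmatic or subpoena access path
        return self.store[msg_id][0]

def customer_upload(provider, enc_key, idx_key, msg_id, body: str):
    words = set(re.findall(r"[a-z0-9]+", body.lower()))
    provider.put(msg_id, encrypt(enc_key, body.encode()), {blind_index(idx_key, w) for w in words})

def customer_search(provider, idx_key, word):
    return provider.search(blind_index(idx_key, word))

def demo():
    enc_key, idx_key = os.urandom(32), os.urandom(32)  # keys never leave the customer
    p = Provider()
    customer_upload(p, enc_key, idx_key, "m1",
                    "Vincent, attached is the customer's SSN and Credit-Card information.")
    customer_upload(p, enc_key, idx_key, "m2", "Lunch on Friday?")
    hits = customer_search(p, idx_key, "ssn")          # -> ["m1"]
    seen = p.admin_read("m1")                           # ciphertext only
    return hits, b"SSN" in seen, decrypt(enc_key, seen).decode()
```

Running demo() shows the search still resolving to the right message while the provider-side read returns no plaintext; only the customer, holding the key, recovers the body.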
