
Microsoft Office 365 Compliance Solutions



Office 365 Trust rests on three main principles, and they are realized in two distinct dimensions: built-in capabilities and customer controls.

Built-in capabilities are what we build into the service and enable by default:
We follow many best practices in the design and operation of our data centers to maintain security, privacy and compliance.

Customer controls are the ones our customers have the flexibility to implement in their own environments:
Over and above what we do in the service, where we are differentiated is in giving customers flexible controls to achieve security, privacy and compliance based on the needs of their organization. We bring over two decades of experience to building these capabilities.
Let's walk through each of these important aspects one by one.

Microsoft has deep experience building on-premises workplace environments. Using that knowledge, together with operational best practices such as regular penetration testing, we have built a security-hardened service in the cloud.

Built-in Capabilities
Physical security with 24-hour monitoring, seismic bracing, and multi-factor authentication for physical access to data centers.
Data security with features like encryption, logical isolation of customer data and strong authentication.
Operational best practices like prevent-breach and assume-breach to monitor, anticipate, and mitigate threats to protect your data.

Customer Controls
Office 365 provides unique customer controls, such as Rights Management Services and Group Policy settings, that let you tune security controls up or down based on your needs.
Microsoft is unique among major cloud service providers, with over ten years' privacy experience and a cloud-specific privacy policy that provides strong commitments to customer data safeguarding and privacy protection.

Built-in Capabilities
We contractually commit not to mine your data for advertising purposes. In fact, we do not use your data for anything other than providing you world-class services.
We are transparent about your data: where it is stored, who has access to it and when. We make this information accessible to you in
Further, we give you the flexibility that, if you decide to leave the service, you get to take your data with you. You can get more information in the Data portability section of the Trust Center –
Customer Controls
Office 365 gives you capabilities to collaborate, but also gives you the ability to regulate information sharing.
Rights management allows users to encrypt information and apply policies that give recipients explicit permission to do only what they are allowed to do with that information (like copy, share, print, etc.).
When we build features, we consider whether privacy controls need to be enabled at the admin level or at the user level.
Presence sharing with Lync allows users to let others see their online presence status, or to block it.


  1. Achieving compliance in the modern workplace with Microsoft 365. David J. Rosenthal, VP & GM, Digital Business and Microsoft Partner Sales Executive. Microsoft Technology Center, New York City, January 21, 2019
  2. Top 3 cloud concerns
     • 73% of orgs indicated security as a top challenge holding back SaaS adoption
     • 89% of orgs are required to govern content for compliance or business continuity purposes
     • 63% of orgs state that transparency challenges restrict them from growing their cloud usage
  3. Assess, Govern, Discover, Control, Audit
     • 200+ updates per day from 750 regulatory bodies
     • 45% say lack of data governance leaves organizations open to security and compliance risks
     • $9B+ spent annually on eDiscovery investigations
     • 63% of orgs say transparency is holding them back from growing cloud usage
     • 50% YoY growth in data, with increasing complexity
  4. At Microsoft, we do not take your trust for granted
     • We are serious about our commitment to protect customers in a cloud-first world.
     • We live by standards and practices designed to earn your confidence.
     • We collaborate with industry and regulators to build trust in the cloud ecosystem.
     "Businesses and users are going to embrace technology only if they can trust it." —Satya Nadella
  5. Office 365 built-in capabilities and customer controls
     • Best-in-class security, with over a decade of experience building enterprise software and online services
     • Privacy by design, with a commitment to use customers' information only to deliver services
     • Commitment to meeting industry standards and delivering a rich set of applications which enable organizational compliance
     • Transparency in our operations, so you can monitor the state of your service, track issues, and have a historical view of availability
  6. Global, hyper-scale, enterprise-grade infrastructure
     • Enterprise reliability via 100+ data centers and Microsoft's global network edge
     • No standing access to data, a transparent operational model, and a financially backed 99.9% SLA
     • Secure by design, operationalized at the physical, logical, and data layers
     • Compliance leadership with standards including ISO 27001/27018, FedRAMP, FISMA, and EU Model Clauses
  7. Commitment to meeting industry standards. Over 1,100 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies. Trust Microsoft's verified services: Microsoft is regularly audited, submits self-assessments to independent third-party auditors, and holds key certifications. Key certifications
  8. Compliance vision
     • Productivity first: educate and empower end users to be compliant without affecting productivity
     • In place: deliver rich, low-cost compliance via built-in features
     • Suite wide: easily apply compliance controls and access reports via a consistent UX across Office 365 workloads
  9. Office 365 compliance solutions: intelligent, in place and comprehensive
     • Assess: stay up to date with new regulations and your organization's compliance posture
     • Govern: govern your data and reduce risk with auto-applied labels and retention policies for sensitive and custom data types
     • Discover: investigate, hold and refine data relevant to legal cases in place, with advanced tools to reduce the total volume required for defensible review
     • Control: control data access via encryption keys and own the lockbox process, in order to ensure transparent data handling and operations
     • Audit: establish activity alerts and query audit logs directly to maintain visibility into organization activities
     Solutions: Advanced Data Governance, Compliance Manager, Advanced eDiscovery, Customer Key, Customer Lockbox, Archiving, Management Activity API
  10. Assess. How do you manage an already complex compliance landscape when standards and regulations are constantly changing? 47% of executives were unsure what data compliance standards applied to their organizations.
  11. Compliance Manager: manage your compliance from one place
     • Real-time risk assessment: an intelligent score shows your compliance posture against evolving regulations
     • Actionable insights: recommended actions to improve your data protection capabilities
     • Simplified compliance: streamlined workflow and audit-ready reports
  12. Govern. How can you govern your data to keep what you need and get rid of everything else? 41% of organizations say that enforcing a data governance policy is their biggest issue.
  13. Traditional data governance challenges. Many organizations transfer data to a third-party hosted archiving service (Exchange data → journaling → outsourced data), which has challenges:
     • Point-in-time data: captures data at a point in time, which misses any edits in place or from transport agents in flight
     • Increased risks: content may be compromised moving from one environment to another
     • Increased time: waiting for indexing increases the time required to find relevant data
     • Increased costs: having a separate copy of the data being stored significantly increases costs
     • No service-wide insights: unable to leverage service-wide machine learning to draw correlations between the data
  14. Office 365 data governance: data stays in place and does not need to be continually transferred out of Office 365, providing benefits. Advanced data governance enables organizational compliance by intelligently leveraging machine-assisted insights to find, import, classify, set policy and take action on the data most important to you.
     Building blocks of Office 365 data governance: (figure not included in the transcript)
     Personas of Office 365 data governance: IT administrator, compliance officer, records manager, information worker
  15. Data governance: core capabilities
     • Retention policies: unified retention and disposition policy for workloads in Office 365
     • Records management: end-user classification in Outlook, SharePoint, OneDrive and Groups; manual review and disposition, reporting and permissions
     • SEC 17a-4 compliant: SEC 17a-4 whitepaper covering SharePoint, OneDrive, Groups, Skype, Preservation Lock, immutability, supervisory review
     • Import: drive shipping, network upload and third-party data ingestion (Facebook, Twitter, Bloomberg) through partners to provide cross-platform compliance and governance
     • Security and Compliance Center: the Office 365 experience that brings together all compliance and security experiences
  16. Advanced Data Governance in Office 365: leverage intelligence to automate data retention and deletion
     • Automatic classification: classify data based on automatic analysis (age, user, type, sensitive data and user-provided fingerprints)
     • Intelligent policies: policy recommendations based on machine learning and cloud intelligence
     • Take action: apply actions to preserve high-value data in place and purge what's redundant, trivial or obsolete
  17. Automatic classification: apply labels to content that matches certain conditions
     • Sensitive data: over 80 built-in sensitive content types supported, such as credit cards, national identification numbers, passport numbers, etc. (1)
     • Queries: specific words or phrases, with the ability to refine your query by using search operators such as AND, OR, NOT, etc. (2)
     • Find data quickly: use Content Search in the Security & Compliance Center to find all content that's classified with a specific label
     (1) Sensitive data types are only available for SharePoint and OneDrive. (2) Queries are available across Exchange, SharePoint, OneDrive and Groups.
  18. Intelligent policies: policy recommendations based on machine learning and cloud intelligence
     • Recommended policies: the system automatically detects certain data types in documents and recommends retention policies
     • Included policies: HIPAA and US tax recommendations are currently surfaced in the Security and Compliance Center, with additional types coming
  19. Take action: apply actions to preserve high-value data in place and purge what's redundant, trivial or obsolete
     • In place: data remains in its original location and users can continue to work with their documents or mail, but a copy of the content as it existed when you initiated the policy is preserved
     • Retention: retain content in sites, mailboxes, and public folders indefinitely or for a specific duration
     • Deleting data: a retention policy can both retain and then delete data, or simply delete old data without retaining it
  20. Supervision in Advanced Data Governance: capture employee communications for examination by internal or external reviewers
  21. Disposition review and event-based retention
  22. Protecting data in the boundary-less world. Data lifecycle protection: Microsoft Information Protection (MIP) protects sensitive data throughout its lifecycle, within and outside the enterprise.
     • Native: built in within the platform itself
     • Anywhere: on premises, cloud, devices, mobile, partners, and customers
     • Lifecycle: control continuously
     • Unified: unified building blocks
     Microsoft Information Protection building blocks: Office (client/mobile, O365 services, productivity); Azure (hybrid policy, conditional access, structured data); Windows (endpoint, file system (EDP), web browser); third parties
  23. Discover. How can you effectively investigate, manage and reduce the volume of content required for defensible review? 73% of eDiscovery costs are in the review process.
  24. Beyond litigation: investigations
     • Self-service case management tools: investigators can create and manage cases, put data on hold, perform searches and export
     • Wide range of scenarios: regulatory compliance, employment law, HR, financial, internal business requirements
     • Enable collaboration: between investigators and the attorneys overseeing the case
     • Identify subjects, witnesses, custodians: search for relevant subjects, witnesses or custodians
     • Identify relevant data: search for data relevant to the investigation across Office 365 and imported data
     • Secure access: provide access based on role, delegate access, and enable security filters to scope access
  25. eDiscovery model implemented in Office 365: identify and preserve data; search for documents that might be relevant; rank documents by their relevance; organize documents and recognize topics; view and tag documents sorted by relevance and similarity; do all of these activities within a specific case
  26. Real-time indexing in Office 365: significant enhancements to increase limits across Exchange Online and SharePoint Online

     Index limit changes (Exchange Online):
       Limit                                                  Old                   New
       Maximum depth of attachments                           1                     30
       Maximum number of attachments                          10                    250
       Maximum attachment size                                32 MB                 150 MB
       Maximum annotation tokens (WordBreaker)                130,000               2 million
       Maximum body size in index (mail body + attachments)   1 million characters  67 million characters
       Maximum unique tokens in body                          10,000                1,000,000
       Maximum Excel file size                                4 MB                  4 MB (also numbers)

     Index limit changes (SharePoint Online):
       Limit                                                  Old                   New
       Maximum attachment size                                32 MB                 150 MB
       Maximum Excel file size                                4 MB                  4 MB

  27. Export options: third-party tools to extend the Office 365 eDiscovery process
  28. Actionable intelligence with Advanced eDiscovery: intelligently explore and analyze unstructured data to quickly identify what's relevant
     • Minimize: use predictive coding to train the system to find likely relevant documents and reduce what's sent to review
     • Organize: use near-duplicate detection to organize the data and email threading to reconstruct email conversations
     • Recognize: use Themes to understand the topics represented in the unstructured data set
     • Search and tagging: ad-hoc searches, the ability to save search queries, and tagging of search results with case-specific labels
  29. Office 365 eDiscovery partners: help to ensure the success, usage and adoption of all O365 compliance capabilities
  30. Control. How can I have insight into when and how Microsoft needs to access my data? 63% of executives say concerns about transparency are holding them back from growing cloud usage.
  31. Service encryption with Customer Key
     • Helps meet compliance obligations that require you to provide and manage your own keys used to encrypt Office 365 data at rest
     • Provides added control over the service's ability to reason over your data: revoking the key initiates the path towards data deletion
     • Built into the service for seamless integration, with no disruption to end users and added protections against unintended key loss
     • Auditable and verified: actions are auditable, and the controls will be verified in the next upcoming SOC audit
  32. Customer Lockbox
     • Meet compliance needs: Customer Lockbox can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization
     • Extended access control: use Customer Lockbox to control access to customer content for service operations
     • Visibility into actions: actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center
     Approval flow (diagram): Microsoft engineer submits request → Microsoft manager approves (Microsoft approved) → customer approves (customer approved) → Lockbox system grants the Microsoft engineer access to the customer's data
  33. Audit. How can I get alerts and insights into activity in my organization that may increase my risk? 50% YoY growth in organizational data, with increasing complexity and variety.
  34. Office 365 auditing (diagram): Azure Active Directory, SharePoint Online, Power BI, Security & Compliance Center. Opt-in for all O365 tenants; 1 billion events collected daily.
  35. Architecture (diagram not included in the transcript)
  36. Activity API: 300+ third-party apps; 2 TB downloaded each month. See our Microsoft IT case study for DIY ideas. Partners: AvePoint, 4ward, Sharegate, Sumologic, Symantec, Cogmotive, Palerra, JiJi Technologies, Palo Alto, Knowledge Vault, Barracuda, CloudLock, Varonis, HPE ArcSight, Rapid7, Splunk, Netskope, IBM, SkyHigh Networks, Dell
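The audit pillar (slides 9, 32 and 36) rests on the Management Activity API: auditing is turned on for the tenant, a subscription is started per content type (for example Audit.SharePoint or Audit.AzureActiveDirectory), and the consumer polls the subscription for content blobs, each of which is a JSON array of records in the API's common schema. The slides do not show what a consumer does with those records. The following Python is an added example, not code from the deck or from Microsoft: it parses a content blob and runs two sliding-window alert rules over it (many file downloads by one user, and a burst of failed sign-ins from one IP address), which is the "activity alerts" use of the API that slide 9 describes. The records are constructed sample data; the thresholds, windows and rule names are assumptions chosen for illustration. The field names used (CreationTime, Operation, Workload, UserId, ClientIP, RecordType, ObjectId) are common-schema fields, and the operations FileDownloaded, UserLoginFailed and UserLoggedIn are real SharePoint and Azure AD operation names.

```python
"""Sliding-window alert rules over Office 365 Management Activity API records.

Added example, not from the slide deck or from Microsoft. Records follow the
API's common schema; SAMPLE_BLOB below is constructed data, not tenant output.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _rec(ts, operation, user, ip, workload, record_type, **extra):
    """Build one audit record with the common-schema fields this example uses.

    Real records also carry Id, OrganizationId, UserKey, UserType, Version, ...
    RecordType 6 = SharePointFileOperation, 15 = AzureActiveDirectoryStsLogon.
    """
    rec = {"CreationTime": ts, "Operation": operation, "UserId": user,
           "ClientIP": ip, "Workload": workload, "RecordType": record_type}
    rec.update(extra)
    return rec


# Constructed content blob (the API returns each blob as a JSON array of records):
# alice pulls six files in five minutes, bob pulls one, and one IP fails to sign
# in as carol five times in twenty seconds before finally succeeding.
SAMPLE_BLOB = json.dumps(
    [_rec(f"2019-01-21T14:0{i}:15", "FileDownloaded", "alice@contoso.example",
          "198.51.100.23", "SharePoint", 6,
          ObjectId=f"https://contoso.example/sites/finance/q4-{i}.xlsx")
     for i in range(6)]
    + [_rec("2019-01-21T14:01:40", "FileDownloaded", "bob@contoso.example",
            "198.51.100.40", "SharePoint", 6,
            ObjectId="https://contoso.example/sites/hr/handbook.docx")]
    + [_rec(f"2019-01-21T14:10:{10 + 5 * i:02d}", "UserLoginFailed",
            "carol@contoso.example", "203.0.113.9", "AzureActiveDirectory", 15)
       for i in range(5)]
    + [_rec("2019-01-21T14:12:00", "UserLoggedIn", "carol@contoso.example",
            "203.0.113.9", "AzureActiveDirectory", 15)]
)


def records_from_blob(blob_text):
    """Parse one content blob into a list of records sorted by CreationTime."""
    records = json.loads(blob_text)
    # CreationTime is ISO 8601 in UTC without an offset, so string order is time order.
    return sorted(records, key=lambda r: r["CreationTime"])


def sliding_window_alerts(records, *, name, match, key, threshold, window):
    """Raise one alert per key each time `threshold` matching records fall within `window`.

    Records must be sorted by CreationTime. The per-key deque is cleared after an
    alert so that a single burst produces a single alert instead of one per record.
    """
    recent = defaultdict(deque)
    alerts = []
    for rec in records:
        if not match(rec):
            continue
        ts = datetime.fromisoformat(rec["CreationTime"])
        k = key(rec)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": name, "key": k, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()
    return alerts


# Thresholds and windows are assumptions for illustration, not Microsoft defaults.
RULES = [
    dict(name="mass_download",
         match=lambda r: r["Workload"] == "SharePoint" and r["Operation"] == "FileDownloaded",
         key=lambda r: r["UserId"], threshold=5, window=timedelta(minutes=10)),
    dict(name="login_failure_burst",
         match=lambda r: r["Operation"] == "UserLoginFailed",
         key=lambda r: r["ClientIP"], threshold=4, window=timedelta(minutes=5)),
]


def run_rules(records, rules=RULES):
    """Apply every rule to the record list and return all alerts raised."""
    alerts = []
    for rule in rules:
        alerts.extend(sliding_window_alerts(records, **rule))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(records_from_blob(SAMPLE_BLOB)):
        print(alert)
```

Run stand-alone, the block reports one mass_download alert for alice (five downloads between 14:00:15 and 14:04:15) and one login_failure_burst alert for 203.0.113.9; bob's single download and carol's eventual successful sign-in raise nothing. In a real consumer, replace SAMPLE_BLOB with the blobs fetched from the subscription's content endpoint, concatenate the records from every blob in a polling interval before running the rules (a burst can straddle two blobs), and deduplicate on each record's Id across polls so a re-delivered blob does not re-trigger an alert.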
  37. Where is my data? This interactive data map provides the specific geographic locations of our datacenters throughout the world where customer data is stored in Office 365 and Dynamics CRM Online.
  38. Let's keep in touch. © 2019 Razor Technology, LLC. @DavidJRosenthal (Slideshare). 5 Tower Bridge, 300 Barr Harbor Dr., Suite 705, West Conshohocken, PA 19428. Cell: 215.801.4430. Office: 866.RZR.DATA