Andy Malone - Microsoft office 365 security deep dive


  1. Andy Malone: Microsoft Office 365 Security Deep Dive
  2. Follow me on Twitter @AndyMalone. Andy Malone: Microsoft MVP (Enterprise Security); Founder, Cybercrime Security Forum; Microsoft International Event Speaker; MCT (18 years); Winner, Microsoft Speaker Idol 2006. See me speak at Microsoft TechEd 2014.
  3. The Extras… Follow @AndyMalone & get my SkyDrive link.
  4. The Inevitable Questions
      - Privacy: What does privacy at Microsoft mean? Are you using my data to build advertising products?
      - Compliance: What certifications and capabilities does Microsoft hold? How does Microsoft support customer compliance needs? Do I have the right to audit Microsoft?
      - Transparency: Where is my data? Who has access to my data?
      - Security: Is cloud computing secure? Are Microsoft Online Services secure?
  5. The World is changing
      - Telecoms advancements
      - Consumerization of mobile devices
      - Lower costs in hardware
      - Cheap, low-cost storage
      - Massive growth in virtualization
      - Low-cost software development
      - Easier support / licensing models
      - Elasticity & scalability
  6. The World is changing
      - Product is evolving into a service
      - Focus is moving from "location or workplace" to "any location"
      - Huge growth in BYOD
      - Users will consume data rather than use a specific device to access it
      - New administration & management models, e.g. RBAC, federation
      - Will bring new security challenges
  7. Microsoft Cloud "Trusted Service": 4 core trust pillars
      - Your Privacy Matters: we respect your privacy
      - Leadership in Transparency: you know 'where' data resides, 'who' can access it, and 'what' we do with it
      - Independently Verified: compliance with world-class industry standards, verified by 3rd parties
      - Relentless on Security: excellence in cutting-edge security practices
  8. Cloud Principles: understand that this is a two-way trust.
  9. Understand that Microsoft's liability is capped: consistent with industry standard, Microsoft's liability is capped at 12 months' service fees; liability represents an aggregate amount; liability is limited to direct damages.
  10. First things first: Risk. Risk management is the name given to a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process. It is also a methodology that helps managers make best use of their available resources.
  11. The threat landscape is changing
      - The number of malicious threats has increased: bots, spam, viruses, Trojans
      - Enterprise software is very expensive and licensing is complex
      - Government snooping fears*
      - Cybercrime is now big business
  12. Cloud Considerations: customer accountability; multi-tenancy; different responsibilities; trust; operational support vs service support.
  13. Protecting Data
      - All data & PPI must be protected against: disclosure, destruction, interruption, modification, theft
      - This requires the organization to create operational, technical, and physical controls to address information protection for both local & hosted stored data.
  14. Microsoft's Data Centre Locations
  15. Transparency. The Microsoft strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.
      - Where is data stored? Clear data maps and geographic boundary information are provided; the 'Ship To' address determines the data center location.
      - Who accesses, and what is accessed? Core Customer Data is accessed only for troubleshooting and malware prevention purposes; Core Customer Data access is limited to key personnel on an exception basis.
      - How to get notified? Microsoft notifies you of changes in data center locations.
  16. Data Storage & Access
      - Microsoft offers transparency around the location of customer data
      - Microsoft adheres to the requirements of the strictest markets, like the EU Data Protection Directive, so that it can legally store and use data in compliance with legal requirements
      - Microsoft tracks major international privacy laws so we know what is coming and are ready to address it
  17. Role-Based Access Control
      - Who: role groups define high-level job functions, e.g. Systems Administrator, Human Resources, Compliance Officer
      - What: assign task-, action-, or feature-based permissions; end-user role assignment policies for self-service; delegate multiple roles
      - Where: limit the scope of the role assignment, e.g. "Legal Department" or "Asia Offices Help Desk"
  18. RBAC for Office 365 Operations: Lock Box (role-based access control). An O365 admin on the corporate network requests access to the Office 365 datacenter network; the request is logged as a service request (1. auditable, 2. available as self-service reports); eligibility is verified by checking that 1. the background check is completed, 2. fingerprinting is completed, 3. security training is completed; a temporary privilege is then granted, limited to the least privilege required to complete the task.
  19. Office 365 operations model evolution
      - Traditional IT: tiered IT (Tier 1 Operations, Tier 2 Operations, Product Team); progressive escalations (tier-to-tier); "80/15/5" goal
      - Service IT (Direct Support Operations): highly skilled, domain-specific IT (not true Tier 1); success depends on static, predictable systems; Tier 1 used for routing/escalation only; 10-12 engineering teams provide direct support of the service
      - Product Team (Engineered Operations Support): 24x7 product team operations; direct escalations; operations applied to specific problem spaces (i.e., deployment); emphasize software and automation (software-aided processes) over human processes
  20. Demo: Office 365 RBAC & Admin
  21. Microsoft Security Development Lifecycle: reduce vulnerabilities, limit exploit severity.
      - Training: Core Security Training
      - Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
      - Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
      - Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
      - Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
      - Release: Incident Response Plan; Final Security Review; Release Archive
      - Response: Execute Incident Response Plan
      - Ongoing: Education (administer and track security training); Process (guide product teams to meet SDL requirements); Accountability (establish release criteria and sign-off as part of the FSR); Incident Response (MSRC); ongoing process improvements
  22. Office 365 Security
      - Office 365 Built-in Security: Microsoft security best practices; automated operations; 24-hour monitored physical hardware; isolated customer data; encrypted data; secure network
      - Office 365 Customer Controls
      - Office 365 Independent Verification and Compliance
  23. Service security: Defence in depth. A risk-based, multi-dimensional approach to safeguarding services and data.
      - Security management: threat and vulnerability management, monitoring, and response
      - Data: access control and monitoring, file/data integrity
      - User: account management, training and awareness, screening
      - Application: secure engineering (SDL), access control and monitoring, anti-malware
      - Host: access control and monitoring, anti-malware, patch and configuration management
      - Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
      - Network perimeter: edge routers, intrusion detection, vulnerability scanning
      - Facility: physical controls, video surveillance, access control
  24. The Snowden Effect!
  25. Privacy
  26. Privacy in Office 365. At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer.
      - No Advertising: no advertising products out of Customer Data; no scanning of email or documents to build analytics or mine data.
      - Data Portability: Office 365 Customer Data belongs to the customer; customers can export their data at any time.
      - No Mingling: choices to keep Office 365 Customer Data separate from consumer services.
  27. Microsoft: we use customer data for just what they pay us for, to maintain and provide the Office 365 service.

      How Microsoft Online Services use customer data:

      | Use | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data |
      |---|---|---|---|---|
      | Operating and troubleshooting the service | Yes | Yes | Yes | Yes |
      | Security, spam and malware prevention | Yes | Yes | Yes | Yes |
      | Improving the purchased service, analytics | Yes | Yes | Yes | No |
      | Personalization, user profile, promotions | No | Yes | No | No |
      | Communications (tips, advice, surveys, promotions) | No | No/Yes | No | No |
      | Voluntary disclosure to law enforcement | No | No | No | No |
      | Advertising | No | No | No | No |

      How privacy of data is protected (who may access which data):

      | Who | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data |
      |---|---|---|---|---|
      | Operations Response Team (limited to key personnel only) | Yes, as needed. | Yes, by exception. | Yes, only as required in response to Support Inquiry. | No. |
      | Support Organization | Yes. | Yes, as needed. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. |
      | Engineering | Yes. | No direct access. May be transferred during troubleshooting. | No direct access. May be transferred during troubleshooting. | No. |
      | Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. |
      | Others in Microsoft | No. | No (Yes for Office 365 for small business customers, for marketing purposes). | No. | No. |

  28. Government Subpoenas
      - Will Microsoft turn over my data to US companies or the US government? Microsoft believes customers should control their own information. When compelled by U.S. law enforcement to produce customer records, Microsoft will first attempt to redirect these demands to the customer. Microsoft will notify the customer unless it cannot, either because Microsoft is unable to reach the customer or is legally prohibited from doing so. Microsoft will only produce the specific records ordered by law enforcement and nothing else.
      - Your organization is most likely already exposed to government jurisdiction; therefore, for many companies, moving to the cloud doesn't represent a huge increase in risk.
  29. Compliance
  30. Compliance management framework
      - Policy: business rules for protecting information and the systems which store and process information
      - Control Framework: a process or system to assure the implementation of policy
      - Standards: system- or procedure-specific requirements that must be met
      - Operating Procedures: step-by-step procedures
  31. Office 365 Compliance & Standards
      - International standards & controls (all customers): ISO 27001; Data Processing Agreement; SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance
      - Industry-specific compliance & standards: FISMA (US Government); HIPAA/BAA (healthcare customers); FERPA (EDU customers)
      - Geography-specific standards (EU customers): EU Safe Harbor; EU Model Clauses
      - Full details available at the Microsoft Office 365 Trust Center
  32. Addressing Audit Concerns. Microsoft offers: alignment and adoption of industry standards; a comprehensive set of practices and controls in place to protect your data; a focus on solutions for millions of users worldwide; independent third-party attestations of Microsoft security, privacy, and continuity controls. This allows Microsoft Online to provide assurances to customers at scale.
  33. Auditing on Your Behalf
      - Alignment and adoption of industry standards ensure a comprehensive set of practices and controls is in place to protect sensitive data
      - While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls. This saves customers time and money, and allows Microsoft to provide assurances to customers at scale.
  34. Windows Azure / Office 365 Identity Solutions
      - No Integration: no integration required; no single sign-on; user logon via portal; no servers on premise
      - Dirsync: Dirsync tool, perfect for provisioning large groups of users; no single sign-on; user login via portal; no servers on premise
      - ADFS & Dirsync, full single sign-on (SSO): deploy Dirsync; implement ADFS; users log in with WAD credentials; complex server infrastructure on-prem; deployed as part of a hybrid solution
      - Also shown: Password Sync; Hybrid
  35. Identity Architecture and Integration Options: 1. No Integration; 2. Directory Data Only; 3. Directory and Single Sign-On (SSO). Contoso customer premises: Active Directory, Federation Server 3.0 (IdP), MS Online Directory Sync, Office 365 Desktop Setup. Office 365: Windows Azure Active Directory (authentication platform, provisioning platform, IdP, directory store, trust with the on-premises IdP), Admin Portal / PowerShell, Exchange Online, SharePoint Online, Lync Online, Office Subscription Services.
  36. Limitations of Windows AD
      - Directory service implemented on MS domain networks
      - Introduced in Windows 2000
      - DCs authenticate and authorise users and computers in a domain
      - Assigns and enforces security policies
      - Deployed in a single domain or as part of a larger forest
      - Can be expanded through trust relationships
      - Has both physical & logical attributes
      - Only one instance per domain
      - Active Directory uses LDAP, Kerberos, and DNS
  37. WAD: Potential Issues
      - Has a number of trust limitations in respect to size & complexity
      - Designed primarily to manage in-house networks
      - Protocol limitations, i.e. LDAP
      - Customer security concerns about WAD data in the cloud (closed attributes)
      - Does not natively support new cloud-based protocols
      - Solution: extend AD attributes into the cloud…
  38. What is Windows Azure Active Directory?
      - Customized version of AD LDS / ADAM
      - Every Office 365 customer is an Azure AD tenant
      - Designed primarily to meet the needs of cloud applications
      - Extends the customer's Active Directory into the cloud
      - Think of it as a fish on a hook!
      - Identity as a service: an essential part of Platform as a Service
  39. Protocols to Connect to Windows Azure AD

      | Protocol | Purpose | Details |
      |---|---|---|
      | REST/HTTP directory access | Create, read, update, delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0 |
      | OAuth 2.0 | Service-to-service authentication; delegated access | JWT token format |
      | OpenID Connect | Web application authentication; rich client authentication (under investigation) | JWT token format |
      | SAML 2.0 | Web application authentication | SAML 2.0 token format |
      | WS-Federation 1.3 | Web application authentication | SAML 1.1 token format; SAML 2.0 token format; JWT token format |

  40. ADFS Server; ADFS Proxy (consider UAG). Deployment options: installed stand-alone or as part of a server farm; additional servers can be added via the GUI or by using FsConfig.exe JoinFarm.
  41. Demo: Identity & Federation
  42. Exchange security and protection: protect communications
  43. eDiscovery
      - Unified portal for data across SharePoint, Exchange, and Lync
      - Role-based access eliminates IT as a bottleneck
      - In-place hold prevents data loss without needing to export or back up data
      - Laser-focused refiners to help find the data you need; use proximity searches to understand context; get instant statistics; query results across Exchange and SharePoint
  44. Exchange security and protection
      - Anti-spam / anti-malware: stop viruses and malware; Exchange Online Protection provides multi-engine protection
      - Protect sensitive data: scan Exchange transport for sensitive content with Data Loss Prevention features; granular control on email using RMS
      - Unified management: policy
  45. Advanced Encryption: RMS in Office 365, S/MIME, BitLocker and Cloud Encryption Gateways (CEGs) compared on: data is encrypted in the cloud; encryption persists with content; protection tied to user identity; protection tied to policy ACLs (Access Control Lists); functionality (edit, print, do not forward, expire after 30 days); secure collaboration with teams and individuals; native integration with my services (content indexing, eDiscovery, BI, virus/malware scanning); helps meet compliance requirements; mitigates the risk of a lost or stolen hard disk.
  46. Improved transport rule options
      - New options: rules can be configured to run for a specific time period; rules can be run in Test Mode
      - New filters: total message size; attachment extension keyword matching; sender IP address
      - New actions: criteria-based routing; forced TLS routing; halt processing of remaining rules on a message ("Stop processing rules")
  47. Information protection using RMS: information can be protected with RMS at rest or in motion.
  48. Rights Management Services: provides identity-based protection for sensitive data
      - Controls access to information across the information lifecycle
      - Allows only authorized access based on trusted identity
      - Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted
      - Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
      - Persistent protection = encryption + policy (access permissions, use-right permissions)
  49. Enabling RMS in Office 365: apply RMS to content. RMS can be applied to emails; RMS can be applied to SharePoint libraries (files are protected if they are viewed using Web Apps or downloaded to a local machine); RMS can be applied to any Office documents.
  50. Data Loss Prevention in Exchange: helps to identify, monitor and protect sensitive data through deep content analysis. Easy to use.
  51. Integrated compliance experience: Data Loss Prevention (DLP)
      - Familiar rules and policy process
      - In-product user policy education
      - "Degrees" of policy enforcement
      - For a single data type, create multiple rules based on recipient
      - Customize user notification as well as internal audit reporting
  52. Demo: Office 365 Security & Compliance
  53. Review: Privacy, Transparency, Compliance, Security
  54. The Extras… Follow @AndyMalone & get my SkyDrive link.
  55. Thank you. Follow me on Twitter @AndyMalone
  56. Please evaluate the session before you leave.
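The transport rule options listed on slide 46 (time-limited rules, Test Mode, the size / attachment-extension / sender-IP filters, forced TLS and "stop processing rules"), written out as an added Exchange Online PowerShell example that is not part of the deck. It assumes an existing Exchange Online remote PowerShell session holding the Transport Rules role; the rule name, dates, sender IP range and connector name are placeholders.

```powershell
# Added example, not from the deck: one Exchange Online transport rule that uses the
# slide-46 options (time period, Test Mode), filters (message size, attachment
# extension, sender IP) and actions (forced TLS, stop processing rules).
# Assumes an existing Exchange Online remote PowerShell session with the Transport
# Rules role. Rule name, dates and the IP range are placeholders (203.0.113.0/24 is
# a documentation range, not a real partner).

$rule = @{
    Name                            = 'Placeholder-PartnerExecutables'
    # New options: active only for a fixed period, and in Test Mode (Audit) so that
    # matches are logged for review but none of the actions are enforced yet.
    Mode                            = 'Audit'
    ActivationDate                  = (Get-Date '2014-06-01')
    ExpiryDate                      = (Get-Date '2014-06-30')
    # New filters: every condition must match for the rule to fire.
    MessageSizeOver                 = 10MB
    AttachmentExtensionMatchesWords = 'exe', 'js', 'vbs'
    SenderIpRanges                  = '203.0.113.0/24'
    # New actions: require TLS when the message is routed outbound, and stop
    # evaluating lower-priority rules for this message.
    RouteMessageOutboundRequireTls  = $true
    StopRuleProcessing              = $true
    # Criteria-based routing would add: RouteMessageOutboundConnector = '<connector>'
}
New-TransportRule @rule

# Check: a rule left in a test mode enforces nothing. List every rule that is not
# enforcing, with its active window, so none silently expires while still "testing".
Get-TransportRule | Where-Object { $_.Mode -ne 'Enforce' } |
    Format-Table Name, State, Mode, ActivationDate, ExpiryDate, Priority -AutoSize

# Promote the same rule once the logged matches look right:
# Set-TransportRule -Identity $rule.Name -Mode Enforce
```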
