Internal Audit, Risk, Business & Technology Consulting
INFORMATION SECURITY IN OFFICE 365:
A SHARED RESPONSIBILITY
March 2017
Antonio Maio
Protiviti | Senior SharePoint Architect
Microsoft Office Server and Services MVP
Email: antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
SHARED RESPONSIBILITY
• Understand Cloud Provider Responsibilities
• Understand Your Responsibilities
In a cloud environment, security and information protection must be a shared responsibility: the provider secures the service, the customer secures what it puts in the service and who can reach it.
Meeting your side of that responsibility requires strong Information Governance policies and procedures.
SaaS = Office 365
PaaS = Azure App Service (Web Apps), Azure Functions
IaaS = Azure VMs
OFFICE 365 SECURITY
Capabilities & Features
• SharePoint Permissions
• Information Rights Management/Azure RMS
• External Sharing Controls
• OneDrive for Business Sharing Controls
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Multi-Factor Authentication
• Modern Authentication (ADAL)
• Retention Policies
• Site Classification
• Office 365 Trust Center
• Secure Score
• Security and Compliance Center
− Activity Monitoring/Audit Log Search
− Automatic Alerts
− Security Roles & Permissions
− Data Loss Prevention
− Advanced Security Management
− eDiscovery
− Mail Filtering/Anti-Malware/DKIM
− Advanced Threat Protection (ATP for email)
− Compliance Reports/Trust Documents/Audit Controls
• Customer Lockbox
• Threat Intelligence (preview)
• Advanced Data Governance (preview)
• Azure Information Protection
• Azure Key Vault/Bring Your Own Key (BYOK)
DEMONSTRATION
External Sharing Controls
OneDrive for Business Sharing Controls
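The deck shows these controls live in the admin portal. As an added example (not the presenter's own code) the same tenant- and site-level external sharing controls for SharePoint Online and OneDrive for Business can be set and verified from the SharePoint Online Management Shell. The tenant name contoso, the Finance site URL and the partner domain are placeholders; which parameters are available depends on the module version installed.

```powershell
# Added example: external sharing controls for SharePoint Online and OneDrive for Business,
# set with the SharePoint Online Management Shell. "contoso", the Finance site URL and
# "partner.example" are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current tenant sharing posture before changing anything.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList,
    RequireAcceptingAccountMatchInvitedAccount, PreventExternalUsersFromResharing
$before | Format-List

# 2. Tighten the tenant: authenticated external users only (no anonymous "anyone" links),
#    invitations usable only by the invited account, no re-sharing by guests,
#    internal links by default, and sharing restricted to an allow-list of partner domains.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -PreventExternalUsersFromResharing $true `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "partner.example"   # placeholder domain

# 3. A site collection can only be as permissive as the tenant, never more, so sites that
#    must never share externally get their own stricter setting.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# 4. OneDrive for Business: every user's OneDrive is a personal site collection, so the same
#    per-site control applies. Limit all of them to external users who already exist in the
#    directory (users cannot invite brand-new guests from OneDrive).
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExistingExternalUserSharingOnly }

# 5. Verify: any site collection still permitting anonymous links, and the external users
#    already present in the tenant.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
Get-SPOExternalUser -PageSize 50 | Select-Object Email, AcceptedAs, WhenCreated
```

Step 1 is deliberate: capture the "before" state so the change is auditable and reversible. The per-site settings in steps 3 and 4 only ever narrow the tenant setting from step 2, which is why the tenant value should be decided first.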
DEMONSTRATION
Office 365 Security and Compliance Center
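The Audit Log Search shown in the Security and Compliance Center demonstration is backed by the unified audit log, which is also reachable from Exchange Online remote PowerShell. As an added example (not the presenter's own code), this pulls the last week of SharePoint and OneDrive sharing events and flags the ones a reviewer cares about: anonymous links and shares to guest accounts. The admin credential is a placeholder and needs the View-Only Audit Logs (or Audit Logs) role; the operation names are the ones recorded in the unified audit log for SharePoint sharing.

```powershell
# Added example: search the Office 365 unified audit log for sharing events via the
# Exchange Online remote PowerShell session. The credential prompt is a placeholder.
$cred = Get-Credential -Message "Office 365 admin with the View-Only Audit Logs role"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Look back 7 days at SharePoint/OneDrive sharing operations. One call returns at most
# 5000 records, so page through with a fixed SessionId until a short page comes back.
$start = (Get-Date).AddDays(-7)
$end = Get-Date
$sessionId = [guid]::NewGuid().ToString()
$all = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation `
        -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated, SecureLinkCreated `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    $all += $batch
} while ($batch.Count -eq 5000)

# Each record carries its detail as a JSON blob in AuditData; extract who shared what with whom.
$events = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $_.CreationDate
        Operation  = $_.Operations
        Actor      = $d.UserId
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # Member, Guest, SecurityGroup, Partner, Anonymous
        Object     = $d.ObjectId
        SiteUrl    = $d.SiteUrl
    }
}

# Review list: anonymous links (no authentication at all) and anything shared to a guest.
$events |
    Where-Object { $_.Operation -eq "AnonymousLinkCreated" -or $_.TargetType -eq "Guest" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

Remove-PSSession $session
```

Auditing must already be enabled for the tenant for these records to exist, and events can take hours to appear in the log, so a daily run with an overlapping window is more reliable than an exact 24-hour one.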
DEMONSTRATION
Office 365 Secure Score
CUSTOMER LOCKBOX
• Customers can control whether Microsoft Office 365 engineers may have access to their tenant.
• The customer must approve each access request before a Microsoft engineer gets any access to the customer tenant.
FINAL THOUGHTS
• Understand your responsibilities
• Learn about Office 365 security capabilities
− Understand which are relevant to you and your business
• Develop a security rollout plan
• Ensure the selected security procedures (and capabilities) line up with your Information Governance plan