Targeted Attacks. Identitycentric. Compliance. Cloud BYOD

Size: px

Start display at page:

Download "Targeted Attacks. Identitycentric. Compliance. Cloud BYOD"

Beverley James
5 years ago
Views:

2 BYOD Cloud Compliance Targeted Attacks Identitycentric The privacy and security environment is becoming more complicated, more risky and more regulated every day, and is having a substantial impact on virtually every company. Forbes, 2013

3 1 st Microsoft Data Center Microsoft Security Engineering Center - Security Development Lifecycle (SDL) SSAE-16 Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA) MSN Hotmail Active Directory Xbox Live Exchange Hosted Services (part of Office 365) Malware Protection Center SAS-70 ISO Certification Windows Azure Data Processing Agreement (DPA) CJIS Security Policy Agreement Bing/MSN Search Windows Update Microsoft Security Response Center (MSRC) Global Foundation Services (GFS) U.S.-EU Safe Harbor Bill Gates Memo Trustworthy Computing Initiative (TwC) Microsoft Online Services (MOS) Outlook.com Microsoft Security Essentials FISMA European Union Model Clauses (EUMC)

Security Best-in-class security with over a decade of experience building Enterprise software & Online services Physical and data security with access control, encryption and strong

customers to protect information Compliance Commitment to industry standards and organizational compliance Enable customers to meet global compliance standards in ISO 27001, EUMC,

E-Discovery to enable organizational compliance Privacy Privacy by design with commitment to use customers information only to provide services No mining of data for advertising

4 Security Best-in-class security with over a decade of experience building Enterprise software & Online services Physical and data security with access control, encryption and strong authentication Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats Unique customer controls with Rights Management Services to empower customers to protect information Compliance Commitment to industry standards and organizational compliance Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA Contractually commit to privacy, security and handling of customer data through Data Processing Agreements Admin Controls like Data Loss Prevention, Legal Hold, E-Discovery to enable organizational compliance Privacy Privacy by design with commitment to use customers information only to provide services No mining of data for advertising Transparency with the location of customer data, who has access and under what circumstances Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties

5 Office 365 Security Built-in Security Customer Controls Independent Verification Microsoft security best practices 24 Hour Monitored Physical Hardware Automated operations Isolated Customer Data Encrypted Data Secure Network 5

6 Office 365 Built-in Security Microsoft security best practices 24 Hour Monitored Physical Hardware Automated operations Isolated Customer Data Encrypted Data Secure Network 6

7 24 hour monitored physical hardware Seismic bracing 24x7 onsite security staff Perimeter security Fire suppression Multi-factor authentication Extensive monitoring Days of backup power Tens of thousands of servers 7

8 Isolated Customer Data Multi-tenant environment is designed to support logical isolation of data that multiple customers store in same physical hardware. Intended or unintended access of data belonging to a different customer/tenant is prevented by data isolation. DATA in Server Active Directory s organizational units keep Customer A s data isolated from Customer B s data 8

9 Automated operations O365 Admin Requests Access Office 365 Datacenter Network 9 Grants temporary Privilege Grants least privilege required to complete task. Verify eligibility by checking if 1. Background Check Completed 2. Fingerprinting Completed 3. Security Training Completed Microsoft Corporate Network

10 Secure network Network Separated Internal Network Data Encrypted External Network Networks within the Office 365 data centers are segmented. Physical separation of critical, back-end servers & storage devices from public-facing interfaces. Edge router security allows ability to detect intrusions and signs of vulnerability. 10

11 Encrypted Data Office 365 allows encryption of data both at rest & during transit. Encryption of Data at Rest and in Transit BitLocker AES Encryption on all messaging content S/MIME for messaging content in Q1 FY14 Transport Layer Security (TLS)/ Secure Sockets Layer (SSL) Third-party technology such as PGP are supported 11

12 Security Development Lifecycle Throttling to Prevent DoS Attacks Prevent Breach Mitigate Breach Microsoft security best practices Automated operations Encrypted Data 24 Hour Monitored Physical Hardware Isolated Customer Data Secure Network 12

Reduce vulnerabilities, limit exploit severity Education Process Accountability Administer and track security training Guide product teams to meet SDL requirements Establish release criteria &

13 Reduce vulnerabilities, limit exploit severity Education Process Accountability Administer and track security training Guide product teams to meet SDL requirements Establish release criteria & sign-off as part of FSR Incident Response (MSRC) Training Requirements Design Implementation Verification Release Response Core Security Training Est. Security Requirements Create Quality Gates / Bug Bars Security & Privacy Risk Assess. Establish Design Requirements Analyze Attack Surface Threat Modeling Use Approved Tools Deprecate Unsafe Functions Static Analysis Dynamic Analysis Fuzz Testing Attack Surface Review Incident Response Plan Final Security Review Release Archive Execute Incident Response Plan 13 Ongoing Process Improvements

14 Throttling to Prevent DoS attacks Exchange Online baselines normal traffic & usage Ability to recognize DoS traffic patterns Automatic traffic shaping kicks in when spikes exceed normal Mitigates: Non-malicious excessive use Buggy clients (BYOD) Admin actions DoS attacks 14

15 Prevent Breach and Assume Breach Prevent Breach Threat model Code review Security testing Security development lifecycle (SDL) Assume Breach War game exercises (NEW) Live site pentest (NEW) Centralized security logging & monitoring (NEW) Assume breach identifies & addresses significant gaps: Detect attack & penetration Respond to attack & penetration Recover from data leakage or tampering Scope ongoing live site testing of security response plans to drastically improve mean time to detection & recovery Reduce exposure to internal attack (once inside, attackers have broad access) Periodic environment post breach assessment & clean state 15

16 Assume Breach Wargame exercises Monitor emerging threats Red teaming Execute post breach Insider attack simulation Blue teaming

17 Office 365 Customer Controls Built-in Security Customer Controls Independent Verification Microsoft security best practices 24 Hour Monitored Physical Hardware Automated operations Isolated Customer Data Encrypted Data Secure Network 19

18 Data Protection in motion Data Protection in motion Information can be protected with RMS at rest or in motion Data protection at rest Data protection at rest Data protection at rest Data protection at rest

19 Functionality RMS in Office 365 S/MIME ACLs (Access Control Lists) BitLocker Cloud Encryption Gateways (CEGs) Data is encrypted in the cloud Encryption persists with content Protection tied to user identity Protection tied to Policy (edit, print, do not forward, expire after 30 days) Secure collaboration with teams and individuals Native integration with my services (Content Indexing, ediscovery, BI, Virus/Malware scanning) Lost or stolen hard disk

20 RMS can be activated right inside Office 365 Admin console Enable Rights Management in the tenant admin

21 Apply RMS to content RMS can be applied to any Office s SharePoint documents libraries Files are protected if they are viewed downloaded using to Webapps a local or machine downloaded and opened to a local machine using rich clients

22 User Access Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services Federation: Secure SAML token based authentication Password Synchronization: Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it. 24 Enables additional authentication mechanisms: Two-Factor Authentication including phone-based 2FA Client-Based Access Control based on devices/locations Role-Based Access Control

23 Commitment to industry standards and organizational compliance Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA Contractually commit to privacy, security and handling of customer data through Data Processing Agreements Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

24 Certification Status CERT MARKET REGION

25 Data Loss Prevention (DLP) Prevents Sensitive Data From Leaving Organization Provides an Alert when data such as Social Security & Credit Card Number is ed. Alerts can be customized by Admin to catch Intellectual Property from being ed out. Empower users to manage their compliance Contextual policy education Doesn t disrupt user workflow Works even when disconnected Configurable and customizable Admin customizable text and actions Built-in templates based on common regulations Import DLP policy templates from security partners or build your own 27

26 archiving and retention Preserve Search In-Place Archive Governance Hold ediscovery Secondary mailbox with separate quota Managed through EAC or PowerShell Available on-premises, online, or through EOA Automated and timebased criteria Set policies at item or folder level Expiration date shown in message Capture deleted and edited messages Time-Based In-Place Hold Granular Query-Based In-Place Hold Optional notification Web-based ediscovery Center and multi-mailbox search Search primary, In-Place Archive, and recoverable items Delegate through roles-based administration De-duplication after discovery Auditing to ensure controls are met 28

identify and stop new spam and phishing vectors in real time Easy to use Preconfigured for ease of use Integrated

27 Anti Spam/ Anti Virus Comprehensive protection Multi-engine antimalware protects against 100% of known viruses Continuously updated anti-spam protection captures 98%+ of all inbound spam Advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time Easy to use Preconfigured for ease of use Integrated administration console Granular control Mark all bulk messages as spam Block unwanted based on language or geographic origin 29

Privacy by design means that we do not use your information for anything other than providing you services No advertising products out of Customer Data No scanning of email or documents to build

28 Privacy by design means that we do not use your information for anything other than providing you services No advertising products out of Customer Data No scanning of or documents to build analytics or mine data Access to information about geographical location of data, who has access and when Notification to customers about changes in security, privacy and audit information Various customer controls at admin and user level to enable or regulate sharing If the customer decides to leave the service, they get to take to take their data and delete it in the service

29 Will you use my data to build advertising products? We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two. Who owns the data I put in your service? You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want. Learn more about data portability and how we use your data.

30 At Microsoft, our strategy is to consistently set a high bar around privacy practices that support global standards for data handling and transfer Where is Data Stored? Clear Data Maps and Geographic boundary information provided Ship To address determines Data Center Location Who accesses and What is accessed? Core Customer Data accessed only for troubleshooting and malware prevention purposes Core Customer Data access limited to key personnel on an exception basis. How to get notified? Microsoft notifies you of changes in data center locations and any changes to compliance.

31 We use customer data for just what they pay us for - to maintain and provide Office 365 Service Microsoft Online Services Customer Data 1 Usage Data Account and Address Book Data Customer Data (excluding Core Customer data) Operating and Troubleshooting the Service Yes Yes Yes Yes Security, Spam and Malware Prevention Yes Yes Yes Yes Improving the Purchased Service, Analytics Yes Yes Yes No Personalization, User Profile, Promotions No Yes No No Communications (Tips, Advice, Surveys, Promotions) No No/Yes No No Voluntary Disclosure to Law Enforcement No No No No Advertising 5 No No No No Core Customer Data Operations Response Team (limited to key personnel only) Support Organization Engineering Partners Others in Microsoft Usage Data Address Book Data Customer Data (excluding Core Customer Data * ) Core Customer Data Yes. Yes, as needed. Yes, as needed. Yes, by exception. Yes, only as required in response to Support Inquiry. Yes. With customer permission. See Partner for more information. No. Yes, only as required in response to Support Inquiry. No Direct Access. May Be Transferred During Trouble-shooting. With customer permission. See Partner for more information. No (Yes for Office 365 for small business Customers for marketing purposes). Yes, only as required in response to Support Inquiry. No Direct Access. May Be Transferred During Troubleshooting. With customer permission. See Partner for more information. No. No. No. With customer permission. See Partner for more information. No.

32 Resources Office 365 Trust Center ( Office 365 Hub ( 34

Amit Panchal Enterprise Technology Strategist

Amit Panchal Enterprise Technology Strategist amitp@microsoft.com Who is Amit Panchal IT Industry Personal Education Executive Experience MORE DEVICES I love my PC, my phone, and my slate. MORE MOBILE