The Modern Workplace Watchdog How Office 365 helps keep your data safe and your team productive.
Introduction Experts estimate that 60% of businesspeople will be working in the cloud by 2022. 1 And with good reason cloud computing allows for unprecedented agility, productivity and cost savings. But information technology, human resources and legal leaders worry that migrating to the cloud will increase their exposure to hackers and other threats. It s no surprise in light of the highly publicized and huge volume of security issues in 2014 which led to more than one billion data records breached. 2 How does an organization innovate and expand with an ever-present concern about security and compliance? That s when it s valuable to have a trusted partner like Microsoft for cloud infrastructure a partner already supporting more than one billion customers around the world with essential features that deliver enhanced security and threat mitigation. According to GSMA Intelligence, there are over 7.2 billion active SIM cards worldwide, and that number increases over 6% every year, five times faster than the human population. 3 1 Gartner. Cloud Office Questions Begin the Shift from If to When. 2015. 2 Gemalto. Gemalto Releases Findings of 2014 Breach Level Index. 2015 3 GSM Intelligence. Measuring mobile penetration. 2014. 02 The Modern Workplace Watchdog
Introduction Imagine a solution and partner that acted as a watchdog over your data and applications. With this protection in place, you could empower your organization to overcome fear and capitalize on the promise of cloud computing. Read on to learn how Office 365 can help you do all of that and actually improve data security and administrative control. Cloud computing offers many benefits The top ways businesses are using cloud to drive business transformation 4 30% 28% 32% 28% 49% Drive cost efficiencies Better enable mobile workforce Improve alignment with customers/partners 42% Better leverage data to provide insight New product development/innovation Develop new business models 37% Shift to a global shared services model 35% Faster time to market 4 KPMG. 2014 Cloud Survey Report: Elevating businesses in the cloud. 2014. 03 The Modern Workplace Watchdog
TABLE OF CONTENTS 05 09 11 13 16 19 22 Chapter 1 A Trusted Partner to Defend Your Privacy Chapter 2 Keeping Constant Watch Over Your Data Chapter 3 Data Access Requires Your Permission Chapter 4 Mobility Unleashed Chapter 5 Your Data Retriever Chapter 6 Keep What s Yours, Yours Chapter 7 Protection That Never Leaves Your Side
Chapter 1 A Trusted Partner to Defend Your Privacy
Chapter 1 A Trusted Partner to Defend Your Privacy We understand that a move to the cloud causes worry about losing control of where your data is stored, who has access to it and how it gets used. After all, the data shared between and generated by your business applications is essential to your operations. You may even be mandated to safeguard that data to comply with industry regulations. Let s be clear, some of that data is what gives your company its competitive edge; that s the last thing you want falling into the wrong hands. Here s how we handle security, privacy and compliance and give you ultimate control over your data. Privacy & the Cloud: ISO/IEC 27018 was created to allow cloud service customers control over how personally identifiable information (PII) is used. For example, it prevents PII entrusted to a cloud service provider from being used for advertising without the customer s consent. Microsoft was among the first to comply with this standard. 5 5 Stephens, Erick. Microsoft gives users confidence to move to the cloud. 2015 06 The Modern Workplace Watchdog
Chapter 1 A Trusted Partner to Defend Your Privacy Own your data Think of Office 365 as the watchdog working to guard your privacy and help prevent any unauthorized access to your data. You are the sole owner of your information we simply manage it for you; even if you decide to leave the service, you take your data with you. 07 The Modern Workplace Watchdog
Chapter 1 A Trusted Partner to Defend Your Privacy Maintain control With Office 365 s built-in privacy controls, every employee can configure Office 365 to grant or deny access to their data across any device. Even those with administrator-level status cannot access your data without your authorization (but they can make sure less proactive employees are protected). And because you can take advantage of multiple proven measures to protect your data in transit, you can better protect users and their managed devices. Stay ahead of the compliance curve Be confident about satisfying key regulations because Office 365 applications help you attain, and maintain, compliance with HIPAA, FISMA and many other regulations. We work with regulatory bodies to comply with the latest standards. Just as important, through our Compliance Center, you can easily locate and save important business content, and help Office 365 users perform their own compliance tasks. If you re resisting the cloud because of security concerns, you re running out of excuses. Forrester. Grading our 2014 Cloud Predictions. 08 The Modern Workplace Watchdog
Chapter 2 Keeping Constant Watch Over Your Data
0.2 0.4 0.6 0.8 1.0 Chapter 2 Keeping Constant Watch Over Your Data Staying ahead of digital attacks is critical to protecting your organization s data. But those security threats are continually evolving. We understand your security concerns and we take them seriously. No industry is immune from cyber attacks IT environments targeted by cyber attacks worldwide in 2014, by industry 6 Retail Food and beverage 9% 64% 27% 5% 95% You can rest easy knowing we are on constant vigil to help ensure your data s security 24/7. We continuously invest in advanced security tactics and recruit world-class experts to quickly detect intrusions, minimize their impact and recover more quickly. We call upon two highly skilled and dedicated teams of security experts: one tasked with launching simulated attacks and the other charged with detecting and defending against intrusions. By constantly testing and challenging our security capabilities, we stay abreast of emerging threats and constantly improve the security measures in Office 365. We ve adapted to today s threats, and stay ahead of the threats of tomorrow. Hospitality Finance and insurance Technology Entertainment Transportation Professional services News and media Other targets 0.0 6% 29% 65% 57% 43% 40% 60% 60% 40% 67% 33% 50% 50% 33% 67% 75% 25% 6 Trustwave. 2015 Trustwave Global Security Report. 2015. Corporate/internal network E-commerce Point-of-sale (POS) 10 The Modern Workplace Watchdog
Chapter 3 Data Access Requires Your Permission
Chapter 3 Data Access Requires Your Permission Your organization understandably wants control over access to content stored in the cloud. That s why we offer the Office 365 Customer Lockbox, a rigorous accesscontrol technology that allows you to decide who has access to your data, at what level and the actions they can take based on their roles. We ve also automated everything possible within Office 365 to prevent the need for Microsoft employees to touch your organization s data. While every tenant of the Office 365 platform adheres to the lockbox process, we offer a special add-on for the administrator seeking complete control. In the rare instances when a Microsoft engineer must examine your data to address a major problem, your explicit approval is a must. This is true even when law enforcement requests access to your organization s data. You Have the Final Word: When you receive a request for access to your organization s data in Office 365, you can scrutinize and either approve or reject it. Simply put: you control who accesses your data. 12 The Modern Workplace Watchdog
Chapter 4 Mobility Unleashed
Chapter 4 Mobility Unleashed Mobile devices like smartphones and tablets are increasingly used to access work email, calendars, contacts and documents. In other words, they play a big part in ensuring that your employees get their work done anytime, from anywhere. But as more businesses adopt a bring your own device approach to phones and tablets, keeping corporate data secure on mobile devices is becoming a top challenge. With Office 365, you can keep your personal and company apps separate using built-in mobile device management (MDM) features. These features allow you to set device security policies and access rules, wipe data and prevent unauthorized users from accessing corporate email and data on lost or stolen mobile devices. Plus, you can set security policies on all your devices and establish protocols to manage your Office 365 apps that are accessed by these devices. And you can handle all of this through the easy-to-use interface featuring a wizard-based setup allowing you to see which devices are connected to Office 365 and identify devices that have been blocked due to non-compliance. 14 The Modern Workplace Watchdog
Chapter 4 Mobility Unleashed And to better protect the data traveling between devices, Office 365 message encryption and rights management services allows any two parties to communicate securely, regardless of the servers or services between them while helping protect your data at every stage. By managing access to Office 365 data across a diverse range of phones and tablets, including ios, Android and Windows Phone devices, you can: Help secure and manage corporate resources: Apply security policies on devices that connect to Office 365 to ensure that corporate email and documents are synchronized only on phones and tablets managed by your company. Preserve productivity: Because MDM is built directly into the productivity apps your employees already know and love, you can better protect company data while keeping employees productive. According to Consumer Reports, 5.2 million smartphones were stolen or lost in 2014. 7 7 Consumer Report. Smartphone thefts drop as kill switch usage grows. 2015. 15 The Modern Workplace Watchdog
Chapter 5 Your Data Retriever
Chapter 5 Your Data Retriever While it s okay to hope for the best, it s always wise to be prepared for the worst. Time is of the essence when responding to legal actions, especially those related to your organization s innovative developments or a competitor s patent. That s why a smooth electronic discovery (or ediscovery) process the process of identifying and delivering electronic information that can be used as evidence is vital. After all, roughly three out of four discovery orders today require e-mail to be produced as part of the discovery process. 8 And the Federal Rules of Civil Procedure guidelines require you to produce this in a timely manner. 8 Osterman. The Growing Importance of E-Discovery on Your Business. 2008. 17 The Modern Workplace Watchdog
Chapter 5 Your Data Retriever Centrally manage the Office 365 Compliance Center With the Equivio Analytics equipped Office 365 Compliance Center, your organization can conduct all ediscovery in-house without the need for external parties or add-on compliance tools. The Compliance Center serves as a portal for managing ediscovery cases, providing a central place where you can discover content in Office 365 applications. Intuitive, built-in search and retention tools make it easy to quickly get up to speed learning ediscovery techniques, and to satisfy legal and business requirements with little disruption to work. Equivio Analytics equips you with an advanced coding and machine learning platform that increases the relevance of your documentation by identifying themes and eliminating the need to move data, helping to enhance protection, minimize risk and save money. Stay compliant Whether you and your colleagues need to store and access data for your daily work or to satisfy legal, corporate 18 The Modern Workplace Watchdog or government requirements, it s critical that you can do so easily and without fail. Using the robust retention and archiving tools in Office 365, you can be sure your content is retained, cataloged and accessible. With Office 365, you can: Handle compliance and retention in a single place Seamlessly access archived content to meet legal requests Manage and search archived and current email Perform compliance tasks as needed Eliminate separate archiving infrastructure By housing all of your data in one location within the Office 365 Compliance Center, you minimize unnecessary search analytics and exports and can easily apply fine-grained permissions to easily control what can and cannot be searched across all Office 365 applications. For example, you can specify certain internal sites and mailboxes that can be searched based on attributes such as their location or distribution group membership. In one case, the Financial Industry Regulatory Authority (FINRA) fined one company and some of its affiliates $1.2 million for email retention and review violations. 9 9 Cirius. FINRA fines highlights compliance problems with traditional encryption products. 2013.
Chapter 6 Keep What s Yours, Yours
Chapter 6 Keep What s Yours, Yours Worrying about accidental data breaches caused by unaware employees can keep a Chief Security Officer up all night. But expecting employees to know every data security policy and whether or not sending a certain file via email is exposing the organization to risk is impractical. Now you can protect sensitive data more easily than ever before and help stop data leakage before it starts, without affecting worker productivity. Data loss prevention at work Imagine being able to identify, monitor and protect sensitive data and even help users understand and manage data risk. Better yet, what if you could notify workers in the context of where they are working and empower them to make the right decisions when dealing with sensitive data? You can. The data loss prevention (DLP) technology embedded into Office 365 helps your employees comply with data protection policies without disrupting their normal routine. Calling upon built-in templates, you can set up and execute data loss prevention policies with little training. You can also define and adapt rules and policies to your organization s needs, such as restricting viewing to the intended recipient and limiting forwarding and printing. Plus, you can quickly respond to any data loss violations. 20 The Modern Workplace Watchdog
Chapter 6 Keep What s Yours, Yours Here s an example of DLP technology within Office 365 in action.? Picture an employee writing an email that contains sensitive information, such as a credit card number. DLP will pick up on the sensitive information and alert the employee before the message is sent. You decide which policies to apply and how to respond. For example, you could simply warn the employee about sensitive information before she sends the email. You could also completely block her from sending sensitive information, and even quarantine suspect messages. 21 The Modern Workplace Watchdog
Chapter 7 Protection That Never Leaves Your Side
Chapter 7 Protection That Never Leaves Your Side To empower everyone to do their jobs anytime and anywhere, cloud-based office productivity applications need to be accessible from virtually any device and help keep your data and enterprise environment safe from exposure and vulnerabilities. With the built-in protection offered by Office 365, you can be sure that you are taking the right steps to help keep your data secure, whether employees are in the office or working remotely. Plus, the service enables you to control access to your environments, data and applications. Sniff out suspicious activity To easily manage user access, take advantage of the cloud-based user authentication service Azure Active Directory. Simply set your personalized security policies and run our advanced thread analytics to identify and eliminate suspicious activity. Strong authentication options provide you with granular control over how users can access and use Office 365. Enable token-based authentication to services. Integrate Azure Active Directory with your on-premises Active Directory, other directory stores and identity systems, or third-party systems. Create additional authentication mechanisms. Control how users access information from specific devices or specific locations or a combination of both (for example, limiting access from public computers or from public open Wi-Fi). Exchange online protection adds advanced threat protection to safeguard against spam, malware and viruses. 23 The Modern Workplace Watchdog
Security Checklist If your organization hasn t yet moved to the cloud, it s only a matter of time. And when you make that move, you want to make sure you and your employees can work without interruption. That s why it s critical to review our top 10 things to consider when choosing a cloud provider. Use the handy checklist below to vet your options and make the best choice for your organization. Who owns the data we store in your service? Will you use our data to build advertising products? Find out if the service provider does anything with your data and in what ways it gives you control over your data. Do you offer privacy controls in your service? What privacy controls are enabled by default and are you allowed to turn off/on privacy-impacting features? Does the service provider contractually commit to its privacy and security promises? Do we have visibility into where you store our data in the service? Ask the service provider where your data is located, who can access it, and how they report on data access. What is your approach to security and which security features do you offer to protect your service from external attacks? What does the service provider do to secure its hardware, software and the physical security of its datacenters? Ask to see its policies and controls, and security verification by independent auditors. Find out which security measures the provider enacts on your behalf and which it allows you to configure to suit your own needs. How do you ensure that your service is reliable? What best practices does the service provider apply in design and operations, such as redundancy, resiliency and distributed services? Can we get our data out of your service? Find out if you can download a copy of your data at any time, for any reason, without any assistance from the service provider. Will you inform us when things change in the service, and will you let us know if our data is compromised? Make sure the service provider informs you of any important changes to the service with respect to security, privacy and compliance. What standards do you comply with? Does the service provider comply with standards like ISO 27001, FISMA and Fedramp? What are your commitments regarding keeping my service up? We offer 99.9% uptime via a financially backed SLA. Customers experiencing monthly uptimes of less than 99.9% are compensated through service credits. For more information and proof points about how Microsoft Office 365 provides assurance to customers about the questions above, please visit the Office 365 Trust Center. 24 The Modern Workplace Watchdog
2015 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. This document is provided as-is. Information and views expressed in this document, including URL and other Internet website references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. microsoft.com