BYOD

The privacy and security environment is becoming more complicated, more risky

and more regulated every day, and is having a substantial

impact on virtually every company.

Forbes, 2013

Cloud Targeted

AttacksCompliance

““

Identity-

centric

Exchange Hosted

Services (part of Office

365)

Hotmail

SSAE-16

U.S.-EU Safe Harbor

European Union

Model Clauses

(EUMC)

Health Insurance Portability and

Accountability Act Business

Associate Agreement (HIPAA BAA)

Data Processing

Agreement (DPA)Active Directory

Microsoft Security Response

Center (MSRC)

Global Foundation

Services (GFS)

ISO 27001

Certification

Microsoft Security

Essentials

1st Microsoft

Data Center

Trustworthy Computing

Initiative (TwC)

Microsoft Security Engineering

Center - Security Development

Lifecycle (SDL)

Xbox Live

MSN

Bill Gates Memo

Windows Azure

FISMA

Windows

Update

Malware

Protection

Center

SAS-70

Microsoft Online

Services (MOS)

CJIS Security

Policy

Agreement

2005 2010 2013

Bing/MSN

Search

1989 1995 2000

Outlook.com

Security Best-in-class security with over a decade of experience building Enterprise software & Online services

• Physical and data security with access control, encryption and strong authentication

• Security best practices like penetration testing, Defense-in-depth to protect against cyber-threats

• Unique customer controls with Rights Management Services to empower customers to protect information

Compliance Commitment to industry standards and organizational compliance

• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA

• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements

• Admin Controls like Data Loss Prevention, Legal Hold, E-Discovery to enable organizational compliance

Privacy Privacy by design with commitment to use customers’ information only to provide services

• No mining of data for advertising

• Transparency with the location of customer data, who has access and under what circumstances

• Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties

Built-in Security

Customer Controls

Independent Verification

Office 365 Security

5

24 Hour

Monitored

Physical

Hardware

Isolated

Customer Data

Secure

NetworkEncrypted Data

Automated

operations

Microsoft

security best

practices

Office 365 Built-in Security

6

24 Hour

Monitored

Physical

Hardware

Isolated

Customer Data

Secure

NetworkEncrypted Data

Automated

operations

Microsoft

security best

practices

24 hour monitored physical hardware

Seismic bracing

24x7 onsite security staff

Days of backup power

Tens of thousands of servers

Perimeter security

Extensive monitoring

Multi-factor authentication

Fire suppression

7

Isolated Customer Data

DATA in Server

Multi-tenant environment is designed to support logical isolation of data that multiple customers store in same physical hardware.

Intended or unintended access of data belonging to a different customer/tenant is prevented by data isolation.

Active Directory’s organizational units keep Customer A’s data isolated from Customer B’s data

8

Automated operations

9

Office 365 Datacenter Network

Microsoft Corporate Network

Grants least privilege required

to complete task.

Verify eligibility by checking if

1. Background Check

Completed

2. Fingerprinting Completed

3. Security Training Completed

O365 Admin

Requests Access

Grants temporary

Privilege

Secure network

Internal Network External Network

Network

Separated

Data

Encrypted

Networks within the Office 365 data centers are segmented.

Physical separation of critical, back-end servers & storage devices from public-facing interfaces.

Edge router security allows ability to detect intrusions and signs of vulnerability.

10

Encrypted Data

Encryption of Data at Rest and in Transit

BitLocker AES Encryption on all messaging content

S/MIME for Email messaging content in Q1 FY14

Transport Layer Security (TLS)/ Secure Sockets Layer (SSL)

Third-party technology such as PGP are supported

Office 365 allows encryption of data both at rest & during transit.

11

24 Hour

Monitored

Physical

Hardware

Isolated

Customer Data

Secure Network

Encrypted

Data

Automated

operations

12

Microsoft security best

practices

Security Development Lifecycle

Throttling to Prevent DoS Attacks

Prevent Breach

Mitigate Breach

Reduce vulnerabilities, limit exploit severity

Ongoing Process Improvements

Training Requirements Design Implementation Verification Release Response

Education

Administer and track security training

Process

Guide product teams to meet SDL requirements

Accountability

Establish release criteria & sign-off as part of FSR

IncidentResponse (MSRC)

Core SecurityTraining

Est. SecurityRequirements

Create Quality Gates / Bug Bars

Security & Privacy Risk Assess.

Establish DesignRequirements

Analyze AttackSurface

ThreatModeling

Use Approved Tools

Deprecate UnsafeFunctions

Static Analysis

Dynamic Analysis

Fuzz Testing

Attack Surface Review

Incident Response Plan

Final Security Review

Release Archive

Execute IncidentResponse Plan

13

Exchange Online baselines normal traffic & usage

Ability to recognize DoS traffic patterns

Automatic traffic shaping kicks in when spikes exceed normal

Mitigates: • Non-malicious excessive use

• Buggy clients (BYOD)

• Admin actions

• DoS attacks

Throttling to Prevent DoS attacks

14

15

• Assume Breach

War game exercises (NEW)

Live site pentest (NEW)

Centralized security

logging & monitoring (NEW)

Prevent Breach

Threat model

Code review

Security development

lifecycle (SDL)

Security testing

Assume breach identifies & addresses

significant gaps:

Detect attack & penetration

Respond to attack & penetration

Recover from data leakage or tampering

Scope ongoing live site testing of security

response plans to drastically improve mean

time to detection & recovery

Reduce exposure to internal attack

(once inside, attackers have broad access)

Periodic environment post breach

assessment & clean state

Prevent Breach and Assume Breach

• Wargame• exercises

Blueteaming

Redteaming

Monitor emerging threats

Executepost breach

Insider attack simulation

Assume Breach

Office 365 Customer Controls

24 Hour

Monitored

Physical

Hardware

Isolated

Customer Data

Secure

NetworkEncrypted Data

Automated

operations

Microsoft

security best

practices

Built-in Security

Customer Controls

Independent Verification

19

Data protection at rest

Data protection at rest

Data protection at rest

Data Protection in motion Data Protection in motion

Information can

be protected

with RMS at rest

or in motion

Data protection at rest

FunctionalityRMS in

Office 365S/MIME

ACLs

(Access Control

Lists)

BitLocker

Cloud

Encryption

Gateways (CEGs)

Data is encrypted in the cloud

Encryption persists with content

Protection tied to user identity

Protection tied to Policy (edit, print, do not forward, expire after 30 days)

Secure collaboration with teams and individuals

Native integration with my services (Content Indexing, eDiscovery, BI, Virus/Malware scanning)

Lost or stolen hard disk

RMS can be activated right inside Office 365 Admin console

Enable Rights Management in the tenant admin

RMS can be applied to Emails

Apply RMS to content

RMS can be applied to SharePoint libraries

Files are protected if they are viewed using Webappsor downloaded to a local machine

RMS can be applied to SharePoint libraries

Files are protected if they are downloaded to a local machine and opened using rich clients

RMS can be applied to any Office documents

User Access

Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services

• Federation: Secure SAML token based authentication

• Password Synchronization: Only a one way hash of the password will be synchronized to WAAD such that the original password cannot be reconstructed from it.

Enables additional authentication mechanisms:• Two-Factor Authentication – including phone-based 2FA

• Client-Based Access Control based on devices/locations

• Role-Based Access Control

24

• Enable customers to meet global compliance

standards in ISO 27001, EUMC, HIPAA, FISMA

• Contractually commit to privacy, security and

handling of customer data through Data

Processing Agreements

• Admin Controls like Data Loss Prevention,

Archiving, E-Discovery to enable organizational

compliance

Commitment to industry standards and organizational compliance

Certification Status

CERT MARKET REGION

26

Data Loss Prevention (DLP)

Prevents Sensitive Data From Leaving Organization

Provides an Alert when data such as Social Security & Credit Card Number is emailed.

Alerts can be customized by Admin to catch Intellectual Property from being emailed out.

Empower users to manage their compliance• Contextual policy education

• Doesn’t disrupt user workflow

• Works even when disconnected

• Configurable and customizable

• Admin customizable text and actions

• Built-in templates based on common regulations

• Import DLP policy templates from security partners or

build your own

27

Email archiving and retention

Preserve Search

Secondary mailbox with

separate quota

Managed through EAC

or PowerShell

Available on-premises,

online, or through EOA

Automated and time-

based criteria

Set policies at item or

folder level

Expiration date shown

in email message

Capture deleted and

edited email messages

Time-Based In-Place

Hold

Granular Query-Based

In-Place Hold

Optional notification

Web-based eDiscovery Center

and multi-mailbox search

Search primary, In-Place

Archive, and recoverable items

Delegate through roles-based

administration

De-duplication after discovery

Auditing to ensure controls

are met

In-Place Archive Governance Hold eDiscovery

28

Anti Spam/ Anti Virus

Comprehensive protection• Multi-engine antimalware protects against 100% of known viruses

• Continuously updated anti-spam protection captures 98%+ of all inbound spam

• Advanced fingerprinting technologies that identify and stop new spam and

phishing vectors in real time

Easy to use

• Preconfigured for ease of use

• Integrated administration console

Granular control

• Mark all bulk messages as spam

• Block unwanted email based on language or geographic origin

29

Privacy by design means that we do not use your information for

anything other than providing you services

• No advertising products out of

Customer Data

• No scanning of email or documents to

build analytics or mine data

• Various customer controls at admin and

user level to enable or regulate sharing

• If the customer decides to leave the

service, they get to take to take their

data and delete it in the service

• Access to information about

geographical location of data, who has

access and when

• Notification to customers about

changes in security, privacy and audit

information

We do not mine your data for advertising purposes. It is our policy to not use your data for

purposes other than providing you productivity services.

We design our Office 365 commercial services to be separate from our consumer services so

that there is no mixing of data between the two.

You own your data and retain the rights, title, and interest in the data you store in Office 365.

You can take your data with you, whenever you want.

Learn more about data portability and how we use your data.

Who owns the data I put in your service?

Will you use my data to build advertising products?

Microsoft notifies you of changes in data center locations and any changes to compliance.

Core Customer Data accessed only for troubleshooting and malware prevention purposes

Core Customer Data access limited to key personnel on an exception basis.

How to get notified?

Who accesses and What is accessed?

Clear Data Maps and Geographic boundary information provided

‘Ship To’ address determines Data Center Location

Where is Data Stored?

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Microsoft Online Services Customer Data1 Usage DataAccount andAddress Book Data

Customer Data (excluding Core Customer data)

CoreCustomer Data

Operating and Troubleshooting the Service Yes Yes Yes Yes

Security, Spam and Malware Prevention Yes Yes Yes Yes

Improving the Purchased Service, Analytics Yes Yes Yes No

Personalization, User Profile, Promotions No Yes No No

Communications (Tips, Advice, Surveys, Promotions) No No/Yes No No

Voluntary Disclosure to Law Enforcement No No No No

Advertising5 No No No No

We use customer data for just what they pay us for - to maintain and provide Office 365 Service

Usage Data Address Book DataCustomer Data (excluding Core Customer Data*)

Core Customer Data

Operations Response Team (limited to key personnel only)

Yes. Yes, as needed. Yes, as needed. Yes, by exception.

Support OrganizationYes, only as required in response to Support Inquiry.

Yes, only as required in response to Support Inquiry.

Yes, only as required in response to Support Inquiry.

No.

Engineering Yes.No Direct Access. May Be Transferred During Trouble-shooting.

No Direct Access. May Be Transferred During Trouble-shooting.

No.

PartnersWith customer permission. See Partner for more information.

With customer permission. See Partner for more information.

With customer permission. See Partner for more information.

With customer permission. See Partner for more information.

Others in Microsoft No.No (Yes for Office 365 for small business Customers for marketing purposes).

No. No.

Resources Office 365 Trust Center (http://trust.office365.com)

Office 365 Hub (http://infopedia/Pages/MOD-Office-365-Security.aspx)

34