Andy Malone Microsoft Office 365: Security Deep Dive


Page 1

Andy Malone

Microsoft Office 365: Security Deep Dive

Page 2

Microsoft MVP (Enterprise Security)

Founder: Cybercrime Security Forum!

Microsoft International Event Speaker

MCT (18 Years)

Winner: Microsoft Speaker Idol 2006

See me speak @ Microsoft TechEd 2014

Andy Malone

Follow me on Twitter @AndyMalone

Page 3

The Extras… Follow @AndyMalone & get my SkyDrive link

Page 4

The Inevitable Questions

Security

• Is cloud computing secure?

• Are Microsoft Online Services secure?

Transparency

• Where is my data?

• Who has access to my data?

Privacy

• What does privacy at Microsoft mean?

• Are you using my data to build advertising products?

Compliance

• What certifications and capabilities does Microsoft hold?

• How does Microsoft support customer compliance needs?

• Do I have the right to audit Microsoft?

Page 5

The World is changing

• Telecoms Advancements

• Consumerization of mobile devices

• Lower costs in hardware

• Cheap, low-cost storage

• Massive growth in virtualization

• Low Cost Software development

• Easier support / licensing models

• Elasticity & Scalability

Page 6

The World is changing

• Product is evolving into a Service

• Focus is moving from “location or Work place” to “Any location”

• Huge growth in BYOD

• Users will consume data rather than use a specific device to access it

• New administration & management models. E.g. RBAC, federation

• Will bring new security challenges

Page 7

Microsoft Cloud “Trusted Service”: 4 core trust pillars

Your Privacy Matters: We respect your privacy. You know ‘where’ data resides, ‘who’ can access it, and ‘what’ we do with it.

Independently Verified: Compliance with world-class industry standards, verified by 3rd parties.

Leadership in Transparency

Relentless on Security: Excellence in cutting-edge security practices.

Page 8

Cloud Principles

Understand that this is a two-way trust

Page 9

Understand that Microsoft’s liability is capped

• Liability represents aggregate amount.

• Liability is limited to direct damages.

• Microsoft’s liability is capped at 12 months’ services fees.

• Consistent with industry standard.

Page 10

First things first - Risk

Risk Management is the name given to a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process.

It is also a methodology that helps managers make the best use of their available resources.

Page 11

The threat landscape is changing

• The number of malicious threats has increased

• Bots, spam, viruses, Trojans

• Enterprise software is very expensive, and licensing is complex

• Government snooping fears*

• Cybercrime is now big business

Page 12

Cloud Considerations

• Customer Accountability

• Multi-tenancy

• Different responsibilities

• Trust

• Operational support vs. service support

Page 13

Protecting Data

• All data & PPI must be protected against:

– Disclosure

– Destruction

– Interruption

– Modification

– Theft

• This requires the organization to create operational, technical, and physical controls to address information protection for both locally stored and hosted data.

Page 14

Page 15

Microsoft’s Data Centre Locations

Page 16

Transparency

Where is data stored?

• ‘Ship To’ address determines data center location

• Clear data maps and geographic boundary information provided

How to get notified?

• Microsoft notifies you of changes in data center locations.

Who accesses and what is accessed?

• Core Customer Data accessed only for troubleshooting and malware prevention purposes

• Core Customer Data access limited to key personnel on an exception basis.

The Microsoft strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Page 17

Data Storage & Access

• Microsoft offers transparency around location of customer data

• Microsoft adheres to the requirements of the strictest markets, such as the EU Data Protection Directive, so that it can legally store and use data in compliance with legal requirements

• Microsoft tracks major international privacy laws so we know what is coming and are ready to address it

Page 18

Page 19

Role-Based Access Control

Who: Role groups define high-level job functions, e.g. Systems Administrator, Human Resources, Compliance Officer, Help Desk. Delegate multiple roles. End-user role assignment policies for self-service.

What: Assign task-, action-, or feature-based permissions.

Where: Limit the scope of the role assignment; e.g., “Legal Department” or “Asia Offices”.
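The Who / What / Where model above, as an added example that is not from the slides: it builds a scoped, least-privilege role group in Exchange Online and then verifies it. An Exchange Online PowerShell session is assumed, and the scope, group, mailbox and domain names are placeholders.

```powershell
# Added example (not from the slides). Assumes an existing Exchange Online
# PowerShell session; "Legal Department Scope", "Legal Help Desk" and the
# contoso.com addresses are placeholders.

# WHERE: a management scope that limits write access to one department.
# Recipients outside this filter stay read-only for the role group.
New-ManagementScope -Name "Legal Department Scope" `
    -RecipientRestrictionFilter { Department -eq "Legal" }

# WHAT + WHO: a role group carrying only the roles a departmental help desk
# needs (no Organization Management), restricted to the scope above, with
# the help-desk mailbox as its first member.
New-RoleGroup -Name "Legal Help Desk" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -CustomRecipientWriteScope "Legal Department Scope" `
    -Members "helpdesk.legal@contoso.com" `
    -Description "Least-privilege recipient administration for Legal"

# Check: list the effective assignments so an auditor can confirm that every
# role assigned to the group is bound to the custom write scope.
Get-ManagementRoleAssignment -RoleAssignee "Legal Help Desk" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Detection: compare the membership of the highest-privilege built-in role
# group against an approved list, so an unexpected delegation is flagged.
$approved = @("admin.one@contoso.com")
$current  = @(Get-RoleGroupMember "Organization Management" |
              ForEach-Object { $_.PrimarySmtpAddress.ToString() })
Compare-Object -ReferenceObject $approved -DifferenceObject $current |
    Where-Object { $_.SideIndicator -eq "=>" } |
    ForEach-Object {
        Write-Warning "Unexpected Organization Management member: $($_.InputObject)"
    }
```

Run the last block on a schedule and forward the warnings to your monitoring, since role group membership changes do not otherwise surface outside the admin audit log.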

Page 20

RBAC for Office 365 Operations

Corporate Network → Office 365 Datacenter Network

Lock Box: Role Based Access Control

1. O365 Admin requests access

2. Verify eligibility by checking if: 1. Background check completed 2. Fingerprinting completed 3. Security training completed

3. Grants the least privilege required to complete the task; grants temporary privilege

4. Logged as a service request: 1. Auditable 2. Available as self-service reports

Page 21

Office 365 operations model evolution

Traditional IT

• Highly skilled, domain-specific IT (not true Tier 1)

• Success depends on static, predictable systems

Service IT

• Tiered IT

• Progressive escalations (tier-to-tier)

• “80/15/5” goal

Direct Support

• Tier 1 used for routing/escalation only

• 10-12 engineering teams provide direct support of service 24x7

Engineered Operations

• Direct escalations

• Operations applied to specific problem spaces (i.e., deployment)

• Emphasize software and automation over human processes

[Diagram: Product Team, Operations, Support and Other teams across the four models, showing Tier 1 and Tier 2 Operations between the Product Team and the Service, with software-aided processes in the Engineered Operations model]

Page 22

Demo: Office 365 RBAC & Admin

Page 23

Page 24

Microsoft Security Development Lifecycle: reduce vulnerabilities, limit exploit severity

Training

• Core Security Training

Requirements

• Establish Security Requirements

• Create Quality Gates / Bug Bars

• Security & Privacy Risk Assessment

Design

• Establish Design Requirements

• Analyze Attack Surface

• Threat Modeling

Implementation

• Use Approved Tools

• Deprecate Unsafe Functions

• Static Analysis

Verification

• Dynamic Analysis

• Fuzz Testing

• Attack Surface Review

Release

• Incident Response Plan

• Final Security Review

• Release Archive

Response

• Execute Incident Response Plan

Supporting functions

• Education: Administer and track security training

• Process: Guide product teams to meet SDL requirements

• Accountability: Establish release criteria and sign-off as part of FSR

• Ongoing Process Improvements

• Incident Response (MSRC)

Page 25

Office 365 Security

• Office 365 Built-in Security: 24-hour monitored physical hardware; isolated customer data; secure network; encrypted data; automated operations; Microsoft security best practices

• Office 365 Customer Controls

• Office 365 Independent Verification and Compliance

Page 26

Service security: Defence in depth

A risk-based, multi-dimensional approach to safeguarding services and data

• SECURITY MANAGEMENT: Threat and vulnerability management, monitoring, and response

• NETWORK PERIMETER: Edge routers, intrusion detection, vulnerability scanning

• INTERNAL NETWORK: Dual-factor authentication, intrusion detection, vulnerability scanning

• HOST: Access control and monitoring, anti-malware, patch and configuration management

• APPLICATION: Secure engineering (SDL), access control and monitoring, anti-malware

• DATA: Access control and monitoring, file/data integrity

• USER: Account management, training and awareness, screening

• FACILITY: Physical controls, video surveillance, access control

Page 27

The Snowden Effect!

Page 28

Privacy

Page 29

Privacy in Office 365

No Mingling: Choices to keep Office 365 Customer Data separate from consumer services.

Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time.

No Advertising: No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Page 30

How Privacy of Data is Protected?

Microsoft: We use customer data for just what they pay us for - to maintain and provide Office 365 Service

Use of Microsoft Online Services Customer Data, by data category (Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data):

• Operating and Troubleshooting the Service: Yes | Yes | Yes | Yes

• Security, Spam and Malware Prevention: Yes | Yes | Yes | Yes

• Improving the Purchased Service, Analytics: Yes | Yes | Yes | No

• Personalization, User Profile, Promotions: No | Yes | No | No

• Communications (Tips, Advice, Surveys, Promotions): No | No/Yes | No | No

• Voluntary Disclosure to Law Enforcement: No | No | No | No

• Advertising: No | No | No | No

Who has access, by data category (Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data):

• Operations Response Team (limited to key personnel only): Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.

• Support Organization: Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.

• Engineering: Yes. | No direct access. May be transferred during troubleshooting. | No direct access. May be transferred during troubleshooting. | No.

• Partners: With customer permission. See Partner for more information. (same for all four categories)

• Others in Microsoft: No. | No (Yes for Office 365 for small business customers for marketing purposes). | No. | No.

Page 31

Government Subpoenas

• Will Microsoft turn over my data to US companies or the US government?

– Microsoft believes customers should control their own information

– When compelled by U.S. law enforcement to produce customer records, Microsoft will first attempt to redirect these demands to the customer

– Microsoft will notify the customer unless it cannot, either because Microsoft is unable to reach the customer or is legally prohibited from doing so

– Microsoft will only produce the specific records ordered by law enforcement and nothing else

• Your organization is most likely already exposed to government jurisdiction; therefore, for many companies, moving to the cloud doesn’t represent a huge increase in risk

Page 32

Compliance

Page 33

Compliance management framework

• Policy: Business rules for protecting information and systems which store and process information

• Control Framework: A process or system to assure the implementation of policy

• Standards: System- or procedure-specific requirements that must be met

• Operating Procedures: Step-by-step procedures

Page 34

Office 365 Compliance & Standards

International Standards & Controls (all customers)

• ISO 27001

• Data Processing Agreement

• SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 (Type I & Type II) compliance

Industry-Specific Compliance & Standards

• FISMA: US Government

• HIPAA/BAA: Healthcare customers

• FERPA: EDU customers

Geography-Specific Standards (EU customers)

• EU Safe Harbor

• EU Model Clauses

Full details available at: Microsoft Office 365 Trust Center

Page 35

Addressing Audit Concerns

• Microsoft offers:

– Alignment and adoption of industry standards

– Comprehensive set of practices and controls in place to protect your data

– Focus on solutions for millions of users worldwide

– Independent third party attestations of Microsoft security, privacy, and continuity controls

• This allows Microsoft Online to provide assurances to customers at scale

Page 36

Auditing on Your Behalf

• Alignment and adoption of industry standards ensure a comprehensive set of practices and controls are in place to protect sensitive data

• While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls.

This saves customers time and money, and allows Microsoft to provide assurances to customers at scale

Page 37

Page 38

Windows Azure / Office 365 Identity Solutions

No Integration

• No Integration Required

• No Single Sign On

• User logon via Portal

• No Servers on Premise

Dirsync (Password Sync)

• Dirsync Tool – perfect for provisioning large groups of users

• No Single Sign On

• User login via Portal

• No Servers on Premise

ADFS & Dirsync (Full Single Sign On (SSO))

• Deploy Dirsync

• Implement ADFS

• Users login with WAD credentials

• Complex server infrastructure on prem

Hybrid

• Deployed as part of a Hybrid solution

Page 39

Identity Architecture and Integration Options

1. No Integration

2. Directory Data Only

3. Directory and Single sign-on (SSO)

[Diagram: Contoso customer premises (IdP directory store, Directory Sync, Active Directory Federation Server 3.0 as IdP, with a trust to the cloud) connected to the Office Subscription Services (Windows Azure Active Directory provisioning platform and authentication platform, Admin Portal/PowerShell, Office 365 Desktop Setup, Exchange Online, SharePoint Online, Lync Online)]

Page 40

Limitations of Windows AD

• Directory service implemented on MS domain networks

• Introduced in Windows 2000

• DCs authenticate and authorise users and computers in a domain

• Assigns and enforces security policies

• Deployed in a single domain or as part of a larger forest

• Can be expanded through trust relationships

• Has both physical & logical attributes

• Only one instance per domain

• Active Directory uses LDAP, Kerberos, and DNS

Page 41

WAD: Potential Issues

• Has a number of trust limitations in respect of size & complexity

• Designed primarily to manage in-house networks

• Protocol limitations, i.e. LDAP

• Customer security concerns about WAD data in the cloud (closed attributes)

• Does not natively support new cloud-based protocols

• Solution: extend AD attributes into the cloud…

Page 42

What is Windows Azure Active Directory?

• Customized Version of ADLDS / ADAM

• Every Office 365 Customer is an Azure AD Tenant

• Designed primarily to meet the needs of cloud applications

• Extends Customers Active Directory into the cloud

• Think of it as a Fish on a Hook!

• Identity as a service: essential part of Platform as a Service

Page 43

Protocols to Connect to Windows Azure AD

Protocol | Purpose | Details

• REST/HTTP directory access | Create, Read, Update, Delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0

• OAuth 2.0 | Service to service authentication; delegated access | JWT token format

• OpenID Connect | Web application authentication; rich client authentication | Under investigation; JWT token format

• SAML 2.0 | Web application authentication | SAML 2.0 token format

• WS-Federation 1.3 | Web application authentication | SAML 1.1 token format; SAML 2.0 token format; JWT token format

Page 44

• ADFS Server

• ADFS Proxy (Consider UAG)

• Deployment Options: Installed Stand Alone or as Part of a Server Farm

• Additional Servers can be added via GUI or by using FsConfig.exe JoinFarm

Page 45

Demo: Identity & Federation

Page 46

Page 47

Exchange security and protection

Protect communications

Page 48

eDiscovery

• Unified portal for data across SharePoint, Exchange, and Lync

• Role-based access eliminates IT as a bottleneck

• In-place hold prevents data loss without needing to export or back up data

Use proximity searches to understand context

Query results across Exchange and SharePoint

Laser-focused refiners to help find the data you need

Get instant statistics

Page 49

Exchange security and protection

• Stop viruses and malware: Exchange Online Protection provides multi-engine protection (anti-spam, anti-malware)

• Protect sensitive data: scan Exchange transport for sensitive content with Data Loss Prevention features; granular control on email using RMS

• Unified management and policy

Page 50

Advanced Encryption

Functionality compared across RMS in Office 365, S/MIME, ACLs (Access Control Lists), BitLocker and Cloud Encryption Gateways (CEGs):

• Data is encrypted in the cloud

• Encryption persists with content

• Protection tied to user identity

• Protection tied to policy (edit, print, do not forward, expire after 30 days)

• Secure collaboration with teams and individuals

• Native integration with my services (Content Indexing, eDiscovery, BI, Virus/Malware scanning)

• Helps meet compliance requirements

• Mitigate risk of lost or stolen hard disk

Page 51

Improved transport rule options

• New options

– Rules can be configured to run for a specific time period

– Rules can be run in Test Mode

• New filters

– Total message size

– Attachment extension keyword matching

– Sender IP address

• New actions

– Criteria-based routing

– Forced TLS routing

– Halt processing of remaining rules on a message (“Stop processing rules”)
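The options listed above in use, as an added example that is not from the slides: two rules are created in test mode with a fixed lifetime, then promoted to enforcement once message trace confirms they match what was intended. An Exchange Online PowerShell session is assumed; the partner domain, sender IP range and dates are placeholders.

```powershell
# Added example (not from the slides). Assumes an Exchange Online PowerShell
# session; partner.example, 203.0.113.0/24 and the dates are placeholders.

# Rule 1: time-bounded, in test mode (Mode Audit), so it is recorded in
# message trace but takes no action while the filters are being tuned.
# Filters: attachment extension keywords and sender IP range.
# Action: reject, and stop processing any remaining rules for the message.
New-TransportRule -Name "Partner: block executable attachments" `
    -Mode Audit `
    -ActivationDate (Get-Date "2014-06-01") `
    -ExpiryDate     (Get-Date "2014-12-31") `
    -SenderIpRanges "203.0.113.0/24" `
    -AttachmentExtensionMatchesWords "exe", "scr", "js" `
    -RejectMessageReasonText "Executable attachments are not accepted from this partner" `
    -StopRuleProcessing $true

# Rule 2: criteria-based, forced-TLS routing. Large outbound messages to the
# partner domain may only leave over TLS; if the next hop cannot negotiate
# TLS the message is deferred rather than sent in clear text.
New-TransportRule -Name "Partner: outbound TLS required" `
    -Mode Audit `
    -FromScope InOrganization `
    -RecipientDomainIs "partner.example" `
    -MessageSizeOver 10MB `
    -RouteMessageOutboundRequireTls $true

# After reviewing message trace for the audit hits, switch to enforcement.
Get-TransportRule | Where-Object { $_.Name -like "Partner:*" } |
    ForEach-Object { Set-TransportRule -Identity $_.Identity -Mode Enforce }

# Check: rules must be enabled, enforced and ordered above any catch-all
# rule, because StopRuleProcessing only short-circuits rules below it.
Get-TransportRule | Where-Object { $_.Name -like "Partner:*" } |
    Format-Table Priority, Name, State, Mode, ActivationDate, ExpiryDate -AutoSize
```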

Page 52

Information protection using RMS

Information can be protected with RMS at rest or in motion

[Diagram: data protection at rest and data protection in motion across the services]

Page 53

Rights Management Services

Persistent Protection = Encryption + Policy (access permissions, use right permissions)

• Provides identity-based protection for sensitive data

– Controls access to information across the information lifecycle

– Allows only authorized access based on trusted identity

– Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted

– Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery

Page 54

Enabling RMS in Office 365

RMS can be applied to Emails

RMS can be applied to SharePoint libraries

RMS can be applied to any Office documents

Apply RMS to content

Files are protected if they are viewed using Web apps or downloaded to a local machine

Page 55

Data Loss Prevention in Exchange

Helps to identify, monitor and protect sensitive data through deep content analysis.

Easy to use: Identify, Monitor, Protect

Page 56

Data Loss Prevention (DLP)

• Familiar rules and policy process

• In-product user policy education

• “Degrees” of policy enforcement

• Customize user notification as well as internal audit reporting

• For a single data type, create multiple rules based on recipient

• Integrated compliance experience
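The DLP points above as an added example that is not from the slides: one policy created in audit mode from a built-in template, two rules for the same data type that differ only by recipient scope and degree of enforcement, then promotion of the policy to enforcement. An Exchange Online PowerShell session is assumed; the policy, rule and report-mailbox names are placeholders.

```powershell
# Added example (not from the slides). Assumes an Exchange Online PowerShell
# session; policy/rule names and dlp-reports@contoso.com are placeholders.

# Degree 1: the policy starts in Audit mode from a built-in template, so it
# only reports matches while the rules are being validated.
New-DlpPolicy -Name "Financial data protection" `
    -Template "U.S. Financial Data" -Mode Audit

# Rule A: same data type, internal recipients. Educate the sender with a
# Policy Tip, deliver the message, and log an incident report.
New-TransportRule -Name "Card numbers - internal: notify only" `
    -DlpPolicy "Financial data protection" `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = "1" } `
    -SentToScope InOrganization `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport "dlp-reports@contoso.com" `
    -IncidentReportContent "Sender", "Recipients", "Subject", "DataClassifications", "Severity"

# Rule B: same data type, external recipients. Block unless the sender gives
# a business justification; the override itself lands in the report.
New-TransportRule -Name "Card numbers - external: block unless override" `
    -DlpPolicy "Financial data protection" `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = "1" } `
    -SentToScope NotInOrganization `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Card numbers may not leave the organisation without a justification" `
    -SetAuditSeverity High `
    -GenerateIncidentReport "dlp-reports@contoso.com" `
    -IncidentReportContent "Sender", "Recipients", "Subject", "DataClassifications", "Severity", "Override"

# Degree 2: once the audit reports look right, enforce the whole policy.
Set-DlpPolicy "Financial data protection" -Mode Enforce

# Check: every rule attached to the policy is enabled, and the two rules
# differ only in scope and notification behaviour.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "Financial data protection" } |
    Format-Table Name, State, SentToScope, NotifySender, SetAuditSeverity -AutoSize
```

Review the incident reports in the dlp-reports mailbox before enforcing: a high false-positive rate on Rule B blocks legitimate mail, while a zero match rate usually means the classification or scope is wrong.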

Page 57

Demo: Office 365 Security & Compliance

Page 58

Review

Security, Compliance, Transparency, Privacy

Page 59

The Extras… Follow @AndyMalone & get my SkyDrive link

Page 60

Thank you. Follow me on Twitter @AndyMalone

Page 61

Please evaluate the session before you leave