When Your CISO Says NO: Security & Compliance in Office 365
www.ceiamerica.com
CONSULTING | SOLUTIONS | RESULTS
About Me
Architect; Principal Consultant
Microsoft Solutions Division
Partner Technical Specialist (Purple Badge)
SharePoint | Office365 | Azure
www.sharepointcowbell.com
Talking Points
• CISO Objections
• The Path to Yes
• Demos
Cloud Innovation: Risks & Benefits
Pre-adoption concern
• 60% cited concerns around data security as a barrier to adoption
• 45% concerned that the cloud would result in a lack of data control
Benefits realized
• 94% experienced security benefits they didn’t previously have on-premise
• 62% said privacy protection increased as a result of moving to the cloud
SECURITY
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data
PRIVACY
COMPLIANCE
TRANSPARENCY
Source: Barriers to Cloud Adoption study, ComScore, Sept 2013
Compliance
United States: CJIS; CSA CCM; DISA; FDA CFR Title 21 Part 11; FEDRAMP; FERPA; FIPS 140-2; FISMA; HIPAA/HITECH; HITRUST; IRS 1075; ISO/IEC 27001, 27018; MARS-E; NIST 800-171; Section 508 VPATs; SOC 1, 2
United Kingdom: CSA CCM; ENISA IAF; EU Model Clauses; ISO/IEC 27001, 27018; NIST 800-171; SOC 1, 2, 3; UK G-Cloud
Spain: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2; Spain ENS; Spain LOPD Auth.
Singapore: CSA CCM; ISO/IEC 27001, 27018; MTCS; SOC 1, 2
New Zealand: CSA CCM; ISO/IEC 27001, 27018; NZCC Framework; SOC 1, 2
Japan: CSA CCM; CS Mark (Gold); FISC; ISO/IEC 27001, 27018; Japan My Number Act; SOC 1, 2
European Union: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2
China: China GB 18030; China MLPS; China TRUCS
Australia: CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
Argentina: Argentina PDPA; CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies.
Microsoft is regularly audited, submits self-assessments to independent 3rd party auditors and holds key certifications.
Comprehensive Compliance
DLP
“No. The Cloud is easier to hack/breach…”
Datacenter Security
• Perimeter, building, computer room
• Seismic bracing
• Security operations center
• 24x7 security staff
• Days of backup power
• Cameras, alarms
• Two-factor access control: biometric readers & card readers
• Barriers, fencing
“No. We can’t have our info visible on the open internet…”
Encryption
a. Data at-rest
   i. Volume-level encryption (BitLocker, AES 128-bit, FIPS-compliant)
   ii. File-level encryption (encrypted keys; minimal MS staff access in gov’t cloud)
b. Data in-transit
   i. TLS/SSL (2048-bit)
   ii. IPsec encryption
   iii. AES 256-bit
   iv. FIPS validated
• Encrypted in transit between client and service and within service data centers
• BitLocker encryption protects drives where content is stored
• Contents of each file encrypted with a unique key
• Large files are stored in parts with a unique key per part
• File contents and encryption key are stored separately
Azure RMS
• Use Azure RMS to encrypt your secret data before uploading
• Works across phones, tablets, and PCs
• Information protected both within and outside organization
Master key (Azure Key Vault)
• Master key is used to encrypt/decrypt per-file encryption keys
• You upload it to Azure Key Vault and grant access to the Office 365 service
• You can remove it or revoke access to it at any time
• If it is removed or access is revoked, SharePoint Online can no longer decrypt your content
• Does not limit/restrict SharePoint Online functionality when enabled
“No. We can’t have our info visible on the open internet…”
“No. We can’t have our info visible on the open internet…”
• Private VPN
Customers can extend their on-premises sites using VPN or dedicated ExpressRoute connections.
Customer owns and manages certificates, policies, and user access.
“No. We’ll never be able to determine Appropriate Usage by our users…”
Security and Compliance Center
• Powerful for experts, and easier for generalists to adopt
• Scenario oriented workflows with cross-cutting policies spanning features
• Powerful content discovery across Office 365 workloads
• Proactive suggestions leveraging Microsoft Security Intelligence Graph
Office 365 Auditing
Diagram of audit sources: Azure Active Directory, SharePoint Online, Power BI; Security & Compliance Center
• Opt-in for all O365 tenants
• 1 billion events collected daily
Audited Activities
https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c
Sharing
Tenant-scoped unless noted
• Allow sharing via anon access links and to authenticated external users
• Allow sharing to authenticated external users only (further limit to existing users)
• Don’t allow sharing to external users
• Limit external sharing using domains (allow and deny list); also at site collection level
• Prevent external users from sharing files, folders, sites they don’t own
• Require external users to accept sharing invitations with the same account the invitations were sent to
• Ability to choose default link type from anon, company shareable, restricted
• On OneDrive for Business only; when…
  – Users invite additional external users to shared files
  – External users accept invitations to access files
  – Anon access link is created or changed
• Prevent sharing of documents marked by DLP to external users
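As an added example that is not part of the original deck, the sharing controls above expressed as SharePoint Online Management Shell tenant settings; the "contoso" tenant, the /sites/Legal site collection and the partner domains are placeholders:

```powershell
# Added example, not from the original deck. Applies the "Sharing" slide's
# controls as SharePoint Online tenant settings. Placeholders: the "contoso"
# tenant, the /sites/Legal site collection and the partner domains.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$sharingSettings = @{
    # Authenticated external users only, limited to guests already in the directory.
    # Other levels: Disabled, ExternalUserSharingOnly, ExternalUserAndGuestSharing
    # (only the last one permits anonymous access links).
    SharingCapability                          = 'ExistingExternalUserSharingOnly'
    # Domain allow-list (BlockList is the deny-list variant); space-separated.
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner-a.example partner-b.example'
    # External users cannot re-share files, folders or sites they do not own.
    PreventExternalUsersFromResharing          = $true
    # Invitation must be accepted with the account it was sent to.
    RequireAcceptingAccountMatchInvitedAccount = $true
    # Default link = "restricted" (specific people); Internal = company shareable,
    # AnonymousAccess = anyone.
    DefaultSharingLinkType                     = 'Direct'
    # OneDrive for Business owner notifications for re-shares and accepted invitations.
    NotificationsInOneDriveForBusinessEnabled  = $true
    NotifyOwnersWhenItemsReshared              = $true
    NotifyOwnersWhenInvitationsAccepted        = $true
}
Set-SPOTenant @sharingSettings

# Site-collection override: one sensitive site gets no external sharing at all
# (a site can only be as open as the tenant, never more).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Legal" -SharingCapability Disabled

# Verify the effective tenant values before closing the change.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, PreventExternalUsersFromResharing,
    RequireAcceptingAccountMatchInvitedAccount, DefaultSharingLinkType

# "Prevent sharing of documents marked by DLP" is not a tenant sharing setting:
# it is the "Block people outside your organization" action of a DLP policy
# configured in the Security & Compliance Center.
```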
“No. ‘Need To Know’ and ‘Least Privilege’ needs to be supported…”
SharePoint Permissions – It Works
Other Considerations: Timing
• Catch It Before It Happens: the “Minority Report” method
• Catch It After It Happens: and discipline the culprit
• Minimize Issues
Catch Before
• Physical Security
• Azure RMS
• Rights Management
• Data Loss Prevention
Catch After
• Data Loss Prevention
• Auditing
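As an added example that is not part of the original deck, the "catch it after it happens" step for the auditing and sharing slides: an Exchange Online PowerShell search of the unified audit log for external-sharing events in the last seven days. It assumes the ExchangeOnlineManagement module and that audit logging (opt-in, as the deck notes) is already enabled for the tenant.

```powershell
# Added example, not from the original deck. Pulls external-sharing events
# from the Office 365 unified audit log and flattens them for review.
# Assumes the ExchangeOnlineManagement module and an audit-enabled tenant.
Connect-ExchangeOnline

$sharingOps = @(
    'SharingInvitationCreated',   # invitation sent to an external user
    'SharingInvitationAccepted',  # external user accepted an invitation
    'AnonymousLinkCreated',       # "anyone" link created
    'AddedToSecureLink',          # user added to a "specific people" link
    'SharingSet'                  # permissions on an item changed
)

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations $sharingOps -ResultSize 5000

# AuditData is a JSON string; keep the fields a reviewer needs and only the
# events that reach outside the tenant (a guest target or an anonymous link).
$external = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    if ($d.Operation -eq 'AnonymousLinkCreated' -or $d.TargetUserOrGroupType -eq 'Guest') {
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId
            Target    = $d.TargetUserOrGroupName
            Item      = $d.ObjectId
            ClientIP  = $d.ClientIP
        }
    }
}

$external | Sort-Object Time -Descending | Format-Table -AutoSize
# Export for the follow-up the deck describes (review, then discipline if warranted).
$external | Export-Csv -Path ".\external-sharing-last7d.csv" -NoTypeInformation
```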
Minimize
• Labels, Tips
• Rights Management
Putting Pieces Together
Resources
Thank You!
Ricardo Wilkins – Architect, Microsoft Solutions Division
Computer Enterprises, Inc. | www.ceiamerica.com
Office 365 Trust Center
Microsoft Trust Center
Microsoft Secure
Security Blogs on Office Blogs
Compliance Blogs on Office Blogs
Office 365 Roadmap