Aptera Presents: Security and Compliance in Office 365
Mark Gordon, Enterprise Architect
How storing your data in the cloud can be even more secure than storing it on premises
Jun 08, 2015
Agenda
• Business Security and Compliance needs
• Office 365 Security and Compliance
• Demonstration of Compliance Capabilities
• Next Steps
Common Examples of Compliance Regulations
Transparency/Audit
• 21 CFR Part 11 Audit Trail
• SEC
• SAS 70 Type I and Type II
Privacy/Non-Disclosure
• HIPAA
• ITAR
• FISMA
• FERPA
• EU Model Clauses
• Gramm-Leach-Bliley
Legal
• Hold and eDiscovery
• Three common types of compliance concerns
• Most businesses will have some of all three
• Office 365 can be part of compliant solutions for these regulations
Common Compliance Requirements that can be met in Office 365
See THIS link for a framework to build your compliance plan
Healthcare
• HIPAA
• FISMA
• Legal Discovery
• 21 CFR Part 11 Audit Trail
High Tech/Manufacturing
• ITAR
• ISO 27001
• Legal Discovery
• EU Model Clauses
Finance
• PCI
• Gramm–Leach–Bliley Act
• Legal Discovery
• Internal/External Audit
• Compliance starts with, and is most importantly, corporate policy
• Compliance is implemented through IT systems
• If your technology is not compliant, you are not compliant
• Just because your technology is compliant does not make you compliant
Office 365 Trust Center – http://trust.office365.com
Office 365 Compliance
• HIPAA Business Associate Agreement
• ISO 27001
• EU Model Clauses
• DPA-Data Processing Agreement
• FISMA
• ITAR
• FERPA
• External Audit
Office 365 Security
• Modular Datacenters
  – No access to individual computing components
  – Very small IT staff onsite
• Physical Access Controls
  – Biometric
  – RFID
  – Location known and recorded at all times
• Physical Security
• Redundancy and Disaster Recovery
• Network
Security Threats and Countermeasures
Threats
• Stolen Password
• Data Leakage
• Unsecure Transport
• Lost Devices
  – Computer
  – Mobile
  – USB Drive
• Disk Failures
• Internal theft of Data
• Blind Subpoena
• DOS / Unavailability
Countermeasures
• Two Factor Authentication
• Mail Encryption
• DLP Policy
• Remote Device Wipe
• Hard Drive Encryption
• Portable File Encryption
• Redundant Storage
• Physical and Employee Security
• Encryption in Transit
• Encryption at Rest
• Throttling / 99.98% quarterly uptime
Protecting from Stolen Passwords: Multi-factor Authentication
Implementation
• Built in to Office 365
• Works with your locally managed AD accounts
• Simple to implement
• Implement for Global Administrators or any other users who have access to high risk information
• User can change 2nd factor method
Requirements
• Access to phone or mobile device
• Options
  – Text
  – Application
  – Phone Call
Multi-factor Authentication Demo
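The "implement for Global Administrators" bullet, as an added PowerShell example that is not part of the Aptera deck or of any Microsoft script: it enforces Office 365 MFA for every user in the Global Administrator role using the MSOnline (Azure AD v1) module that was current in 2015. It assumes that module is installed and that the session is opened with a Global Administrator account.

```powershell
# Added example: require MFA for all Global Administrators (MSOnline module).
# Assumes MSOnline is installed and Connect-MsolService succeeds with admin credentials.
Import-Module MSOnline
Connect-MsolService          # prompts for the admin credentials

# In the MSOnline API the Global Administrator role is named "Company Administrator".
$role    = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }

# The requirement object: State "Enabled" makes the user register a second factor
# at next sign-in; "Enforced" additionally blocks sign-in until registration is done.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State        = "Enabled"

foreach ($m in $members) {
    $user = Get-MsolUser -UserPrincipalName $m.EmailAddress
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        Write-Output "Already configured: $($m.EmailAddress)"
        continue
    }
    Set-MsolUser -UserPrincipalName $m.EmailAddress -StrongAuthenticationRequirements @($req)
    Write-Output "MFA enabled for $($m.EmailAddress)"
}

# Verification: Global Administrators still without an MFA requirement (should print nothing).
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName
```

Run the verification query on a schedule as a detective control, since any newly added Global Administrator will show up there until MFA is set for them.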
Protecting e-mail and documents in transit: Encryption Options
• E-mail
  – Office 365 Mail Encryption
  – TLS Transport Rules
• Documents/Communications
  – All client traffic encrypted
    • Lync
    • Outlook
    • Office
    • Browser
• Encrypted mail is hosted on a web server from the Microsoft Datacenter
• Recipients get e-mail with a link to the message
• TLS is easier for the recipient and can be secure
DLP, Encrypted E-mail and TLS Demo
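The two e-mail options above (TLS transport rules and Office 365 Mail Encryption driven by sensitive-content detection), as an added Exchange Online PowerShell example that is not from the deck; it assumes an Exchange Online remote PowerShell session is already open and uses the constructed partner domain partner.example.

```powershell
# Added example: transport rules for TLS and for encrypting sensitive outbound mail.
# Assumes an open Exchange Online remote PowerShell session; partner.example is constructed.

# 1. Require TLS to a partner domain. If the partner's mail server cannot negotiate
#    TLS, the message is held and eventually returned rather than sent in clear text.
New-TransportRule -Name "Require TLS to partner.example" `
    -RecipientDomainIs "partner.example" `
    -RouteMessageOutboundRequireTls $true `
    -Comments "Outbound mail to this partner must travel over TLS"

# 2. Apply Office 365 Message Encryption when a message leaving the organisation
#    contains an SSN or a credit card number (built-in sensitive information types).
#    The recipient gets a link to the message hosted in the Microsoft datacenter
#    instead of the clear-text body, which is the flow described on the slide.
New-TransportRule -Name "Encrypt outbound SSN or card data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{Name = "U.S. Social Security Number (SSN)"; MinCount = 1},
        @{Name = "Credit Card Number"; MinCount = 1}
    ) `
    -ApplyOME $true `
    -Comments "OME for sensitive data sent outside the tenant"

# Verification: both rules enabled, and their priority (evaluation order) visible.
Get-TransportRule |
    Where-Object { $_.Name -like "Require TLS*" -or $_.Name -like "Encrypt outbound*" } |
    Select-Object Priority, Name, State
```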
Protecting against lost or stolen devices
Device Security Policy
• Device Password
• Remote Device Wipe
• Bad Password Count Lockout
• Bad Password Count Reset
Remote Wipe
• Can be done from any browser by the device owner or an administrator
Remote Device Wipe Demo
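The Device Security Policy bullets and the administrator-initiated remote wipe, as an added Exchange Online PowerShell example that is not part of the deck; it assumes an open Exchange Online remote PowerShell session, and the policy name, the mailbox mia@contoso.example and the notification address are constructed values.

```powershell
# Added example: mobile device mailbox policy matching the slide, plus a remote wipe.
# Assumes an open Exchange Online session; names and addresses below are constructed.

# Device Password + Bad Password Count: alphanumeric password required, lock after
# 5 idle minutes, device wipes itself after 10 failed unlock attempts, storage
# encryption required. Devices that cannot enforce these settings are refused.
New-MobileDeviceMailboxPolicy -Name "Corporate devices" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock "00:05:00" `
    -MaxPasswordFailedAttempts 10 `
    -DeviceEncryptionEnabled $true `
    -AllowNonProvisionableDevices $false

# Make it the default for every mailbox, and pin it explicitly to a mailbox that
# handles sensitive data so a later change of default cannot weaken it.
Set-MobileDeviceMailboxPolicy -Identity "Corporate devices" -IsDefault $true
Set-CASMailbox -Identity "mia@contoso.example" -ActiveSyncMailboxPolicy "Corporate devices"

# Remote Device Wipe for a lost phone: list the mailbox's partnered devices first,
# then wipe the one reported lost. The request stays pending until the device syncs.
Get-MobileDevice -Mailbox "mia@contoso.example" |
    Select-Object DeviceType, DeviceModel, DeviceId, FirstSyncTime

$lost = Get-MobileDevice -Mailbox "mia@contoso.example" |
    Where-Object { $_.DeviceType -eq "iPhone" }
foreach ($d in $lost) {
    Clear-MobileDevice -Identity $d.Identity `
        -NotificationEmailAddresses "admin@contoso.example" -Confirm:$false
}

# Audit trail: when the wipe was requested and when the device acknowledged it.
Get-MobileDeviceStatistics -Mailbox "mia@contoso.example" |
    Select-Object DeviceType, DeviceWipeRequestTime, DeviceWipeAckTime, LastSuccessSync
```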
Protecting Files on any media or device
Information Rights Management
• Portable Encryption
  – Works on any device or storage medium
• Access to document can be revoked
  – Person leaves company or project
  – Document can expire
• Granular access rights
  – Read
  – Copy
  – Print
  – Forward
Portable File Encryption Demo
E-Discovery – Hold – Retention Policy
E-Discovery
• Discovery Agents
• Email, Documents, Lync
• Search options
• Exporting results
In-Place Hold
• By search criteria
• Mailbox legal hold
  – Retention period
Retention Policy
• Defines when items are destroyed or moved
• Can be managed by user and/or set by policy
Discovery-Hold-Retention Demo
Encryption at Rest: BYOE – Bring Your Own Encryption
Provider Encryption at Rest
• Protects against
  – Physical access to disks
• Does not protect against
  – Blind Subpoena
  – Programmatic Access to your Data
  – Administrator Access to your Data
• Native Support for
  – Read/Write
  – Search and Index
  – Remote Access
BYOE
• Protects against
  – Physical access to disks
  – Blind Subpoena
  – Programmatic Access to your Data
  – Administrator Access to your Data
• Must Allow Support for
  – Read/Write
  – Search and Index
  – Remote Access
BYOE Architecture e-mail (diagram)
The slide traces one message from Mia to Vincent ("Vincent, attached is the customer's SSN and Credit-Card information.") through the BYOE path: the text is readable at the two endpoints, and every intermediate copy of the message is shown only as unreadable ciphertext.
Action Plan
Identify Owners for
• Document/mail retention
• Legal Hold/Discovery
• Compliance
• Security Policy
• Disaster Recovery
Define your Corporate
• Compliance requirements
• Security Policy
• Retention Policy
• Legal/Discovery-Hold Policy
• Disaster Recovery Plan
Match against current systems
• Compliance capabilities
• Security capabilities
• Retention capabilities
• Legal/Discovery-Hold capabilities
Evaluate Office 365 Capabilities
• Compliance
• Security
• Availability/Recovery
• Retention
• Legal
Next Step: Free Aptera Compliance and Security Strategy Review
Surface Winner!
Questions? Email: [email protected]
Phone: 260-739-1949
References
• Free 30 day Office 365 Trial
• Office 365 Service Updates
• Office 365 Service Descriptions
• Office 365 Privacy, Security and Compliance
• Office 365 security white paper