Microsoft Office 365 Security, Privacy, and Trust

OSP323. Microsoft Office 365 Security, Privacy, and Trust. Alistair Speirs, Sr. Program Manager; Bharath Rambadran, Sr. Product Marketing Manager; Microsoft Corporation.

Presentation Transcript
OSP323

Microsoft Office 365 Security, Privacy, and Trust

Alistair Speirs, Sr. Program Manager

Bharath Rambadran, Sr. Product Marketing Manager

Microsoft Corporation


Office 365 brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite.


Office 365 Delivers World Class Capabilities

  • Pay-as-you-go, per-user licensing

  • Complete Office experience with services integration

  • Always the latest version of Office and Office Web Apps

  • Familiar Office user experience

  • IM & Presence across firewalls

  • GAL/Skill search in SharePoint

  • Online meeting with desktop sharing

  • Windows Live federation

  • My Sites to manage and share documents

  • Access documents offline

  • Document-level permissions

  • Share documents securely with Extranet Sites

  • 25 GB mailbox with voicemail & unified messaging

  • Integrated personal archiving

  • Retention policies and legal hold

  • Free/busy coexistence


Trusting the Cloud

It’s all over the news: “Can I trust the cloud?”

Key Concerns

  • Privacy

  • Loss of Control

  • Regulatory

  • Physical/Logical Security

  • Cloudy With a Chance of Rain

    • “What is holding IT managers back (from going to the cloud) is fear about security.” — The Economist, March 5, 2010


The Trust Questions…

Privacy and Transparency

  • What does privacy at Microsoft mean?

  • Are you using my data to build advertising products?

  • Where is my data?

  • Who has access to my data?

Compliance and Security

  • What certifications and capabilities does Microsoft hold?

  • How does Microsoft support customer compliance needs?

  • Do I have the right to audit Microsoft?

  • Is cloud computing secure?

  • Are Microsoft Online Services secure?


Office 365 Trust Center

  • Clear messaging with plain English

  • Details for security experts

  • Links, videos, whitepapers

  • http://trust.office365.com


The Trust Principles

Cohesive Process Combining 4 Pillars

  • Leadership in Transparency: You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it

  • Your Privacy Matters: We respect your privacy

  • Independently Verified: Compliance with world class industry standards verified by 3rd parties

  • Relentless on Security: Excellence in cutting edge security practices


Your Privacy Matters

Privacy


What Do We Mean by “Privacy”?

Privacy concerns

  • PII Controls

  • Notice and Consent

  • Breach Response

  • Data Minimization

  • Transnational Data Flows

Security threats (the STRIDE categories)

  • Spoofing

  • Tampering

  • Repudiation

  • Information Disclosure

  • Denial of Service

  • Elevation of Privilege


Privacy at Office 365

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

No Advertising

  • No advertising products built from Customer Data.

  • No scanning of email or documents to build analytics or mine data.

Data Portability

  • Office 365 Customer Data belongs to the customer.

  • Customers can export their data at any time.

No Mingling

  • Choices to keep Office 365 Customer Data separate from consumer services.


How Is the Privacy of Data Protected?

We use customer data only for what customers pay us for: to maintain and provide the Office 365 service.


You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it.

  • Transparency


Transparency

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Where is Data Stored?

  • Clear Data Maps and Geographic boundary information provided

  • ‘Ship To’ address determines Data Center Location

Who accesses and What is accessed?

  • Core Customer Data accessed only for troubleshooting and malware prevention purposes

  • Core Customer Data access limited to key personnel on an exception basis.

How are you notified?

  • Microsoft notifies you of changes in data center locations.


Excellence in cutting edge security practices

Security


Microsoft Security Development Lifecycle

Reduce vulnerabilities, limit exploit severity

  • Education: Administer and track security training

  • Process: Guide product teams to meet SDL requirements

  • Accountability: Establish release criteria and sign-off as part of the Final Security Review (FSR)

SDL phases and practices

  • Training: Core Security Training

  • Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment

  • Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling

  • Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis

  • Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review

  • Release: Incident Response Plan; Final Security Review; Release Archive

  • Response: Execute Incident Response Plan (Incident Response, MSRC)

Ongoing Process Improvements


Office Security Progress

Chart (figure residue): Unique Security Issues Reported, by Office version; one data label of 9% survives.

  • Office XP: Macro security levels

  • Office 2003: CryptoAPI support; Trusted publishers; ActiveX control security

  • Office 2007: Default setting changes; Reduced security prompts; XML file format support; Trust Center & Message Bar; Trusted locations; Active content security; Block file format settings; Document Inspector

  • Office 2010: Protected View; Office File Validation; Trusted Documents; Crypto Improvements


Core security improvements: file fuzzing

A method to identify previously unknown vulnerabilities in file formats

Office teams fuzzed millions of files tens of millions of times

Led to hundreds of new bugs being fixed

Used to create XML Schema Definitions (XSD) for binary Office files

XSDs allow binary files to be quickly scanned for potential problems


Industry-recognized security improvements

https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html


User protection starts with authentication

Active Directory at the core

  • Control user password policies across devices and services

  • Use Group Policies to configure the operating environment

  • Extensible management with FIM, ADFS

Cloud integration options

  • Cloud ID: cloud-managed user accounts managed via web portal

  • Directory Sync: on-premises directory synchronized to web portal

  • AD federation (1-way trust): single sign-on capability using AD Federation Services


Securing users with Group Policy

  • Administrators can use Group Policy to mandate user settings for Office

  • Administrators can use settings to create highly restricted or lightly managed desktop configurations

  • Group Policy settings have precedence over OCT (Office Customization Tool) settings

  • Administrators can use settings to disable file formats that are not secure across the network

  • Over 4000 Group Policy control objects


Service Security – Defense in Depth

A risk-based, multi-dimensional approach to safeguarding services and data

  • SECURITY MANAGEMENT: Threat and vulnerability management, monitoring, and response

  • DATA: Access control and monitoring, file/data integrity

  • USER: Account management, training and awareness, screening

  • APPLICATION: Secure engineering (SDL), access control and monitoring, anti-malware

  • HOST: Access control and monitoring, anti-malware, patch and configuration management

  • INTERNAL NETWORK: Dual-factor authentication, intrusion detection, vulnerability scanning

  • NETWORK PERIMETER: Edge routers, intrusion detection, vulnerability scanning

  • FACILITY: Physical controls, video surveillance, access control


Physical Security – Sample facility

24x7 guarded facility

700,000 square feet

Tens of thousands of servers

Days of backup power


Business Productivity

Communicate and collaborate more securely using Exchange, SharePoint, Lync, and Office

Information Security

  • Policy rules that inspect emails in transit

  • Integration with AD RMS to safeguard sensitive data

  • End-to-end encryption of communications

Visibility and Control

  • Integrated administration, reporting, and auditing

  • Granular control over user access and permissions

  • Mobile security policies and remote device wipe

Comprehensive Protection

  • Multi-layered protection against spam and malware

  • Effectiveness guaranteed by 5 financially-backed SLAs

  • In-product controls that help protect users from threats


Common Security Concern

Customer data at rest is not encrypted

  • For “sensitive” data, implementation of Active Directory Rights Management Services (RMS)

  • For “sensitive” externally sent/received e-mail, customers employ S/MIME

  • Encryption impacts service functionality (e.g. search and indexing)

  • Identity/key management issues

The customer makes the decision


Compliance with World Class Industry standards verified by 3rd parties

Independently Verified


Why Get Independently Verified?

“I need to know Microsoft is doing the right things”

Alignment with and adoption of industry standards ensures that a comprehensive set of practices and controls is in place to protect sensitive data.

While not permitting customer audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls.

Microsoft provides transparency.

This saves customers time and money, and allows Office 365 to provide assurances to customers at scale.


Compliance Management Framework

Policy: Business rules for protecting information and systems which store and process information

Control Framework: A process or system to assure the implementation of policy

Standards: System- or procedure-specific requirements that must be met

Operating Procedures: Step-by-step procedures


Office 365 Compliance

We are the first and only major cloud-based productivity service to offer the following:

  • ISO 27001

    • ISO 27001 is one of the best security benchmarks available across the world.

    • Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management controls.

  • EU Model Clauses

    • Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.

    • The EU Model Clauses are a set of stringent European Union-wide data protection requirements.

  • Data Processing Agreement

    • Addresses privacy, security and handling of Customer Data.

    • Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states.

    • Enables customers to comply with their local regulations.


Office 365 Compliance

Comply with additional industry leading standards

  • US Health Insurance Portability and Accountability Act (HIPAA)

    • HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information.

    • Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.

  • EU Safe Harbor

    • The EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification.

    • Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.


Compliance Update

Compliance with Key Standards

Table (rows not captured in the transcript): Certification | Audience | BPOS Standard | Office 365


Compliance Update

HIPAA Business Associate Agreement (BAA)

What is it?

  • HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information

  • To comply with HIPAA, in certain cases Microsoft is required to sign a BAA with HIPAA covered entities, which assures adherence to certain privacy and security requirements

What does it cover?

  • Protects Protected Health Information (PHI), covering patient-only information, not end users

  • Security incident notification within 30 days of unauthorized access

Who and how to get it?

  • Office 365 is not intended to be used as a PHI repository; customers should make their own decision on how to best comply with HIPAA. More information can be found in the regulatory compliance section of the Trust Center.

  • Available today for all customers.


Demo: The Office 365 Trust Center

Bharath Rambadran, Sr. Product Manager


How To Sign Up For EU Model Clauses

Office 365 Trust Center Compliance Section: link to EU Model Clause sign-up page

EU Model Clause Sign-up Page

  • Located in MOSP Portal

  • Requires Admin Access

  • Customer enters Admin details and Agreement ID


Step 2: Sign in to Online Services Portal

Step 3: Select Contract and Accept

Step 4: Confirmation Page


Related Content


Resources

Office 365 Trust Center (http://trust.office365.com)

  • Office 365 Privacy Whitepaper (New!)

  • Office 365 Security Whitepaper and Service Description

  • Office 365 Standard Responses to Request for Information

  • Office 365 Information Security Management Framework


Related Resources

  • Office 365 TechCenter: technet.microsoft.com/Office365

  • Office Client TechCenter: technet.microsoft.com/office

  • Office, Office 365 and SharePoint Demo Area includes:

    • Office 365 IT Pro Command Center

    • Office 365 Data Center Exhibit


Resources

Learning

  • Connect. Share. Discuss. http://europe.msteched.com

  • Microsoft Certification & Training Resources: www.microsoft.com/learning

TechNet

  • Resources for IT Professionals: http://microsoft.com/technet

  • Resources for Developers: http://microsoft.com/msdn


Evaluations

Submit your evals online: http://europe.msteched.com/sessions


Questions?


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

