Microsoft office 365 security privacy and trust
1 / 44

Microsoft Office 365 Security, Privacy, and Trust - PowerPoint PPT Presentation

  • Updated On :

OSP323. Microsoft Office 365 Security, Privacy, and Trust. Alistair Speirs , Sr. Program Manager Bharath Rambadran, Sr. Product Marketing Manager Microsoft Corporation.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Microsoft Office 365 Security, Privacy, and Trust' - amalia

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Microsoft office 365 security privacy and trust


Microsoft Office 365 Security, Privacy, and Trust

Alistair Speirs, Sr. Program Manager

Bharath Rambadran, Sr. Product Marketing Manager

Microsoft Corporation

Brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite

Office 365 Delivers World Class Capabilities

  • Pay-as-you-go, per-user licensing

  • Complete Office experience with services integration

  • Always the latest version of Office and Office Web Apps

  • Familiar Office user experience

  • IM & Presence across firewalls

  • GAL/Skill search in SharePoint

  • Online meeting with desktop sharing

  • Windows Live federation

  • My Sites to manage and share documents

  • Access documents offline

  • Document-level permissions

  • Share documents securely with Extranet Sites

  • 25Gb mailbox with voicemail & unified messaging

  • Integrated personal archiving

  • Retention policies and legal hold

  • Free/busy coexistence

Trusting the cloud it s all over the news can i trust the cloud
Trusting The CloudIt’s all over the news – “Can I trust the cloud?”

Key Concerns

  • Privacy

  • Loss of Control

  • Regulatory

  • Physical/Logical Security


    • “What is holding IT managers back (from going to the cloud) is fear about security.”

    • — The Economist, March 5, 2010

The trust questions
The Trust Questions…



  • What does privacy at Microsoft mean?

  • Are you using my data to build advertising products?

  • Where is my data?

  • Who has access to my data ?



  • What certifications and capabilities does Microsoft hold?

  • How does Microsoft support customer compliance needs?

  • Do I have the right to audit Microsoft?

  • Is cloud computing secure?

  • Are Microsoft Online Services secure?

Office 365 trust center
Office 365 Trust Center

  • Clear messaging with plain English

  • Details for security experts

  • Links videos, whitepapers


The trust principles
The Trust Principles

Cohesive Process Combining 4 Pillars

Leadership in Transparency






Relentless on


We Respect your


You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it

Compliance with World Class Industry standards verified by 3rdparties

Excellence in Cutting edge security practices

What do we mean by privacy
What Do We Mean by “Privacy”?



PII Controls

Elevation of Privilege

Notice and Consent


Denial of Service

Information Disclosure


Data Minimization


Transnational Data Flows


Privacy at office 365
Privacy at Office 365

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

No Advertising

  • No advertising products out of Customer Data.

  • No scanning of email or documents to build analytics or mine data.

Data Portability

  • Office 365 Customer Data belongs to the customer.

  • Customers can export their data at any time.

No Mingling

  • Choices to keep Office 365 Customer Data separate from consumer services.

How privacy of data is protected
How Privacy of Data is Protected?

We use customer data for just what they pay us for - to maintain and provide Office 365 Service

You know where data resides who can access it and what we do with it
You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it.

  • Transparency

Transparency and ‘what’ we do with it.

At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer

Where is Data Stored?

  • Clear Data Maps and Geographic boundary information provided

  • ‘Ship To’ address determines Data Center Location

Who accesses and What is accessed?

  • Core Customer Data accessed only for troubleshooting and malware prevention purposes

  • Core Customer Data access limited to key personnel on an exception basis.

How to get notified?

  • Microsoft notifies you of changes in data center locations.

Excellence in cutting edge security practices
Excellence in and ‘what’ we do with it.cutting edge security practices


Microsoft security development lifecycle reduce vulnerabilities limit exploit severity
Microsoft Security Development Lifecycle and ‘what’ we do with it.Reduce vulnerabilities, limit exploit severity




Administer and track security training

Guide product teams to meet SDL requirements

Establish release criteria and sign-off as part of FSR


Response (MSRC)








Core SecurityTraining

Establish SecurityRequirements

Create Quality Gates / Bug Bars

Security & Privacy Risk Assessment

Establish DesignRequirements

Analyze AttackSurface


Use Approved Tools

Deprecate UnsafeFunctions

Static Analysis

Dynamic Analysis

Fuzz Testing

Attack Surface Review

Incident Response Plan

Final Security Review

Release Archive

Execute IncidentResponse Plan

Ongoing Process Improvements

Office security progress
Office Security Progress and ‘what’ we do with it.

  • Unique Security Issues Reported

  • Office XP

  • Macro security levels

    • Office 2007

  • Default setting changes

  • Reduced security prompts

  • XML file format support

  • Trust Center & Message Bar

  • Trusted locations

  • Active content security

  • Block file format settings

  • Document Inspector

  • 9%

    • Office 2003

  • CryptoAPI support

  • Trusted publishers

  • ActiveX control security

    • Office 2010

  • Protected View

  • Office File Validation

  • Trusted Documents

  • Crypto Improvements

  • Core security improvements file fuzzing
    Core security improvements: file fuzzing and ‘what’ we do with it.

    A method to identify previously unknown vulnerabilities in file formats

    Office teams fuzzed millions of files 10’s of millions of times

    Led to hundreds of new bugs being fixed

    Used to create XML Schema Definitions (XSD) for binary Office files

    XSDs allow binary files to be quickly scanned for potential problems

    Industry recognized security improvements
    Industry-recognized security improvements and ‘what’ we do with it.

    User protection starts with authentication
    User protection starts with authentication and ‘what’ we do with it.

    Active Directory at the core

    Control user password policies across devices and services

    Use Group Policies to configure operating environment

    Extensible management with FIM, ADFS

    Cloud integration options

    Cloud managed user accounts managed via web portal

    On premises directory synchronized to web portal

    Single sign on capability using AD federation services

    Active Directory

    Cloud ID

    Directory Sync

    1-way trust

    Securing users with group policy
    Securing and ‘what’ we do with it.users with Group Policy

    • Administrators can use Group Policy to mandate user settings for Office

    • Administrators can use settings to create highly restricted or lightly managed desktop configurations

    • Group Policy settings have precedence over OCT settings

    • Administrators can use settings to disable file formats that are not secure across the network

    • Over 4000 group policy control objects

    Service Security – Defense in Depth and ‘what’ we do with it.a risk-based, multi-dimensional approach to safeguarding services and data


    Threat and vulnerability management, monitoring, and response

    Access control and monitoring, file/data integrity


    Account management, training and awareness, screening


    Secure engineering (SDL), access control and monitoring, anti-malware


    Access control and monitoring, anti-malware, patch and configuration management


    Dual-factor authentication, intrusion detection, vulnerability scanning



    Edge routers, intrusion detection, vulnerability scanning


    Physical controls, video surveillance, access control

    Physical security sample facility
    Physical Security – Sample facility and ‘what’ we do with it.

    24x7 guarded facility

    700,000 square feet

    10s of 1000s of servers

    Days of backup power

    Business productivity
    Business Productivity and ‘what’ we do with it.

    Communicate and collaborate more securely using Exchange, SharePoint, Lync, and Office

    Visibility and Control

    Information Security

    Comprehensive Protection

    • Policy rules that inspectemails in transit

    • Integration with AD RMS to safeguard sensitive data

    • End-to-end encryption of communications

    • Integrated administration, reporting, and auditing

    • Granular control over user access and permissions

    • Mobile security policies and remote device wipe

    • Multi-layered protection against spam and malware

    • Effectiveness guaranteed by 5 financially-backed SLAs

    • In-product controls that help protect users from threats

    Common security concern customer data at rest is not encrypted
    Common Security Concern and ‘what’ we do with it.Customer data at rest is not encrypted

    • For “sensitive” data, implementation of Active Directory Rights Management Services (RMS)

    • For “sensitive” externally sent/received e-mail, customers employ S/MIME

    • Encryption impacts service functionality (e.g. search and indexing)

    • Identity/key management issues

    The customer makes the decision

    Compliance with world class industry standards verified by 3 rd parties
    Compliance with World Class Industry standards verified by 3 and ‘what’ we do with it.rd parties

    Independently Verified

    Why get independently verified i need to know microsoft is doing the right things
    Why Get Independently Verified? and ‘what’ we do with it.“I need to know Microsoft is doing the right things”

    Alignment and adoption of industry standards ensure a comprehensive set of practices and controls in place to protect sensitive data

    While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls

    Microsoft provides transparency

    This saves customers time and money, and allows Office 365 to provide assurances to customers at scale

    Compliance management framework
    Compliance Management Framework and ‘what’ we do with it.


    Business rules for protecting information and systems which store and process information

    Control Framework

    A process or system to assure the implementation of policy


    System or procedural specific requirements that must be met

    Operating Procedures

    Step-by-step procedures

    Office 365 compliance
    Office 365 Compliance and ‘what’ we do with it.

    We are the first and only major cloud based productivity to offer the following:

    • ISO27001

    • ISO27001 is one of the best security benchmarks available across the world.

    • Office 365 first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management

    • EU Model Clauses

    • Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.

    • EU Model Clauses a set of stringent European Union wide data protection requirements

    • Data Processing Agreement

    • Address privacy, security and handling of Customer Data.

    • Going above and beyond the EU Model Clauses to address additional requirements from individual EU member states

    • Enables customers to comply with their local regulations.

    Office 365 compliance1
    Office 365 Compliance and ‘what’ we do with it.

    Comply with additional industry leading standards

    • US Health Insurance Portability and Accountability Act

    • HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information

    • Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enables our customers to comply with HIPAA concerning protected health information.

    • EU Safe Harbor

    • EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification

    • Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months

    Compliance update compliance with key standards
    Compliance Update and ‘what’ we do with it.Compliance with Key Standards



    BPOS Standard

    Office 365

    Compliance update hipaa business associate agreement baa
    Compliance Update and ‘what’ we do with it.HIPAA Business Associate Agreement (BAA)

    What is it?

    What does it cover?

    Who and how to get it?

    • HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information

    • To comply with HIPAA, in certain cases Microsoft is required to sign BAA with HIPAA covered entities which assures adherence to certain privacy and security requirements

    • Protects Protected Health Information (PHI) covering patient only information not end users

    • Security incident notification within 30 days of unauthorized access

    • Office 365 is not intended to be used as a PHI repository, customer should make their decision on how to best comply with HIPAA. More information can be found in the regulatory compliance section of the Trust Center.

    • Available today for all customers.

    demo and ‘what’ we do with it.

    The Office 365 Trust Center

    Bharath Rambadran

    Sr. Product Manager

    How to sign up for eu model clauses
    How To Sign Up For EU Model Clauses and ‘what’ we do with it.

    Office 365 Trust Center Compliance Section

    Link to EU Model Clause sign-up Page

    EU Model Clause Sign up Page

    • Located in MOSP Portal

    • Requires Admin Access

    • Customer enters Admin details and

    • Agreement I.D

    Step 2 sign in to online services portal
    Step 2: Sign in to Online Services Portal and ‘what’ we do with it.

    Step 3 select contract and accept
    Step 3: Select Contract and Accept and ‘what’ we do with it.

    Step 4 confirmation page
    Step 4: Confirmation Page and ‘what’ we do with it.

    Related content
    Related Content and ‘what’ we do with it.

    Resources and ‘what’ we do with it.

    Office 365 Trust Center (

    • Office 365 Privacy Whitepaper (New!)

    • Office 365 Security Whitepaper and Service Description

    • Office 365 Standard Responses to Request for Information

    • Office 365 Information Security Management Framework

    Related resources
    Related Resources and ‘what’ we do with it.

    • Office 365 TechCenter:

    • Office Client TechCenter:

    • Office, Office 365 and SharePoint Demo Area Includes:

      • Office 365 IT Pro Command Center

      • Office 365 Data Center Exhibit

    Resources and ‘what’ we do with it.



    • Connect. Share. Discuss.

    • Microsoft Certification & Training Resources

    • Resources for IT Professionals

    • Resources for Developers


    Submit your evals online

    Evaluations and ‘what’ we do with it.

    Submit your evals online

    Questions? and ‘what’ we do with it.

    © and ‘what’ we do with it.2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.