
Office 365 Security Features For SharePoint Admins

Learn about the comprehensive set of security features in Office 365 for SharePoint admins. Discover how to protect information, manage identities and access, stop threats, and ensure compliance.

jgore

Presentation Transcript


  1. Office 365 Security Features For SharePoint Admins Dean Gross

  2. Diamond Platinum Gold Silver

  3. Agenda • Protect Information (Data/Files) • Identity and Access Management (User Accounts) • Stop Threats • Ensure Compliance (Regulatory support)

  4. Comprehensive set of capabilities • Microsoft Information Protection: Discover | Classify | Protect | Monitor • Conditional Access • Azure Information Protection • Microsoft Cloud App Security • Office apps • Office 365 Data Loss Prevention • SharePoint & Groups • Office 365 Message Encryption • Azure Security Center Information Protection • Windows Information Protection • SDK for partner ecosystem & ISVs • Office 365 Advanced Data Governance • Adobe PDFs

  5. Protect Information Inside and Outside of SharePoint

  6. Recommendations • Use Azure AD device-based conditional access to block or limit access on unmanaged devices like airport or hotel kiosks • Create policies to sign users out of Office 365 web sessions after a period of inactivity • Evaluate the need for IP-based sessions • Simulate the access model of an on-premises deployment • Empower workers to share broadly but safely • Require sign-in or use links that expire or grant limited privileges • Prevent accidental exposure of sensitive content • Create DLP policies to identify documents and prevent them from being shared

  7. SharePoint Device Access Policies • Block or limit access to SharePoint and OneDrive content from unmanaged devices (those not hybrid AD joined or compliant in Intune). • All users in the organization or only some users or security groups. • All sites in the organization or only some site collections. • Use SPO Admin Center w/Azure AD Portal • PowerShell • Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess • AllowDownloadingNonWebViewableFiles is discontinued (DO NOT USE)

  8. Session Control

  9. Demo • Block access using the new SharePoint admin center • Limit access using the new SharePoint admin center • Limit access using PowerShell • Block or limit access to a specific SharePoint site collection or OneDrive

  10. Control Access – Network Location • Define Trusted Network Boundaries • One or more authorized IP ranges • Need to consider • External Sharing – users will be blocked • Access from 1st and 3rd party apps • SPO only recognizes Yammer, Teams and Exchange • Access from dynamic IP ranges • Not supported • Use SPO Admin Center or PowerShell • To AVOID Lockout - Include your own IP Address • Set-SPOTenant -IPAddressAllowList "131.102.0.0/16"

  11. Azure AD B2B – Managing Guests • Provides more control of invitation process • With Azure AD B2B, users are added immediately on invitation so that they show up everywhere • OneDrive/SharePoint Online adds users to the directory after users have redeemed their invitations • Ability to customize invitations • Can provide access to other apps • Can enforce privacy terms & conditions and Terms of Use • In SPO Admin Center, use “Allow sharing only with the external users that already exist in your organization's directory”

  12. Azure Information Protection (AIP) • Labels can be applied in many clients • Office Desktop add-in, Windows Explorer, Adobe Acrobat • Not yet available in Office Web apps • Scanner finds sensitive information in SP Server

  13. Demo SPO with sensitive labels

  14. Preview EOY Classifying SharePoint sites and Groups

  15. Preview EOY Classifying SharePoint sites and Groups

  16. Demo SPO with retention labels

  17. Available now

  18. AIP scanner demo

  19. Configure the AIP scanner Discovery mode! Constantly monitoring!

  20. Monitor the scanner nodes at scale

  21. Discover the data & sensitivity

  22. Drill down to a file-level view

  23. Information Protection Recommendations • Create multi-disciplinary team • Map sharing, retention and classification policies to M365 technologies • DLP/AIP - Unified Labels • Create custom Sensitive Information Types • Cloud App Security – SharePoint and thousands of others • Policies and Alerts

  24. Identity & Access Management User Accounts are Valuable

  25. Privileged Identity Management Demo

  26. Identity and Access Management Recommendations • Enable Azure Active Directory Identity Protection. • For federated identity environments, enforce account security (password length, age, complexity, etc.). • Enable and enforce MFA for all users. • Implement a set of conditional access and related policies.

  27. Stop Threats They come from everywhere

  28. Alerts Policies • Malware campaign detected in SharePoint and OneDrive • Unusual external user file activity • Unusual volume of external file sharing • Unusual volume of file deletion

  29. Office 365 Advanced Threat Protection (1 of many ATPs) • Safe Attachment Policies

  30. Cloud App Security • Policies

  31. Ransomware Protection • OneDrive for Business- Files Restoration • Coming to SharePoint

  32. SPO Conditional Access • Evaluate users • Location • Machine – phone, tablet or computer • Identity

  33. Threat Protection Recommendations • Connect Office 365 to Microsoft Cloud App Security • Start monitoring using the default threat detection policies for anomalous behaviors • Implement protection for admin accounts: • Use dedicated admin accounts for admin activity • Enforce multi-factor authentication (MFA) for admin accounts • Use a highly secure Windows 10 device for admin activity • Implement enhanced protections for admin accounts: • Configure Privileged Access Workstations (PAWs) for admin activity • Configure Azure AD Privileged Identity Management • Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS

  34. Ensure Compliance Regulations are Complicated

  35. Compliance Features • Customer Lockbox – E5 or Advanced Compliance • No more than 4 hours of access • SharePoint, OneDrive, Exchange • Audit Log Reports • Finding Personal Data (GDPR Requirement) • Retention Labels and Policies • Manual or automatic • Default label for a document library, folder or document set • Consistent across application workloads • Use same Sensitive Information Types as DLP • Deleted files in OneDrive moved to hidden libraries • Replace Records Center, Information Policies, in-place records management

  36. Compliance Manager • Assessments • ISO, NIST & GDPR • Progress indicators • Compliance score – preventive, detective, or corrective measures • Customer Managed Controls – recommended actions • Reporting

  37. E-Discovery Cases • Place holds on ODfB and SPO Sites (and mailboxes) • Can take up to 24 hours • Infinite or date range for time period • Can use keywords or document properties, such as file names

  38. Compliance Center Demo

  39. Compliance Manager Demo

  40. #SPSCLT19 Speaker Survey Session 3
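
The settings from slides 6, 7 and 10 as one PowerShell sequence, with a pre-check for the lockout warning on slide 10. This is an added example, not part of the original deck; the egress IP, the idle timeouts and the helper names `ConvertTo-IPv4Number` and `Test-IPv4InCidr` are assumptions, and the check handles IPv4 ranges only.

```powershell
# Added example, not from the original deck. Assumes the SharePoint Online
# Management Shell is installed and Connect-SPOService has already been run.

function ConvertTo-IPv4Number {            # hypothetical helper: dotted quad -> 32-bit number
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InCidr {                 # hypothetical helper: is $Address inside $Cidr?
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }     # a bare address in the list means that single host
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    $a = (ConvertTo-IPv4Number $Address) -band $mask
    $n = (ConvertTo-IPv4Number $network) -band $mask
    return $a -eq $n
}

$AllowList     = '131.102.0.0/16'          # range from slide 10; comma-separate several ranges
$AdminEgressIp = '131.102.10.20'           # constructed: public IP this admin session leaves from

# Slide 7: browser-only (limited) access from unmanaged devices.
# Works together with the Azure AD conditional access side ("w/Azure AD Portal").
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Slide 6: sign users out of idle web sessions (constructed timeouts: warn 45 min, sign out 60 min).
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 45) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# Slide 10: refuse to enforce network location unless the admin's own IP is covered.
$covered = @(($AllowList -split ',') | Where-Object { Test-IPv4InCidr $AdminEgressIp $_.Trim() })
if ($covered.Count -eq 0) {
    throw "Admin egress IP $AdminEgressIp is not in '$AllowList'; enforcing would lock this session out."
}
Set-SPOTenant -IPAddressAllowList $AllowList -IPAddressEnforcement $true

# Confirm what the tenant now reports.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, IPAddressEnforcement, IPAddressAllowList
```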
