OSP214 Security and Compliance on the Microsoft Business Productivity Online Standard Suite and Microsoft Office 365 Platforms
David Hayden, BOS Solution Architect, Microsoft Corporation

Common questions…
COMPLIANCE
• How does Microsoft support customer compliance needs?
• What certifications does Microsoft hold?
• Do I have the right to audit Microsoft?
SECURITY
• Is cloud computing secure?
• Are Microsoft Online Services secure?
RELIABILITY & SERVICE CONTINUITY
• What drives the need to have a continuity plan?
• Formalized continuity program in place?
• Recovery from a disastrous event?
• Recovery plans in place and exercised regularly?
PRIVACY
• Where’s my data?
• Who has access to my data?
• Why is Privacy important?
Microsoft Online Risk Management Program Overview
Information Security Policy, supported by four pillars:
• Security
• Privacy & Regulatory
• Service Continuity
• Compliance Management

Microsoft Confidential
MS Online Security
Multi-Layered Defense Strategy: employ a risk-based, multi-dimensional approach to safeguarding services and data
• Security Management: Threat & Vulnerability Management, Monitoring & Response
• Data: Access Control & Monitoring, File/Data Integrity
• User: Account Mgmt, Training & Awareness, Screening
• Application: Secure Engineering (SDL), Access Control & Monitoring, Anti-Malware
• Host: Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt
• Internal Network: Dual-factor Auth, Intrusion Detection, Vulnerability scanning
• Network perimeter: Edge Routers, Firewalls, Intrusion Detection, Vulnerability scanning
• Facility: Physical controls, video surveillance, Access Control

Security Development Lifecycle
Microsoft believes that delivering secure software requires:
• Executive commitment (SDL has been a mandatory policy at Microsoft since 2004)
• Education
• Technology and Process
• Accountability
• Ongoing Process Improvements

Certifications
• More to come …
Data Encryption at Rest
• Customer data is stored non-encrypted
  • Encryption impacts service functionality (e.g. search)
  • Technical solutions are challenging, e.g. identity and key management issues
  • Policies and controls are in place to destroy replaced, defective disks
• Solution
  • For “sensitive” data, customers implement Rights Management
  • For “sensitive” externally sent/received email, customers employ message encryption

Enhanced Email Security Features
• Require TLS for all mail between customer and partner domain (inbound and outbound)
• Centralized mail control (all mail for the domain sent/received from customer servers)
  • Enables custom filtering and archiving
• Outbound mail delivery to a smarthost
  • Enables additional processing, e.g. DLP
• Optional integration with Exchange Hosted Encryption
• Future: Expanded DLP capabilities in Forefront Online Protection for Exchange (FOPE)
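The three controls on this slide (TLS required with a partner domain, centralized mail control through the customer's own gateway, and transport rules) can be expressed as configuration. The following is an added example, not from the deck or from Microsoft: it assumes the current Exchange Online PowerShell module (the 2011-era FOPE settings were made in a web portal, not with these cmdlets), an administrator session, and placeholder domain and host names.

```powershell
# Added example (not from the deck). Assumes the ExchangeOnlineManagement module
# and an Exchange Online admin account. All domain/host names are placeholders.
Connect-ExchangeOnline

# 1. Require TLS for all mail exchanged with a partner domain, in both directions.
#    Inbound: accept the partner's mail only over TLS, and only when the sending
#    server presents a certificate whose subject matches the partner's domain.
New-InboundConnector -Name "Partner-Inbound-RequireTLS" `
    -ConnectorType Partner `
    -SenderDomains "partner.example" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "*.partner.example"

#    Outbound: deliver to the partner only over TLS and only if the receiving
#    server's certificate is valid for the partner's domain.
New-OutboundConnector -Name "Partner-Outbound-RequireTLS" `
    -ConnectorType Partner `
    -RecipientDomains "partner.example" `
    -TlsSettings DomainValidation `
    -TlsDomain "*.partner.example"

# 2. Centralized mail control / outbound delivery to a smarthost: route all
#    outbound mail through the customer's own gateway so it can apply filtering,
#    archiving or DLP before a message leaves. The gateway name is a placeholder.
New-OutboundConnector -Name "Route-All-Outbound-Via-Customer-Gateway" `
    -ConnectorType OnPremises `
    -RecipientDomains "*" `
    -SmartHosts "mailgw.customer.example" `
    -RouteAllMessagesViaOnPremises $true `
    -TlsSettings CertificateValidation

# 3. Transport rule: append a disclaimer to every message that leaves the
#    organization (the "Disclaimers" feature listed later in the deck).
New-TransportRule -Name "External-Mail-Disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>Placeholder disclaimer text for mail leaving the organization.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Verify the TLS requirements actually took effect before relying on them.
Get-InboundConnector  | Format-Table Name, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
Get-OutboundConnector | Format-Table Name, ConnectorType, TlsSettings, TlsDomain, RouteAllMessagesViaOnPremises
```

The two verification lines matter more than they look: a connector that was created with `-TlsSettings EncryptionOnly`, or with no matching sender-domain scope, will still pass mail, just without the certificate check the slide's "require TLS" bullet implies, so the final state should be read back rather than assumed.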
Privacy

What is “Privacy”?
• Our approach to protecting customer privacy: we ensure we use the right policy and principles that help customers and end-users maintain control over their personal information (PII)
• “Control over PII” means we respect our customers’ information by:
  • being transparent about how we gather and use PII
  • allowing customers to direct how we use their PII
  • limiting our use of PII
  • providing a means by which customers can update their PII to ensure accuracy
  • striving to keep PII secure
  • working to ensure customers can access their data
• Common privacy regulations customers comply with while using Microsoft Online:
  • HIPAA, GLBA, FERPA, Mass 201, PIPEDA, and the EU Data Protection Directive and security requirements in EU national privacy laws

Global Privacy Regulations
• Microsoft Online Services has been built focusing on transparency, allowing customers control over their data, and enabling them to adhere to recognized privacy principles
• Example: Many locales require a privacy notice and a recording notice. It is ultimately the responsibility of the customer to comply, but we built one in as a default so customers are assisted
• Microsoft complies with global privacy norms. It abides by the Safe Harbor privacy framework regarding the collection, use, transfer, and retention of data from the European Union, the European Economic Area, and Switzerland
• Each of the Microsoft Online Services has a privacy statement that details how customers’ data will be treated
• Longer term: we work with governments and partners to adapt regulations to our type of services
Government Subpoenas
• Will Microsoft turn over my data to US companies or the US government?
  • Microsoft believes customers should control their own information
  • When compelled by U.S. law enforcement to produce customer records, Microsoft will first attempt to redirect these demands to the customer
  • Microsoft will notify the customer unless it cannot, either because Microsoft is unable to reach the customer or is legally prohibited from doing so
  • Microsoft will only produce the specific records ordered by law enforcement and nothing else
• Your organization is most likely already exposed to government jurisdiction; therefore, for many companies, moving to the cloud doesn’t represent a large increase in risk

Data Transfers
• Microsoft set the bar high across the service: we adhere to the requirements of the strictest markets, like the EU Data Protection Directive, so that we can legally store and use data in compliance with legal requirements
• Microsoft offers transparency around the location of customer data
• Microsoft tracks major international privacy laws so we know what is coming and are ready to address it

Compliance
Compliance Management Framework
• Business rules for protecting information and the systems which store and process information
• A process or system to assure the implementation of policy
• System- or procedure-specific requirements that must be met
• Step-by-step procedures

Addressing Audit Needs
• Microsoft offers:
  • Alignment and adoption of industry standards
  • Comprehensive set of practices and controls in place to protect your data
  • Focus on solutions for millions of users worldwide
  • Independent third-party attestations of Microsoft security, privacy, and continuity controls
• This allows Microsoft Online to provide assurances to customers at scale

Supporting Customer Compliance
• Customizable and feature-rich Microsoft Online offerings to suit a customer’s compliance needs
  • Use our features to implement your policies
  • Retention policies, archiving, legal hold, etc.
• Third-party audits and attestations
• Compliance from end to end (physical infrastructure to services development & operation)

Service Continuity
Service Continuity Program Framework
• Based on Business Continuity industry best practices
  • Provides a standardized approach across the enterprise
  • Ensures consistent and sustainable processes
• Focusing on internal core competencies
  • Identifies impacts, dependencies, and gaps
  • Implements solutions and plans for remediation
• Exercises on a regular basis to ensure processes are operating as intended
  • Meet established RTOs and RPOs
Framework components: Governance; Business Impact Analysis; Training & Awareness; Service Continuity Management; Maintaining & Exercising; Dependency Analysis; Gap Analysis & Reporting; Planning Strategies & Solutions

Continuity Concerns
• What drives the need to have a continuity plan in place?
  • To protect the customer and the service from any major outage
• Does Microsoft have a formalized continuity program in place?
  • Yes, a robust service continuity program is in place based on industry best practices and provides the ability to recover subscribed services in a timely manner
• Does each service have the ability to recover from a disastrous event?
  • Yes, all offerings have redundancy and resiliency to ensure that any major outage is minimized
• Is the plan exercised (tested) on a regular basis?
  • The plan and solution are validated at least on an annual basis
Office 365 security and compliance features: Exchange Online
Feature areas: Preserve, Discover, Protect, Control
• Retention tags
• Personal Archive
• Multi-mailbox search
• Litigation hold
• Journaling for integration with external archive services
• Rights Management support
• Decrypt to journal
• S/MIME support
• Mail tips
• Transport rules
• Filtering
• Disclaimers
• Supervision/Ethical walls
• AV/AS using Forefront Online Protection for Exchange
• Role-based access controls
• Audit reports
  • Non-owner access report
  • Admin configuration change report

Personal Archive
• Secondary mailbox with separate quota
• Appears in Outlook and Outlook Web App
Move and Delete Policies
• Automated and time-based criteria
• Set policies at item or folder level
• Expiry date shown in email message
• EWS support
Hold Policy
• Capture deleted and edited email messages
• Offers single item restore
• Notify user on hold
Multi-Mailbox Search
• Web-based UI
• Search primary, archive, and recoverable items
• Delegate through roles-based admin
• Annotate content
• De-duplication after discovery
IRM Integration
• Apply IRM automatically
• Access messages in OWA, EAS
• Decrypt protected messages to enable search, filtering, journaling, transport rules
• Protect sensitive voicemail
• Extend access to partners
Transport Rules
• Inspect both messages and attachments
• Apply controls to all email sent and received
• Delegate through roles-based admin
MailTips
• Alert sender about possible risks or policy violations
• Option of customized MailTips

Office 365 security and compliance features: SharePoint Online
• Information Management Policy
  • Expiration
  • Audit Policies
• Business Taxonomies & Tagging
  • Site Columns
  • Content Types
  • Taxonomy term store
• Document Sets & IDs
• Cross-site Collection Search
• Document-level access controls
• Site collection and site-level audit reports
  • Content Activity Reports
  • Information Management Policy
  • Security and Site Settings reports
• In-place Records Management
  • Records declaration
  • Litigation hold

Track Resources
• Read more about Microsoft Online Services – www.microsoft.com/online
• Learn about the next release of BPOS, the Microsoft Office 365 Suite – http://office365.microsoft.com
• Continue the conversation
  • Microsoft Online Services Team Blog – http://blogs.technet.com/msonline
  • Facebook Fan Page – http://www.facebook.com/MicrosoftOnlineServices
  • YouTube Channel – http://www.youtube.com/user/msonlineservices
  • Twitter – http://twitter.com/msonline
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.