
Achieving compliance by protecting and controlling your data with encryption in Microsoft 365






Presentation Transcript


  1. Achieving compliance by protecting and controlling your data with encryption in Microsoft 365. Speakers: Jaclynn Hiranaka, Senior Program Manager, and Aashish Ramdas, Senior Program Manager. Session BRK3115.

  2. Today’s Digital Estate: smart cities, sensors, energy systems, vehicles, partners, cloud, citizens, marketplaces, equipment, customers, mobile devices, on-premises, supply chains, manufacturers.

  3. Compliance is challenging. • The cost of non-compliance is 3x the cost of compliance. • Data is your biggest risk. • 200+ updates per day from 750 regulatory bodies. • The cost of compliance continues to increase year over year.

  4. Shared responsibility model. Responsibility is split between the cloud customer and the cloud provider, and the split shifts as you move from On-Prem to IaaS, PaaS and SaaS. • Customer management of risk: data classification and accountability; client and end-point protection. • Shared management of risk: identity and access management (including end-point devices); application-level controls; network controls. • Provider management of risk: host infrastructure; physical security (physical and networking).

  5. Shared Responsibility Model – Examples (NIST 800-53). • Access to production environment – Microsoft’s responsibility: implement access controls that prevent standing access to the production environment or customer data. Organization’s responsibility: set up an access control policy and SOP, and leverage Customer Lockbox and identity management. • Protect data – Microsoft’s responsibility: encrypt data at rest and in transit using industry standard cryptography (BitLocker, Service Encryption, TLS, etc.). Organization’s responsibility: encrypt data based on compliance obligations. • Personnel control – Microsoft’s responsibility: strict screening for employees, vendors, and contractors, and security and privacy training throughout the onboarding process. Organization’s responsibility: allocate enough resources to implement an organization-wide privacy program.

  6. Data Encryption. • Encrypt data at rest and in transit. • Apply multiple layers of encryption. • Make data unreadable to unauthorized parties.

  7. Encryption options in Microsoft 365. • Data in transit – Network layer: TLS. • Data at rest – Hardware layer: Windows Server disk, protected by BitLocker. • Data at rest – Application layer: SharePoint and OneDrive files and Exchange Online mailboxes*, protected by Service Encryption. • Data at rest – Content layer: emails and documents, protected by Office 365 Message Encryption and Azure Information Protection. *EXO to be available in CY2019.

  8. Encryption key management options in Microsoft 365. • Content layer (emails, documents): Microsoft-managed keys, BYOK, HYOK. • Application layer (SharePoint and OneDrive files, Exchange Online mailboxes*): Customer Key. *EXO to be available in CY2019, as on the previous slide.

  9. Data in transit: Azure Information Protection (AIP) / Office 365 Message Encryption (OME)

  10. How do AIP and OME help with compliance? • Azure Information Protection and Office 365 Message Encryption provide persistent encryption on documents and emails. • Access to the encrypted document/email is granted based on the user’s identity. This allows the Admin to enable gated access to sensitive data, and to limit access to sensitive data. • Access to the encrypted document/email can also be monitored and revoked. This allows the Admin to audit who has access to the document, to audit who has previously accessed the document, and to control future access to the document.

  11. The decision around keys is important. • AIP and OME can act as the means to compliance. • Access to your keys == access to your data. Therefore, decisions made around key management become critical to compliance.

  12. Keys. There are 3 keys that matter in the main encryption workflow: • a document-specific key (symmetric) to encrypt/decrypt the content; • the tenant public key (asymmetric) to encrypt the publishing license; • the tenant private key (asymmetric) to decrypt the publishing license. (Diagram: the use rights and the symmetric key are processed locally on PCs/devices and wrapped into a publishing license, which is sent to Microsoft Azure Information Protection.) The security of the tenant private key is essential - it can effectively unlock any publishing license and therefore any protected document.
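As an added illustration of the three-key workflow on this slide (example code, not from the session or from AIP itself): a fresh document key encrypts the content locally, the tenant public key seals that key together with the use rights into a publishing license, and only the holder of the tenant private key can open it, which is why that key unlocks every protected document. AES-256-GCM, RSA-OAEP and the JSON license layout are assumptions for the example, not AIP’s real formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// PublishingLicense: the document-specific content key plus the use rights, sealed to the tenant public key.
type PublishingLicense struct {
	UseRights  []string `json:"use_rights"`
	ContentKey []byte   `json:"content_key"`
}

// Protect (client side): encrypt the document locally with a fresh AES-256-GCM key, then seal key + rights.
func Protect(pub *rsa.PublicKey, doc []byte, rights []string) (ct, license []byte, err error) {
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(buf[:32])
	gcm, _ := cipher.NewGCM(block)
	ct = gcm.Seal(buf[32:], buf[32:], doc, nil) // ciphertext = nonce || AES-GCM(doc)
	plain, _ := json.Marshal(PublishingLicense{UseRights: rights, ContentKey: buf[:32]})
	license, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	return ct, license, err
}

// Open (service side): only the tenant private key opens the license, and the content key is used only for a granted right.
func Open(priv *rsa.PrivateKey, ct, license []byte, right string) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, license, nil)
	if err != nil {
		return nil, err
	}
	var pl PublishingLicense
	if err := json.Unmarshal(plain, &pl); err != nil {
		return nil, err
	}
	for _, r := range pl.UseRights {
		if r == right {
			block, _ := aes.NewCipher(pl.ContentKey)
			gcm, _ := cipher.NewGCM(block)
			return gcm.Open(nil, ct[:12], ct[12:], nil)
		}
	}
	return nil, fmt.Errorf("use right %q not granted by the publishing license", right)
}
```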

  13. Key options in AIP. There are 3 key options in Azure Information Protection: (1) Microsoft-managed keys; (2) Bring Your Own Key (BYOK); (3) Hold Your Own Key (HYOK).

  14. SKUs and availability. (Slide table mapping the key options to SKUs: AIP P1 / EMS E3, AIP P2 / EMS E5, O365 E3 +.) * requires an Azure subscription and Azure Key Vault additionally.

  15. Microsoft-managed keys

  16. What are Microsoft-managed keys? “When the tenant private key is stored and managed by the Azure Information Protection service (Microsoft), the key type is referred to as Microsoft-managed key.”

  17. Why use Microsoft-managed keys? Simple to manage: • No additional subscriptions or configurations needed. • No planning required for capacity, performance, or scale. Readily available: • It’s available by default with every tenant that uses AIP. • Great for testing AIP, or for customers that are “pure” Office 365. Sufficient: • The security and controls put in place for the keys are adequate for most customers. • Most smaller customers don’t need more than this. Handled by Microsoft.

  18. Bring Your Own Key (BYOK)

  19. What is BYOK? “When you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK.”

  20. Why use BYOK? Better key control: • Show how you have “possession” and “control” over your data via key control. Compliance requirements: • Data residency requirements and/or crypto regulations make Microsoft-managed keys insufficient for the tenant. • For example: verticals like insurance and health can benefit from use of BYOK. Organization policies: • Large organizations already have hardware, software, and processes in place to manage their own keys – typically HSM-based. They would like to extend this to the cloud as well.

  21. BYOK topology. (Diagram: in the Microsoft cloud, SharePoint Online, Exchange Online and Azure Information Protection use the private key held in Azure Key Vault; on-premises are Exchange, SharePoint and on-premises AD. BYOK is seamless!)

  22. Important points to note. • Use a vault that is different from the vault used with the Customer Key. • Pick a vault location close to your tenant geo location – for performance and latency reasons. • Follow the instructions called out in the documentation: https://docs.microsoft.com/en-us/information-protection/plan-design/plan-implement-tenant-key • See also https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2000 – a 1-hour session on how to configure BYOK, with more drilldown into the protection scenarios; understand the implication of each key option on how AIP behaves.

  23. Hold Your Own Key (HYOK)

  24. What is HYOK? “An (isolated) on-premises ADRMS instance is deployed with a different private key to protect secret data. Protection using this ADRMS instance is label-driven. This scenario is often referred to as hold your own key, or HYOK.”

  25. Why use HYOK? Secret content: • Certain categories of data cannot be stored on the public cloud. The sensitive nature of the data means that it needs to be stored and protected on-premises. Compliance requirements: • BYOK doesn’t meet the security and audit requirements for certain types of data. BYOK and HYOK are not mutually exclusive: HYOK-protected data is typically less than 2% of an organization’s protected data. The rest (more than 98%) is “cloud-friendly” – it can be stored and processed by Office 365 and protected by BYOK keys.

  26. The HYOK value proposition and limitations. Each value proposition comes with a limitation by design: • Value: data must be opaque to cloud services, even if the data is physically stored in the cloud. Limitation: no inter-op with O365! No indexing, search, web views or any type of “reasoning over data” features will work. • Value: data remains encrypted at all times, inaccessible even to Microsoft services. Limitation: Exchange Online transport rules and Office 365 DLP cannot decrypt content to inspect it. • Value: external sharing is possible in a tightly controlled manner with known and named partners; the metadata around this sharing and the access logs are not disclosed to anyone (including Microsoft). Limitation: configuration of external sharing (and HYOK by extension) cannot be done through the AIP service and the Azure portal. • Value: companies can prove physical access and possession of the private key.

  27. Data at rest: BitLocker, Service Encryption

  28. BitLocker

  29. What is BitLocker? • Data-at-rest encryption at the disk layer. • Integrates with the operating system. • Prevents data compromise from physical disk theft. • Uses the Trusted Platform Module (TPM) for protection. • Uses AES 256-bit keys.

  30. What is the value proposition of BitLocker? • Data on a lost or stolen disk is not accessible. • Enhances file and system protections. • Renders data on disks that are decommissioned or recycled inaccessible.

  31. Service Encryption

  32. What is Service Encryption? • Application-layer encryption in Office 365 for data at rest. • Provides strong separation between Windows Server administrators and customer data. • Additional protection against physical data theft. • Gives customers the option to use Microsoft-managed or customer-managed keys, and is effective regardless of who manages the encryption keys.

  33. What is Service Encryption with Microsoft-owned keys? • Microsoft-owned root keys. • O365 customer data that is not encrypted with Customer Key will be encrypted with Microsoft-owned keys. • Already in SharePoint Online. • Will begin rolling out to Exchange Online in January. • Root keys stored in Azure Key Vault. • Data Encryption Policies (DEPs) will be created per forest.

  34. What is Service Encryption with Customer Key? • Helps meet compliance and regulatory demands. • Customer-controlled keys. • Enables irrevocable data destruction. • Independently audited. • Data Encryption Policy flexibility in Exchange Online. • Allows for a feature-rich O365 experience while still encrypting data in the service.

  35. Exchange Online Access Flow. (Diagram listing the components on the path: client protocols SMTP, PowerShell, OWA, EAC, Outlook, EAS, IMAP, POP and telephony; the IIS HTTP Proxy with RpcProxy, RPS and the POP/IMAP/SMTP and UM front ends; Transport, UM, OWA, EAS, EWS, ECP, OAB, MAPI and RPC CA; and the mailbox store STORE.EXE with its MDB (ESE).)

  36. Azure Key Vault Customer Key Setup. • Create two new Azure subscriptions with only Azure Key Vaults as resources. • Place the subscriptions on the Mandatory Retention Period list. • Assign distinct administrators to each subscription. • Use HSM-protected keys. • Enable soft delete. • Ensure that the subscriptions and vaults have proper retention settings by checking the recovery level on the keys; it should be set to Recoverable+ProtectedSubscription.
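An added check (not part of the session) that applies the setup rules above to the two vaults behind one Data Encryption Policy, in Go: distinct subscriptions and administrators, soft delete on, HSM-protected keys, and the Recoverable+ProtectedSubscription recovery level. The record fields mirror what `az keyvault show` and `az keyvault key show` report (the RSA-HSM key type is Azure Key Vault’s); the inventory itself is constructed for the example.

```go
package main

import "fmt"

// KeyVaultRecord holds what the checklist asks about, per vault, as you would
// collect it from `az keyvault show` / `az keyvault key show` (constructed here).
type KeyVaultRecord struct {
	Name          string
	Subscription  string
	Admins        []string
	SoftDelete    bool   // enableSoftDelete on the vault
	KeyType       string // kty of the Customer Key, e.g. "RSA-HSM"
	RecoveryLevel string // attributes.recoveryLevel of the key
}

// CheckCustomerKeyVaults applies the setup rules to the two vaults behind one
// Data Encryption Policy and returns every violation found (empty means OK).
func CheckCustomerKeyVaults(a, b KeyVaultRecord) []string {
	var bad []string
	if a.Subscription == b.Subscription {
		bad = append(bad, "both vaults live in the same subscription")
	}
	for _, x := range a.Admins {
		for _, y := range b.Admins {
			if x == y {
				bad = append(bad, "admin "+x+" controls both vaults")
			}
		}
	}
	for _, v := range []KeyVaultRecord{a, b} {
		if !v.SoftDelete {
			bad = append(bad, v.Name+": soft delete is not enabled")
		}
		if v.KeyType != "RSA-HSM" {
			bad = append(bad, fmt.Sprintf("%s: key type %q is not HSM-protected", v.Name, v.KeyType))
		}
		if v.RecoveryLevel != "Recoverable+ProtectedSubscription" {
			bad = append(bad, fmt.Sprintf("%s: recovery level is %q", v.Name, v.RecoveryLevel))
		}
	}
	return bad
}

// SampleVaults is a constructed inventory that satisfies every rule.
func SampleVaults() (KeyVaultRecord, KeyVaultRecord) {
	return KeyVaultRecord{Name: "kv-ck-a", Subscription: "sub-a", Admins: []string{"alice"},
			SoftDelete: true, KeyType: "RSA-HSM", RecoveryLevel: "Recoverable+ProtectedSubscription"},
		KeyVaultRecord{Name: "kv-ck-b", Subscription: "sub-b", Admins: []string{"bob"},
			SoftDelete: true, KeyType: "RSA-HSM", RecoveryLevel: "Recoverable+ProtectedSubscription"}
}
```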

  37. Exchange Setup • Choose compliance groups • EXO/SPO tenant admins separate from AKV admins • O365 tenant admins create Data Encryption Policies (DEPs) • EXO tenant admins assign DEPs to mailboxes

  38. Licensing Requirements • E5 or Advanced Compliance • EXO checked at the mailbox layer

  39. What is the Availability Key? • Value add to customers, as they can recover data from a data-loss scenario. • Allows for high availability. • Controlled by the customer. • Provides defense in depth.

  40. What is the Availability Key used for? Only used if both AKV keys are unavailable, in the following scenarios: • Transient issues. • Emergency restore of service. • System calls (example: move mailbox, content indexing).

  41. Data Purge Path

  42. Data Purge Path explained. • 4 people have to collude to delete data from the service: 2 AKV admins, the O365 tenant admin, and a C-level at the company. • The C-level has to fill out an eDoc and sign it. • The availability key is deleted in this process.

  43. Summary • The Customer Key feature setup, maintenance and purge path are complicated • Best practices should be followed • Customer Key gives the customer the ability to know when their data will no longer be available in the service • Licensing is enforced at the mailbox layer in EXO • E5 or Advanced Compliance Add-On

  44. Questions

  45. Attend Other Compliance Sessions at Ignite

  46. Please evaluate this session. Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website. Download the app: https://aka.ms/ignite.mobileApp Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
