Office 365 Data Security & Compliancy. Jethro Seghers, MVP Office 365, MCITP SharePoint 2010, ITIL v3 Certified


Page 1: Office 365 Data Security & Compliancy

Office 365 Data Security & Compliancy
Jethro Seghers
MVP Office 365, MCITP SharePoint 2010, ITIL v3 Certified

Page 2: Office 365 Data Security & Compliancy

@jseghers – http://www.j-solutions.be/blog

Jethro Seghers: consultant, blogger, trainer
Twitter: @jseghers
E-mail: [email protected]
Blog: http://www.j-solutions.be/blog

Page 3: Office 365 Data Security & Compliancy

J-Solutions.be
• Located in Belgium
• Provides IT business consultancy
• SharePoint 2010 and Online
• Cloud services: Office 365 and Windows Intune
• IT as a service: MOF and ITIL v3

Page 4: Office 365 Data Security & Compliancy

Agenda
• Office 365 terminology
• Infrastructure settings
• Exchange Online
• Lync Online
• SharePoint Online
• Sources of information

Page 5: Office 365 Data Security & Compliancy

Data Security

Page 6: Office 365 Data Security & Compliancy

The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure

Page 7: Office 365 Data Security & Compliancy

Data Compliance

Page 8: Office 365 Data Security & Compliancy

Compliance is either a state of being in accordance with established guidelines, specifications, or legislation or the process of becoming so

Page 9: Office 365 Data Security & Compliancy

"Bringing together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite for businesses of all sizes." (Microsoft's description of Office 365)

Page 10: Office 365 Data Security & Compliancy

Infrastructure

Page 11: Office 365 Data Security & Compliancy

Overview
• Microsoft datacenters and their locations
• Data flow
• Privacy
• Encryption
• Identity protection
• Password policies

Page 12: Office 365 Data Security & Compliancy

Microsoft Datacenters (1)
• Physical security: secure physical access for authorized personnel only; state-of-the-art datacenters
• Hosted applications security: anti-spam; mail encryption
• Security Development Lifecycle: potential threats while running a service; exposed aspects of the service that are open to attack

Page 13: Office 365 Data Security & Compliancy

Microsoft Datacenters (2): secured Office 365 services infrastructure
• Server monitoring via System Center
• Secure remote access via RDS
• Intrusion detection
• Network-level security measures
• Customer access via SSL
• Uptime 99.9 %
• Identity and access management: access control follows the separation of duties principle and grants least privilege

Page 14: Office 365 Data Security & Compliancy

Where is our data stored? Example: EMEA
A primary data center is where the application software and the customer data running on that software are hosted. A backup data center is used for failover purposes.
• Data center Dublin: primary for F.O.P.E.
• Data center The Netherlands: SharePoint Online
• Dublin + The Netherlands, used interchangeably: Exchange Online + Lync Online

Page 15: Office 365 Data Security & Compliancy

What is stored in the US for an EMEA customer:
• Customer information
• Microsoft Online Portal
• Routing of Lync Online communications
• Office 365 authentication

Additionally, Microsoft abides by the Safe Harbor Framework for transfer of data between the European Union and the United States. Note that the Safe Harbor decision was invalidated by the Court of Justice of the EU in October 2015 (Schrems I), and its successor, Privacy Shield, in July 2020 (Schrems II), so this slide no longer describes the legal basis for EU-US transfers and the current data-transfer terms should be checked.

Page 16: Office 365 Data Security & Compliancy

Privacy (1): Microsoft Online Services customer data. Which data category may be used for which purpose:

Purpose                                             | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and troubleshooting the service           | Yes        | Yes                           | Yes                                          | Yes
Security, spam and malware prevention               | Yes        | Yes                           | Yes                                          | Yes
Improving the purchased service, analytics          | Yes        | Yes                           | Yes                                          | No
Personalization, user profile promotions            | No         | Yes                           | No                                           | No
Communications (tips, advice, surveys, promotions)  | No         | Yes                           | No                                           | No

Page 17: Office 365 Data Security & Compliancy

Privacy (2): Microsoft Online Services customer data, continued:

Purpose                                             | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Voluntary disclosure to law enforcement             | No         | No                            | No                                           | No
Advertising                                         | No         | No                            | No                                           | No

Page 18: Office 365 Data Security & Compliancy

Encryption
• HTTPS communication with portal.microsoftonline.com
• HTTPS communication between clients and Exchange Online, for all protocols
• PGP: transportation and storage of Exchange Online messages
• Lync Online: instant messaging, IM federation
• SharePoint Online: HTTPS connection (only for Enterprise plans)

Page 19: Office 365 Data Security & Compliancy

Identity Protection
• Identity stored in Microsoft Online
• Identity federation via SSO
• Granular licenses
• Different administrator roles

Page 20: Office 365 Data Security & Compliancy

Identity architecture: identity options
1. Microsoft Online IDs
2. Microsoft Online IDs + DirSync
3. Federated IDs + DirSync

[Diagram: on the customer premises, Active Directory, the Microsoft Online Directory Sync tool and Active Directory Federation Server 2.0. On the Microsoft Office 365 Services side, the identity platform (IdP directory store), the provisioning platform, the authentication platform (IdP), the Federation Gateway (which holds the trust with ADFS 2.0), the admin portal and the service connector, provisioning Exchange Online, SharePoint Online and Lync Online.]

Page 21: Office 365 Data Security & Compliancy

Identity options comparison

1. MS Online IDs
Appropriate for: smaller organizations without AD on-premise
Pros:
• No servers required on-premise
Cons:
• No SSO
• 2 sets of credentials to manage, with differing password policies
• Users and groups mastered in the cloud

2. MS Online IDs + Dir Sync
Appropriate for: organizations with AD on-premise
Pros:
• Users and groups mastered on-premise
• Enables co-existence scenarios
Cons:
• No SSO
• 2 sets of credentials to manage, with differing password policies
• Single server deployment

3. Federated IDs + Dir Sync
Appropriate for: larger enterprise organizations with AD on-premise
Pros:
• SSO with corporate credentials
• Users and groups mastered on-premise
• Password policy controlled on-premise
• Enables co-existence scenarios
Cons:
• High-availability server deployments required

Page 22: Office 365 Data Security & Compliancy

Password Policy (1)
• Password restriction: 8 characters minimum and 16 characters maximum
• Values allowed: A-Z a-z 0-9 ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ; (no Unicode)
• Cannot contain the username alias (the part before the @ symbol)
• Password expiry duration: set to 90 days and not configurable

Page 23: Office 365 Data Security & Compliancy

Password Policy (2)
• Password expiry: can be enabled/disabled via PowerShell at user level
• Password strength: strong passwords require 3 out of 4 of the following: lowercase characters, uppercase characters, numbers (0-9), symbols (see the password restrictions above)
• Password history: the last password cannot be used again
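The rules on the two password-policy slides can be checked locally before a password reaches the service, which is useful when initial passwords are generated in bulk. The following function is an added example, not code from the deck or from Microsoft; it encodes only the published rules. Two details the slides leave open are treated as assumptions and marked in the code: the alias match is done case-insensitively, and the previous password is compared as plain text purely for illustration (a real history check compares hashes).

```powershell
# Added example (not from the deck): local checker for the Microsoft Online ID
# password rules on slides 22-23. No service calls; runs offline.
function Test-O365Password {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        # UPN of the account; the part before '@' is the alias that must not appear
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Previous password, if known. Assumption for illustration only: compared
        # as plain text; a real implementation compares hashes.
        [string] $LastPassword = ''
    )
    $problems = New-Object System.Collections.Generic.List[string]
    # Symbol set exactly as printed on slide 22 (space is not allowed)
    $allowedSymbols = '!@#$%^&*-_+=[]{}|\:'',.?/`~"<>();'

    # Rule 1: length 8-16
    if ($Password.Length -lt 8 -or $Password.Length -gt 16) {
        $problems.Add("length must be 8-16 characters, got $($Password.Length)")
    }

    # Rule 2: ASCII letters, digits and the listed symbols only; no Unicode.
    # While scanning, record which of the four character classes are present.
    $hasLower = $false; $hasUpper = $false; $hasDigit = $false; $hasSymbol = $false
    foreach ($c in $Password.ToCharArray()) {
        if ([int]$c -gt 127) { $problems.Add("non-ASCII character '$c' is not allowed"); continue }
        if     ($c -cmatch '[a-z]')                { $hasLower  = $true }
        elseif ($c -cmatch '[A-Z]')                { $hasUpper  = $true }
        elseif ($c -cmatch '[0-9]')                { $hasDigit  = $true }
        elseif ($allowedSymbols.IndexOf($c) -ge 0) { $hasSymbol = $true }
        else   { $problems.Add("character '$c' is not in the allowed set") }
    }

    # Rule 3 (slide 23): a strong password uses at least 3 of the 4 classes
    $classes = 0
    foreach ($present in $hasLower, $hasUpper, $hasDigit, $hasSymbol) {
        if ($present) { $classes++ }
    }
    if ($classes -lt 3) { $problems.Add("only $classes of 4 character classes used, need 3") }

    # Rule 4: must not contain the alias (part before '@').
    # Assumption: the service compares case-insensitively.
    $alias = $UserPrincipalName.Split('@')[0]
    if ($alias -and $Password.IndexOf($alias, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $problems.Add("contains the username alias '$alias'")
    }

    # Rule 5 (slide 23): the last password cannot be reused
    if ($LastPassword -and ($Password -ceq $LastPassword)) {
        $problems.Add('matches the previous password')
    }

    [pscustomobject]@{
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Constructed sample inputs (placeholder tenant and user, not real accounts)
$upn = 'alice@contoso.onmicrosoft.com'
Test-O365Password -Password 'Summer2011!' -UserPrincipalName $upn
Test-O365Password -Password 'alice1234'   -UserPrincipalName $upn                        # alias + weak
Test-O365Password -Password ('P' + [char]0x00E4 + 'ssw0rd!') -UserPrincipalName $upn     # non-ASCII
Test-O365Password -Password 'Winter2011!' -UserPrincipalName $upn -LastPassword 'Winter2011!'
```

The function returns one object per call with a Compliant flag and the list of rule violations, so it can be piped over a CSV of accounts during provisioning and the failures reviewed before anything is submitted to the service.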

Page 24: Office 365 Data Security & Compliancy

Password Policy (3): account lockout
After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon. Note that this is a throttle rather than a lockout: the account stays usable and guessing can continue at human speed once each CAPTCHA is solved, so the quality of the password itself (within the 16-character ceiling above) carries more weight than it would with a hard lockout.
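The identity-option and password-policy slides above describe settings that the administrator can read back from the tenant. The following block is an added example, not part of the deck, and uses the MSOnline module of that era (Connect-MsolService first; the module has since been deprecated in favour of Microsoft Graph PowerShell, but the cmdlets and properties used here are its documented ones). It reports which of the three identity options from slide 21 a tenant actually runs, lists the accounts whose 90-day expiry has been switched off per user as slide 23 allows, and wraps the per-user toggle. The user principal name in the usage lines is a placeholder.

```powershell
# Added example (not from the deck). Requires the MSOnline module and an
# existing Connect-MsolService session; nothing here runs at definition time.

function Get-O365IdentityReport {
    # Slide 21's options map onto two tenant facts:
    #   Get-MsolDomain Authentication = Managed   -> Microsoft Online IDs (option 1 or 2)
    #   Get-MsolDomain Authentication = Federated -> Federated IDs via ADFS 2.0 (option 3)
    #   DirectorySynchronizationEnabled           -> separates option 1 from option 2
    $domains = Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' } |
        Select-Object Name, Authentication
    $company = Get-MsolCompanyInformation
    [pscustomobject]@{
        DirectorySyncEnabled = $company.DirectorySynchronizationEnabled
        LastDirSyncTime      = $company.LastDirSyncTime
        Domains              = $domains
    }
}

function Get-O365PasswordExpiryExceptions {
    # Slide 22: the 90-day expiry duration is fixed. Slide 23: expiry can still be
    # disabled per user. This lists every such exception so the list is reviewed
    # deliberately rather than accumulating silently (service accounts are the usual
    # reason; the last change date shows how stale each password is).
    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp, IsLicensed
}

function Set-O365PasswordExpiry {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # $true re-enables the 90-day expiry, $false switches it off for this user
        [Parameter(Mandatory)] [bool]   $Expires
    )
    # The service property is the inverse of "expiry enabled"
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires (-not $Expires)
}

# Usage, after Connect-MsolService (placeholder UPN):
#   Get-O365IdentityReport
#   Get-O365PasswordExpiryExceptions | Format-Table -AutoSize
#   Set-O365PasswordExpiry -UserPrincipalName 'svc-backup@contoso.onmicrosoft.com' -Expires $false
```

Because a federated domain hands authentication to on-premise ADFS, the password rules on slides 22-24 apply only to accounts in Managed domains; the first report tells you which accounts that is.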

Page 25: Office 365 Data Security & Compliancy

Is this Independently Verified?

Page 26: Office 365 Data Security & Compliancy

MS Online Certification and Compliance Finder. Certified for:
• ISO 27001
• EU Safe Harbor
• HIPAA Business Associate Agreement
• Data Processing Agreement
• FISMA

Page 27: Office 365 Data Security & Compliancy

Exchange Online

Page 28: Office 365 Data Security & Compliancy

Exchange Online (1)
• Archiving: 100 GB for E subscriptions, 25 GB for P subscriptions
• Moderation: security/distribution groups
• Item-level recovery: 14 days
• Transport rules
• Retention policies (Managed Folder Assistant)
• Deleted mailbox recovery: within 30 days

Page 29: Office 365 Data Security & Compliancy

Exchange Online (2)
• Journaling
• F.O.P.E. (Forefront Online Protection for Exchange)
• Auditing: logging of every change on a mailbox
• Retention hold: only via PowerShell; disables retention policies on the mailbox
• Litigation hold: only via PowerShell
• Mobile device
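Slides 28 and 29 list retention hold, litigation hold, mailbox auditing and journaling without showing the PowerShell the slide says they require. The following is an added example, not the deck's demo and not Microsoft's documentation: it uses the Exchange Online remote PowerShell cmdlets and parameters of that generation (Set-Mailbox, Get-Mailbox, Search-MailboxAuditLog, New-JournalRule). The mailbox and the journaling address are placeholders, and the connection lines are shown as comments because the 2011 Basic-authentication endpoint has since been retired.

```powershell
# Added example (not from the deck): the "only via PowerShell" controls from
# slides 28-29. Placeholders: the mailbox and the journaling address.
#
# Connecting, the 2011 way (Basic auth over HTTPS; this endpoint is retired):
#   $s = New-PSSession -ConfigurationName Microsoft.Exchange `
#          -ConnectionUri https://ps.outlook.com/powershell/ `
#          -Credential (Get-Credential) -Authentication Basic -AllowRedirection
#   Import-PSSession $s
# Current tenants use the ExchangeOnlineManagement module: Connect-ExchangeOnline

$mailbox = 'alice@contoso.onmicrosoft.com'   # placeholder

# Litigation hold: keeps every item, including ones the user later deletes or
# edits, until the hold is removed. Slide 28's 14-day item-level recovery window
# is not a substitute once a legal matter exists.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true

# Retention hold: the Managed Folder Assistant stops applying retention policies
# to this mailbox (slide 29's caveat). Recording the start date makes the
# exception visible for review; nothing expires while the hold is on.
Set-Mailbox -Identity $mailbox -RetentionHoldEnabled $true `
    -StartDateForRetentionHold (Get-Date)

# Mailbox audit logging ("logging of every change on a mailbox"): record what
# admins, delegates and the owner do. Owner logging is limited to HardDelete to
# keep noise down; widen it for high-value mailboxes.
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
    -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf `
    -AuditOwner    HardDelete

# Verify that all three settings took effect
Get-Mailbox -Identity $mailbox |
    Format-List LitigationHoldEnabled, RetentionHoldEnabled, AuditEnabled, AuditLogAgeLimit

# Review the last 30 days of non-owner access (delegate and admin logons)
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, FolderPathName, ItemSubject

# Journaling: copy every internal and external message to an external journaling
# address (Exchange Online does not accept one of its own mailboxes as the target)
New-JournalRule -Name 'Journal all mail' -Scope Global -Enabled $true `
    -JournalEmailAddress 'journal@archive.example'
```

On current tenants mailbox auditing is enabled by default and Search-MailboxAuditLog has been retired in favour of Search-UnifiedAuditLog; the Set-Mailbox hold parameters are unchanged. Whichever generation you run, the point of slide 29 stands: a retention hold switches policy processing off for that mailbox, so keep a list of held mailboxes and review it.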

Page 30: Office 365 Data Security & Compliancy

DEMO

Page 31: Office 365 Data Security & Compliancy

Lync Online

Page 32: Office 365 Data Security & Compliancy

Lync Online: privacy settings, external communications, user-defined settings
• Sending files via IM
• Make audio and video calls
• Record calls and conferences
• Federation with Lync users in other organizations
• Federation with users of public IM service providers
• Dial-in conferencing
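The two federation settings on this slide decide who outside the tenant can reach your users over IM and presence. When the deck was written they were set only in the Lync Online admin portal; the block below is an added example (not the deck's demo) that sets the same controls with the later Skype for Business Online / Microsoft Teams PowerShell cmdlets (MicrosoftTeams module, Connect-MicrosoftTeams first). The partner domains are placeholders.

```powershell
# Added example (not from the deck): the external-communications settings of
# this slide, via the later *-CsTenantFederationConfiguration and
# *-CsExternalAccessPolicy cmdlets. Requires Connect-MicrosoftTeams.
# Partner domains below are placeholders.

function Get-ExternalCommsPosture {
    # Read back the tenant-wide switches before changing anything
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains
}

# Federation with Lync users in other organizations: allow-list only the partner
# domains you have agreed with, rather than open federation with every domain.
$partners  = 'fabrikam.com', 'tailspintoys.com' |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partners
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Federation with users of public IM service providers: off unless there is a
# documented business reason, since those identities are not ones you vet.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false

# The global external access policy is what users inherit by default; keep it
# consistent with the tenant-level switches so a per-user policy is the only
# way to widen access.
Set-CsExternalAccessPolicy -Identity Global -EnableFederationAccess $true -EnablePublicCloudAccess $false

Get-ExternalCommsPosture
```

The allow-list and the public-IM switch are independent: a tenant can federate with named partner domains while still refusing public providers, which is the posture most organizations want for the file-transfer and call features listed on the slide.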

Page 33: Office 365 Data Security & Compliancy

DEMO

Page 34: Office 365 Data Security & Compliancy

SharePoint Online

Page 35: Office 365 Data Security & Compliancy

SharePoint Online (1)
• Information management policy: records
• Use of term store and required fields: content types
• Drop-off library
• Audit
• Blocked file types
• Security
• Versioning
• Recycle bin
• Backup: 14 days

Page 36: Office 365 Data Security & Compliancy

SharePoint Online (2): governance defines your security and compliancy
It is very hard to maintain and to make mandatory, and some functionality that is available on-premise is missing online.

Page 37: Office 365 Data Security & Compliancy

DEMO

Page 38: Office 365 Data Security & Compliancy

3rd-party tools
Backup of SharePoint Online:
• Metavis
• AvePoint: DocAve Online
Compliance tools:
• Axceler: ControlPoint
• AvePoint: DocAve Online

Page 39: Office 365 Data Security & Compliancy

Sources of information
• Office 365 Trust Center: http://www.microsoft.com/en-us/office365/trust-center.aspx
• Service Description
• Office 365 Password Policy
• Security White Paper
• Data Boundaries

Page 40: Office 365 Data Security & Compliancy

Questions