Microsoft Office 365
Security Requirements for Offshore
Hosted Office Productivity Services:
conformance guide for Office 365.
Published 1/07/2017
Microsoft New Zealand Limited
22 Viaduct Harbour Avenue, Auckland
Table of Contents
Introduction (page 1)
  How to use this document (page 1)
  Fit with the GCIO Cloud Risk and Assurance Framework (page 1)
  Disclaimer (page 2)
  Acknowledgement (page 2)
Summary (page 3)
  Microsoft Office 365 Solution Map (page 4)
Microsoft Guidance on GCIO Security Requirements (page 6)
  1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services (page 6)
  2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging (page 9)
  3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively (page 10)
  4. Agencies must have control over the interaction between public cloud services and end user devices (page 11)
  5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities (page 15)
  6. Agencies must ensure that information and data is encrypted in transit and at rest (page 16)
  7. Agencies must have sole control over the associated cryptographic keys (page 18)
  8. Agencies must ensure that multi-factor authentication is used to control access to the service (page 23)
  9. Agencies must identify where data stored by a service is replicated or backed-up (page 24)
  10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore hosted office productivity services (page 26)
  11. Agencies must have decommissioning processes as outlined in the NZISM (page 27)
  12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM (page 28)
  13. Agencies must ensure that there are appropriate security controls over physical access to datacentres (page 29)
  14. Agencies must have assurance that appropriate patching and software maintenance is undertaken (page 30)
  15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms (page 31)
Office 365 Subscription Plans mapped to Security Technologies (page 33)
Appendix: Office 365 encryption capabilities (page 34)
Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide.
Page 1 of 37
Microsoft New Zealand
July 2017
Introduction
In January 2017, the New Zealand Government Chief Information Officer (GCIO) published Security Requirements for
Offshore Hosted Office Productivity Services Explained (the “GCIO Security Requirements”), a guidance document that
sets out the security requirements New Zealand government agencies must conform to when using offshore hosted
office productivity services. The guidance was developed as part of the GCIO’s work on accelerating public sector
adoption of cloud services, as directed by Cabinet in July 2016 [CAB Min (16) 03/16 refers].
This document provides Microsoft’s response to the GCIO Security Requirements. It is designed to assist agencies to
conform [1] to these security control requirements when using Microsoft Office 365.
How to use this document
This document provides agencies with information intended to assist them in determining how to conform with each
of the 15 items in the GCIO Security Requirements document when using Office 365. Where appropriate, it also
identifies additional risks or considerations, and provides advice related to each requirement.
Agencies should note that they are expected to conform to, not comply with, the GCIO Security Requirements.
Accordingly, this document has not been developed as a compliance guide; it does not provide a simple check list of
steps that agencies should take. Rather, for each of the 15 security requirements, it indicates how an agency can either
meet the “baseline” control requirement set out by the GCIO or, where this is not feasible, how to identify
compensating controls that enable conformance.
For each requirement, the document sets out:
• A summary of the GCIO security control requirement.
• Key aspects of conforming to this requirement.
• Guidance on how Microsoft can help agencies conform to the requirement.
• Other information Microsoft feels agencies should consider in relation to the requirement.
• Sources of additional information.
Readers should note that some of the answers assume that the organisation making use of this document is an
“Eligible Agency” under the terms of the Microsoft G2015 all-of-government agreement that is in place with the New
Zealand Department of Internal Affairs.
Fit with the GCIO Cloud Risk and Assurance Framework
The GCIO Security requirements neither stand alone, nor represent the only things that agencies must consider when
adopting Office 365. Rather, as shown in figure 1 below, they fit into the wider GCIO Cloud Risk and Assurance
Framework that agencies should follow when procuring any cloud service.
[1] Note: Paragraph 13 of the GCIO Security requirements document states: “New Zealand government agencies may use offshore hosted office productivity services provided they conform to the security requirements from the Cabinet Minute, and other relevant NZISM controls, as detailed in this guidance.”
Figure 1 – Fit with GCIO Cloud Risk and Assurance Framework

Undertake initial risk assessment
• Follow GCIO Cloud Risk Assessment Process.
• Complete GCIO Cloud Risk Assessment Tool, using content from Microsoft New Zealand’s "GCIO 105" question responses for O365.
• Obtain O365 risk assessment and security certification audit reports from GCIO.
• Use other GCIO risk assessment approaches and tools as appropriate.

Conform to "GCIO Security Requirements"
• Use guidance in this document.

Complete agency certification and accreditation
• Follow C&A requirements set out in NZISM.
• Complete GCIO Cloud Endorsement by Agency template.

Inform GCIO
• Provide completed Cloud Risk Assessment Tool and Cloud Endorsement by Agency to GCIO.
• Note: GCIO does not act as approver but can request agency to review if not deemed adequate.
Disclaimer
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed, and the current state of both O365 and other Microsoft products and services, as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of
publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Acknowledgement
Microsoft acknowledges the assistance of Axenic Ltd. in the preparation of this document.
Summary
New Zealand government agencies can use Microsoft Office 365 and conform to all but one of the ‘baseline’ security
requirements in the GCIO guidance document (see “Important Note” below), primarily by using the native security
controls available in Office 365.
While agencies remain accountable for ensuring that their security obligations are met, Microsoft provides its Office
365 customers with a comprehensive security ‘toolkit’ to meet these needs. This toolkit consists of five main areas:
Figure 2 - Microsoft Office 365 Security Toolkit
1. Guidance or supporting documentation - Microsoft provides agencies guidance or supporting technical
documentation that they can use to complete a process or activity (e.g. integrate with on-premises
infrastructure);
2. Security features that agencies can integrate - Office 365 can provide a feature (e.g. Office 365 auditing) that
agencies can integrate with their related processes and systems (e.g. security incident response and
management);
3. Ancillary Microsoft security capabilities – alongside capabilities within Office 365, Microsoft can provide
ancillary capabilities or features that agencies can configure or enable (e.g. Azure Information Protection,
Multi-factor Authentication, Mobile Device Management);
4. Service assurance documents - Microsoft provides service assurance artefacts (e.g. content in the Microsoft
Trust Centre) that agencies can review as part of their assurance processes; or
5. Built-in security features - Office 365 provides a capability or feature (e.g. Encryption of Data at Rest) that
agencies can leverage.
Microsoft is confident that agencies, combining good agency security practice with the capabilities Microsoft provides to
assist them, can meet their obligations to protect the security and privacy of their information within Office 365. For
example, Office 365 Secure Score is a security analytics service that helps organisations better
understand and improve their security posture and reduce their risk when using Office 365. Secure Score can help
agencies balance their security and productivity needs with guidance to help them enable the right mix of the 71
available security features, and to model what their score would look like after adopting some of these features.
Agencies can also compare their score with other organisations and see how their score has been trending over time.
NOTE: Secure Score displays information from various sources like AAD, but Secure Score does not store any of this
personal information inside the service.
Important Note:
The exception to Microsoft’s ability to enable agencies to conform to the ‘baseline’ security controls in the GCIO
Security Requirements document is requirement 7 that states “Agencies must have sole control over the associated
cryptographic keys”. While Microsoft’s Azure Information Protection with Hold Your Own Key (HYOK) capability
may be utilised for conforming to the baseline requirement, Microsoft believes that doing so is not advisable in most
circumstances.
Counter to the goal of reducing agency risk, if used incorrectly the deployment of any Hold Your Own Key (HYOK)
cryptographic capability, whether provided by Microsoft or any other party, can significantly INCREASE an agency’s risk
profile by introducing the possibility of PERMANENT loss of access to agency data hosted in the cloud. If an agency
wishes to deploy this capability, in-depth discussion with Microsoft is strongly advised.
Microsoft Office 365 Solution Map
The table below summarises this document by listing the Security Control Requirements for Offshore Hosted Office
Productivity Services, and mapping these to relevant elements of the “Microsoft Office 365 Security Toolkit” that
provide capabilities, products and/or services that can help an agency meet the requirement.
ID | GCIO Security Control Requirement | Office 365 Security Toolkit feature (1. Guidance; 2. Security Feature; 3. Ancillary capability; 4. Service Assurance; 5. Built-in security) | Detailed Guidance

Strategy and Architecture
1 | Information, data, or materials classified at CONFIDENTIAL and above MUST NOT be stored or processed in off-shore hosted office productivity services. | ✓ ✓ | Refer to page 6
2 | Agencies MUST have process controls relating to intrusion detection, prevention, investigations, and enterprise logging in operation. | ✓ ✓ ✓ | Refer to page 9
3 | Agencies MUST architect their ICT Networks to ensure that cloud services can be used safely and effectively. | ✓ ✓ | Refer to page 10
4 | Agencies MUST have control over the interaction between public cloud services and end user devices. | ✓ ✓ ✓ ✓ | Refer to page 11
5 | Agencies MUST ensure compatibility with existing government security technology services in use, such as SEEMail and cyber defence capabilities. | ✓ ✓ | Refer to page 15

Cryptography
6 | Agencies MUST ensure that data is encrypted in transit and at rest. | ✓ ✓ | Refer to page 16
7 | Agencies MUST have sole control over the associated cryptographic key. | Not recommended in most instances | Refer to page 18

Access Control
8 | Agencies MUST ensure that multi-factor authentication is used to control access to the service. | ✓ ✓ | Refer to page 23

Backup and Recovery
9 | Agencies MUST identify where data stored by a service is replicated and/or backed-up. | ✓ | Refer to page 24
10 | Agency MUST revise their agency disaster-recovery plans to cater for cloud-based services. | ✓ ✓ ✓ | Refer to page 26

System Decommissioning
11 | Agencies MUST have decommissioning processes as outlined in the NZISM. | ✓ ✓ | Refer to page 27

3rd party (Independent) Assurance
12 | Agencies MUST have assurance checks on cloud service providers in accordance with the NZISM. | ✓ ✓ | Refer to page 28
13 | Agencies MUST ensure that there are appropriate security controls over physical access to data centres. | ✓ | Refer to page 29
14 | Agencies MUST have assurance that appropriate patching and maintenance of software is undertaken. | ✓ ✓ | Refer to page 30
15 | Agencies MUST ensure there are technical protections to prevent data-mingling on shared storage platforms. | ✓ ✓ | Refer to page 31
Microsoft Guidance on GCIO Security Requirements
1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in
off-shore hosted office productivity services
What is this security control?
Agencies can use Microsoft Office 365 to store or process information, data and materials that are classified at
RESTRICTED or below. This means that information that has been classified at CONFIDENTIAL, SECRET or TOP SECRET
cannot be stored in either Office 365 or any other cloud service (either on- or offshore). However, official information
that does not meet the threshold for a security classification (i.e. information that is referred to as ‘UNCLASSIFIED’) and
information that has been classified at IN-CONFIDENCE, SENSITIVE and/or RESTRICTED can be stored in Office 365.
Readers should note that, on average, respondents to a recent GCIO survey on agency adoption of cloud services
indicated that they have very little (less than 1%) information classified above RESTRICTED. Respondents with
information above RESTRICTED were primarily from the national security and justice sectors.
Figure 3 - New Zealand Security Classification System mapped to Office 365
Security Classification | Office 365
UNCLASSIFIED | May be stored in Office 365
IN-CONFIDENCE | May be stored in Office 365
SENSITIVE | May be stored in Office 365
RESTRICTED | May be stored in Office 365
CONFIDENTIAL | Must not be stored in Office 365
SECRET | Must not be stored in Office 365
TOP SECRET | Must not be stored in Office 365
Key aspects of conforming to this requirement
Agencies must ensure that all information, data and materials are assessed, classified and protectively marked
(labelled) and handled in accordance with the New Zealand Government Security Classification System. A protective
marking indicates the required level of protection to all users of any official information and gives assurances that
information of broadly equivalent worth or value is given an appropriate and consistent level of protection throughout
the New Zealand government. Agencies should have a defined process for achieving this, and agency staff should be
made aware of the data handling process and their obligation to apply it, and provided with sufficient training on how
to apply it correctly.
To conform with this security requirement, agencies must ensure that they do not store any information, data and
materials classified at or above CONFIDENTIAL in Microsoft Office 365 or its ancillary cloud services (e.g. Azure Active
Directory).
How can Microsoft help agencies meet this requirement?
Agencies are responsible for assessing and classifying their own information, data, and materials.
Data Loss Prevention (DLP) in Office 365 allows organisations to protect sensitive content in both email and
documents spread across Exchange Online, SharePoint Online and OneDrive for Business.
Examples of sensitive information that you might want to prevent from being improperly disclosed outside your
organisation include financial data or personally identifiable information (PII) such as credit card numbers, health
records, or other sensitive data which you tell the system to protect. With a DLP policy, you can:
• Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and
OneDrive for Business. For example, you can identify any document containing a credit card number that’s
stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.
• Prevent the accidental sharing of sensitive information. For example, you can identify any document or
email containing a health record that’s shared with people outside your organisation, and then automatically
block access to that document or block the email from being sent.
• Monitor and protect sensitive information in the desktop versions of Outlook 2016, Excel 2016,
PowerPoint 2016, and Word 2016. Just like in Exchange Online, SharePoint Online, and OneDrive for
Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information
and apply DLP policies. DLP provides continuous monitoring when people share content in these Office 2016
programs.
• Help users learn how to stay compliant without interrupting their workflow. You can educate your users
about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to
share a document containing sensitive information, a DLP policy can both send them an email notification and
show them a policy tip in the context of the document library that allows them to override the policy if they
have a business justification. The same policy tips also appear in Outlook on the web, Office mobile apps,
Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.
• View DLP reports showing content that matches your organisation’s DLP policies. To assess how your
organisation is complying with a DLP policy, you can see how many matches each policy and rule has over
time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what
users have reported.
You create and manage DLP policies through the Office 365 Security & Compliance Centre.
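The behaviours listed above (identify sensitive content, block accidental external sharing, show a policy tip that a user can override with a business justification, and record matches for DLP reports) can be illustrated with a small rule evaluator. The following is an added example and not Microsoft code or the Office 365 DLP engine; the agency domain, the sample items, and the single "credit card shared externally" rule are constructed for the illustration.

```python
"""Toy DLP policy evaluator: detect credit card numbers, block external
sharing, surface a policy tip, and allow a justified override that is
recorded for the DLP report.  Added example, not Microsoft's DLP engine.
AGENCY_DOMAIN, the sample items and the rule are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AGENCY_DOMAIN = "agency.govt.nz"  # assumption: the agency's own mail domain

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to cut false positives on 'credit card number'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> List[str]:
    """Return the normalised (digits-only) card numbers found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Item:
    """A document or email about to be shared."""
    name: str
    text: str
    shared_with: List[str] = field(default_factory=list)  # recipient addresses
    justification: Optional[str] = None  # business justification for an override


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + AGENCY_DOMAIN)


def evaluate(item: Item) -> Dict[str, object]:
    """Apply the rule 'credit card number shared externally' to one item.

    action is one of: allow, block, allow-overridden.  report collects what
    an administrator would later see in the DLP report (matches, overrides)."""
    matches = find_credit_cards(item.text)
    result = {"item": item.name, "matches": len(matches), "action": "allow",
              "tip": None, "report": []}
    if not matches:
        return result
    result["report"].append(f"{len(matches)} credit card number(s) detected")
    external = [r for r in item.shared_with if is_external(r)]
    if not external:
        # Sensitive content but no external recipient: educate, do not block.
        result["tip"] = "This item contains credit card numbers; handle as SENSITIVE."
        return result
    if item.justification:
        result["action"] = "allow-overridden"
        result["tip"] = "Policy overridden; the override is recorded for review."
        result["report"].append(f"override on {item.name}: {item.justification}")
    else:
        result["action"] = "block"
        result["tip"] = ("Sharing blocked: credit card numbers cannot be shared with "
                         + ", ".join(external)
                         + ". Enter a business justification to override.")
    return result


if __name__ == "__main__":
    # Constructed sample items.
    for it in (Item("claim.docx", "Refund to card 4111 1111 1111 1111", ["vendor@example.com"]),
               Item("claim.docx", "Refund to card 4111 1111 1111 1111", ["vendor@example.com"],
                    justification="Contracted payment processor, approved by finance"),
               Item("notes.txt", "Reference 1234 5678 9012 3456", ["bob@agency.govt.nz"])):
        print(evaluate(it))
```

The override path is the point worth noticing: an override never silences the rule, it changes the action and adds a report entry, which is what lets an administrator later review false-positive reports and justified exceptions rather than lose them.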
With Azure Information Protection (AIP), classification of data can occur at the time of creation or modification, either
automatically or manually, based on source, context and content. Once data has been classified, a persistent label is
embedded in the data and actions such as visual marking and encryption can be taken based on the classification and
label.
AIP, which uses Azure Rights Management (Azure RMS) as the protection engine, can be used to allow agency staff to
easily apply a label and associated protection policies (use rights and encryption) to documents and emails. AIP
supports whitelisting of domains so that agencies can share information with the appropriate level of data security
without adding the overhead of managing access to the data.
In Microsoft’s view, all content should be classified and labelled, and agencies should develop a view on when it is
appropriate to apply AIP protection policies and encryption to mitigate risk. For most agencies, this will be for
information classified as SENSITIVE or RESTRICTED, and on an as-required basis for lower classifications.
What else should agencies consider?
Agencies intending to use AIP should carefully plan to define and meet appropriate information classification needs,
and define relevant protection policies, rules, and classification labels BEFORE enforcing data protection. Agencies also
need to ensure that they educate their staff on what information should be classified to what level, and how to label
documents and emails using AIP, even if automatic classification is applied.
It is important to balance flexibility with simplicity when constructing your classification and protection options – aim
to give your people easy, good choices. Too many choices will be counterproductive. Microsoft recommends starting
with 3-5 top level labels across an agency and then scoping any additional labels to targeted users as needed.
Without proper planning and support, agency staff may be reluctant to apply data protection policies. This could result
in incorrectly classified data, leading to its possible disclosure, or rendering it inaccessible for legitimate use. Microsoft
can provide guidance to agencies as they undertake this work.
Where can agencies go for more information?
Additional Information on | URL
New Zealand Government Security Classification System | https://www.protectivesecurity.govt.nz/home/information-security-management-protocol/new-zealand-government-security-classification-system/
Azure Information Protection technical documentation | https://docs.microsoft.com/en-us/information-protection/
Azure RMS Security Evaluation | https://aka.ms/rmssec
EMS Solution - Secure data using classification, labelling, and protection | https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/infoprotect-secure-classify-scenario
Microsoft France information protection whitepaper series | https://sway.com/yXywe-nYIf9EFpiI
https://www.microsoft.com/en-us/download/details.aspx?id=44565
Figure – Azure Information Protection lifecycle: Classify, Label, Protect, Share

Classify
• Manually select an appropriate classification
• Auto-suggest (or enforce) classification based on content scan

Label
• Apply in-document labelling
• Tag the file or email with metadata

Protect
• Restrict the ability to copy, print and screen capture content
• Encrypt using Microsoft key, customer-managed or customer-held key
• Limit access to just your organisation, or specific people or groups within your organisation

Share
• Share encrypted content securely with external individuals and organisations
• Auto-expire content
• Monitor who is accessing your protected files and where they are located
• Revoke access to your protected files
2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and
enterprise logging.
What is this security control?
Agencies must be able to detect, prevent, and respond to information security incidents related to their use of Office
365, and ensure that Office 365 provides an adequate level of logging and reporting so that incidents can be
investigated.
Key aspects of conforming to this requirement
Agencies are responsible for having an information security incident management process so that they can recognise,
respond to and manage information security incidents when using Office 365 (as well as any existing on-premises
infrastructure and cloud services). While Microsoft will detect, prevent, and investigate security incidents in Office 365,
agencies need to define what audit events they want to monitor and be alerted on, and configure their Office 365
instance to report on these events (through Power BI dashboards, Management Activity APIs, Advanced Security
Management, etc.). In addition, agencies need to integrate their incident management processes with Microsoft’s to
ensure that security incidents can be effectively managed throughout their lifecycle.
How can Microsoft help agencies meet this requirement?
Microsoft’s security incident response management processes include technical mechanisms, organisational policies,
and operational procedures to prevent, monitor, detect, and respond to security incidents in Office 365. Microsoft
security teams operate 24 x 7 x 365 security incident monitoring and response services, and are continually looking for
indicators of compromise, including by using continual Red Teaming as part of Microsoft’s ‘assume breach’ strategy.
Agencies can communicate security incidents to the Microsoft Security Response Center (MSRC) and be notified of any
security incidents by their Technical Account Manager (TAM).
Office 365 produces audit and event logs recording user and administrator activities, exceptions, faults, and security
events. Office 365 has several audit and reporting features that enable agencies to track user and administrative
activity within their Office 365 tenant, including changes made to configuration settings, and changes made to
documents or other items. Some of the auditing and reporting features include:
• Content Search and eDiscovery.
• Unified Audit Log Search.
• Office 365 Management Activity API.
• Office 365 Activity Usage Reports Dashboard.
• Advanced Security Management.
• Customer Lockbox.
Agencies can use their on-premises Security Information and Event Management (SIEM) solution - many of which already
ship connectors for Office 365 - with the Office 365 Management Activity API to get the same report information as is
provided in the Office 365 Security and Compliance Center, but with SIEM integration. They can manage the on-premises
report, and keep this information on premises indefinitely.
Agencies’ Office 365 administrators can use Customer Lockbox to control how a Microsoft support engineer accesses
agency data during a support case. In the rare scenarios where the engineer requires access to that data to troubleshoot
and fix an issue, Customer Lockbox allows the administrator to approve or reject the access request. If approved, the
engineer can access the data. Each request has an expiration time, and once the issue is resolved, the request is closed
and access is revoked.
What else should agencies consider?
To use the Office 365 audit and reporting features, agencies need to enable audit logging to record user and
administrator activity. This feature is not enabled by default.
Agencies are responsible for ensuring that they have intrusion detection and prevention measures, and audit and
event logging capabilities in place, for the components they are responsible for managing (e.g. end-user computing
devices, Active Directory servers).
In addition to the events and log data that is available to customers, there is an internal Microsoft log data collection
service called Cosmos that is used by Office 365 engineers. Office 365 service teams upload audit logs into Cosmos
for aggregation and correlation, alerting, and reporting to correct vulnerabilities and improve the performance of
Office 365. To ensure the protection of customer data that may be present in the logs, an automated tool obfuscates
any fields that contain customer data, such as tenant information and end-user identifiable information, and replaces
these fields with a hashed (encrypted) value.
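Two of the points above lend themselves to a worked example: pulling Management Activity API records into an agency SIEM and running detection rules over them, and (as Microsoft describes for its internal Cosmos pipeline) obfuscating customer-identifying fields with a hash before long-term retention. The following is an added example written for this guide and is not Microsoft code; the audit records are constructed (their field names follow the API's Common and SharePoint sharing schemas), and AGENCY_DOMAIN, RETENTION_KEY and the two rules are assumptions.

```python
"""Added example (not Microsoft code): agency-side handling of Office 365
Management Activity API audit records before they reach a SIEM.  Runs
detection rules over the raw records, then replaces identity fields with a
keyed hash in the copy kept for indefinite on-premises retention.
The records are constructed; AGENCY_DOMAIN, RETENTION_KEY and the rules
are assumptions."""
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

AGENCY_DOMAIN = "agency.govt.nz"                            # assumption
RETENTION_KEY = b"replace-with-key-held-outside-the-siem"   # assumption
IDENTITY_FIELDS = ("UserId", "ClientIP", "ObjectId", "TargetUserOrGroupName")

# Constructed content blob, shaped like one returned by the API's content URIs.
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2017-07-01T02:15:04", "Id": "c1", "Operation": "FileAccessed",
     "RecordType": 6, "Workload": "SharePoint", "UserId": "alice@agency.govt.nz",
     "ClientIP": "203.0.113.10",
     "ObjectId": "https://agency.sharepoint.com/sites/hr/doc1.docx"},
    {"CreationTime": "2017-07-01T02:16:40", "Id": "c2", "Operation": "SharingInvitationCreated",
     "RecordType": 14, "Workload": "SharePoint", "UserId": "alice@agency.govt.nz",
     "ClientIP": "203.0.113.10",
     "ObjectId": "https://agency.sharepoint.com/sites/hr/payroll.xlsx",
     "TargetUserOrGroupName": "someone@example.com"},
    {"CreationTime": "2017-07-01T03:02:11", "Id": "c3", "Operation": "Set-AdminAuditLogConfig",
     "RecordType": 1, "Workload": "Exchange", "UserId": "admin@agency.govt.nz",
     "ClientIP": "198.51.100.7", "ObjectId": "agency.onmicrosoft.com",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
])

Record = Dict[str, object]


def rule_external_share(rec: Record) -> Optional[str]:
    """Sharing invitation sent to an address outside the agency domain."""
    if rec.get("Operation") != "SharingInvitationCreated":
        return None
    target = str(rec.get("TargetUserOrGroupName", ""))
    if target and not target.lower().endswith("@" + AGENCY_DOMAIN):
        return f"{rec['UserId']} shared {rec['ObjectId']} with external {target}"
    return None


def rule_audit_config_change(rec: Record) -> Optional[str]:
    """Change to the audit configuration itself (a high-value admin event)."""
    if rec.get("Workload") == "Exchange" and rec.get("Operation") == "Set-AdminAuditLogConfig":
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        return f"{rec['UserId']} changed audit logging configuration: {params}"
    return None


RULES: List[Callable[[Record], Optional[str]]] = [rule_external_share, rule_audit_config_change]


def pseudonymise(rec: Record) -> Record:
    """Replace identity fields with a truncated HMAC-SHA256 tag.  The keyed
    hash is one-way: the same user maps to the same tag, so events stay
    joinable, but the value cannot be reversed without the key.  This is
    hashing, not encryption: the original is not recoverable from the archive."""
    out = dict(rec)
    for f in IDENTITY_FIELDS:
        if f in out:
            tag = hmac.new(RETENTION_KEY, str(out[f]).encode(), hashlib.sha256).hexdigest()
            out[f] = tag[:16]
    return out


def process_blob(blob: str) -> Tuple[List[Tuple[str, str, str]], List[Record]]:
    """Return (alerts, archive): alerts carry raw identities for the SOC,
    the archive copy is pseudonymised before long-term retention."""
    alerts, archive = [], []
    for rec in json.loads(blob):
        for rule in RULES:
            msg = rule(rec)
            if msg:
                alerts.append((str(rec["Id"]), rule.__name__, msg))
        archive.append(pseudonymise(rec))
    return alerts, archive


if __name__ == "__main__":
    found, kept = process_blob(SAMPLE_BLOB)
    for a in found:
        print("ALERT", *a)
    print(json.dumps(kept[1], indent=1))
```

The split between the alert stream and the archive is deliberate: the analyst handling an alert needs the real user and object, while the indefinitely retained copy only needs identities that are consistent (so a user's events can still be correlated) and not reversible without a key that is kept outside the SIEM.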
Where can agencies go for more information?
Additional Information on | URL
Office 365 Security Incident Management | http://download.microsoft.com/download/2/F/1/2F16A9CA-8D4F-4BB5-8F85-3A362131A95B/Office%20365%20Security%20Incident%20Management.pdf
Security in Office 365 Whitepaper | https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
Management API Reference Guide | https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference
3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively.
What is this security control?
Agencies need to ensure that their infrastructure supports their adoption and use of Office 365, and that it is
architected to protect information from unauthorised access, disclosure, modification, and loss.
In addition to this, agencies need to ensure that their users can easily and effectively use Office 365 services through
supporting security services (e.g. single sign-on, mobile device management, mobile application management).
Key aspects of conforming to this requirement
Agencies need to ensure that their adoption of Office 365 meets their identified use cases, and create an architecture
to ensure the safe and effective use of the service. Agencies need to identify what Office 365 deployment scenario best
fits their requirements, and how the supporting information services and systems will be secured, before adopting the
service.
Microsoft strongly recommends that New Zealand government agencies plan for a hybrid Office 365 scenario,
where some functionality is provided by online services (e.g. Azure Active Directory) and some is delivered by on-
premises servers (e.g. Active Directory servers). It is expected that most agencies will still need to operate and manage
at least some on-premises infrastructure for the foreseeable future for a variety of reasons, including enabling
integration with SEEMail (if used). For agencies that do not want to manage any server infrastructure and have all
functionality provided by Office 365 and related cloud computing services, it is recommended that they contact
Microsoft New Zealand for advice and guidance on what is possible.
Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide.
Page 11 of 37
Microsoft New Zealand
July 2017
Agencies need to determine how their users will work, how end-user computing devices will be used and protected,
and how users will be identified and authenticated. Some common user and device decisions include:
• Mobile or office-based – will staff be in an office environment, working from home, or working on the go?
• Managed or personal devices – does the agency want to issue staff with devices, or support the use of personal
devices as part of a BYOD strategy?
• Single sign-on and Identity Federation – will the agency want users to be able to log on to Office 365 with their on-
premises credentials or use a 3rd party identity provider?
Once agencies understand their adoption and use of Office 365, they should gain assurance that it meets their
business requirements (including security requirements). This can be achieved through activities such as formal
security architecture and design reviews, which could be performed internally or through an independent 3rd party.
How can Microsoft help agencies meet this requirement?
To assist with meeting this requirement, Microsoft provides a wide range of independent audit reports and supporting
assurance documentation including the results of Office 365 penetration testing. This is available through the Service
Trust Platform in the Microsoft Trust Center. Microsoft also provides various support, documentation, tools and
resources, and expert services such as FastTrack, to help agencies plan for, adopt and manage Office 365.
Where can agencies go for more information?
Additional Information on URL
FastTrack Productivity Guide: https://fasttrack.microsoft.com/office/envision/productivitylibrary
Adoption Guide: https://go.microsoft.com/fwlink/?LinkId=690086
Office Training Center Bill of Materials: https://www.microsoft.com/en-us/download/details.aspx?id=54088
Office Training Roadmaps: https://support.office.com/en-us/article/office-training-roadmaps-62a4b0dc-beba-4d8e-b79c-0ad200e705a1?ui=en-US&rs=en-US&ad=US&wt.mc_id=AID573689_QSG_BLOG_140051
Office 365 Blogs: https://blogs.office.com/?filter=true&filter-product=office-365
MSIT Worksmart Training Guides: https://technet.microsoft.com/en-us/bb687781.aspx
Sample Adoption Guide: https://view.officeapps.live.com/op/view.aspx?src=https://fto365dev.blob.core.windows.net:443/media/Default/DocResources/en-us/Resources/Sample_Adoption_Plan.xlsx
FastTrack Engagement Content: http://fasttrack.microsoft.com/office/drive-value/engage
Office Training Center: http://aka.ms/O365Learning
FastTrack EMS Guide: https://fasttrack.microsoft.com/ems/envision
4. Agencies must have control over the interaction between public cloud services and end user devices.
What is this security control?
Agencies must ensure that end-user computing devices (e.g. workstations, laptops, tablets, and smartphones) used to
access Office 365 are configured, managed, and maintained to protect information from unauthorised access,
disclosure, modification, and loss.
Key aspects of conforming to this requirement
Agencies are responsible for managing the security of the end-user computing devices that their staff use to access
Office 365. Agencies should understand how staff are using devices when accessing Office 365, and determine
appropriate policies to ensure that those devices can be used safely and effectively. This applies to agency-supplied
devices and to personal devices used as part of a Bring-Your-Own-Device (BYOD) strategy.
Agencies are responsible for implementing device management solutions that ensure:
• Devices are configured and hardened, via either a traditional standard operating environment build or a
“modern management” deployment.
• Devices are patched and updated.
• A strong authentication mechanism is used to control access to the device.
• Multi-factor authentication is used to authenticate the user to Office 365.
• Devices have encryption of data at rest enabled.
• Data on devices can be protected or securely erased through remote wipe functions.
How can Microsoft help agencies meet this requirement?
Office 365 provides agencies with basic built-in mobile device management for iOS, Android, and Windows Phones.
Office 365 Mobile Device Management functions include being able to enforce passwords, enforce mobile device
encryption, and prevent access from jailbroken/rooted mobile devices. In addition, Office 365 supports secure data
erasure, either locally after a configured number of failed password attempts (local wipe) or by remotely wiping
the device.
Microsoft Intune extends the Mobile Device Management (MDM) capabilities of Office 365 [2], enabling not only deeper
management of Android and iOS devices but also the management of Mac OS X and Windows PC devices. Intune
provides the same Office 365 MDM capabilities plus the ability to enrol and manage more types of end-user devices,
define and enforce device configuration policies, and manage user and device profiles (e.g. certificate, Wi-Fi, VPN, and
email profiles).
Intune also provides the ability to protect data at the application and identity level through Intune App Protection
(Mobile Application Management (MAM)) policies for devices that are not enrolled in MDM. This capability is available
for iOS and Android devices. Capabilities include:
• Encrypting the data in apps.
• Securing app access by requiring a PIN/passcode or corporate credentials.
• Blocking copy and paste, or preventing data transfer outside of the work context (work-only apps and work identity
within multi-identity apps).
• Preventing backup to personal cloud storage and preventing "Save as".
• Having all web links open within the Intune Managed Browser.
Intune App Protection can work independently of a MDM solution, providing both an additional layer of protection
and a different model for securing agency apps and data in BYOD scenarios. Importantly, the policies work neatly with
the multi-identity support built into the Office apps – enabling agencies to protect data while letting staff keep using
the apps for personal documents and email.
For devices running Windows 10 Pro or Enterprise, Windows Information Protection (WIP) can be used to protect an
agency from data leakage by providing MAM-style management across applications, data sources and data. Files
arriving onto the device from defined corporate sources (e.g. VPN, SharePoint Online, Exchange) are encrypted at the
file level using Windows Encrypting File System (EFS) and can only be accessed by users with the appropriate
certificates. Flow of information out of applications defined as ‘corporate’ can also be controlled, without the
applications needing to be updated or changed. WIP can be managed using either Configuration Manager or an MDM
tool such as Intune.
[2] https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22
From an authentication perspective, Office 365 offers Office 365 Multi-Factor Authentication (MFA) which requires that
users must use more than one verification method before being able to access the Office 365 services, regardless of
device and location. This is a useful but basic version of Azure Multi-Factor Authentication (Azure MFA) which is
available as a standalone service or as part of the Enterprise Mobility and Security (EMS) suite. Azure MFA provides
fraud alerting, reporting, the option of trusted IPs/networks and makes the service available for other cloud and on-
premises applications and services.
Azure Active Directory Conditional Access enables you to set specific conditions for a user to access an application or
cloud services including Office 365. Conditional Access helps protect access to an agency's applications and resources
from unknown and/or unmanaged devices, and devices that do not meet the security policy of an agency.
After access requirements are met, the user is authenticated and can access the application. This applies a set of
contextual controls at the user, location/network, session, risk profile, device, and app levels – which can be different
for different services, and applied to all users or just groups or individuals. You can allow or block access or challenge
users with Multi-Factor Authentication, device enrolment, or password change. A key scenario is restricting access to
domain-joined or Intune-enrolled and compliant devices. Additionally, Azure Active Directory Identity Protection
(included in Enterprise Mobility and Security E5) applies machine learning-based identity protection to detect
suspicious behaviour and apply risk-based conditional access that protects your applications and critical company data
in real time.
Office 365 E5 includes Office 365 Advanced Security Management (ASM) which provides more visibility and control
over data flowing in and out of Office 365.
• Threat detection—Helps you identify high-risk and abnormal usage, and security incidents.
• Enhanced control—Shapes your Office 365 environment leveraging granular controls and security policies.
• Discovery and insights—Get enhanced visibility into your Office 365 usage and shadow IT without installing an
endpoint agent.
The Enterprise Mobility and Security suite provides an expanded version of this toolset called Cloud App Security (CAS,
Microsoft’s native Cloud Access Security Broker capability). The key differences are:
• ASM provides protection and monitoring for Office 365 only, while CAS works across all of an agency's cloud services.
• Anomaly detection on usage patterns and upload/download traffic.
• An extended policy engine, policy enforcement and data loss prevention (DLP) features.
• Discovery, security, and risk ratings across 13,000 cloud services.
• Automatic upload of firewall and application proxy logs.
• AIP integration, allowing files in OneDrive and SharePoint Online to be protected with Azure RMS directly.
What else should agencies consider?
Agencies need to understand how their staff operate and use their computing devices, and define appropriate device
and application policies that are in proportion to the risk of having agency information accessible from the device.
[Figure: increasing sophistication of protection, from left to right: Office 365 MDM & MFA; Intune MDM & Azure MFA with Conditional Access; Intune MAM; Office 365 Advanced Security Management; Cloud App Security & Azure Identity Protection]
Poorly defined and implemented policies will lead to the information not being appropriately protected. Conversely,
overly restrictive policies can lead to the device being unusable, leading to staff being unproductive or finding
alternative (and potentially riskier) ways of working.
Where can agencies go for more information?
Additional Information on URL
Microsoft Identity Driven Security: http://download.microsoft.com/download/E/C/7/EC78FF06-02BB-4DFD-9EBB-CADB66BB594F/Microsoft_Identity%20Driven%20Security_Datasheet_EN_US.pdf
Office 365 MDM: https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Intune MDM: https://docs.microsoft.com/en-us/intune/
Intune App Protection (MAM with/out enrolment): https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
Office 365 MFA: https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
Azure MFA: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index
Azure Active Directory Conditional Access: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
Azure Active Directory Identity Protection: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
Office 365 Advanced Security Management: https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475?ui=en-US&rs=en-NZ&ad=NZ
Cloud App Security: https://docs.microsoft.com/en-us/cloud-app-security/
Office 365 Secure Score: https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef?ui=en-US&rs=en-US&ad=US
Controlling Access to Office 365 and Protecting Content on Devices: https://www.microsoft.com/en-us/download/details.aspx?id=53317
5. Agencies must ensure compatibility with existing government security technology services such as SEEMail
and, where appropriate, cyber defence capabilities.
What is this security control?
Agencies must identify any government security technology services they currently use that may be affected by their
adoption of Office 365 and determine whether they can be successfully integrated with it.
Key aspects of conforming to this requirement
Agencies must identify and assess whether the government security technology services that they currently use can be
successfully integrated with Office 365. They should also identify whether they need to re-architect and redeploy those
services to support integration (see Requirement 3).
If a security technology service that is currently used by the agency cannot be integrated with Office 365, the agency
must determine whether it can effectively manage the risks associated with its use of Office 365 without the service in
place.
How can Microsoft help agencies meet this requirement?
Microsoft has published the Office 365: SEEMail Integration and Reference Architecture whitepaper that presents some
of the architectural patterns and considerations for integrating SEEMail with Office 365.
Note: the GCIO and Microsoft are working to update this guidance at the time of publication of this document.
What else should agencies consider?
A frequent agency objective when implementing Office 365 is the retirement of all on-premises/locally-hosted
Exchange infrastructure. However, for agencies mastering their identity in Active Directory and synchronising to Azure
Active Directory, the supported configuration is the use of a locally hosted Exchange Server to manage the Exchange
attributes in Active Directory. The Exchange Server(s) can be standalone management consoles or configured as a
hybrid to allow for local hosting of some mailboxes, and to act as a secure mail relay between a SEEMail gateway and
Exchange Online. Please note:
• The SEEMail gateway forwards all mail unencrypted to an agency’s internal mail system – creating the need for a
mail relay to encrypt everything using TLS when forwarding it on to Exchange Online.
• There are other tools (including ADSIEDIT) that can be used to deal with the Exchange attributes in Active Directory,
but this is not a supported method. As such, we cannot recommend this approach.
• A 3rd party mail relay could be used between SEEMail and Exchange Online.
Agencies participating in SEEMail but wishing to pursue a ‘pure’ cloud-only environment with no locally-hosted Active
Directory should contact Microsoft to discuss this approach. A potential approach to cloud-only integration with
SEEMail is use of a 3rd party mail relay. A SEEMail compatible pattern for establishing this is expected to be developed
through work currently occurring with the GCIO (see above).
Where can agencies go for more information?
Additional Information on URL
SEEMail: https://www.ict.govt.nz/services/show/SEEMail
Office 365: SEEMail Integration and Reference Architecture: http://aka.ms/seemail-gcio
Exchange Online Protection: https://technet.microsoft.com/en-us/library/jj723119(v=exchg.150).aspx
Exchange Online Advanced Threat Protection: https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx
De-commissioning on-premises Exchange servers: https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx
6. Agencies must ensure that information and data is encrypted in transit and at rest.
What is this security control?
Encryption of information and data in transit:
Information sent between end-user computing devices (e.g. workstations, laptops, tablets, and smartphones),
integrated agency information services and systems (e.g. Active Directory, Active Directory Federation Services,
SEEMail), and Office 365 must be encrypted. In addition to this, information sent or shared with another party using
Office 365 must be encrypted.
Encryption of information and data at rest:
Agencies need to ensure that information stored at rest in Office 365 is encrypted. Similarly, information that is
synchronised with Office 365 and stored on end-user computing devices (e.g. workstations, laptops, tablets and
smartphones) must be encrypted.
Key aspects of conforming to this requirement
Agencies need to configure their information services or systems (e.g. Mail Relay) to use Transport Layer Security (TLS)
if they choose to integrate with Office 365. Microsoft supports TLS integrations (e.g. forced TLS) that ensure data is
protected while travelling across the agency’s internal network and across the Internet. However, agencies are
responsible for configuring and managing their systems to use TLS.
Note that all email from the SEEMail gateway forwards to your mail system unencrypted, so email going to Office 365
will need to be encrypted by a mail relay (typically an Exchange Server in hybrid configuration – see above).
In addition, agencies need to enable encryption of data at rest for any devices, information services or systems that
connect to Office 365 and store information from it.
How can Microsoft help agencies meet this requirement?
Microsoft follows a control and compliance framework that focuses on risks to the Office 365 service and to customer
content. Microsoft implements a large set of technology and process-based methods (referred to as controls) to
mitigate these risks. Identification, evaluation, and mitigation of risks via controls is a continuous process. The
implementation of controls within various layers of our cloud services such as facilities, network, servers, applications,
users (such as Microsoft administrators) and data form a defence-in-depth strategy.
Within this framework all customer content within Microsoft Office 365 is protected by a variety of technologies and
processes, including various forms of encryption. Microsoft uses service-side technologies in Office 365 that encrypt
customer content at rest and in-transit. For content at rest, Office 365 uses both operating system and application
(service) encryption. For content in-transit, Office 365 uses Transport Layer Security (TLS) and Internet Protocol Security
(IPsec). Validation of our encryption policies and processes, and of their enforcement, is independently performed
by third-party auditors. Some risk scenarios, and important details of the currently available Microsoft encryption
technologies that mitigate them, are listed in the tables in the appendix to this document.
Note: as of July 2017 (subject to change), Azure Active Directory will encrypt customer directory data at rest with
BitLocker using AES 128-bit keys. This will be enabled by default for all Azure Active Directory subscriptions.
From a device perspective, Microsoft recommends that all devices used by an agency to interact with Office 365 services
are encrypted, whether they are owned by the agency or BYOD. Encryption can typically be enforced through
management tools such as Microsoft BitLocker Administration and Monitoring (MBAM) for BitLocker device encryption
in Windows and mobile device management tools like Intune. Note that the Windows 10 Creators Update
introduced support for managing BitLocker through Intune MDM policies, leveraging the Windows BitLocker
configuration service provider (CSP).
For additional security or where BYOD devices are not enrolled in MDM (and thus may not be encrypted) the
recommendation is to make use of Intune App Protection (MAM) and the MAM-enabled Office Mobile Apps such as
OneDrive, Outlook, Excel, PowerPoint, and Word. These apps support app-level encryption – protecting agency data
on what should be considered a less-trusted device.
Introduced in the Windows 10 Anniversary Update for Enterprise and Pro editions is a new capability called Windows
Information Protection (WIP). Agencies can create policies (using Configuration Manager, Microsoft Intune, or other
MDM tools) defining which applications can work with corporate (agency) data and what locations are sources of
corporate data (e.g. Office 365, VPN sessions, file servers etc.) - and the level of control versus auditing. Corporate data
is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as
corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System
(EFS) to protect it and associate it with the agency’s identity. Even if the files are copied to removable media they
remain encrypted and can only be accessed on a WIP-enabled device and by an authenticated agency user. While
useful on agency-owned and managed devices, this can be invaluable on BYOD Windows devices provided they are
running Windows 10 Pro. For this reason, we recommend that BYOD policy should stipulate Windows devices must be
running Windows 10 Pro.
Customer-managed encryption technologies
Office 365 provides additional data encryption technologies that agencies can manage and configure to further
protect their information. These technologies offer a variety of ways to further encrypt customer content at rest or in-
transit, and include:
• Azure Rights Management.
• Office 365 Message Encryption.
• Secure Multipurpose Internet Mail Extension (S/MIME).
What else should agencies consider?
Agencies need to be careful when using 3rd party content filters, web proxies, data loss prevention (DLP) products and
SSL/TLS interception products that detect and protect against malware. Agencies should be aware of security products
or services that intercept secured network traffic by performing a ‘man-in-the-middle (MiTM)’ interception of the
communications. Recent advisories highlight how some of these security products can weaken SSL/TLS, significantly
degrading the security of the network traffic, and increasing the likelihood of an agency user falling victim to MiTM
attacks by malicious third parties. Agencies should thoroughly evaluate the risks associated with inserting such 3rd
party capabilities between themselves and Office 365, as per the requirements of the GCIO’s Cloud Computing Risk
and Assurance Framework.
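Two of the checks above can be made concrete from inside the agency network: whether the mail relay's forced-TLS path to Exchange Online actually negotiates modern TLS (Requirement 6, key aspects), and whether an inspection product is sitting in the HTTPS path to Office 365 and weakening it. The Python script below is an added example, not code from Microsoft's guide. It assumes that a certificate for an Office 365 endpoint should chain to one of the public CA organisations Microsoft was using at the time of writing (the EXPECTED_ISSUER_ORGS set is an assumption to refresh from your own observations), and the protocol and cipher thresholds are illustrative; the assess() function runs offline on a handshake summary, while the two probe functions gather a real summary when run against a live host.

```python
"""Inspect the TLS session an agency endpoint actually negotiates with an
Office 365 service, to spot an interception proxy or a downgraded session.

Assumptions: EXPECTED_ISSUER_ORGS reflects the public CAs Microsoft used at
the time of writing and must be refreshed from your own observations; the
protocol and cipher thresholds are illustrative policy, not Microsoft's.
"""
import smtplib
import socket
import ssl

EXPECTED_ISSUER_ORGS = {"Microsoft Corporation", "DigiCert Inc", "Baltimore"}
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def assess(issuer_org, protocol, cipher_name, cipher_bits):
    """Return findings for one handshake summary; an empty list means the
    session looks like a direct, modern TLS connection."""
    findings = []
    if issuer_org not in EXPECTED_ISSUER_ORGS:
        findings.append(f"certificate issued by '{issuer_org}', not a CA Microsoft uses: "
                        "likely an interception proxy")
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"negotiated {protocol}; TLS 1.2 or later expected")
    if any(m in cipher_name.upper() for m in WEAK_CIPHER_MARKERS) or cipher_bits < 128:
        findings.append(f"weak cipher {cipher_name} ({cipher_bits} bits)")
    return findings


def summarise(ssl_sock):
    """Extract (issuer org, protocol, cipher name, bits) from a live TLS socket.
    getpeercert() returns the issuer as a tuple of RDNs, each a tuple of pairs."""
    cert = ssl_sock.getpeercert()
    issuer = {k: v for rdn in cert["issuer"] for (k, v) in rdn}
    name, _proto, bits = ssl_sock.cipher()
    return issuer.get("organizationName", ""), ssl_sock.version(), name, bits


def probe_https(host, port=443):
    """What a browser or Office client sees; run from inside the agency network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarise(tls)


def probe_smtp_starttls(host, port=25):
    """What a mail relay gets when it forces TLS towards the next hop (Exchange
    Online, or the agency's own relay); raises if STARTTLS is not offered."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
        smtp.starttls(context=ctx)
        return summarise(smtp.sock)


if __name__ == "__main__":
    # Network use only when run directly; the hostname is a public Office 365
    # endpoint, substitute the relay or MX you are validating.
    target = "outlook.office365.com"
    print(target, assess(*probe_https(target)) or "OK")
```

A certificate issued by an internal CA in place of a public one is the direct sign of an interception product in the path; a legacy protocol or weak cipher on the same connection is the degradation the advisories describe. Run probe_smtp_starttls against the relay that fronts the SEEMail gateway as well, since that hop is where unencrypted SEEMail traffic must be wrapped in TLS before it reaches Exchange Online.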
Where can agencies go for more information?
Additional Information on URL
Office 365 MDM: https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
Intune MDM: https://docs.microsoft.com/en-us/intune/
Intune App Protection: https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
MBAM: https://technet.microsoft.com/en-us/windows/hh826072.aspx
Windows Information Protection: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip
Office 365 Content Encryption Whitepaper: https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652
Data Encryption in SharePoint and OneDrive: https://technet.microsoft.com/en-us/library/dn905447.aspx
7. Agencies must have sole control over the associated cryptographic keys.
What is this security control?
Agencies must be the sole party that controls (generates, owns, and manages) the associated cryptographic keys used
to protect their data within Office 365.
Important:
Agencies cannot meet this requirement and effectively use office productivity services in the public cloud. Microsoft
Office 365 must have access to cryptographic keys to encrypt and decrypt agency data for processing purposes, and
enable functioning of important information protection and security capabilities of the service.
Note: it is essential that agencies consider the following:
1. This is an inherent attribute of any SaaS service, whether provided by Microsoft or any other party.
2. It is not only information protection and security capabilities that are impacted if a SaaS service cannot decrypt
customer data - many or most productivity features would also be impacted.
Microsoft advises agencies to seriously consider the extent to which this baseline control is impractical to implement,
and to thoroughly review the associated risks. To conform with the security control requirement, Microsoft advises that
agencies consider adopting the GCIO-approved approach of applying “compensating controls” as defined in
the GCIO’s security requirements guidance document.
Key aspects of conforming to this requirement
Agencies need to carefully consider the extent to which they either need or want to have control over the
cryptographic keys used to encrypt their data when using Office 365. Agencies should consider the potential risks and
opportunities associated with who takes responsibility for managing the cryptographic keys used in Office 365.
Microsoft New Zealand recommends that New Zealand government agencies use the default Microsoft
approach to key management. In a default Office 365 implementation, Microsoft will be the trusted key
management service provider.
Microsoft establishes and manages cryptographic keys for required cryptography employed within the information
system in accordance with defined requirements for key generation, distribution, storage, access, and destruction. In
accordance with the "Public Key Infrastructure Operational Security Standard" component of Microsoft’s Security
Policy, Microsoft Online Services including Office 365 leverage the cryptographic capabilities that are directly a part of
the Windows Operating System for certificates and authentication mechanisms (e.g. Kerberos). These cryptographic
modules have been validated by NIST as FIPS 140-2 compliant. Relevant NIST certificate numbers are: 1321, 1333,
1334, 1335, 1336, and 1339. Any time cryptographic capabilities are employed to protect the confidentiality, integrity,
or availability of data within Microsoft Online Services, the modules and/or ciphers used are FIPS 140 compliant.
Alternatively, agencies can choose the customer-managed approach. The agency will control (generate, store, and
manage) keys used by Office 365 services, and store these keys in the Azure Key Vault service. Office 365 services can
then be configured to use the customer’s keys that are stored in Azure Key Vault – this feature is called Office 365
Customer Key and will be generally available in Q3 of CY17. To use Customer Key, agencies will need a robust
cryptographic key management capability with appropriate personnel, operational processes, and infrastructure to
ensure that they can manage their tenant keys throughout their lifecycle. Failure to effectively manage tenant keys can
lead to widespread service outage. Microsoft has designed Customer Key so that the risk of permanent customer data
loss due to accidental or malicious actions is very low. The Customer Key feature is designed with best-in-class
protection of customer data, utilizing separation of duties and encryption key diversity to address a range of threat
scenarios. In addition to these crucial protections, Customer Key provides customers with the ability to remove all
cryptographic keys necessary for Microsoft to process customer data stored in Office 365.
Below is a basic summary of the key management options available to Office 365 customers, and key considerations in
their selection, split into tenant/service-level and item/file-level capabilities. Note that the table also includes details
for Microsoft’s Azure Information Protection (AIP) encryption capabilities (both bring your own and hold your own key
options) which agencies may wish to deploy as part of the baseline and/or compensating controls they elect to
implement to conform to this requirement. Note also that, to enable AIP BYOK or HYOK capabilities, agencies will
need to purchase the Azure Key Vault Premium service and operate a supported HSM infrastructure (e.g. Thales
nShield HSM).
Table 1: Office 365 key management options
Options compared: (1) Office 365 Default and (2) Office 365 Customer Key, which are service-level; (3) Azure Information Protection Default, (4) Azure Information Protection BYOK and (5) Azure Information Protection HYOK, which are item/file-level.
Applicability: (1) all Office 365 services; (2) Exchange Online, SharePoint Online; (3) email messages, files; (4) email messages, files; (5) email messages, files.
Responsible for key management: (1) Microsoft; (2) customer + Microsoft; (3) Microsoft; (4) customer; (5) customer.
Responsible for key operation and uptime: (1) Microsoft; (2) customer + Microsoft; (3) Microsoft; (4) Microsoft; (5) customer.
Thales HSM required?: (1) no; (2) optional, agencies can use Azure Key Vault for key generation or use their own Thales HSM to generate keys; (3) no; (4) yes; (5) yes (a highly available HSM solution is strongly recommended).
Locally hosted Rights Management Service infrastructure required?: (1) no; (2) no; (3) no; (4) no; (5) yes.
Data transparent to Office 365 services, so SaaS features such as search, Delve, DLP and ASM work as designed?: (1) yes; (2) yes; (3) yes; (4) yes, with significant limitations in Exchange Online [3]; (5) no, files are opaque to the service.
Additional privacy functionality provided: (1) none; (2) customer can withdraw the ability for Microsoft to process customer data; (3) none; (4) the service is unable to process AIP-protected items following customer withdrawal of the key; (5) Microsoft and other 3rd parties cannot access protected data.
How can Microsoft help agencies meet this requirement?
Office 365 is a trustworthy key management service provider. Microsoft has strong cryptographic key management
policies, processes, and technologies in place to ensure the secure use and protection of cryptographic keys
throughout their lifecycle (i.e. generation, distribution, storage, access, and destruction), and has independent,
regularly updated, security certifications and attestations that support it. Office 365 leverages Azure Key Vault, and
also uses the cryptographic modules that are built into the Windows operating system for certificate, authentication
and encryption mechanisms (e.g. Kerberos, BitLocker), and these cryptographic modules have been certified by NIST as
being FIPS 140-2 validated. Any time cryptographic capabilities are used within Office 365, the modules and/or ciphers
used are FIPS validated.
[3] Microsoft documentation describes the limitations as ‘Azure RMS BYOK is not compatible with Exchange Online’:
https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions
For customers that do not elect to use Customer Key, Microsoft generates and manages all encryption keys used to
encrypt customer data at rest.
Customers electing to use the Office 365 Customer Key feature will manage the lifecycle of their tenant keys in the
Azure Key Vault service and can choose to either generate their own root key in a Thales HSM and upload it to the
Azure Key Vault FIPS 140-2 Level 2-validated HSMs, or to generate the tenant key directly within Azure Key Vault.
Azure Key Vault provides a REST API so that customers can consume near-real-time logging showing all access and
usage of keys in Azure Key Vault service.
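As an added example (not from the guide and not Microsoft's code), the following review runs over exported Key Vault audit records of the kind the logging above produces and flags tenant-key use by principals outside an agency's allow-list, failed attempts, and every lifecycle operation on the key. Field names follow the public Key Vault AuditEvent log schema; the vault, key, app ids, UPNs and addresses are constructed placeholders.

```python
"""Review Azure Key Vault audit-log records for unexpected tenant-key use."""
import json

# Claim type Key Vault records for a signed-in user's UPN; service principals
# carry an "appid" claim instead.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Operations that exercise the key material. With Customer Key or AIP BYOK the
# Office 365 / Azure RMS service principals perform these routinely, so the
# question is "who", not "whether".
KEY_USE_OPS = {"KeyWrap", "KeyUnwrap", "KeyEncrypt", "KeyDecrypt", "KeySign"}

# Operations that create, export, change or remove key material. Losing the
# key means permanent data loss, so each of these is surfaced for review even
# when a known custodian performed it.
KEY_LIFECYCLE_OPS = {"KeyCreate", "KeyImport", "KeyUpdate", "KeyBackup",
                     "KeyRestore", "KeyDelete", "KeyPurge"}

# Assumed allow-lists (constructed placeholders): app ids of the service
# principals expected to use the tenant key, and the UPNs of agency staff
# authorised to manage it.
EXPECTED_SERVICE_APP_IDS = {"00000000-0000-0000-0000-00000000aaaa"}
CUSTODIAN_UPNS = {"key.custodian@agency.example.govt.nz"}

# Constructed sample records (JSON lines) in the shape of Key Vault AuditEvent
# diagnostic logs; vault name, key name, ids and addresses are made up.
SAMPLE_LOG = r"""
{"time":"2017-07-01T01:12:03Z","category":"AuditEvent","operationName":"KeyUnwrap","resultType":"Success","resultSignature":"OK","callerIpAddress":"13.64.0.10","identity":{"claim":{"appid":"00000000-0000-0000-0000-00000000aaaa"}},"properties":{"id":"https://agency-kv.vault.azure.net/keys/o365-tenant-key/1"}}
{"time":"2017-07-01T01:13:45Z","category":"AuditEvent","operationName":"VaultGet","resultType":"Success","resultSignature":"OK","callerIpAddress":"203.0.113.20","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"ops.admin@agency.example.govt.nz"}},"properties":{"id":"https://agency-kv.vault.azure.net/"}}
{"time":"2017-07-01T02:40:11Z","category":"AuditEvent","operationName":"KeyDecrypt","resultType":"Success","resultSignature":"OK","callerIpAddress":"198.51.100.7","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"contractor@example.com"}},"properties":{"id":"https://agency-kv.vault.azure.net/keys/o365-tenant-key/1"}}
{"time":"2017-07-01T03:05:52Z","category":"AuditEvent","operationName":"KeyBackup","resultType":"Success","resultSignature":"OK","callerIpAddress":"203.0.113.21","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"key.custodian@agency.example.govt.nz"}},"properties":{"id":"https://agency-kv.vault.azure.net/keys/o365-tenant-key/1"}}
{"time":"2017-07-01T03:06:30Z","category":"AuditEvent","operationName":"KeyDelete","resultType":"Failed","resultSignature":"Forbidden","callerIpAddress":"192.0.2.55","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"contractor@example.com"}},"properties":{"id":"https://agency-kv.vault.azure.net/keys/o365-tenant-key/1"}}
"""


def load_records(text):
    """Parse a JSON-lines log export into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_of(record):
    """Readable principal: the user UPN when present, otherwise the app id."""
    claims = record.get("identity", {}).get("claim", {})
    return claims.get(UPN_CLAIM) or claims.get("appid") or "unknown"


def review_key_access(records, expected_app_ids, custodian_upns):
    """Return findings for key operations an agency should look at.

    Severity: "high" for key use or lifecycle changes by a principal not on
    the allow-list, "medium" for failed attempts (probing or misconfiguration),
    "info" for lifecycle operations by a known custodian (kept as audit trail).
    """
    findings = []
    for rec in records:
        op = rec.get("operationName", "")
        if op not in KEY_USE_OPS and op not in KEY_LIFECYCLE_OPS:
            continue  # vault metadata reads are noise for this check
        who = principal_of(rec)
        known = who in expected_app_ids or who in custodian_upns
        finding = {
            "time": rec.get("time"),
            "operation": op,
            "principal": who,
            "caller_ip": rec.get("callerIpAddress"),
            "key": rec.get("properties", {}).get("id"),
        }
        if rec.get("resultType") != "Success":
            finding["severity"] = "medium"
            finding["reason"] = "failed %s (%s)" % (op, rec.get("resultSignature"))
        elif not known:
            finding["severity"] = "high"
            finding["reason"] = "%s by principal not on the allow-list" % op
        elif op in KEY_LIFECYCLE_OPS:
            finding["severity"] = "info"
            finding["reason"] = "%s by known custodian" % op
        else:
            continue  # routine key use by an expected service principal
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_key_access(load_records(SAMPLE_LOG),
                               EXPECTED_SERVICE_APP_IDS, CUSTODIAN_UPNS):
        print(f["severity"].upper(), f["time"], f["principal"], f["reason"])
```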
Currently, it is planned that Customer Key will be available in H2 of CY2017, covering Exchange Online, OneDrive for
Business and SharePoint Online services. Skype for Business conversations saved into a user’s conversations folder in
their mailbox will also be included.
Microsoft advises New Zealand government agencies that are contemplating implementing either BYOK or
HYOK capabilities to carefully consider their requirements for doing so from a balance-of-risk perspective.
Implementing such a solution requires the agency to have robust cryptographic key management capabilities in place.
Failure to effectively manage keys used with either Office 365 Customer Key, or Azure Information Protection (BYOK or
HYOK), could lead to widespread service impact and permanent data loss.
Non-technical controls
Alongside technical capabilities that agencies can use as “compensating controls” to conform to this requirement,
Microsoft also makes contractual commitments that allow Office 365 customers to mitigate the type of risk that this
control is focused on. These commitments are set out in the Microsoft Online Services Terms (OST).
Specifically, in the OST Microsoft makes the following commitments:
• Use of Customer Data:
“Customer Data will be used only to provide Customer the Online Services including purposes compatible with
providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or
similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer
Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide
the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft
licenses to Customer.”
• Disclosure of Customer Data:
“Microsoft will not disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1)
as Customer directs, (2) as described in the OST, or (3) as required by law.
Microsoft will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts
Microsoft with a demand for Customer Data, Microsoft will attempt to redirect the law enforcement agency to request
that data directly from Customer. If compelled to disclose Customer Data to law enforcement, Microsoft will promptly
notify Customer and provide a copy of the demand unless legally prohibited from doing so.
Upon receipt of any other third-party request for Customer Data, Microsoft will promptly notify Customer unless
prohibited by law. Microsoft will reject the request unless required by law to comply. If the request is valid, Microsoft
will attempt to redirect the third party to request the data directly from Customer.
Microsoft will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b)
platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to
Customer Data if Microsoft is aware that the data is to be used for purposes other than those stated in the third
party’s request.
In support of the above, Microsoft may provide Customer’s basic contact information to the third party.”
Also, to help agencies evaluate their overall exposure to loss of control of their data, which is the risk this GCIO
security requirement seeks to address, Microsoft publishes its Law Enforcement Requests for User Data and U.S.
National Security Orders for User Data reports every six months.
What else should agencies consider?
It is important for agencies to understand the implications of the “Additional Considerations” related to this
requirement that are set out in the GCIO Security Requirements document. The use of BYOK still requires the agency
to allow use of its tenant key by Microsoft, as Microsoft needs access to the keys for its services and applications to
encrypt and decrypt data stored in Office 365. Similarly, the use of a 3rd party service provider (e.g. a Cloud Application
Security Broker service, or the TaaS PKI Service Provider) to create a tenant key for BYOK requires the agency to allow
use of its tenant key by both the third party and Microsoft.
In Microsoft’s view, on a balance-of-risk basis, agencies using Office 365 to manage information and data classified
below SENSITIVE or RESTRICTED are best advised to adopt the default Office 365 approach to key management
whereby Microsoft will be the trusted key management service provider. For information or data classified at
SENSITIVE or RESTRICTED level agencies can elect to deploy Azure Information Protection capabilities but should note
the caveats below.
For agencies that are considering Azure Information Protection (AIP) there is an option to implement a Hold Your Own
Key (HYOK) configuration. AIP with HYOK requires an agency to implement additional on-premises infrastructure (e.g.
Active Directory (AD) servers, Active Directory Rights Management Service (AD RMS) servers, HSMs) and will also result
in the agency managing two RMS instances (AD RMS and Azure RMS).
Microsoft does not generally recommend AIP with HYOK for New Zealand government agencies, as
implementing such a solution will substantially degrade the functionality offered by Office 365 and requires the
agency to have confidence that its cryptographic key management processes and infrastructure are utterly robust. Any
data protected with AD RMS policies will become opaque to Office 365, and most functions will not work (e.g. no
search, no web access, no views, no anti-malware, no anti-spam, no eDiscovery, etc.) across this content. In addition,
because Microsoft will have no access to the agency’s tenant or cryptographic keys it cannot recover customer data if
the keys are compromised. If an agency does wish to implement this capability, in depth discussions with
Microsoft are highly advised.
Where can agencies go for more information?
| Additional Information on | URL |
| --- | --- |
| Content Encryption in Microsoft Office 365 | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652 |
| Whitepaper: Bring Your Own Key with Azure Key Vault for Office 365 and Azure | http://download.microsoft.com/download/F/6/3/F63C9623-053F-44DD-BFA8-C11FA9EA4B61/Bring-Your-Own-Key-with-Azure-Key-Vault-for-Office-365-and-Azure.docx |
| Microsoft Azure Information Protection whitepapers | https://aka.ms/aippapers |
| Microsoft Online Services Terms (OST) | https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx |
8. Agencies must ensure that multi-factor authentication is used to control access to the service.
What is this security control?
Agencies must ensure that agency staff, including administrators, are authenticated using a Multi-Factor
Authentication (MFA, also called two-factor authentication) method before they are granted access to Office 365.
Traditionally users are authenticated only using a username and a password (i.e. something they know). MFA seeks to
strengthen the authentication process by requiring one or more additional factors, for example a one-time password
(OTP) generated by a mobile application (i.e. something they have) and/or a fingerprint (i.e. something they are).
Key aspects of conforming to this requirement
Agencies need to ensure that, for any instance of access from outside of their corporate network, MFA is enforced for
all users, including administrators, before they are granted access to Office 365.
Agencies should also ensure that the means staff need to complete MFA is available to them, such as a mobile phone to
receive an OTP SMS code or to run the Microsoft Authenticator application.
How can Microsoft help agencies meet this requirement?
Microsoft supports the enforcement of MFA for Office 365 using Multi-Factor Authentication for Office 365, Azure
Multi-Factor Authentication or Azure Multi-Factor Authentication Server with Active Directory Federation Services (AD
FS).
Agencies that are using Azure AD to authenticate their users against their on-premises Active Directory must use
Azure Multi-Factor Authentication Server for AD FS, which requires an Azure Multi-Factor Authentication or Azure
Active Directory Premium licence. However, it can be used to secure Office 365, on-premises services, and thousands
of Software as a Service (SaaS) applications from other cloud service providers.
Agencies that are not using Azure AD to authenticate their users can use Multi-Factor Authentication for Office 365 to
secure Office 365 applications at no extra cost.
Both MFA options support the following methods:
• Phone Call – the user receives a call to their registered phone number asking them to verify they are attempting to
sign in. The user can either press the # key on their phone or enter a PIN to authenticate to Office 365.
• SMS Message – the user receives a text message to their registered mobile phone number with a six-digit
verification code. The user must enter the code to authenticate to Office 365.
• Mobile App One-Time Password – the Authenticator app running on the user’s smartphone generates a six-digit
verification code. The user must enter the code to authenticate to Office 365.
• Mobile App Notification – the Authenticator app running on the user’s smartphone presents a verification request.
The user must select Verify or Approve to authenticate to Office 365.
What else should agencies consider?
Agencies need to identify and manage end-user computing devices, applications or custom solutions that do not
natively support Multi-Factor Authentication for Office 365. Office 365 provides support for application passwords that
will need to be used for non-browser clients or applications that do not support modern authentication (e.g. native
email clients).
The Azure MFA user experience is designed to provide easy but secure user access to an agency’s applications and
services. Azure MFA is designed to provide an extra layer of security when strong authentication is required. Using
multi-factor authentication helps protect an agency’s applications and services from being accessed by an unauthorised
user who may have gained access to the credentials of a valid agency user.
Leveraging Azure Active Directory Premium, agencies can target MFA at specific applications and services based on the
agency’s security context for the application and the data within it. Agencies can also use conditional access
to block access to specific applications when a user is not on a trusted network or IP range. These controls can be
either applied on an application-by-application basis or at top level, requiring users to always use Azure MFA when
outside of the network.
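As an added example (not part of the guide, and not a Microsoft implementation), the policy described here is evaluated over constructed sign-in records: sign-ins from a trusted IP range pass, sign-ins from outside it must have satisfied MFA, and legacy-authentication clients that cannot perform MFA (the application-password case noted under "What else should agencies consider?") are surfaced for review rather than silently allowed. The trusted ranges, users and addresses are constructed placeholders.

```python
"""Check Office 365 sign-in records against an MFA-outside-the-network policy."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges standing in for an agency's corporate egress
# addresses (the "trusted network or IP range" of a conditional access policy).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/26")]


@dataclass
class SignIn:
    user: str
    source_ip: str
    client: str          # e.g. "browser", "Outlook (modern auth)", "IMAP client"
    mfa_satisfied: bool  # a second factor was completed for this session
    legacy_auth: bool    # basic authentication, typically with an application password


def is_trusted(source_ip):
    """True when the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(signin):
    """Return (decision, reason) for one sign-in.

    Decisions: "allow", "require_mfa" (challenge the user) or
    "review_legacy_auth" (a client that cannot perform MFA reached the service
    from outside the trusted network; such clients need an application password
    or a modern-auth replacement and should be tracked, not ignored).
    """
    if is_trusted(signin.source_ip):
        return "allow", "trusted network"
    if signin.legacy_auth:
        return "review_legacy_auth", "legacy auth from outside trusted network"
    if not signin.mfa_satisfied:
        return "require_mfa", "outside trusted network without MFA"
    return "allow", "MFA satisfied"


def audit(signins):
    """Run the policy over a batch of sign-ins and list those that did not simply pass."""
    report = []
    for s in signins:
        decision, reason = evaluate(s)
        if decision != "allow":
            report.append((s.user, s.source_ip, s.client, decision, reason))
    return report


# Constructed sample sign-ins; users and addresses are made up.
SAMPLE_SIGNINS = [
    SignIn("alice@agency.example.govt.nz", "203.0.113.5", "browser", False, False),
    SignIn("bob@agency.example.govt.nz", "192.0.2.44", "Outlook (modern auth)", True, False),
    SignIn("carol@agency.example.govt.nz", "192.0.2.77", "browser", False, False),
    SignIn("dave@agency.example.govt.nz", "192.0.2.90", "IMAP client", False, True),
    SignIn("erin@agency.example.govt.nz", "198.51.100.9", "IMAP client", False, True),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_SIGNINS):
        print(*row)
```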
Azure MFA also has an option to be deployed on-premises in a hybrid configuration to allow for agencies to protect
on-premises resources with the same experience as the Office 365 Azure MFA scenarios.
Azure Active Directory Premium also allows agencies to configure risk-based policies that automatically respond to
detected issues when a specified risk level has been reached. Triggers such as an agency user’s credentials appearing
in a leaked password database, or users accessing Office 365 (or other cloud applications) from an anonymiser, will
activate the conditional access controls provided by Azure Active Directory and Enterprise Mobility and Security (EMS).
These can automatically block access or initiate adaptive remediation actions, including password resets and
multi-factor authentication enforcement, on behalf of an agency.
Agencies can also leverage Azure Active Directory Privileged Identity Management (PIM), to manage, control, and
monitor access to an agency’s resources in Azure AD and Office 365 by administrators. PIM allows for on-demand and
"just in time" administrative access, along with reports about administrator access history and changes in administrator
assignments within the cloud services.
Where can agencies go for more information?
| Additional Information on | URL |
| --- | --- |
| Office 365 MFA | https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba |
| Azure MFA | https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index |
| Azure MFA Server | https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server |
| Azure Active Directory Conditional Access | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access |
| Azure Active Directory Identity Protection | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection |
| Azure Active Directory Privileged Identity Management | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-configure?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json |
| Modern Authentication - Active Directory Authentication Library (ADAL) | https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries and https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/ |
| Microsoft France Azure Active Directory whitepaper series | https://sway.com/J-ldpNMIu97EiqYU and https://www.microsoft.com/en-us/download/details.aspx?id=36391 |
9. Agencies must identify where data stored by a service is replicated or backed-up.
What is this security control?
When using Office 365, agencies must identify the countries where their data will be stored. This includes any
countries where data is replicated or backed-up, to support the agency in meeting compliance, resilience, and disaster
recovery requirements.
Key aspects of conforming to this requirement
Agencies need to identify and document where the information they store in Office 365 will be located. This includes
services that are available as part of their Office 365 subscription (e.g. Exchange Online, SharePoint Online, etc.), those
that support the use of Office 365 (e.g. Azure Active Directory), as well as any additional services that they choose (e.g.
Exchange Online Archiving).
How can Microsoft help agencies meet this requirement?
Microsoft provides information to its customers on the geographic location of data stored in Office 365 [4][5].
Microsoft has a regionalised datacentre strategy, where the customer’s country or region determines the primary
storage location for their data. Microsoft will replicate customer data to at least two datacentres within the primary
region based on:
• Reducing latency for fast login times for users, and access to data within Office 365.
• Ensuring data availability and resiliency in the case of a major datacentre event.
• Data residency requirements of customers and countries.
For New Zealand government agencies purchasing from New Zealand, the tenant would be automatically placed into
the Australia region for Office 365 and to the Worldwide partition for Azure Active Directory. The datacentre locations
for these regions are presented in Figure 4 below.
Figure 4 - Office 365 and Azure AD Data Locations
What else should agencies consider?
While Australia will be the likely primary region for agency data, Microsoft may need to send some data to Microsoft
personnel or subcontractors outside this region to troubleshoot or investigate specific service issues (e.g. incident
response, service improvement) – generally at the request of the customer. Contractual arrangements regarding such
data movements are set out in the Microsoft Online Services Terms (OST).
[4] ‘Where is my data?’ https://www.microsoft.com/online/legal/v2/?docid=25
[5] https://www.microsoft.com/en-us/trustcenter/privacy/where-your-data-is-located
Also, if Microsoft needs to move agency data to a new country (e.g. following a geographical event, region expansion
etc.) agencies will be notified through compliance notifications and asked to opt-in or opt-out depending on their
agreement.
Where can agencies go for more information?
| Additional Information on | URL |
| --- | --- |
| Microsoft Online Services Terms | https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx |
10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore
hosted office productivity services
What is this security control?
Agencies need to ensure that their disaster recovery and incident management plans are updated to account for their
adoption and use of Office 365.
Key aspects of conforming to this requirement
Agencies are responsible for having a documented disaster recovery plan so that they can continue to use Office 365
in the event of a business disruption, and return to normal business operations within their Recovery Time Objectives
and Recovery Point Objectives.
While Office 365 is a highly resilient service providing high levels of service availability, agencies need to integrate their
disaster recovery processes with Microsoft’s to ensure that they can recover quickly from unexpected events such as
hardware or software failure, data corruption, or catastrophic outages. This particularly applies to an agency’s facilities
and services or systems that they choose to integrate with Office 365.
How can Microsoft help agencies meet this requirement?
Microsoft has designed and implemented Office 365 with redundancies and resiliency to maximise reliability and
deliver high service availability. This enables Office 365 to recover quickly from unexpected events such as hardware or
application failure, data corruption, or other incidents that affect users. These provisions will also apply in the event of
low probability but potentially catastrophic events (e.g. a natural disaster or major incident impacting a Microsoft
datacentre), as Office 365 handles failures at the application layer instead of the datacentre layer.
Office 365 has been designed and built around resiliency principles which include:
• Redundancy built into every layer – such as:
o Physical redundancy (e.g. multiple disk/cards, servers, geographical sites, and datacentres).
o Data redundancy (constant replication across datacentres).
o Functional redundancy (the ability for customers to work offline when there is no network connectivity).
• Resiliency - via active load balancing and dynamic prioritisation of tasks based on current loads, constant recovery
testing across failure domains, and both automated failover and manual switchover to healthy resources.
• Distributed functionality of component services - to help limit the scope and impact of a failure in one area and to
simplify all aspects of maintenance and deployment, diagnostics, repair, and recovery.
• Continuous monitoring - with extensive recovery and diagnostic tools to drive automated and manual recovery of
the service.
• Simplification to drive predictability - including the use of standardised components and processes, wherever
possible, loose coupling among the software components for less complex deployment and maintenance, and a
change management process that goes through progressive stages of being deployed worldwide.
• Human backup - with 24/7 on-call support to provide rapid response and information collection towards problem
resolution.
What else should agencies consider?
Agencies should also consider the disaster recovery requirements for their critical on-premises infrastructure that
integrates with Office 365.
Scenarios that agencies should consider include:
• An outage of Azure Active Directory Connect (previously known as Azure AD Sync or DirSync).
• An outage of Active Directory Federation Services.
• An outage of on-premises Active Directory (for agencies that use their own AD instance for authentication to Office
365).
• Availability of on-premises networks between the agency staff and the Microsoft datacentres.
• Availability of endpoint devices for staff to access Office 365.
An important area to consider is major disaster/event scenarios that are low probability but high impact:
• International network outage – blocking all access to offshore services of any description
• Local disaster crippling local infrastructure hosting, with internet access being restored first
For the first scenario, hybrid configurations (Exchange, Skype for Business) will provide some benefits. In the second
scenario, the offshore, internet-based nature of Office 365 will be an advantage – with the key constraint being
available bandwidth. We recommend the use of password-hash synchronisation through Azure AD Connect for
customers using ADFS, allowing them to cut over and use the hash for authentication in the event of ADFS being
unavailable.
Note: agencies are not obliged to create local backups to conform to the GCIO security control requirements. If an
agency perceives a need to back up any of their O365 data locally, Microsoft will be pleased to discuss approaches or
options for doing this.
Where can agencies go for more information?
| Additional Information on | URL |
| --- | --- |
| Security in Office 365 Whitepaper.docx | https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552 |
| Data Resiliency in Office 365.pdf | https://www.microsoft.com/en-us/download/confirmation.aspx?id=53560 |
| Azure AD Connect Health | https://docs.microsoft.com/en-nz/azure/active-directory/connect-health/active-directory-aadconnect-health |
| Azure AD Connect: Operational tasks and considerations – Staging Mode | https://docs.microsoft.com/en-nz/azure/active-directory/connect/active-directory-aadconnectsync-operations#staging-mode |
11. Agencies must have decommissioning processes as outlined in the NZISM
What is this security control?
Agencies need to ensure that they have a decommissioning plan and process, to ensure that they can safely extract
and sanitise data stored in their Office 365 tenant, in accordance with the NZISM.
Key aspects of conforming to this requirement
Agencies need to determine an exit strategy should the need arise to exit their Office 365 tenancy. This includes
having a documented plan for decommissioning their service and securing their data, which will need to include:
• Migration plans – how will data, users, and licenses be migrated to a replacement service?
• Data retention and archiving requirements – what contractual and legislative requirements exist for retaining data,
and transferring data custodianship for archiving purposes?
• Service decommissioning procedures – what steps are required to end the service subscription, sanitise and delete
agency data, and complete any other decommissioning needs?
How can Microsoft help agencies meet this requirement?
Microsoft offers data deletion as part of its data privacy commitments. For Office 365, at contract termination or
expiration, Microsoft will provide at least 90 days to confirm that all customer data has been migrated, after which the
data will be destroyed to make it unrecoverable.
If a customer prefers, Office 365 provides functions for the customer to destroy their data themselves, following
Microsoft guidance. In addition, if the customer revokes the root encryption keys used to secure customer data within
Office 365 (e.g. in a BYOK scenario), then all encrypted data will become permanently unrecoverable.
Microsoft securely disposes of its media using formal media sanitisation and destruction procedures. Microsoft
sanitises and destroys media in accordance with organisational standards and policies and is consistent with
NIST 800-88 (Guidelines for Media Sanitisation).
What else should agencies consider?
Agencies need to understand that once customer content has been destroyed or made unrecoverable, it is
permanently unrecoverable. Microsoft has no ability to recover any customer content or encryption keys.
Where can agencies go for more information?
| Additional Information on | URL |
| --- | --- |
| Content Encryption in Microsoft Office 365.pdf | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652 |
12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM
What is this security control?
Agencies need to undertake assurance activities to confirm that Office 365 has the controls required to effectively
manage their security risks, before certifying and accrediting it for their use.
Key aspects of conforming to this requirement
Agencies are required to undertake assurance activities (e.g. design reviews, penetration testing, controls validation
audits, etc.) as part of the NZISM Certification and Accreditation (C&A) process, and in accordance with the GCIO’s
Cloud Computing Risk and Assurance Framework. These activities are used to provide an agency and its stakeholders
with confidence that the security controls required to manage their risks have been appropriately designed and
implemented.
For security and operational reasons Microsoft does not allow its customers to directly audit its cloud services. Also,
direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the large
body of compliance and assurance information, including audit reports, available from Microsoft to gain independent
assurance that it has effective security controls and practices in place for Office 365.
How can Microsoft help agencies meet this requirement?
Every year, Microsoft undergoes 3rd party audits from internationally recognised auditors as an independent validation
that Microsoft complies with its policies and procedures for security, privacy, continuity, and compliance. Office 365
offers one of the most comprehensive sets of security certifications and attestations of any cloud service provider,
including FIPS 140-2, HIPAA, CCSL (IRAP), ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2. A specialist compliance and
assurance team continuously tracks standards and regulations, developing common control sets for the Microsoft
product team to build into the service.
Microsoft is committed to transparency to help customers meet their compliance needs. Office 365 users are strongly
encouraged to access and use the relevant parts of both the Microsoft Trust Centre - especially the industry-leading
Service Trust Platform (STP) – and the Security & Compliance Center [6] embedded within Office 365. These
capabilities allow O365 customers to access security assurance information such as:
• Compliance reports by 3rd party security auditors (e.g. FedRAMP, GRC, ISO, SOC / SSAE 16)
• Trust documents (e.g. whitepapers, FAQ, trust documentation).
• Status of audited controls (further description of Office 365 security controls as part of ISO 27001:2013 and ISO
27018:2014).
• Results of penetration tests.
In addition to this, Microsoft New Zealand is committed to supporting the assurance needs of the New Zealand
government and has responded to the New Zealand Government Chief Information Officer’s cloud computing security
and privacy considerations questionnaire (i.e. the “GCIO 105”), to help agencies meet their cloud computing
compliance needs.
What else should agencies consider?
Agencies need to ensure they understand, read, and interpret the service assurance information as part of their
Certification and Accreditation process, to ensure that they are satisfied that Office 365 meets their security
requirements.
Where can agencies go for more information?
| Additional Information on | URL |
| --- | --- |
| Microsoft GCIO 105 response documents – Office 365, Intune, Azure, Dynamics 365, Power BI | https://www.microsoft.com/en-us/TrustCenter/Compliance/NZCC |
| GCIO risk assessment and security audit reports, and Security Certificates (up to In-Confidence) for Microsoft Azure, Office 365, and Azure AD | Available from GCIO on request. |
13. Agencies must ensure that there are appropriate security controls over physical access to datacentres
What is this security control?
Agencies need to ensure that Microsoft has implemented appropriate physical security controls to prevent an
unauthorised party gaining physical access to the datacentres hosting Office 365.
Key aspects of conforming to this requirement
For security and operational reasons Microsoft does not allow its customers to directly audit its cloud services. Also,
direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the
information and 3rd party assurance reports available from Microsoft to gain independent assurance that it has
appropriate physical security in place at the datacentres that host Office 365.
[6] https://support.office.com/en-us/article/Service-assurance-in-the-Office-365-Security-Compliance-Center-47e8b964-4b09-44f7-a2d7-b8a06e8e389c
Agencies are responsible for ensuring the physical security of their end-user computing devices and information
systems, and the locations that they host equipment in or operate from (e.g. Head Office, hot desks, working
remotely).
How can Microsoft help agencies meet this requirement?
Microsoft datacentres around the globe are built from the ground up to protect services and data from harm by
natural disaster or unauthorised access. All datacentres are within scope of the independent and internationally
recognised security audit reports and certifications regularly undertaken on Microsoft Azure.
Microsoft defines and uses security perimeters to protect areas that contain customer information and information
processing facilities. Microsoft implements controls such as perimeter gates, electronic access badge readers,
biometric readers, mantraps, anti-tailgate devices, and anti-pass back controls, as well as alarms, continuous video
surveillance, and security officers to monitor and control access to facilities.
Microsoft protects secure areas within facilities using appropriate entry controls to ensure that only authorised
personnel are allowed access, and to protect infrastructure from accidental damage, disruption and physical
tampering. Microsoft has designed and built secure rooms (e.g. Main Distribution Frame rooms, co-location rooms),
implemented controls such as metal conduits, locked racks or cages, and cable trays, and controls access to secure
areas by requiring two-factor authentication (access badge and biometrics).
In addition to the physical access controls, Microsoft has implemented operational procedures to restrict physical
access to authorised employees, contractors, and visitors. This includes:
• Authorisation to grant temporary or permanent access is limited to authorised staff, and requests and
authorisations are tracked in a ticketing and access control system.
• Visitors are required to be escorted at all times, and access within the facility is logged and audited.
• Access badges are issued to personnel requiring access only after verification of identification, and access is
reviewed on a quarterly basis.
Where can agencies go for more information?
Additional Information on / URL
Security in Office 365 Whitepaper.docx: https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
Service Assurance: https://support.office.com/en-us/article/Service-assurance-in-the-Office-365-Security-Compliance-Center-47e8b964-4b09-44f7-a2d7-b8a06e8e389c
14. Agencies must have assurance that appropriate patching and software maintenance is undertaken
What is this security control?
Agencies need to ensure that Microsoft has implemented a robust and comprehensive product lifecycle, including
effective patch and vulnerability management strategies, to minimise the risk of an unauthorised party exploiting a
known vulnerability to gain access to information stored in Office 365.
Key aspects of conforming to this requirement
Microsoft does not generally allow its customers to directly audit its cloud services. Direct auditing of a public cloud
service is a very large and costly undertaking, and presents potential security risks and operational challenges.
However, to gain independent assurance that it has effective product lifecycle, patch, and vulnerability management
practices in place for Office 365, agencies can review the extensive information and 3rd party assurance reports and
certifications available via the Microsoft Trust Center.
How can Microsoft help agencies meet this requirement?
Microsoft identifies, reports, and corrects system flaws in Office 365 through vulnerability management, incident
response management, patch and configuration management processes. Microsoft receives vulnerability-related
information from multiple sources which include:
• Microsoft Security Response Centre (MSRC).
• The Microsoft Digital Crimes Unit.
• Vendor websites.
• Other 3rd party services (e.g. Internet Security Systems).
• United States Computer Emergency Readiness Team (US-CERT).
• Internal and external vulnerability scanning of services daily.
Microsoft has implemented procedures to control the installation of software within Office 365. Patches, updates, and
threat mitigations are covered by the Microsoft Security Development Lifecycle (SDL)7. Office 365 has robust patch
management release cycles and engagement models to mitigate new vulnerabilities or threats as quickly as possible.
What else should agencies consider?
Agencies must ensure that they also have a robust and comprehensive product lifecycle, patch and vulnerability
management strategies that cover:
• operating systems and applications on end-user computing devices (e.g. workstations, laptops, tablets, and
smartphones).
• operating system and applications on the infrastructure components they are responsible for managing and
maintaining (e.g. Active Directory servers).
This will ensure that the devices and infrastructure components that are managed by the agency remain compatible
with Office 365, and minimise the risk of a malicious party exploiting a known vulnerability in them to gain access to the
information stored in Office 365.
Where can agencies go for more information?
Additional Information on / URL
Response to GCIO 105 questions – Microsoft Office 365 – July 2015 – FINAL.pdf: https://www.microsoft.com/en-us/TrustCenter/Compliance/NZCC
15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms
What is this security control?
Agencies need to ensure that Microsoft has implemented technical controls to prevent their data stored in Office 365
from being mixed, blended, or combined with other tenants’ data to protect against unauthorised access, disclosure,
modification, and loss.
Key aspects of conforming to this requirement
For security and operational reasons, Microsoft does not allow its customers to directly audit its cloud services. Also,
direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the
information and 3rd party assurance reports available from Microsoft to gain independent assurance that it has
implemented and maintains controls that prevent data-mingling.
How can Microsoft help agencies meet this requirement?
Microsoft cloud services, including Office 365, have been designed with the assumption that all tenants are potentially
hostile to all other tenants. Microsoft has implemented comprehensive security measures to prevent a tenant from
being able to access content, or affect the security, of another tenant. Multiple forms of protection have been
implemented throughout Office 365 that work together to provide robust logical isolation. These include:
• Logical isolation of tenants, users and services through Azure Active Directory partitions, containers, authorisation
and Role-Based Access Control (RBAC).
• Logical isolation of tenants, users and services within Office 365 through Azure Active Directory and Directory
Services.
• Logical isolation of customer content at the storage level, through operating system ACLs and enforcement by
Azure Active Directory.
• Multi-layered encryption strategy, which combines with the data isolation storage models for each service (e.g.
Exchange Online, Skype for Business, SharePoint Online) to provide additional isolation of customer data.
• SharePoint Online provides additional data isolation mechanisms at the storage level.
Microsoft continuously monitors and explicitly tests for weaknesses and vulnerabilities in tenant boundaries, including
monitoring for intrusion, permission violation attempts, and resource starvation.
Where can agencies go for more information?
Additional Information on / URL
Tenant Isolation in Microsoft Office 365: https://www.microsoft.com/en-us/download/confirmation.aspx?id=54249
Office 365 Subscription Plans mapped to Security Technologies
The following table details which Office 365 technologies are available in each subscription plan.
Subscription plans (columns, left to right): Office 365 K1 | Office 365 E1 | Office 365 E3 | Office 365 E5 | SPE E3 / ECS | SPE E5
Security Feature: availability by plan
Azure Active Directory: ✓ ✓ ✓ ✓ ✓ ✓
Office 365 MFA: ✓ ✓ ✓ ✓ ✓ ✓
Office 365 MDM: ✓ ✓ ✓ ✓ ✓ ✓
Office 365 Data Loss Prevention: ✓ ✓ ✓ ✓
Secure Score: ✓ ✓ ✓ ✓ ✓ ✓
Exchange Online Protection - filtering: ✓ ✓ ✓ ✓ ✓ ✓
Exchange Online Advanced Threat Protection: ✓ ✓
Office 365 Advanced Security Management: ✓ ✓
Advanced Threat Intelligence: ✓ ✓
Customer Lock Box (process control): ✓ ✓
Skype for Business, OneNote, Outlook and OneDrive free apps with MAM support: ✓ ✓ ✓ ✓ ✓ ✓
Word, Excel and PowerPoint Mobile Apps with MAM support: ✓ ✓ ✓ ✓
Azure AD MFA: ✓ ✓
Azure AD Conditional Access: ✓ ✓
Azure AD Identity Protection: ✓
Azure AD Privileged Identity Management: ✓
Intune MDM: ✓ ✓
Intune App Protection: ✓ ✓
Customer Key (BYOK) in Office 365: ✓ ✓
Azure Information Protection – manual: ✓ ✓
Azure Information Protection – automated: ✓
Azure Information Protection – BYOK8: ✓ ✓ ✓ ✓
Azure Information Protection – HYOK: ✓
Cloud App Security: ✓
Windows Information Protection: ✓ ✓
• Secure Productive Enterprise E3 (formerly Enterprise Cloud Suite or ‘ECS’) includes Office 365 E3, Enterprise
Mobility and Security E3 and Windows Enterprise E3
• Secure Productive Enterprise E5 includes Office 365 E5, Enterprise Mobility and Security E5 and Windows
Enterprise E5
For more information refer to: https://www.microsoft.com/en-us/secure-productive-enterprise/default.aspx
8 Requires Azure Key Vault - https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions
Appendix: Office 365 encryption capabilities
Table 1: Risk scenarios and relevant encryption capabilities
(Columns: Risk scenario | Encryption technology | Applies to | Implementation | Value)

Risk scenario: Disks or servers in Office 365 are stolen or improperly recycled.
Encryption technology: BitLocker
Applies to: Exchange Online, SharePoint Online, Skype for Business
Implementation: AES 256-bit
Value: BitLocker provides a fail-safe approach to protect against loss of data due to stolen or improperly recycled hardware (server / disk).

Risk scenario: Internal or external hacker tries to access individual files / data as a blob. There is an attempt to access data across tenant.
Encryption technology: Service encryption
Applies to: SharePoint Online
Implementation: Files or chunked files, using AES 256-bit
Value: The encrypted data cannot be decrypted without access to keys. Helps to mitigate risk of a hacker accessing data and cross tenant access of data.

Risk scenario: Internal or external hacker tries to access individual files / data as a blob.
Encryption technology: Service encryption
Applies to: Skype for Business
Implementation: Files, using AES 256-bit
Value: The encrypted data cannot be decrypted without access to keys. Helps to mitigate risk of a hacker accessing data.

Risk scenario: Man-in-the-middle or other attack to tap the data flow between Office 365 and client computers over Internet.
Encryption technology: TLS between Office 365 and clients
Applies to: Exchange Online, SharePoint Online, Skype for Business, Yammer
Implementation: Service implemented
Value: This implementation provides value to both Microsoft and customers and assures data privacy as it flows between Office 365 and the client.

Risk scenario: Data falls into the hands of a person who should not have access to the data.
Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Applies to: Exchange Online, SharePoint Online, and OneDrive for Business
Implementation: Customer managed
Value: Azure Information Protection uses Azure RMS which provides value to customers by using encryption, identity, and authorisation policies to help secure files and email across multiple devices. Azure RMS provides value to customers where all emails originating from Office 365 that match certain criteria (i.e. all emails to a certain address) can be automatically encrypted before they get sent to another recipient.

Risk scenario: Email falls into the hands of a person who is not the intended recipient.
Encryption technology: S/MIME
Applies to: Exchange Online
Implementation: Customer managed
Value: S/MIME provides value to customers by assuring that email encrypted with S/MIME can only be decrypted by the direct recipient of the email.

Risk scenario: Email falls in hands of a person either within or outside Office 365 who is not the intended recipient of the email.
Encryption technology: Office 365 Message Encryption
Applies to: Exchange Online
Implementation: Customer managed
Value: OME provides value to customers where all emails originating from Office 365 that match certain criteria (i.e. all emails to a certain address) are automatically encrypted before they get sent to another internal or an external recipient.

Risk scenario: Email is intercepted via a man-in-the-middle or other attack while in transit from an Office 365 tenant to another partner organisation.
Encryption technology: SMTP TLS with partner organisation
Applies to: Exchange Online
Implementation: Customer managed
Value: This scenario provides value to the customer such that they can send / receive all emails between their Office 365 tenant and their partner’s email organisation inside an encrypted SMTP channel.
Table 2: details of encryption technologies for data in transit and at rest
(Columns: Encryption technology | Implemented by | Key exchange algorithm and strength | Key management9 | FIPS 140-2 validated)

Encryption technology: BitLocker
Implemented by: Exchange Online
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe and in the registry of the Exchange server. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: BitLocker
Implemented by: SharePoint Online
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: BitLocker
Implemented by: Skype for Business
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: File-Level Encryption
Implemented by: SharePoint Online
Key exchange algorithm and strength: AES 256-bit
Key management: The master keys, which protect the per-blob keys, are stored in two locations: 1. First, the secured store (a built-in SharePoint secret repository) which is protected by the Farm Key. 2. Second, the master keys are backed up in the central SharePoint Online secret store. These keys are updated (and the blob keys re-encrypted) every 42 days.
FIPS 140-2 validated: Yes

Encryption technology: File-Level Encryption
Implemented by: Skype for Business
Key exchange algorithm and strength: AES 256-bit
Key management: Each piece of content is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: Exchange Online
Key exchange algorithm and strength: Opportunistic TLS supporting multiple cipher suites
Key management: The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes, when TLS 1.2 with 256-bit cipher strength is used

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: SharePoint Online
Key management: The TLS certificate for SharePoint Online (*.sharepoint.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for SharePoint Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: Skype for Business
Key exchange algorithm and strength: TLS for SIP communications and PSOM data sharing sessions
Key management: The TLS certificate for Skype for Business (*.lync.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Skype for Business is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Microsoft datacentres
Implemented by: Exchange Online, SharePoint Online, and Skype for Business
Key exchange algorithm and strength: TLS 1.2 with AES 256; Secure Real-time Transport Protocol (SRTP)
Key management: Microsoft uses an internally managed and deployed certification authority for server-to-server communications between Microsoft datacentres.
FIPS 140-2 validated: Yes

Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Implemented by: Exchange Online
Key exchange algorithm and strength: Supports Cryptographic Mode 2, an updated and enhanced RMS cryptographic implementation. RSA 2048 for signature and encryption, and SHA-256 for hash in the signature.
Key management: Managed by Microsoft.
FIPS 140-2 validated: Yes

Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Implemented by: SharePoint Online
Key exchange algorithm and strength: Supports Cryptographic Mode 2, an updated and enhanced RMS cryptographic implementation. RSA 2048 for signature and encryption, and SHA-256 for signature.
Key management: Managed by Microsoft, which is the default setting; or customer-managed (aka BYOK), which is an alternative to Microsoft-managed keys. Organisations that have an IT-managed Azure subscription can use BYOK and log its usage at no extra charge. For more information, see Implementing bring your own key. In this configuration, Thales HSMs are used to protect your keys. For more information, see Thales HSMs and Azure RMS.
FIPS 140-2 validated: Yes

Encryption technology: S/MIME
Implemented by: Exchange Online
Key exchange algorithm and strength: Cryptographic Message Syntax Standard 1.5 (PKCS #7)
Key management: Depends on the customer-managed public key infrastructure deployed. Key management is performed by the customer, and Microsoft never has access to the private keys used for signing and decryption.
FIPS 140-2 validated: Yes, when configured to encrypt outgoing messages with 3DES or AES256

Encryption technology: Office 365 Message Encryption
Implemented by: Exchange Online
Key exchange algorithm and strength: Same as Azure RMS (Cryptographic Mode 2 - RSA 2048 for signature and encryption, SHA-256 for signature)
Key management: Uses Azure Information Protection as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages.
FIPS 140-2 validated: Yes

Encryption technology: SMTP TLS with partner organisation
Implemented by: Exchange Online
Key exchange algorithm and strength: TLS 1.2 with AES 256
Key management: The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes, when TLS 1.2 with 256-bit cipher strength is used

9 TLS certificates referenced in this table are for US datacentres; non-US datacentres also use 2048-bit sha256RSA certificates.
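Both tables describe "SMTP TLS with partner organisation" as customer managed: the TLS that Exchange Online negotiates by default is opportunistic, so mail to a partner falls back to cleartext if the partner's server does not offer TLS. The following PowerShell is an added example, not part of the conformance guide or of Microsoft's documentation, showing how an agency can configure Exchange Online so that mail to and from one partner domain is delivered only over a TLS session validated against the partner's certificate. It assumes the ExchangeOnlineManagement module, an account holding the Organization Management role, and uses the placeholder domain "partner.example"; the connector names are also assumed.

```powershell
# Added example (not from the conformance guide): force TLS for mail exchanged
# with one partner organisation in Exchange Online, using a pair of partner
# connectors. "partner.example" is a placeholder for the partner's mail domain.
# Assumes the ExchangeOnlineManagement module and Organization Management rights.

$PartnerDomain = 'partner.example'   # placeholder: the partner's mail domain

Connect-ExchangeOnline

# Outbound: mail addressed to the partner domain must be sent over TLS, and the
# partner server's certificate must match the domain (DomainValidation). If the
# partner does not satisfy this, delivery is deferred rather than falling back
# to opportunistic TLS or cleartext.
New-OutboundConnector -Name "Forced TLS to $PartnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerDomain `
    -Enabled $true

# Inbound: mail claiming to come from the partner domain is accepted only over
# TLS, and only when the sending server presents a certificate for that domain.
# Without RestrictDomainsToCertificate, RequireTls alone would accept any
# certificate, which does not stop a spoofed sender using its own TLS.
New-InboundConnector -Name "Forced TLS from $PartnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $PartnerDomain `
    -Enabled $true

# Verify the resulting settings. Anything other than RequireTls = True on the
# inbound side and TlsSettings = DomainValidation on the outbound side means
# the partner flow is still only opportunistically encrypted.
Get-InboundConnector -Identity "Forced TLS from $PartnerDomain" |
    Format-List Name, SenderDomains, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
Get-OutboundConnector -Identity "Forced TLS to $PartnerDomain" |
    Format-List Name, RecipientDomains, TlsSettings, TlsDomain, UseMXRecord

Disconnect-ExchangeOnline -Confirm:$false
```

The partner needs the mirror-image configuration on its side; otherwise the agency's outbound connector defers delivery until the partner presents a certificate whose subject or subject alternative name matches the configured domain. Test with a single pilot recipient domain before widening RecipientDomains or SenderDomains.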