Confidential and Proprietary © Metalogix. Move, Manage, Protect
Welcome! The Essential Roadmap to DFARS Compliance
Start Time: 11:00 AM ET
ABOUT BRIAN LEVENSON
Product Marketing Manager
• Office 365 US Government
• 8+ years at Microsoft
• Son of a software engineer, beta testing since childhood
• Worked in various IT roles including help desk
• Prolific speaker, photographer, and puppy cuddler
• Twitter @brian_levenson
• Q&A #O365Security
ABOUT BEN CURRY
Principal Architect
• Summit 7 Systems Lead Architect
• Eleven-time Microsoft MVP
• CISSP, MCP, MCT
• Author of several SharePoint books by Microsoft PRESS
• Master SCUBA Diver Trainer
• [email protected]
• Twitter @curryben
• Q&A #O365Security
Outline
• Introduction
• DFARS Policy and Compliance
• Microsoft Cloud Security and Compliance
• Microsoft Cloud Platforms
• Lessons Learned
• Supporting Technical Features
Copyright ©2017 Summit 7 Systems, Inc. All rights reserved.
Executive Order 13556
• November 4, 2010
• Established the Controlled Unclassified Information Program in order to unify government wide policies, procedures, markings and controls for CUI
• Rescinded the May 2008 “Designation and Sharing of CUI” Presidential Memorandum
• Designates the National Archives and Records Administration (NARA) as the Executive Agent
• NARA delegated authority over the program to the Information Security Oversight Office (ISOO)
• Program Implemented via 32 CFR 2002, which calls for NIST SP 800-171
CUI, CTI, CDI
• CUI – Controlled Unclassified Information
• CTI – Controlled Technical Information
• CDI – Covered Defense Information (Umbrella term that encompasses all CUI and CTI)
• Gone…
  • UCTI
  • FOUO
  • SBU
  • Etc.
CUI / CDI
• Replaced designations such as UCTI, SBU, etc.
• Unclassified information that is provided by or on behalf of the DoD in connection with a contract.
• CUI/CDI/CTI may also be developed in the performance of a contract
• 24 Separate Categories listed in the CUI Registry at https://www.archives.gov/cui
• 2 Categories that almost all companies have
  • Controlled Technical Information
    • DoD 5230.24 “Distribution Statements on Technical Documents”
    • Engineering drawings and Data, Technical Reports, Specifications, Data Sets, Analysis, etc.
  • Procurement and Acquisition Information
    • Information related to acquisition actions
    • Cost and Pricing Information
    • Contract Information
    • Indirect Costs and Direct Labor Rates
• CUI Basic
  • Protect CUI Basic at the Moderate level with the controls in NIST 800-171
• CUI Specified (ITAR / HIPAA / etc.)
  • May only be upgraded to “CUI Specified” by a designating agency
  • May require additional controls beyond NIST 800-171 and FISMA Moderate
• Marking guidance from the Government is available at https://fas.org/sgp/cui/marking-2016.pdf
DFARS 252.204-7012
87% of all DoD Contracts in 2017
3 Major Components
1. Provide Adequate Security on all Covered Contractor Information Systems*
   • FedRAMP Moderate
   • NIST SP 800-171 with mapping to NIST 800-53 Relevant Security Controls
2. Rapidly Report Cyber Incidents to DoD at http://dibnet.dod.mil
   • 72 Hours
   • Medium Assurance Certificate
   • Meet Paragraphs C-G
3. Contract Flowdown Requirements
Key Dates
• December 31, 2017: POA&M and SSP must be completed
• 2017-2018: Precursor to Expected FAR changes
* Defined as: an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI
DFARS Rules
• 252.204-7008 “Compliance with Safeguarding Covered Defense Information Controls”
  • If you plan to vary from NIST 800-171 you must submit an explanation for consideration to the DoD CIO via the Contracting Officer
• 252.204-7009 “Limitations on the use or disclosure of third-party contractor reported cyber incident information”
  • How to handle sub-contractor incident information
• 252.239-7010 “Cloud Computing Services”
  • Only Applicable to GoCo or “Type 1” systems
What Does Adequate Security Mean?
• Type 1 System
  • Operated on Behalf of the Government
  • Must Comply with 252.239-7010
  • Calls out the DISA Security Requirements Guide v1R3
  • Specifies that the NIST 800-53r4 Control Set must be Used
  • If leveraging a Cloud Service Provider, the CSP must be FedRAMP Moderate and SRG L4
• Type 2 System
  • Operated by a Contractor, but not on behalf of the Government
  • Specifies NIST 800-171 Control Set must be Used
  • If leveraging a Cloud Service Provider, the CSP must be FedRAMP Moderate
NIST 800-171 Compliance: Chapter 3 Security Control Families
• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity
The families comprise both Policy Controls and Technical Controls.
NIST SP 800-171 DFARS/FAR Timeline (2015 to 2018)
FAR track:
• FAR 52.204-21 Modified & Added 15 NIST Controls
• FAR 32 CFR 2002: Federal Agencies begin 2 year effort of implementing and requiring NIST 800-171
• New Contracts and Mods will add NIST 800-171 to Fed Contracts
• Anticipated Release of new FAR requiring full NIST 800-171 Compliance
• Anticipated: Full NIST 800-171 Compliance in all Federal Contracts
DFARS track:
• DFARS 252.204-7012: DoD Agencies begin 2 year effort of implementing and requiring NIST SP 800-171
• New Contracts and Mods add DFARS 7012 to DoD Contracts
• DFARS 7012 Requires Compliance including SSP and POA&M
How do you approach compliance?
• Functional, Technical and 800-171 Compliance Requirements
• Corporate Technology Policies
• Chosen Platform Capabilities
• Corporate Security Policies
• Compliant Platform
Shared responsibility by platform (SaaS / PaaS / IaaS / On-Prem)
Legend: CSP manages; You manage (shared responsibility to protect); You or CSP manages (depends on provider and configuration)
Layers, top to bottom:
• Data Governance and Rights Management
• Client End-points
• Account and Access Management
• Identity and Directory Infrastructure
• Application
• Network Controls
• Operating System
• Physical Hosts
• Physical Network
• Physical Datacenter
Microsoft’s Commitment to the Cloud
Security
• State-of-the-Art Physical Security
• 24x7 Incident Response
• Encrypted at Rest and Transit
Privacy
• You Control Access to Your Data
• You Control where your Data is stored
• Content Cannot be used for Marketing or Commercial Purposes
Compliance
• Industry Leading Compliance Portfolio
• Regular Independent Audits
• Access to all Certification Documentation
Transparency
• Clear and Strict Policies on how Customer data is managed
• Vigorous defense of customer privacy rights
• Easy to Understand Info on where customer data resides
Availability
• Financially Backed SLAs
• Robust DR, Backup, Monitoring and Management tools
• Easy to access Service Health Information
Microsoft Office 365 Security & Compliance
• Threat Protection: Exchange Online Protection, Advanced Threat Protection, Threat Intelligence
• Information Protection: Azure Information Protection, Data Loss Prevention, Office Message Encryption
• Security Management: S&C Center, Cloud App Security, Secure Score
• Compliance Solutions: Advanced Data Governance, Advanced eDiscovery, Customer Lockbox, Compliance Manager
• Multifactor Authentication
Microsoft is meeting customer security needs with the industry's largest compliance portfolio
• Worldwide: ISO 27001, PCI DSS Level 1 *, SOC 2 Type 2, ISO 27018, Cloud Controls Matrix, Content Delivery and Security Association *, Shared Assessments, SOC 1 Type 2
• National: European Union Model Clauses, Singapore MTCS Level 3, New Zealand GCIO, Australian Signals Directorate, Japan Financial Services, Spain ENS, ENISA IAF, HIPAA / HITECH, United Kingdom G-Cloud, EU-U.S. Privacy Shield, China MLPS*, TRUCS*, GB 18030*
• Government: FIPS 140-2, DISA Level 2, DISA Level 4, DISA Level 5, FERPA, FedRAMP JAB P-ATO, FISMA, CJIS, 21 CFR Part 11, IRS 1075, Section 508 VPAT, NIST 800-171
Microsoft Office 365 Commercial
• Available for all Organizations
• Certified to FedRAMP Moderate
• Certified to DISA Level 2
• Not DFARS C-G Compliant*
• Is NOT ITAR Capable*
* Official Microsoft Position
Office 365 Government
                       Office 365 GCC             Office 365 GCC High        Office 365 GCC High DoD
Customer Access        Government / Contractors   Government / Contractors   DoD Agencies
FedRAMP                Moderate                   Moderate                   Moderate
DISA                   Level 2                    Level 4                    Level 5
ITAR Capable           No*                        Yes                        Yes
NIST 800-171 Capable   Yes                        Yes                        Yes
DFARS C-G              No*                        Yes                        Yes
• GCC High can be fully DFARS Compliant with Proper licensing, design, configuration and policy control.
• All Contractors must be approved as having a verified need
• Some Capabilities Available in Office 365 Commercial are not yet available
• Requires a Minimum of 500 licenses
* Official Microsoft Position
Key Office 365 Features and NIST 800-171
(Security Control Family / Section / Requirement / Office 365 Feature and License)
• Configuration Management 3.4.9: Control and monitor user-installed software. Feature: Intune in EM+S E3
• Identification and Authentication 3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Feature: Standard in E1, E3 and E5 Licenses
• Incident Response 3.6.1: Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Feature: Data Loss Prevention (DLP) and eDiscovery in E3 License
• Incident Response 3.6.2: Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. Feature: Data Loss Prevention (DLP) and eDiscovery in E3 License
• System and Communications Protection 3.13.1: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. Feature: Azure Information Protection P1 in EM+S E3 License
• Maintenance 3.7.6: Supervise the maintenance activities of maintenance personnel without required access authorization. Feature: Customer Lockbox in E5 or as an Add On License
• System and Communications Protection 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Feature: Azure Information Protection P1 in EM+S E3 License
• System and Information Integrity 3.14.4: Update malicious code protection mechanisms when new releases are available. Feature: Advanced Threat Protection in E5 or as an Add On License
• System and Information Integrity 3.14.6: Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Feature: Advanced Threat Analytics in EM+S E3
Microsoft Azure (Commercial)
• Available for Organizations
• Certified to FedRAMP Moderate
• Certified to DISA Level 2
• Is Not ITAR Capable
• Not Compliant with DFARS C-G
• No Minimum service required
* Official Microsoft Position
Azure Government Community Cloud
• DFARS Compliant with proper services, design, configuration and policy control
• Is ITAR Capable
• All Contractors must be approved by Microsoft and have a verified need
• Some Capabilities Available in Azure Commercial are not yet available
• No Minimum Service Requirement
Azure Government and Azure Government DoD
                  Azure Government            Azure Government DoD
Customer Access   Government / Contractors    DoD Agencies
FedRAMP           High                        High
DISA              Level 4                     Level 5
ITAR Capable      Yes                         Yes
DFARS Compliant   Yes                         Yes
Lessons Learned
CUI / CDI Lessons Learned
Every Defense Industrial Base (DIB) company has CUI / CDI content
Outside of basic CUI / CDI needs, ITAR content is a major driver.
Office 365 Lessons Learned
Office 365 GCC High (Level 4) Environments take 6 weeks to provision
Custom Office 365 Deployment and Migration takes 4 – 12 Months
Templated Office 365 Deployments take 4 - 6 Weeks
Industry Lessons Learned
87% of all contracts released in 2017 have the DFARS 7012 Clause
Every DIB company has at least 1 contract with the DFARS 7012 clause in it
Corporate IT and Security Policies are not well understood or implemented
Mobile Devices are ubiquitous and BYOD is the standard
With these lessons learned, and our continual discovery cycles, we have simplified the equation for total solution success…
Compliance is a Risk Management Exercise. Risk Acceptance and Mitigation is common.
Key Decision Points – 2 Driver Categories
Driver 1: Environmental
• ITAR Data
• Timeline
• Risk Acceptance
Driver 2: Licensing
• Mobility
• NIST 800-171 Requirements drive licensing
• Desktop License Availability
Where do I get that licensing matrix?!?!
• http://info.summit7systems.com/office-365-licensing-guide-for-dod-contractors
Resources
• DoD Contractor Office 365 Licensing Guide
• Webinar: Updates and Lessons Learned on DFARS/NIST/ITAR Compliance
• Thursday November 16, 2017 from 10-11AM CST
• http://info.summit7systems.com/blog/webinar-dfars
• http://microsoft.com/trust
Multifactor Authentication (MFA)
• NIST Maintenance 3.7.5
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
• MFA is configurable on a user by user basis.
• MFA is available for all Office 365 enterprise license types across all user roles.
• Advanced MFA options are available with Enterprise Mobility + Security
MFA Verification Methods
Office 365 Identity Management
• Included with Standard User Licensing
  • Mobile App Notification
  • Verification Code with Mobile App
  • Phone Call
  • Text Message
Hybrid Identity Management
• Standard User Licensing
  • Phone Call
  • Text Message
  • Mobile App Notification
  • Verification Code with Mobile App
• Azure MFA (Additional Licensing)
  • Over 20 Third Party Providers
  • Can Secure On-Premises Apps
  • Includes Reporting Capabilities
  • Includes Fraud Alerts
  • Customized Greetings and Caller ID for Phone Calls
• AD Federation Services
Azure AD Identity Protection
• Users with leaked credentials
  • Found in the dark Web by Microsoft Systems and Staff
• Sign-ins from anonymous IP addresses
• Impossible travel to atypical locations
• Sign-ins from unfamiliar locations (IP and Latitude/Longitude)
• Sign-ins from infected devices (known BOT IPs)
• Sign-ins from IP addresses with suspicious activity
Advanced Threat Protection
• Enhancement to Exchange Online Protection
• Safe Links
  • Active protection for links in email messages after mail delivery
  • Protection is continual
  • Configured to not allow clicking on a hyperlink that is determined to be malicious
• Safe Attachments
  • Protects against unknown malware and zero-day malware
  • Attachment behavior analysis in an external hypervisor environment
• Reporting
  • Tracking allows you to track malicious links that have been clicked
  • Reporting allows you to investigate potential attacks
Advanced Security Management (ASM)
• Focus Families
  • 3.1 Access Control
  • 3.3 Audit and Accountability
  • 3.6 Incident Response
• Advanced Security Management Capabilities
  • Investigate Office 365 Activity
  • Investigate Application Permissions and Use
  • Create Anomaly Detection Policies (Anomalous logins, Unknown threats, Password sharing, Lateral movement)
  • Create Activity Policies
  • Create Anomaly Alerts
  • Leverage Cloud App Discovery to determine potential attack vectors
• Capabilities are Available in the E5 License or as a Standalone License
Data Security
[Diagram: how DLP policies, retention policy tags, AIP, Intune MDM device policies and Intune MAM application policies apply to content in Exchange, network file shares, managed and unmanaged apps, and clients with or without the AIP client]
• Office 365 Data Loss Prevention (DLP) provides real-time protection of sensitive content.
• Office 365 Labels provide a way to tag documents within Office 365 for the purpose of retention, identification, search, and eDiscovery.
• Azure Information Protection (AIP) adds additional security to documents in addition to the container they are already secured within.
• Azure Intune controls how information is consumed, copied, saved, and forwarded on mobile devices and laptops.
Azure Information Protection (and Rights Management Service)
• Focus Families
  • 3.1 Access Control
  • 3.13 System and Communications Protection
• Azure Information Protection Capabilities
  • Classify and Protect (Encrypt) Files Internally or Externally
  • Audit and monitor Usage of Protected Files
  • Create Custom Rights Policies
  • Leverage your own Cryptographic Keys or Cryptographic Keys Managed by MS
• Baseline RMS capabilities are available in the E3 and E5 Licenses
• Additional capabilities are available in Azure Information Protection as a stand-alone add-on or as part of EM+S E3 or E5.
AIP Global Configuration
• AIP will primarily be used to protect access to files on the client
• The following options can be configured on any label:
  • Restricted Actions
  • Encryption
  • Group-scoped Policies (security trimmed labels)
  • Labels apply metadata that can be seen by other systems, i.e. DLP, eDiscovery, Search.
  • Force justification when classifying down, such as with CUI/CDI changes seen in the accompanying graphic
• A full version of the AIP client must be installed to author and classify documents.
• Office Online allows read-only access to AIP protected files; co-authoring is not allowed.
• Only a Windows machine with the full AIP client will be able to edit AIP documents.
Azure protected file management
• When a file is moved between systems, the ability to read the file will vary based on location.
• Protected files moving between SPO/ODB and ExchO will lose any related permissions.
• Protected files moving between a file share, external drive or external cloud resource and SPO/ODB or ExchO will only retain the AIP and RMS policies associated with that object.
• A superuser account must be created and always added to the item’s security; this is what allows DLP, search, eDiscovery, and more to keep working.
Azure Information Protection
Ease of use: right click, or direct access in the application
Classification and Protection
Filetypes Supported for Classification
• Legacy Microsoft (97/00/03/07/10)
• XPS
• Photoshop
• Solidworks
• Autodesk
• Others
Filetypes Supported for Classification and Protection (Encryption)
• Microsoft Office 2013/2016
• Adobe PDF
• Text and Image
Data Loss Prevention (DLP)
• Focus Families
  • 3.1 Access Control
  • 3.13 System and Communications Protection
• DLP capabilities in Exchange Online, SharePoint Online and OneDrive for Business
  • Create DLP Policies to Identify sensitive information
  • Prevent accidental sharing
  • Notify Users of Policies or Block them from sharing
  • Create Compliance Reports and Notify Administrators on DLP incidents
Data Loss Prevention (DLP)
• DLP allows us to control access to content based on many configurable options using policies.
• Policies can be created 4 ways:
  • With the built-in sensitive information types found in Azure.
  • Programmed via XML and uploaded to the tenant.
  • Based on managed search properties and document tagging.
  • Based on Office 365 labels
Office 365 DLP Policy Templates
Includes 41 DLP Policy Templates
• Financial Regulations
• Medical and Health Regulations
• Privacy Regulations
Examples
• Patriot Act
• PII Data
• PCI Data Security Standard
• SSN Confidentiality
• HIPAA
• US Financial Data
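Added example (not from the slides or from Summit 7): a DLP policy built the first way listed above, from built-in sensitive information types, scoped to Exchange Online, SharePoint Online and OneDrive for Business, which notifies the owner, blocks external sharing and sends incident reports to administrators. It assumes an admin session to Security & Compliance PowerShell (Connect-IPPSSession); the policy, rule and mailbox names are placeholders.

```powershell
# Added example, not from the slides. Assumes Connect-IPPSSession has already been
# run by an account with Compliance administrator rights. Policy/rule names and the
# report mailbox are placeholders chosen for this example.

# 1. Policy scope: all Exchange Online, SharePoint Online and OneDrive locations.
#    Start in test mode with notifications so users see the policy tips and admins
#    can review incident reports before any sharing is actually blocked.
New-DlpCompliancePolicy -Name "CUI-CDI-Protection" `
    -Comment "Detect and block external sharing of CUI/CDI content (NIST 800-171 3.1 / 3.13)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: match built-in sensitive information types (the SSN and PCI examples on
#    the templates slide), restrict access only when shared outside the organization,
#    notify the content owner, and generate an incident report for the compliance team.
New-DlpComplianceRule -Name "Block-external-CUI-sharing" -Policy "CUI-CDI-Protection" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport "compliance@example.com" `
    -IncidentReportContent Title, DocumentAuthor, Detections, RulesMatched

# 3. Once the test-mode incident reports look right, enforce the policy.
Set-DlpCompliancePolicy -Identity "CUI-CDI-Protection" -Mode Enable
```

Running in TestWithNotifications first gives the incident reports that the 3.6.1 / 3.6.2 rows on the features slide rely on, without surprising users with blocked shares on day one.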
Azure Intune data security
• Azure Intune will add enhanced protection of files on mobile devices.
• Office 365 data can only be consumed in Managed Device applications and not by unapproved (unmanaged) applications.
• Office 365 content cannot be moved from Managed apps to Unmanaged applications.
  • Only unmanaged content can be moved into managed apps.
  • Any user can use unmanaged applications all they want, but they cannot use those unmanaged applications to access corporate content.
Device Compliance (MDM)
• Options differ based on OS
• At least one policy per OS required if you want MDM
• Be sure to encrypt Android! (iOS is already encrypted)
• Configure Compliance
  • Device Health
  • OS Properties
  • Password Complexity
• Set Validity Period in days
  • After X days, the device will be treated as noncompliant
• Monitor Compliance
• Enforce Compliance / Remove Corporate Data
Device Configuration (MDM)
• Create Profiles and Deploy to groups/users
• Based on Platform Type
• Profile Types change based on Platform
• Win 10 has most options
• Mac OS has fewest options
Managed Apps Policies – Limit Data Relocation / Exfiltration
• Prevent backup to Cloud (iCloud, etc.)
• Allow Data Transfer (All, none, managed apps)
• Receive data from other apps (All, none, managed apps)
• Prevent “Save As”
  • Select None, or a combination of ODB, SharePoint Online, and Local
• Copy/Paste (Blocked, Any App, managed apps)
• Encrypt App data
• Disable Contacts sync
• Disable Printing
Missed something?
• This session will be recorded, so you will have the opportunity to watch it again or share with your colleagues.
• You will also receive an email tomorrow with the link to the recording and the PowerPoint slides.
• The recording can also be found on the Metalogix webinar page.
Thank you for Joining us Today!
• You can find the webinar recording on Metalogix.com/webinars
• You can find the follow-up blog on Metalogix.com/blog
• Our next webinar will cover the _______________. Seats are going fast, so follow this link to register today.
I hope you all enjoy the rest of your week!