Slide 1
Microsoft Office 365 Security, Privacy, and Trust
Alistair Speirs, Sr. Program Manager
Bharath Rambadran, Sr. Product Marketing Manager
Microsoft Corporation
OSP323
Slide 2
Brings together cloud versions of our most trusted communications and collaboration products with the latest version of our desktop suite
Slide 3
Office 365
Delivers World Class Capabilities
Pay-as-you-go, per-user licensing
Complete Office experience with services integration
Always the latest version of Office and Office Web Apps
Familiar Office user experience
My Sites to manage and share documents
Access documents offline
Document-level permissions
Share documents securely with Extranet Sites
25 GB mailbox with voicemail & unified messaging
Integrated personal archiving
Retention policies and legal hold
Free/busy coexistence
IM & Presence across firewalls
GAL/Skill search in SharePoint
Online meeting with desktop sharing
Windows Live federation
Slide 4
Trusting The Cloud
It’s all over the news – “Can I trust the cloud?”
Key Concerns: Privacy, Loss of Control, Regulatory, Physical/Logical Security
CLOUDY WITH A CHANCE OF RAIN
“What is holding IT managers back (from going to the cloud) is fear about security.”
— The Economist, March 5, 2010
Slide 5
The Trust Questions…
Privacy: What does privacy at Microsoft mean? Are you using my data to build advertising products?
Transparency: Where is my data? Who has access to my data?
Compliance: What certifications and capabilities does Microsoft hold? How does Microsoft support customer compliance needs? Do I have the right to audit Microsoft?
Security: Is cloud computing secure? Are Microsoft Online Services secure?
Slide 6
Office 365 Trust Center
Clear messaging in plain English
Details for security experts
Links to videos, whitepapers
http://trust.office365.com
Slide 7
The Trust Principles
Cohesive Process Combining 4 Pillars
Your Privacy Matters: We respect your privacy
Leadership in Transparency: You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it
Relentless on Security: Excellence in cutting edge security practices
Independently Verified: Compliance with World Class Industry standards verified by 3rd parties
Slide 8
Your Privacy Matters
Privacy
Slide 9
What Do We Mean by “Privacy”?
SECURITY: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
PRIVACY: PII Controls, Notice and Consent, Breach Response, Data Minimization, Transnational Data Flows
Slide 10
Privacy at Office 365
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
No Mingling: Choices to keep Office 365 Customer Data separate from consumer services.
Data Portability: Office 365 Customer Data belongs to the customer. Customers can export their data at any time.
No Advertising: No advertising products out of Customer Data. No scanning of email or documents to build analytics or mine data.
Slide 11
How Is Privacy of Data Protected?
We use customer data for just what they pay us for - to maintain and provide Office 365 Service

Microsoft Online Services Customer Data (use by purpose)
Purpose | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

Microsoft Online Services Customer Data (access by group)
Group | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data*) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.
Slide 12
You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it.
Transparency
Slide 13
Transparency
Where is Data Stored? ‘Ship To’ address determines Data Center Location. Clear Data Maps and Geographic boundary information provided.
How to get notified? Microsoft notifies you of changes in data center locations.
Who accesses and What is accessed? Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
Slide 14
Excellence in cutting edge security practices
Security
Slide 15
Microsoft Security Development Lifecycle
Reduce vulnerabilities, limit exploit severity
Education: Administer and track security training
Process: Guide product teams to meet SDL requirements; Ongoing Process Improvements
Accountability: Establish release criteria and sign-off as part of FSR; Incident Response (MSRC)
Training: Core Security Training
Requirements: Establish Security Requirements; Create Quality Gates / Bug Bars; Security & Privacy Risk Assessment
Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
Release: Incident Response Plan; Final Security Review; Release Archive
Response: Execute Incident Response Plan
Slide 16
Office Security Progress
[Chart: Unique Security Issues Reported, by Office version; only the value 9% is recoverable from the chart]
Office XP: Macro security levels
Office 2003: CryptoAPI support; Trusted publishers; ActiveX control security
Office 2007: Default setting changes; Reduced security prompts; XML file format support; Trust Center & Message Bar; Trusted locations; Active content security; Block file format settings; Document Inspector
Office 2010: Protected View; Office File Validation; Trusted Documents; Crypto Improvements
Slide 17
Core security improvements: file fuzzing
A method to identify previously unknown vulnerabilities in file formats
Office teams fuzzed millions of files 10’s of millions of times
Led to hundreds of new bugs being fixed
Used to create XML Schema Definitions (XSD) for binary Office files
XSDs allow binary files to be quickly scanned for potential problems
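The two ideas on this slide, mutation-based file fuzzing and a schema-style pre-scan that rejects malformed files before the full parser touches them, shown as an added worked example that is not part of the presentation and not Microsoft's tooling. The container format ("TOYF", a tag/length/payload record list), the seed file and the mutation strategies are all constructed for this example and are not an Office format; the pre-scan plays the role the XSD check plays for binary Office files, and the fuzzer is used to confirm that nothing the scan accepts can still make the parser fail.

```python
import random
import struct

# Toy container format, constructed for this example (NOT an Office format):
#   magic "TOYF" | record count (u16 LE) | records...
#   record = tag (u8) | payload length (u16 LE) | payload
MAGIC = b"TOYF"
TAG_TEXT = 1   # payload must be valid UTF-8
TAG_U32 = 2    # payload must be exactly 4 bytes


def build_file(records):
    """Serialize [(tag, payload_bytes), ...] into the toy format."""
    body = b"".join(struct.pack("<BH", tag, len(p)) + p for tag, p in records)
    return MAGIC + struct.pack("<H", len(records)) + body


def parse_records(data):
    """Full parser. It trusts declared lengths and tags, so malformed input makes it
    raise struct.error, UnicodeDecodeError or ValueError; those exceptions stand in
    for the crashes a native-code parser would suffer on the same input."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    (count,) = struct.unpack_from("<H", data, 4)
    off, out = 6, []
    for _ in range(count):
        tag, length = struct.unpack_from("<BH", data, off)
        off += 3
        payload = data[off:off + length]
        if tag == TAG_TEXT:
            out.append(("text", payload.decode("utf-8")))
        elif tag == TAG_U32:
            out.append(("u32", struct.unpack("<I", payload)[0]))
        else:
            raise ValueError(f"unknown tag {tag}")
        off += length
    return out


def scan_file(data):
    """Schema-style pre-scan: check every structural rule of the format and return
    a list of problems (empty means well-formed). Nothing here trusts a length
    field before checking it against the real file size."""
    problems = []
    if len(data) < 6:
        return ["header shorter than 6 bytes"]
    if data[:4] != MAGIC:
        problems.append("bad magic")
    (count,) = struct.unpack_from("<H", data, 4)
    off = 6
    for i in range(count):
        if off + 3 > len(data):
            problems.append(f"record {i}: header truncated at offset {off}")
            return problems
        tag, length = struct.unpack_from("<BH", data, off)
        off += 3
        if off + length > len(data):
            problems.append(f"record {i}: declared length {length} runs past end of file")
            return problems
        payload = data[off:off + length]
        if tag == TAG_TEXT:
            try:
                payload.decode("utf-8")
            except UnicodeDecodeError:
                problems.append(f"record {i}: text payload is not valid UTF-8")
        elif tag == TAG_U32:
            if length != 4:
                problems.append(f"record {i}: u32 payload has length {length}, expected 4")
        else:
            problems.append(f"record {i}: unknown tag {tag}")
        off += length
    if off != len(data):
        problems.append(f"{len(data) - off} trailing bytes after last record")
    return problems


def mutate(data, rng):
    """One random mutation: bit flip, boundary byte, truncation, or inflating the
    first record's length field (the classic length-confusion case)."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    elif len(buf) >= 9:
        struct.pack_into("<H", buf, 7, 0xFFFF)  # length field of record 0 is at offset 7
    return bytes(buf)


def fuzz(seed_file, iterations=2000, seed=1):
    """Count how mutants fare: 'parser_raised' = the bare parser failed,
    'rejected_by_scan' = the pre-scan stopped the file, 'parsed_ok' = accepted and
    parsed, 'crashed_after_scan' = a gap in the scan (should stay 0)."""
    rng = random.Random(seed)
    counts = dict.fromkeys(["parser_raised", "rejected_by_scan", "parsed_ok", "crashed_after_scan"], 0)
    crashes = []
    for _ in range(iterations):
        mutant = mutate(seed_file, rng)
        try:
            parse_records(mutant)
            raised = False
        except Exception as exc:          # stands in for a native-code crash
            raised, err = True, repr(exc)
        counts["parser_raised"] += raised
        if scan_file(mutant):
            counts["rejected_by_scan"] += 1
        elif raised:
            counts["crashed_after_scan"] += 1
            crashes.append((mutant, err))
        else:
            counts["parsed_ok"] += 1
    return counts, crashes


# Constructed seed corpus: one well-formed file with both record types.
SEED_FILE = build_file([(TAG_TEXT, b"hello"), (TAG_U32, struct.pack("<I", 42)),
                        (TAG_TEXT, "caf\u00e9".encode("utf-8"))])

if __name__ == "__main__":
    counts, crashes = fuzz(SEED_FILE)
    print(counts)
    for mutant, err in crashes[:5]:
        print("scan gap:", mutant.hex(), err)
```

Running the module fuzzes the seed file and prints the four counters; a non-zero `crashed_after_scan` would list the mutants that slipped past the scan, which is exactly the kind of finding that feeds a schema (XSD) fix. The point of keeping the scan separate from the parser is that the scan can be made strict and simple, and the fuzz run gives a measurable answer to whether the parser is ever reached with input the scan did not vet.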
Slide 18
Industry-recognized security improvements
https://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html
Slide 19
User protection starts with authentication
Active Directory at the core: Control user password policies across devices and services; Use Group Policies to configure operating environment; Extensible management with FIM, ADFS
Cloud integration options: Cloud managed user accounts managed via web portal; On premises directory synchronized to web portal; Single sign on capability using AD federation services
Diagram labels: Active Directory, Directory Sync, Cloud ID, 1-way trust
Slide 20
Securing users with Group Policy
Administrators can use Group Policy to mandate user settings for Office
Administrators can use settings to create highly restricted or lightly managed desktop configurations
Group Policy settings have precedence over OCT settings
Administrators can use settings to disable file formats that are not secure across the network
Over 4000 group policy control objects
Slide 21
Service Security – Defense in Depth
A risk-based, multi-dimensional approach to safeguarding services and data
Layer | Controls
SECURITY MANAGEMENT | Threat and vulnerability management, monitoring, and response
NETWORK PERIMETER | Edge routers, intrusion detection, vulnerability scanning
INTERNAL NETWORK | Dual-factor authentication, intrusion detection, vulnerability scanning
HOST | Access control and monitoring, anti-malware, patch and configuration management
APPLICATION | Secure engineering (SDL), access control and monitoring, anti-malware
DATA | Access control and monitoring, file/data integrity
USER | Account management, training and awareness, screening
FACILITY | Physical controls, video surveillance, access control
Slide 22
Physical Security – Sample facility
24x7 guarded facility
700,000 square feet
10s of 1000s of servers
Days of backup power
Slide 23
Business Productivity
Communicate and collaborate more securely using Exchange, SharePoint, Lync, and Office
Visibility and Control: Integrated administration, reporting, and auditing; Granular control over user access and permissions; Mobile security policies and remote device wipe
Comprehensive Protection: Multi-layered protection against spam and malware; Effectiveness guaranteed by 5 financially-backed SLAs; In-product controls that help protect users from threats
Information Security: Policy rules that inspect emails in transit; Integration with AD RMS to safeguard sensitive data; End-to-end encryption of communications
Slide 24
Common Security Concern
Customer data at rest is not encrypted
For “sensitive” data, implementation of Active Directory Rights Management Services (RMS)
For “sensitive” externally sent/received e-mail, customers employ S/MIME
Encryption impacts service functionality (e.g. search and indexing)
Identity/key management issues
The customer makes the decision
Slide 25
Compliance with World Class Industry standards verified by 3rd parties
Independently Verified
Slide 26
Why Get Independently Verified?
“I need to know Microsoft is doing the right things”
Alignment and adoption of industry standards ensure a comprehensive set of practices and controls are in place to protect sensitive data
While not permitting audits, we provide independent third-party verifications of Microsoft security, privacy, and continuity controls
This saves customers time and money, and allows Office 365 to provide assurances to customers at scale
Microsoft provides transparency
Slide 27
Compliance Management Framework
Policy: Business rules for protecting information and systems which store and process information
Control Framework: A process or system to assure the implementation of policy
Standards: System or procedural specific requirements that must be met
Operating Procedures: Step-by-step procedures
Slide 28
Office 365 Compliance
We are the first and only major cloud-based productivity service to offer the following:
Data Processing Agreement: Addresses privacy, security and handling of Customer Data. Going above and beyond the EU Model Clauses to address additional requirements from individual EU member states. Enables customers to comply with their local regulations.
EU Model Clauses: A set of stringent European Union wide data protection requirements. Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.
ISO27001: One of the best security benchmarks available across the world. Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management.
Slide 29
Office 365 Compliance
Comply with additional industry leading standards
EU Safe Harbor: The EU generally prohibits personal data from crossing borders into other countries except under circumstances in which the transfer has been legitimated by a recognized mechanism, such as the "Safe Harbor" certification. Microsoft was first certified under the Safe Harbor program in 2001, and we recertify compliance with the Safe Harbor Principles every twelve months.
US Health Insurance Portability and Accountability Act: HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information. Microsoft is offering to sign the Business Associate Agreement (BAA) for any Microsoft Enterprise Agreement customer. The BAA helps enable our customers to comply with HIPAA concerning protected health information.
Slide 30
Compliance Update
Compliance with Key Standards
Certification | Audience | BPOS Standard | Office 365
ISO 27001 | All customers | Yes | Available Now
EU Safe Harbor | EU customers | Yes | Available Now
SSAE 16 (Statement on Standards for Attestation Engagements) Type I compliance | Primarily US customers | Yes | Available Now
FISMA | US Government | No | Available Now
HIPAA/BAA | EA Customers | No | Available Now
EU Model Clauses | EU Customers | No | Available Now
Data Processing Agreement | EA Customers | No | Available Now
Slide 31
Compliance Update
HIPAA Business Associate Agreement (BAA)
What is it? HIPAA is a U.S. law that requires HIPAA covered entities to meet certain privacy and security standards with respect to individually identifiable health information. To comply with HIPAA, in certain cases Microsoft is required to sign a BAA with HIPAA covered entities, which assures adherence to certain privacy and security requirements.
What does it cover? Protects Protected Health Information (PHI), covering patient information only, not end users. Security incident notification within 30 days of unauthorized access. Office 365 is not intended to be used as a PHI repository; customers should make their own decision on how to best comply with HIPAA. More information can be found in the regulatory compliance section of the Trust Center.
Who and how to get it? Available today for all customers.
Slide 32
demo
The Office 365 Trust Center
Bharath Rambadran, Sr. Product Manager
Slide 33
How To Sign Up For EU Model Clauses
Office 365 Trust Center Compliance Section: Link to EU Model Clause sign-up Page
EU Model Clause Sign up Page: Located in MOSP Portal; Requires Admin Access; Customer enters Admin details and Agreement ID
Slide 34
Step 2: Sign in to Online Services Portal
Slide 35
Step 3: Select Contract and Accept
Slide 36
Step 4: Confirmation Page
Slide 37
Related Content
Code | Title | Schedule
OSP221 | Microsoft Office 365 for Enterprises | 6/11/2012 3:00 PM
OSP305 | The Modern Compatibility Process to Accelerate Microsoft Office Deployment | 6/11/2012 4:45 PM
OSP321 | Active Directory Integration with Microsoft Office 365 | 6/12/2012 10:15 AM
OSP224 | Microsoft Office 365 Management and Deployment | 6/12/2012 1:30 PM
OSP223 | Microsoft Office 365 for Education | 6/12/2012 3:15 PM
OSP303 | Supporting Microsoft Office in an Enterprise Environment | 6/12/2012 3:15 PM
OSP202 | Microsoft Excel: A Web Development Tool? | 6/12/2012 5:00 PM
OSP306 | Microsoft Office Deployment for the Elite | 6/13/2012 10:15 AM
OSP325 | To the Cloud, from the Trenches: Best Practices for Migrating to Microsoft Office 365 | 6/13/2012 1:30 PM
OSP302 | Building Integrated Microsoft Office 365, SharePoint Online, and Office Solutions Using BCS and LOB Data | 6/13/2012 3:15 PM
OSP323 | Microsoft Office 365 Security, Privacy, and Trust | 6/13/2012 5:00 PM
OSP324 | Microsoft Office 365 Service Reliability and Disaster Recovery | 6/14/2012 8:30 AM
OSP304 | Optimized Desktop Deployment Jeopardy Live Game Show | 6/14/2012 1:00 PM
OSP222 | Empowering Small Businesses: Microsoft Office 365 P-Suite | 6/14/2012 4:30 PM
Slide 38
Resources
Office 365 Trust Center (http://trust.office365.com)
Office 365 Privacy Whitepaper (New!)
Office 365 Security Whitepaper and Service Description
Office 365 Standard Responses to Request for Information
Office 365 Information Security Management Framework
Slide 39
Related Resources
Office 365 TechCenter: technet.microsoft.com/Office365
Office Client TechCenter: technet.microsoft.com/office
Office, Office 365 and SharePoint Demo Area Includes:
Office 365 IT Pro Command Center
Office 365 Data Center Exhibit
Slide 40
Please Complete an Evaluation
Your feedback is important!
Multiple ways to Evaluate Sessions
Be eligible to win great daily prizes and the grand prize of a $5,000 Travel Voucher!
Scan the Tag to evaluate this session now on myTechEd Mobile
Slide 41
Questions?
Slide 42
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.