Learning about Security and Compliance in Office 365
Aptera Presents:
Security and Compliance in Office 365
Mark Gordon, Enterprise Architect
How storing your data in the cloud can be even more secure than storing it on premises
Agenda
• Business Security and Compliance Needs
• Office 365 Security and Compliance
• Demonstration of Compliance Capabilities
• Next Steps
Common Examples of Compliance Regulations
Transparency/Audit
• 21 CFR Part 11 Audit Trail
• SEC
• SAS 70 Type I and Type II
Privacy/Non-Disclosure
• HIPAA
• ITAR
• FISMA
• FERPA
• EU Model Clauses
• Gramm-Leach-Bliley
Legal
• Hold and E-Discovery
• Three common types of compliance concerns
• Most businesses will have some of all three
• Office 365 can be part of compliant solutions for these regulations
Common Compliance Requirements that can be met in Office 365
See THIS link for a framework to build your compliance plan
Healthcare
• HIPAA
• FISMA
• Legal Discovery
• 21 CFR Part 11 Audit Trail
High Tech/Manufacturing
• ITAR
• ISO 27001
• Legal Discovery
• EU Model Clauses
Finance
• PCI
• Gramm–Leach–Bliley Act
• Legal Discovery
• Internal/External Audit
• Compliance starts with, and above all is, corporate policy
• Compliance is implemented through IT systems
• If your technology is not compliant you are not compliant
• Just because your technology is compliant does not make you compliant
Office 365 Trust Center – http://trust.office365.com
Office 365 Compliance
• HIPAA Business Associate Agreement
• ISO 27001
• EU Model Clauses
• DPA-Data Processing Agreement
• FISMA
• ITAR
• FERPA
• External Audit
Office 365 Security
• Modular Datacenters
  – No access to individual computing components
  – Very small IT staff onsite
• Physical Access Controls
  – Biometric
  – RFID
  – Location known and recorded at all times
• Physical Security
• Redundancy and Disaster Recovery
• Network
Security Threats and Countermeasures
Threats
• Stolen Password
• Data Leakage
• Insecure Transport
• Lost Devices
  – Computer
  – Mobile
  – USB Drive
• Disk Failures
• Internal Theft of Data
• Blind Subpoena
• DoS / Unavailability
Countermeasures
• Two Factor Authentication
• Mail Encryption
• DLP Policy
• Remote Device Wipe
• Hard Drive Encryption
• Portable File Encryption
• Redundant Storage
• Physical and Employee Security
• Encryption in Transit
• Encryption at Rest
• Throttling / 99.98% quarterly uptime
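The DLP Policy countermeasure listed above works by classifying message content before it leaves the organization. The following Python is an added example, not code from the deck or from Office 365: it detects SSN and credit-card patterns using the structural and Luhn checks DLP engines rely on to limit false positives, then applies a constructed, hypothetical policy (block external delivery, encrypt internal). The sample messages and numbers are constructed.

```python
import re

# Constructed sample messages (not from the original deck). The numbers are
# made up but pass the format checks, as a real DLP test corpus would.
SAMPLE_MESSAGES = {
    "ok":   "Vincent, the project plan is attached. Order ref 1234-5678.",
    "ssn":  "Vincent, attached is the customer's SSN 219-09-9999 per your request.",
    "card": "Vincent, card number 4111 1111 1111 1111 expires next month.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 14 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def classify(body: str) -> list[str]:
    """Return the sensitive-information types found, e.g. ['SSN'] or ['CreditCard']."""
    found = []
    if any(ssn_plausible(*m.groups()) for m in SSN_RE.finditer(body)):
        found.append("SSN")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append("CreditCard")
            break
    return found


def dlp_action(body: str, external_recipient: bool) -> str:
    """Hypothetical policy: block sensitive data going outside, encrypt it inside."""
    hits = classify(body)
    if not hits:
        return "allow"
    return "block" if external_recipient else "encrypt"
```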
Protecting from Stolen Passwords: Multi-factor Authentication
Implementation
• Built in to Office 365
• Works with your locally managed AD accounts
• Simple to implement
• Implement for Global Administrators or any other users who have access to high risk information
• User can change 2nd factor method
Requirements
• Access to phone or mobile device
• Options
  – Text
  – Application
  – Phone Call
Multi-factor Authentication Demo
Protecting e-mail and documents in transit: Encryption Options
• E-mail
  – Office 365 Mail Encryption
  – TLS Transport Rules
• Documents/Communications
  – All client traffic encrypted
    • Lync
    • Outlook
    • Office
    • Browser
• Encrypted mail is hosted on a web server in the Microsoft datacenter
• Recipients get an e-mail with a link to the message
• TLS is easier for the recipient and can be secure
DLP, Encrypted E-mail and TLS Demo
Protecting against lost or stolen devices
Device Security Policy
• Device Password
• Remote Device Wipe
• Bad Password Count Lockout
• Bad Password Count Reset
Remote Wipe
• Can be done from any browser by the device owner or an administrator
Remote Device Wipe Demo
Protecting Files on any media or device
Information Rights Management
• Portable Encryption
  – Works on any device or storage medium
• Access to document can be revoked
  – Person leaves company or project
  – Document can expire
• Granular access rights
  – Read
  – Copy
  – Print
  – Forward
Portable File Encryption Demo
E-Discovery – Hold – Retention Policy
E-Discovery
• Discovery Agents
• Email, Documents, Lync
• Search options
• Exporting results
In Place Hold
• By search criteria
• Mailbox legal hold
  – Retention period
Retention Policy
• Defines when items are destroyed or moved
• Can be managed by user and/or set by policy
Discovery, Hold and Retention Demo
Encryption at Rest: BYOE – Bring Your Own Encryption
Provider Encryption at Rest
• Protects against
  – Physical access to disks
• Does not protect against
  – Blind Subpoena
  – Programmatic Access to your Data
  – Administrator Access to your Data
• Native Support for
  – Read/Write
  – Search and Index
  – Remote Access
BYOE
• Protects against
  – Physical access to disks
  – Blind Subpoena
  – Programmatic Access to your Data
  – Administrator Access to your Data
• Must Allow Support for
  – Read/Write
  – Search and Index
  – Remote Access
BYOE Architecture: e-mail
[Diagram: the message "From: Mia, To: Vincent: Vincent, attached is the customer's SSN and Credit-Card information." is shown in plaintext at some stages of the BYOE flow and as unreadable ciphertext at the others]
Action Plan
Identify Owners for
• Document/mail retention
• Legal Hold/Discovery
• Compliance
• Security Policy
• Disaster Recovery
Define your Corporate
• Compliance requirements
• Security Policy
• Retention Policy
• Legal/Discovery-Hold Policy
• Disaster Recovery Plan
Match against current systems
• Compliance capabilities
• Security capabilities
• Retention capabilities
• Legal/Discovery-Hold capabilities
Evaluate Office 365 Capabilities
• Compliance
• Security
• Availability/Recovery
• Retention
• Legal
Next Step: Free Aptera Compliance and Security Strategy Review
Surface Winner!
Questions? Email: [email protected]
Phone: 260-739-1949
References
• Free 30 day Office 365 Trial
• Office 365 Service Updates
• Office 365 Service Descriptions
• Office 365 Privacy, Security and Compliance
• Office 365 security white paper