This document discusses security and compliance capabilities in Office 365. It begins with an overview of common compliance regulations businesses face regarding transparency, privacy, and legal issues. It then outlines how Office 365 can meet requirements of regulations in healthcare, high-tech, and finance. Specific Office 365 security features are presented such as multi-factor authentication and encryption of email and files. The presentation concludes with a recommended action plan for organizations to evaluate their compliance needs and Office 365's capabilities to address them.
1. Aptera Presents: Security and Compliance in Office 365
Mark Gordon, Enterprise Architect
How storing your data in the cloud can be even more secure than storing it on premises
2. Agenda
• Business Security and Compliance needs
• Office 365 Security and Compliance
• Demonstration of Compliance Capabilities
• Next Steps
3. Common Examples of Compliance Regulations
Transparency/Audit
• 21 CFR Part 11 Audit Trail
• SEC
• SAS 70 Type I and Type II
Privacy/Non Disclosure
• HIPAA
• ITAR
• FISMA
• FERPA
• EU model clauses
• Gramm-Leach-Bliley
Legal
• Hold and E-Discovery
• Three common types of compliance concerns
• Most businesses will have some of all three
• Office 365 can be part of compliant solutions for these regulations
4. Common Compliance Requirements that can be met in Office 365
See THIS link for a framework to build your compliance plan
Healthcare
• HIPAA
• FISMA
• Legal Discovery
• 21 CFR Part 11 Audit Trail
High Tech/Manufacturing
• ITAR
• ISO 27001
• Legal Discovery
• EU Model Clauses
Finance
• PCI
• Gramm–Leach–Bliley Act
• Legal Discovery
• Internal/External Audit
• Compliance starts with, and is most importantly, corporate policy
• Compliance is implemented through IT systems
• If your technology is not compliant, you are not compliant
• Just because your technology is compliant does not make you compliant
5. Office 365 Trust Center – http://trustoffice365.com
Office 365 Compliance
• HIPAA Business Associate Agreement
• ISO 27001
• EU Model Clauses
• DPA-Data Processing Agreement
• FISMA
• ITAR
• FERPA
• External Audit
6. Office 365 Security
• Modular Datacenters
– No access to individual computing components
– Very small IT staff onsite
• Physical Access Controls
– Biometric
– RFID – Location known and recorded at all times
• Physical Security
• Redundancy and Disaster Recovery
• Network
7. Security Threats and Countermeasures
Threats
• Stolen Password
• Data Leakage
• Unsecure Transport
• Lost Devices
– Computer
– Mobile
– USB Drive
• Disk Failures
• Internal theft of Data
• Blind Subpoena
• DOS / Unavailability
Countermeasures
• Two Factor Authentication
• Mail Encryption
• DLP Policy
• Remote Device Wipe
• Hard Drive Encryption
• Portable File Encryption
• Redundant Storage
• Physical and Employee Security
• Encryption in Transit
• Encryption at Rest
• Throttling / 99.98 quarterly uptime
8. Protecting from Stolen Passwords: Multi-factor Authentication
Implementation
• Built in to Office 365
• Works with your locally managed AD accounts
• Simple to implement
• Implement for Global Administrators or any other users who have access to high risk information
• User can change 2nd factor method
Requirements
• Access to phone or mobile device
• Options
– Text
– Application
– Phone Call
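As an added example (not part of the Aptera deck), the following script enables per-user multi-factor authentication for every member of the Global Administrator role, which is the group the slide recommends starting with. It uses the MSOnline module that was current for Office 365 at the time of this deck; it assumes the module is installed and that the account running it is itself an administrator. Newer tenants do the same thing through Conditional Access or the Microsoft Graph module, but the logic is the same: build the requirement object, find the high-risk accounts, apply it to each.

```powershell
# Added example: require a second factor for all Global Administrators (MSOnline module).
# Assumes Import-Module MSOnline succeeds and the signed-in account can manage users.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

# Set-MsolUser expects an array of StrongAuthenticationRequirement objects.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"        # applies to every relying party (all Office 365 sign-ins)
$req.State        = "Enabled"  # user is asked to register a 2nd factor (text, app or call) at next sign-in

# "Company Administrator" is the directory role name behind "Global Administrator".
$role   = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
          Where-Object { $_.RoleMemberType -eq "User" }

foreach ($admin in $admins) {
    Set-MsolUser -UserPrincipalName $admin.EmailAddress -StrongAuthenticationRequirements @($req)
    Write-Host "MFA enabled for $($admin.EmailAddress)"
}

# Verification: any user whose MfaState is empty has no MFA requirement yet.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = "MfaState"; Expression = { $_.StrongAuthenticationRequirements.State } } |
    Sort-Object MfaState
```

The verification query at the end is the part worth keeping as a recurring check: run it after any role change so that a newly promoted administrator does not sit outside the policy.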
10. Protecting e-mail and documents in transit: Encryption Options
• E-mail
– Office 365 Mail Encryption
– TLS Transport Rules
• Documents/Communications
– All client traffic encrypted
• Lync
• Outlook
• Office
• Browser
• Encrypted mail is hosted on a web server from the Microsoft Datacenter
• Recipients get e-mail with a link to the message
• TLS is easier for the recipient and can be secure
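The two e-mail options on this slide are both Exchange Online transport rules. The following is an added example, not code from the deck, showing one rule of each kind. It assumes an Exchange Online PowerShell session is already open (New-PSSession/Import-PSSession in the deck's era, Connect-ExchangeOnline today); "partner.example" is a placeholder domain.

```powershell
# Added example: transport rules for the two mail options (TLS and Office 365 Message Encryption).
# Assumes an open Exchange Online PowerShell session; domain names are placeholders.

# 1. Force TLS to a specific partner domain. If the receiving server cannot negotiate TLS,
#    the message is deferred rather than silently sent in clear text. This is the
#    "easier for the recipient" option: nothing changes on their side if TLS already works.
New-TransportRule -Name "Require TLS to partner.example" `
    -SentToScope NotInOrganization `
    -RecipientDomainIs "partner.example" `
    -RouteMessageOutboundRequireTls $true

# 2. Office 365 Message Encryption. Outbound mail matching the words is encrypted and hosted
#    in the Microsoft datacenter; the recipient receives a link to the message instead of
#    the content. Here the trigger is a keyword; a DLP classification could be used instead.
New-TransportRule -Name "Encrypt mail mentioning SSN" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "SSN", "Social Security Number" `
    -ApplyOME $true

# Review the resulting rules and their evaluation order (lower Priority runs first).
Get-TransportRule | Format-Table Name, Priority, State
```

Rule 1 covers the "can be secure" caveat on the slide: TLS only protects the hop if it is actually required, so the rule makes the absence of TLS a delivery failure instead of a downgrade.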
12. Protecting against lost or stolen devices
Device Security Policy
• Device Password
• Remote Device Wipe
• Bad Password Count Lockout
• Bad Password Count Reset
Remote Wipe
• Can be done from any browser by the device owner or an administrator
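As an added example (not from the deck), here is how the device policy on this slide is expressed as an Exchange Online mobile device mailbox policy, followed by the administrator side of a remote wipe. It assumes an open Exchange Online PowerShell session; the mailbox, device name and notification address are placeholders.

```powershell
# Added example: device security policy plus remote wipe in Exchange Online (ActiveSync).
# Assumes an open Exchange Online PowerShell session; names below are placeholders.

# Policy settings, written as a hashtable so each line can carry a comment.
$policy = @{
    Name                      = "Corporate-Secure"
    PasswordEnabled           = $true        # Device Password
    AllowSimplePassword       = $false       # no 1234 / 0000
    MinPasswordLength         = 6
    MaxPasswordFailedAttempts = 8            # Bad Password Count: consecutive wrong passwords the device tolerates
    MaxInactivityTimeLock     = "00:05:00"   # lock the screen after 5 minutes idle
    RequireDeviceEncryption   = $true        # storage encryption on the device
}
New-MobileDeviceMailboxPolicy @policy

# Assign the policy to a user; the settings are pushed at the device's next sync.
Set-CASMailbox -Identity "alice@contoso.example" -ActiveSyncMailboxPolicy "Corporate-Secure"

# Remote wipe: list the user's devices, pick the lost one, issue the wipe.
# The wipe runs when the device next contacts the service.
Get-MobileDevice -Mailbox "alice@contoso.example" | Format-Table DeviceId, DeviceType, FriendlyName

$lost = Get-MobileDevice -Mailbox "alice@contoso.example" |
        Where-Object { $_.FriendlyName -eq "Alice's iPhone" }
Clear-MobileDevice -Identity $lost.Identity -NotificationEmailAddresses "secops@contoso.example"

# Confirm: DeviceWipeRequestTime is set immediately, DeviceWipeAckTime once the device complies.
Get-MobileDeviceStatistics -Mailbox "alice@contoso.example" |
    Format-Table DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeAckTime
```

The acknowledgement timestamp is the part to watch: a wipe request with no acknowledgement means the device has not checked in, so the data on it should still be treated as exposed.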
14. Protecting Files on any media or device
Information Rights Management
• Portable Encryption
– Works on any device or storage medium
• Access to document can be revoked
– Person leaves company or project
– Document can expire
• Granular access rights
– Read
– Copy
– Print
– Forward
16. E-Discovery – Hold – Retention Policy
E-Discovery
• Discovery Agents
• Email, Documents, Lync
• Search options
• Exporting results
In Place Hold
• By search criteria
• Mailbox legal hold
– Retention period
Retention Policy
• Defines when items are destroyed or moved
• Can be managed by user and/or set by policy
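The three mechanisms on this slide (search-based hold, mailbox legal hold with a retention period, and retention policy) each map to Exchange Online cmdlets. The following added example, not code from the deck, configures one of each. It assumes an open Exchange Online PowerShell session; mailbox names, search terms and durations are placeholders chosen for illustration.

```powershell
# Added example: In-Place Hold, mailbox legal hold, and retention policy in Exchange Online.
# Assumes an open Exchange Online PowerShell session; mailboxes and values are placeholders.

# Mailbox legal hold with a retention period (days). Items are preserved even if the
# user deletes them, for 2555 days (about 7 years) from when they were received.
Set-Mailbox -Identity "bob@contoso.example" -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# In-Place Hold by search criteria: only items matching the query are held, for 365 days.
# (New-MailboxSearch is the cmdlet of the deck's era; newer tenants use compliance-center holds.)
New-MailboxSearch -Name "Project-Falcon-Hold" `
    -SourceMailboxes "bob@contoso.example", "carol@contoso.example" `
    -SearchQuery 'Project Falcon' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 365

# Retention policy: a default tag set by policy (move to archive after 2 years) and a
# personal tag users may apply themselves (delete after 30 days), grouped into one policy.
New-RetentionPolicyTag -Name "Archive after 2 years" -Type All      -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Delete after 30 days"  -Type Personal -AgeLimitForRetention 30  -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "Corporate Retention" -RetentionPolicyTagLinks "Archive after 2 years", "Delete after 30 days"
Set-Mailbox -Identity "bob@contoso.example" -RetentionPolicy "Corporate Retention"

# Verification: hold flags, the In-Place Hold identifiers, and the retention policy on the mailbox.
Get-Mailbox -Identity "bob@contoso.example" |
    Format-List LitigationHoldEnabled, LitigationHoldDuration, InPlaceHolds, RetentionPolicy
```

Holds take precedence over retention: an item that the "Delete after 30 days" tag would remove stays recoverable for discovery while either hold applies, which is the interaction the slide's three headings are meant to be read together.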
18. Encryption at Rest
BYOE – Bring Your Own Encryption
Provider Encryption at Rest
• Protects against
– Physical access to disks
• Does not protect against
– Blind Subpoena
– Programmatic Access to your Data
– Administrator Access to your Data
• Native Support for
– Read/Write
– Search and Index
– Remote Access
BYOE
• Protects against
– Physical access to disks
– Blind Subpoena
– Programmatic Access to your Data
– Administrator Access to your Data
• Must Allow Support for
– Read/Write
– Search and Index
– Remote Access
19. BYOE Architecture e-mail
[Diagram: the message "From: Mia To: Vincent – Vincent, attached is the customer's SSN and Credit-Card information." shown at five stages of its path; two copies are in clear text (as the sender and recipient see it) and three are ciphertext (as the message exists in transit and at rest in the provider's datacenter under BYOE)]
20. Action Plan
Identify Owners for
• Document/mail retention
• Legal Hold/Discovery
• Compliance
• Security Policy
• Disaster Recovery
Define your Corporate
• Compliance requirements
• Security Policy
• Retention Policy
• Legal/Discovery-Hold Policy
• Disaster Recovery Plan
Match against current systems
• Compliance capabilities
• Security capabilities
• Retention capabilities
• Legal/Discovery-Hold capabilities
Evaluate Office 365 Capabilities
• Compliance
• Security
• Availability/Recovery
• Retention
• Legal
21. Next Step:
Free Aptera
Compliance and
Security Strategy
Review
Surface Winner!
Questions?
Email:
secure@apterainc.com
Phone:
260-739-1949
22. References
• Free 30 day Office 365 Trial
• Office 365 Service Updates
• Office 365 Service Descriptions
• Office 365 Privacy, Security and Compliance
• Office 365 security white paper