Office 365 Security Features For SharePoint Admins
Dean Gross

Agenda
- Protect Information (data/files)
- Identity and Access Management (user accounts)
- Stop Threats
- Ensure Compliance (regulatory support)
MICROSOFT INFORMATION PROTECTION: a comprehensive set of capabilities (Discover | Classify | Protect | Monitor)
- AZURE INFORMATION PROTECTION: classify, label and protect files beyond Office 365, including on-premises and hybrid
- MICROSOFT CLOUD APP SECURITY: visibility into 15k+ cloud apps, data access and usage, potential abuse
- OFFICE 365 DATA LOSS PREVENTION: prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
- OFFICE 365 MESSAGE ENCRYPTION: send encrypted emails in Office 365 to anyone inside or outside of the company
- WINDOWS INFORMATION PROTECTION: separate personal vs. work data on Windows 10 devices, prevent work data from traveling to non-work locations
- OFFICE 365 ADVANCED DATA GOVERNANCE: apply retention and deletion policies to sensitive and important data in Office 365
- CONDITIONAL ACCESS: control access to files based on policy, such as identity, machine configuration, geo location
- OFFICE APPS: protect sensitive information while working in Excel, Word, PowerPoint, Outlook
- SHAREPOINT & GROUPS: protect files in libraries and lists
- AZURE SECURITY CENTER INFORMATION PROTECTION: classify and label sensitive structured data in Azure SQL, SQL Server and other Azure repositories
- SDK FOR PARTNER ECOSYSTEM & ISVs: enable ISVs to consume labels and apply protection
- ADOBE PDFs: natively view and protect PDFs in Adobe Acrobat Reader
Protect Information Inside and Outside of SharePoint

Recommendations
- Simulate the access model of an on-premises deployment:
  - Use Azure AD device-based conditional access to block or limit access on unmanaged devices like airport or hotel kiosks
  - Create policies to sign users out of Office 365 web sessions after a period of inactivity
  - Evaluate the need for IP-based sessions
- Empower workers to share broadly but safely:
  - Require sign-in, or use links that expire or grant limited privileges
- Prevent accidental exposure of sensitive content:
  - Create DLP policies to identify documents and prevent them from being shared
SharePoint Device Access Policies
Block or limit access to SharePoint and OneDrive content from unmanaged devices (those not hybrid AD joined or compliant in Intune). Scope to:
- All users in the organization, or only some users or security groups
- All sites in the organization, or only some site collections
Configure in the SPO Admin Center (with the Azure AD portal) or with PowerShell:
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
The AllowDownloadingNonWebViewableFiles parameter is discontinued (DO NOT USE).
Device access policies for SharePoint Online and OneDrive for Business are recommended for protecting sensitive, classified, and regulated data.
Session Control
Demo
- Block access using the new SharePoint admin center
- Limit access using the new SharePoint admin center
- Limit access using PowerShell
- Block or limit access to a specific SharePoint site collection or OneDrive
https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
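The demo steps above as one PowerShell session, added here as an example and not code from the deck: tenant-wide limited access, a stricter per-site override, the idle-session sign-out from the recommendations, and a read-back of each setting. The admin URL and site URL are placeholders; SharePoint Online Management Shell is assumed.

```powershell
# Added example, not from the deck: apply the unmanaged-device policy tenant-wide,
# tighten it for one sensitive site collection, add the idle-session sign-out the
# recommendations call for, and read every setting back to confirm it took.
# Assumptions: SharePoint Online Management Shell is installed; the admin URL and
# site URL are placeholders for your own tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# Tenant-wide: browser-only access from unmanaged devices (no download, print or sync).
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# The discontinued AllowDownloadingNonWebViewableFiles switch is replaced by
# LimitedAccessFileType; WebPreviewableFiles also renders previewable non-Office files.
Set-SPOTenant -LimitedAccessFileType WebPreviewableFiles

# A site-level policy may be stricter than the tenant default: block this site outright.
$site = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site collection
Set-SPOSite -Identity $site -ConditionalAccessPolicy BlockAccess

# Sign idle browser sessions out after 60 minutes, warning the user at 55.
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# Verify the effective configuration before announcing the policy to users.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType
Get-SPOSite -Identity $site | Select-Object Url, ConditionalAccessPolicy
Get-SPOBrowserIdleSignOut
```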
Control Access – Network Location
Define trusted network boundaries: one or more authorized IP ranges.
Need to consider:
- External sharing: external users will be blocked
- Access from 1st and 3rd party apps: SPO only recognizes Yammer, Teams and Exchange
- Access from dynamic IP ranges: not supported
Use the SPO Admin Center or PowerShell. To AVOID lockout, include your own IP address:
Set-SPOTenant -IPAddressAllowList "131.102.0.0/16"
Normally, a SharePoint document can be accessed from apps like Exchange, Yammer, Skype, Teams, Planner, Flow, PowerBI, PowerApps, OneNote, and so on. When a location-based policy is enabled, apps that do not support location-based policies are blocked. The only apps that currently support location-based policies are Teams, Yammer, and Exchange. This means that all other apps are blocked, even when they are hosted within the trusted network boundary, because SharePoint cannot determine whether a user of these apps is within the trusted boundary.
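The lockout safeguard the slide asks for, as an added example rather than the deck's own code: a small IPv4 CIDR check refuses to apply the allow list unless the admin's own public IP is inside one of the ranges. The admin URL, ranges and admin IP are placeholders.

```powershell
# Added example, not from the deck: apply a trusted-network boundary only after
# confirming the admin's own public IP falls inside one of the allowed CIDR ranges,
# which is the lockout the slide warns about. IPv4 only, for brevity.
# Assumptions: admin URL, ranges and admin IP are placeholders; supply your own.
function ConvertTo-UInt32IPv4 ([string]$IPAddress) {
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [uint32](([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3])
}

function Test-IPv4InCidr ([string]$IPAddress, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    # Build the prefix mask in 64-bit space so a /0 shifts cleanly to zero.
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF)
    ((ConvertTo-UInt32IPv4 $IPAddress) -band $mask) -eq ((ConvertTo-UInt32IPv4 $net) -band $mask)
}

function Set-TrustedNetworkBoundary ([string[]]$AllowedRanges, [string]$AdminPublicIP) {
    $covered = $AllowedRanges | Where-Object { Test-IPv4InCidr -IPAddress $AdminPublicIP -Cidr $_ }
    if (-not $covered) {
        throw "Refusing to apply: admin IP $AdminPublicIP is outside every allowed range; add its range first."
    }
    # Set-SPOTenant takes the ranges as one comma-separated string; enforcement is a separate switch.
    Set-SPOTenant -IPAddressAllowList ($AllowedRanges -join ',') -IPAddressEnforcementEnabled $true
    Get-SPOTenant | Select-Object IPAddressAllowList, IPAddressEnforcementEnabled
}

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL
# Constructed values: the slide's example range plus a second office range.
Set-TrustedNetworkBoundary -AllowedRanges @("131.102.0.0/16", "203.0.113.0/24") -AdminPublicIP "131.102.45.7"
```

Remember that external users and any app other than Teams, Yammer and Exchange are blocked once enforcement is on, so test with a pilot group first.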
Azure AD B2B – Managing Guests
- Provides more control of the invitation process
- With Azure AD B2B, users are added immediately on invitation, so they show up everywhere; OneDrive/SharePoint Online adds users to the directory only after they have redeemed their invitations
- Ability to customize invitations
- Can provide access to other apps
- Can enforce privacy terms & conditions and Terms of Use
- In the SPO Admin Center, use "Allow sharing only with the external users that already exist in your organization's directory"
With SharePoint-driven invitations, you don't see the user in the Azure AD portal before redemption. If another site invites the user in the meantime, a new invitation is generated.

Azure Information Protection (AIP)
- Labels can be applied in many clients: Office desktop add-in, Windows Explorer, Adobe Acrobat
- Not yet available in Office web apps
- The scanner finds sensitive information in SharePoint Server
Demo: SPO with sensitivity labels
8/22/2019 12:08 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Classifying SharePoint sites and Groups (Preview EOY)

Demo: SPO with retention labels
Available now
AIP scanner demo
Configure the AIP scanner: Discovery mode! Constantly monitoring!
Monitor the scanner nodes at scale
Discover the data & sensitivity
Drill down to a file-level view
Information Protection Recommendations
- Create a multi-disciplinary team
- Map sharing, retention and classification policies to M365 technologies
- DLP/AIP: Unified Labels
- Create custom Sensitive Information Types
- Cloud App Security: SharePoint and thousands of other apps; policies and alerts

Identity & Access Management: User Accounts are Valuable

Azure Active Directory Conditional Access is your identity security policy hub.
Privileged Identity Management Demo
Identity and Access Management Recommendations
- Enable Azure Active Directory Identity Protection
- For federated identity environments, enforce account security (password length, age, complexity, etc.)
- Enable and enforce MFA for all users
- Implement a set of conditional access and related policies

Stop Threats: They come from everywhere
Alert Policies (you need the Security Reader role to view alerts)
- Malware campaign detected in SharePoint and OneDrive: generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization. High severity.
- Unusual external user file activity: generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization, including accessing, downloading, and deleting files. High severity.
- Unusual volume of external file sharing: generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. Medium severity.
- Unusual volume of file deletion: generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. Medium severity.
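The "Unusual volume of file deletion" signal recomputed from audit-log records, added here as an example (not the deck's or Microsoft's own detection logic) for hunting past the built-in alert or tuning a SIEM rule. Sample records are constructed inline in the AuditData shape Search-UnifiedAuditLog returns; threshold and window values are illustrative.

```powershell
# Added example, not from the deck: the same signal as the "Unusual volume of file
# deletion" alert policy, computed from audit-log records so you can hunt past the
# built-in alert or feed a SIEM rule. Threshold and window are illustrative knobs.
# Assumptions: records are constructed here in the AuditData shape returned by
# Search-UnifiedAuditLog (Exchange Online PowerShell); the live call is commented out.
function Find-FileDeletionSpikes {
    param([object[]]$Records, [int]$Threshold = 100, [int]$WindowMinutes = 60)
    # Each record carries its details as a JSON string in AuditData.
    $events = $Records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Operation -in @('FileDeleted', 'FileRecycled') -and $_.Workload -in @('SharePoint', 'OneDrive') }
    $events | Group-Object UserId | ForEach-Object {
        $times = @($_.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        # Sliding window anchored at each event: the peak count is the burst size.
        $peak = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($WindowMinutes)
            $n = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{ UserId = $_.Name; PeakDeletions = $peak; WindowMinutes = $WindowMinutes }
        }
    }
}

# Constructed sample: three deletions by one user within two minutes, one by another.
$sample = @(1..3 | ForEach-Object {
    [pscustomobject]@{ AuditData = (@{ Operation = 'FileDeleted'; Workload = 'SharePoint'; UserId = 'alice@contoso.com';
        CreationTime = "2019-08-22T12:0$($_):00"; ObjectId = "https://contoso.sharepoint.com/sites/Finance/Doc$($_).docx" } | ConvertTo-Json) }
})
$sample += [pscustomobject]@{ AuditData = (@{ Operation = 'FileDeleted'; Workload = 'OneDrive'; UserId = 'bob@contoso.com';
    CreationTime = '2019-08-22T12:05:00'; ObjectId = 'https://contoso-my.sharepoint.com/personal/bob/q.xlsx' } | ConvertTo-Json) }
Find-FileDeletionSpikes -Records $sample -Threshold 3 -WindowMinutes 60

# Live tenant: pull a day of deletions and run the same check with production thresholds.
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#     -Operations FileDeleted, FileRecycled -ResultSize 5000
# Find-FileDeletionSpikes -Records $live
```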
Office 365 Advanced Threat Protection (1 of many ATPs)
Safe Attachment Policies
Office 365 Advanced Threat Protection extends the protection provided by EOP to protect you against advanced threats such as zero-day attacks involving unknown malware, targeted phishing or whaling campaigns, ransomware, and malicious URLs. Using a combination of machine learning, heuristic clustering, activity events and statistical analysis, suspicious files and attachments are routed through a hypervisor environment where they are detonated and analyzed for malicious behavior. With Safe Attachments, you can protect users from opening or downloading malicious content in SharePoint Online, OneDrive for Business, and Teams by simply toggling a checkbox.
Cloud App Security Policies
Ransomware Protection: OneDrive for Business Files Restoration (coming to SharePoint)

SPO Conditional Access: evaluate users by location, machine (phone, tablet or computer) and identity

Threat Protection Recommendations
- Connect Office 365 to Microsoft Cloud App Security and start monitoring using the default threat detection policies for anomalous behaviors
- Implement protection for admin accounts:
  • Use dedicated admin accounts for admin activity
  • Enforce multi-factor authentication (MFA) for admin accounts
  • Use a highly secure Windows 10 device for admin activity
- Implement enhanced protections for admin accounts:
  • Configure Privileged Access Workstations (PAWs) for admin activity
  • Configure Azure AD Privileged Identity Management
  • Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS
It takes seven days to build a baseline for anomaly detection. The Office 365 Audit Log stores data for only 90 days; capturing this data in a SIEM tool allows you to store it for a longer period.

Ensure Compliance: Regulations are Complicated
Compliance Features
- Customer Lockbox (E5 or Advanced Compliance): no more than 4 hours of access; covers SharePoint, OneDrive, Exchange
- Audit Log Reports
- Finding Personal Data (GDPR requirement)
- Retention Labels and Policies:
  - Manual or automatic
  - Default label for a document library, folder or document set
  - Consistent across application workloads
  - Use the same Sensitive Information Types as DLP
  - Deleted files in OneDrive are moved to hidden libraries
  - Replace Records Center, Information Policies and in-place records management
Office 365 audit log report: you can search the Office 365 audit log for user and admin activity in your Office 365 organization. The report contains entries for user and admin activity in Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory, which is the directory service for Office 365. For more information, see Search the audit log in the Office 365 Security & Compliance Center.
Finding personal data subject to GDPR relies on using sensitive information types in Office 365. Coming soon: you'll be able to create and modify sensitive information types in a new user interface in the Security and Compliance Center, dynamically see matching results, and tune sensitive information types to meet your needs.
Test data: https://docs.microsoft.com/en-us/office365/securitycompliance/gdpr-discovery-protection-reporting-in-office365-dev-test-environment
You can use retention labels to implement a single, consistent records-management strategy across Office 365, whereas other records-management features such as the Records Center apply only to SharePoint content. You can also enforce retention actions on records, so that they're disposed of automatically at the end of their lifecycle.

Compliance Manager
- Assessments: ISO, NIST & GDPR
- Progress indicators
- Compliance score: preventive, detective, or corrective measures
- Customer Managed Controls: recommended actions
- Reporting

eDiscovery Cases
- Place holds on ODfB and SPO sites (and mailboxes)
- Can take up to 24 hours
- Infinite or date range for the time period
- Can use keywords or document properties, such as file names
You can use an eDiscovery case to create holds to preserve content that might be relevant to the case. You can place a hold on the mailboxes and OneDrive for Business sites of people who are custodians in the case. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for an Office 365 Group. Similarly, you can place a hold on the mailbox and site associated with Microsoft Teams. When you place content locations on hold, content is held until you remove the hold from the content location or until you delete the hold.
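The hold described above scripted end to end, added here as an example and not code from the deck: a case, a hold policy over one SharePoint site and one OneDrive site, a rule scoped by keyword and date range, and a distribution-status check for the 24-hour propagation. Case name, site URLs, keyword and dates are placeholders.

```powershell
# Added example, not from the deck: create an eDiscovery case, hold one SharePoint site and
# one OneDrive site, scope the hold by keyword and date range, and check distribution
# status (the slide notes a hold can take up to 24 hours to take effect).
# Assumptions: Security & Compliance PowerShell (ExchangeOnlineManagement module);
# case name, site URLs, keyword and dates are placeholders.
Connect-IPPSSession
$case = "Contract-Dispute-2019"   # placeholder case name
New-ComplianceCase -Name $case

# One policy can cover several sites: a team site and a custodian's OneDrive here.
$sites = @(
    "https://contoso.sharepoint.com/sites/Finance",                       # placeholder
    "https://contoso-my.sharepoint.com/personal/alice_contoso_com"        # placeholder
)
New-CaseHoldPolicy -Name "$case hold" -Case $case -Enabled $true -SharePointLocation $sites

# Query-based hold: a keyword plus a created-date range; document properties such as
# file names can be added to the same query. Omit -ContentMatchQuery for an infinite hold.
New-CaseHoldRule -Name "$case rule" -Policy "$case hold" `
    -ContentMatchQuery 'contract AND created>=2019-01-01 AND created<=2019-06-30'

# Distribution is asynchronous; poll until every location reports success.
Get-CaseHoldPolicy -Identity "$case hold" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```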
Compliance Center Demo: Sensitivity Labels, Retention Labels (https://compliance.microsoft.com/#/homepage)

Compliance Manager Demo: https://servicetrust.microsoft.com/ComplianceManager
#SPSCLT19 Speaker Survey Session 3