Published by Lorenzo Sevilla. Modified over 5 years ago.
Office 365 Security Features For SharePoint Admins
Dean Gross
Agenda
- Protect Information (data/files)
- Identity and Access Management (user accounts)
- Stop Threats
- Ensure Compliance (regulatory support)
MICROSOFT INFORMATION PROTECTION
Comprehensive set of capabilities: Discover | Classify | Protect | Monitor
- AZURE INFORMATION PROTECTION: classify, label and protect files beyond Office 365, including on-premises and hybrid
- MICROSOFT CLOUD APP SECURITY: visibility into 15k+ cloud apps, data access and usage, potential abuse
- OFFICE 365 DATA LOSS PREVENTION: prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
- OFFICE 365 MESSAGE ENCRYPTION: send encrypted emails in Office 365 to anyone inside or outside of the company
- WINDOWS INFORMATION PROTECTION: separate personal vs. work data on Windows 10 devices, prevent work data from traveling to non-work locations
- OFFICE 365 ADVANCED DATA GOVERNANCE: apply retention and deletion policies to sensitive and important data in Office 365
- CONDITIONAL ACCESS: control access to files based on policy, such as identity, machine configuration, geolocation
- OFFICE APPS: protect sensitive information while working in Excel, Word, PowerPoint, Outlook
- SHAREPOINT & GROUPS: protect files in libraries and lists
- AZURE SECURITY CENTER INFORMATION PROTECTION: classify and label sensitive structured data in Azure SQL, SQL Server and other Azure repositories
- SDK FOR PARTNER ECOSYSTEM & ISVs: enable ISVs to consume labels and apply protection
- ADOBE PDFs: natively view and protect PDFs in Adobe Acrobat Reader
Protect Information Inside and Outside of SharePoint
Recommendations
- Use Azure AD device-based conditional access to block or limit access on unmanaged devices like airport or hotel kiosks
- Create policies to sign users out of Office 365 web sessions after a period of inactivity
- Evaluate the need for IP-based sessions
- Simulate the access model of an on-premises deployment
- Empower workers to share broadly but safely
- Require sign-in, or use links that expire or grant limited privileges
- Prevent accidental exposure of sensitive content
- Create DLP policies to identify documents and prevent them from being shared
SharePoint Device Access Policies
Block or limit access to SharePoint and OneDrive content from unmanaged devices (those not hybrid AD joined or compliant in Intune).
- Scope: all users in the organization, or only some users or security groups
- Scope: all sites in the organization, or only some site collections
- Configure in the SPO Admin Center (with the Azure AD portal) or with PowerShell: Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
- AllowDownloadingNonWebViewableFiles is discontinued (DO NOT USE)
Device access policies for SharePoint Online and OneDrive for Business are recommended for protecting sensitive, classified, and regulated data.
Session Control
Demo
- Block access using the new SharePoint admin center
- Limit access using the new SharePoint admin center
- Limit access using PowerShell
- Block or limit access to a specific SharePoint site collection or OneDrive
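The PowerShell path from the demo list above, as an added example (not the deck's own script): it sets the tenant default for unmanaged devices, blocks them completely on one sensitive site collection, and turns on idle-session sign-out. It assumes the SharePoint Online Management Shell module is installed; the admin-center and site URLs are placeholders.

```powershell
# Added example: tenant-wide device-access policy, a stricter site-level
# policy for regulated data, and idle-session sign-out (session control).
# Placeholder URLs: replace with your own admin-center and site URLs.
$adminUrl      = "https://contoso-admin.sharepoint.com"
$sensitiveSite = "https://contoso.sharepoint.com/sites/finance"

Connect-SPOService -Url $adminUrl

# Record the current tenant default before changing anything
$before = (Get-SPOTenant).ConditionalAccessPolicy
Write-Host "Tenant device-access policy before: $before"

# Tenant default: unmanaged devices get web-only access (no download, print or sync)
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Site holding regulated data: block unmanaged devices completely
Set-SPOSite -Identity $sensitiveSite -ConditionalAccessPolicy BlockAccess

# Session control: warn idle browser sessions at 55 minutes, sign out at 60
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Hours 1)

# Verify the resulting settings
Get-SPOTenant | Select-Object ConditionalAccessPolicy
Get-SPOSite -Identity $sensitiveSite -Detailed | Select-Object Url, ConditionalAccessPolicy
Get-SPOBrowserIdleSignOut
```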
Control Access – Network Location
Define trusted network boundaries: one or more authorized IP ranges.
Need to consider:
- External sharing: external users will be blocked
- Access from 1st- and 3rd-party apps: SPO only recognizes Yammer, Teams and Exchange
- Access from dynamic IP ranges: not supported
Use the SPO Admin Center or PowerShell. To AVOID lockout, include your own IP address:
Set-SPOTenant -IPAddressAllowList " /16"
Normally, a SharePoint document can be accessed from apps like Exchange, Yammer, Skype, Teams, Planner, Flow, PowerBI, PowerApps, OneNote, and so on. When a location-based policy is enabled, apps that do not support location-based policies are blocked. The only apps that currently support location-based policies are Teams, Yammer, and Exchange. This means that all other apps are blocked, even when these apps are hosted within the trusted network boundary. This is because SharePoint cannot determine whether a user of these apps is within the trusted boundary.
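A lockout guard for the allow list above, as an added example (not the deck's own code): it parses each CIDR range and refuses to turn on enforcement unless the admin's own public address falls inside one of them. The ranges, the tenant URL and $myPublicIP are placeholders; Set-SPOTenant -IPAddressEnforcement is the switch that activates the list.

```powershell
# Added example: guard against locking yourself out when enabling a
# location-based access policy. Ranges below are TEST-NET placeholders.
$trustedRanges = @("203.0.113.0/24", "198.51.100.0/22")

# Convert a dotted-quad IPv4 address to a 32-bit number (host-order independent)
function ConvertTo-UInt32 {
    param([string]$IPv4)
    $b = ([System.Net.IPAddress]$IPv4).GetAddressBytes()
    return [uint32](([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + $b[3])
}

# True when $IPAddress lies inside the block $Cidr (e.g. "203.0.113.0/24");
# a bare address without a prefix is treated as a single host (/32)
function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    if (-not $prefix) { $prefix = 32 }
    $bits = [int]$prefix
    if ($bits -lt 0 -or $bits -gt 32) { throw "Invalid prefix length in $Cidr" }
    # Mask with the top $bits bits set; computed arithmetically to avoid shift quirks
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    return ((ConvertTo-UInt32 $IPAddress) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Placeholder: the public address you administer from. Get it from your network
# team rather than guessing, and remember dynamic ranges are not supported.
$myPublicIP = "203.0.113.45"

$covered = @($trustedRanges | Where-Object { Test-IPInCidr -IPAddress $myPublicIP -Cidr $_ })
if ($covered.Count -eq 0) {
    throw "Refusing to enable IP enforcement: $myPublicIP is in none of $($trustedRanges -join ', ')"
}
Write-Host "$myPublicIP is covered by $($covered -join ', '); applying allow list"

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
Set-SPOTenant -IPAddressAllowList ($trustedRanges -join ',') -IPAddressEnforcement $true
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
```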
Azure AD B2B – Managing Guests
Provides more control of the invitation process:
- With Azure AD B2B, users are added immediately on invitation so that they show up everywhere; OneDrive/SharePoint Online adds users to the directory only after they have redeemed their invitations
- Ability to customize invitations
- Can provide access to other apps
- Can enforce privacy terms and conditions and Terms of Use
- In the SPO Admin Center, use "Allow sharing only with the external users that already exist in your organization's directory"
So, before redemption, you don't see the user in the Azure AD portal. If another site invites the user in the meantime, a new invitation is generated.
Azure Information Protection (AIP)
- Labels can be applied in many clients: Office desktop add-in, Windows Explorer, Adobe Acrobat
- Not yet available in Office web apps
- Scanner finds sensitive information in SharePoint Server
Demo: SPO with sensitivity labels (8/22/2019 12:08 PM)
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Classifying SharePoint sites and Groups
Preview (EOY)
Demo: SPO with retention labels
Available now
AIP scanner demo
Configure the AIP scanner
Discovery mode! Constantly monitoring!
Monitor the scanner nodes at scale
Discover the data & sensitivity
Drill down to a file-level view
Information Protection Recommendations
- Create a multi-disciplinary team
- Map sharing, retention and classification policies to M365 technologies
- DLP/AIP: unified labels
- Create custom Sensitive Information Types
- Cloud App Security: SharePoint and thousands of other apps; policies and alerts
Identity & Access Management
User Accounts are Valuable
Azure Active Directory Conditional Access is your identity security policy hub.
Privileged Identity Management Demo
Identity and Access Management Recommendations
- Enable Azure Active Directory Identity Protection
- For federated identity environments, enforce account security (password length, age, complexity, etc.)
- Enable and enforce MFA for all users
- Implement a set of conditional access and related policies
Stop Threats: They come from everywhere
Alert Policies
- Malware campaign detected in SharePoint and OneDrive: generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization. High severity.
- Unusual external user file activity: generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization, including accessing, downloading, and deleting files. High severity.
- Unusual volume of external file sharing: generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. Medium severity.
- Unusual volume of file deletion: generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. Medium severity.
Requires the Security Reader role.
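A small detector for the "unusual volume of file deletion" case above, as an added example (not the built-in alert policy's implementation): it runs over constructed records shaped like the AuditData of Search-UnifiedAuditLog and flags a user whose deletions in SharePoint or OneDrive exceed a threshold inside a sliding window. The 20-deletions-in-10-minutes threshold is an assumption, since the deck does not state what the built-in policy uses.

```powershell
# Added example: flag users who delete an unusual number of files in a short
# window. Records are constructed here; in production feed it the AuditData of
# Search-UnifiedAuditLog (ConvertFrom-Json), which needs the audit log roles.
$base = Get-Date "2019-08-22T09:00:00"
$records = New-Object System.Collections.Generic.List[object]
# alice: 25 deletions ten seconds apart (a burst)
0..24 | ForEach-Object {
    $records.Add([pscustomobject]@{ CreationTime = $base.AddSeconds(10 * $_); Operation = "FileDeleted";
                                    UserId = "alice@contoso.com"; Workload = "SharePoint" }) }
# bob: 3 deletions spread over six hours (normal housekeeping)
0..2 | ForEach-Object {
    $records.Add([pscustomobject]@{ CreationTime = $base.AddHours(3 * $_); Operation = "FileDeleted";
                                    UserId = "bob@contoso.com"; Workload = "OneDrive" }) }
# a non-deletion event that the detector must ignore
$records.Add([pscustomobject]@{ CreationTime = $base; Operation = "FileAccessed";
                                UserId = "alice@contoso.com"; Workload = "SharePoint" })

function Find-DeletionBursts {
    param($Events, [int]$Threshold = 20, [int]$WindowMinutes = 10)   # thresholds are assumptions
    $deleteOps = @("FileDeleted", "FileDeletedFirstStageRecycleBin")
    $deletes = $Events | Where-Object { $_.Operation -in $deleteOps -and $_.Workload -in @("SharePoint", "OneDrive") }
    $alerts = @()
    foreach ($group in ($deletes | Group-Object UserId)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        # Sliding window: advance $start until the span [$start..$end] fits in $WindowMinutes
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $alerts += [pscustomobject]@{ UserId = $group.Name; Deletions = $end - $start + 1;
                                              WindowStart = $times[$start]; WindowEnd = $times[$end]; Severity = "Medium" }
                break   # one alert per user per run
            }
        }
    }
    return $alerts
}

Find-DeletionBursts -Events $records | Format-Table -AutoSize
```

Only alice is reported; bob's three deletions never reach the threshold inside any ten-minute window, and the FileAccessed record is filtered out before counting.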
Office 365 Advanced Threat Protection (1 of many ATPs)
Safe Attachment Policies: Office 365 Advanced Threat Protection extends the protection provided by EOP to protect you against advanced threats such as zero-day attacks (which involve unknown malware), targeted phishing or whaling campaigns, ransomware, and malicious URLs. By using a combination of machine learning, heuristic clustering, activity events and statistical analysis, files and attachments that are suspicious are routed through a hypervisor environment where they are detonated and analyzed for malicious behavior. With Safe Attachments, you can protect users from opening or downloading malicious content in SharePoint Online, OneDrive for Business, and Teams by simply toggling a checkbox.
Cloud App Security Policies
Ransomware Protection
OneDrive for Business: Files Restore (coming to SharePoint)
SPO Conditional Access
Evaluate users by:
- Location
- Machine: phone, tablet or computer
- Identity
Threat Protection Recommendations
- Connect Office 365 to Microsoft Cloud App Security and start monitoring using the default threat detection policies for anomalous behaviors
- Implement protection for admin accounts:
  • Use dedicated admin accounts for admin activity
  • Enforce multi-factor authentication (MFA) for admin accounts
  • Use a highly secure Windows 10 device for admin activity
- Implement enhanced protections for admin accounts:
  • Configure Privileged Access Workstations (PAWs) for admin activity
  • Configure Azure AD Privileged Identity Management
  • Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS
It takes seven days to build a baseline for anomaly detection. The Office 365 Audit Log stores data for only 90 days; capturing this data in a SIEM tool allows you to store it for a longer period.
Ensure Compliance: Regulations are Complicated
Compliance Features
- Customer Lockbox (E5 or Advanced Compliance): no more than 4 hours of access; covers SharePoint, OneDrive, Exchange
- Audit Log Reports
- Finding Personal Data (GDPR requirement)
- Retention Labels and Policies: manual or automatic; default label for a document library, folder or document set; consistent across application workloads; use the same Sensitive Information Types as DLP; deleted files in OneDrive are moved to hidden libraries; replace the Records Center, Information Policies and in-place records management
Office 365 audit log report: You can search the Office 365 audit log for user and admin activity in your Office 365 organization. The report contains entries for user and admin activity in Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory, which is the directory service for Office 365. For more information, see Search the audit log in the Office 365 Security & Compliance Center.
Finding personal data subject to GDPR relies on using sensitive information types in Office 365. Coming soon: you'll be able to create and modify sensitive information types in a new user interface in the Security and Compliance Center. You can dynamically see matching results and tune sensitive information types to meet your needs.
You can use retention labels to implement a single, consistent records-management strategy across Office 365, whereas other records-management features such as the Records Center apply only to SharePoint content. And you can enforce retention actions on records, so that they're disposed of automatically at the end of their lifecycle.
Compliance Manager
- Assessments: ISO, NIST & GDPR
- Progress indicators
- Compliance score: preventive, detective, or corrective measures
- Customer Managed Controls: recommended actions
- Reporting
E-Discovery Cases
- Place holds on ODfB and SPO sites (and mailboxes)
- Can take up to 24 hours
- Infinite or date-range time period
- Can use keywords or document properties, such as file names
You can use an eDiscovery case to create holds to preserve content that might be relevant to the case. You can place a hold on the mailboxes and OneDrive for Business sites of people who are custodians in the case. You can also place a hold on the group mailbox, SharePoint site, and OneDrive for Business site for an Office 365 Group. Similarly, you can place a hold on the mailbox and site that are associated with Microsoft Teams. When you place content locations on hold, content is held until you remove the hold from the content location or until you delete the hold.
Compliance Center Demo
- Sensitivity Labels
- Retention Labels
Compliance Manager Demo