Security Best-in-class security with over a decade of experience building Enterprise software & Online services Physical and data security with.


5 The Office 365 Trust narrative
Security
- Best-in-class security with over a decade of experience building enterprise software and online services
- Physical and data security with access control, encryption and strong authentication
- Security best practices like penetration testing and defense-in-depth to protect against cyber-threats
- Unique customer controls with Rights Management Services to empower customers to protect information
Compliance
- Commitment to industry standards and organizational compliance
- Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
- Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
- Admin controls like Data Loss Prevention, Legal Hold, E-Discovery to enable organizational compliance
Privacy
- Privacy by design with commitment to use customers' information only to provide services
- No mining of data for advertising
- Transparency with the location of customer data, who has access and under what circumstances
- Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties

6 Microsoft security and compliance milestones (timeline: 1989, 1995, 2000, 2005, 2010, 2013)
- Bill Gates Memo; Trustworthy Computing Initiative (TwC)
- Microsoft Security Engineering Center - Security Development Lifecycle (SDL)
- Microsoft Security Response Center (MSRC); Malware Protection Center; Microsoft Security Essentials
- 1st Microsoft Data Center; Global Foundation Services (GFS), one of the world's largest cloud providers and datacenter/network operators
- Online services: MSN, Hotmail, Outlook.com, Bing/MSN Search, Xbox Live, Windows Update, Active Directory, Windows Azure, Microsoft Online Services (MOS), Exchange Hosted Services (part of Office 365)
- Certifications and agreements: ISO 27001 Certification, SAS-70, SSAE-16, FISMA, U.S.-EU Safe Harbor, European Union Model Clauses (EUMC), Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), Data Processing Agreement (DPA), CJIS Security Policy Agreement

8 Built-in capabilities
- Security best practices like penetration testing and defense-in-depth to protect against cyber-threats
- Physical and data security with access control, encryption and strong authentication
Flexible customer controls
- Unique customer controls with Rights Management Services to empower customers to protect information

10 Defense in depth: layers and controls
Across all layers: threat and vulnerability management, security monitoring, and response
- Network perimeter: edge routers, firewalls, intrusion detection, vulnerability scanning
- Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
- Host: access control and monitoring, anti-malware, patch and configuration management
- Application: secure engineering (SDL), access control and monitoring, anti-malware
- Data: access control and monitoring, file/data integrity, encryption
- User: account management, training and awareness, screening
- Facility: physical controls, video surveillance, access control

11 Facility
- Seismic bracing
- 24x7 onsite security staff
- Days of backup power
- Tens of thousands of servers
- Perimeter security
- Extensive monitoring
- Multi-factor authentication
- Fire suppression

13 Network perimeter / Internal network
- Physical separation between backend and public-facing interfaces
- Edge router security / firewalls implemented to secure the network edge
- Port scanning
- Perimeter vulnerability scanning
- Network level DDOS and intrusion detection and prevention

15 Internal network
- Network level DDOS and intrusion detection and prevention
- Networks within the Office 365 data centers are segmented
- 2FA for service access
- Isolation between the Microsoft corporate network environment and the production access environment for all employees

17 Account management
- Automatic account deletion
- Unique accounts
- Zero access privileges
- Training, policies and awareness
- Background checks, screening

18 Zero access privilege and automated operations
- An O365 admin on the Microsoft corporate network requests access to the Office 365 datacenter network
- Eligibility is verified by checking that: 1. background check completed; 2. fingerprinting completed; 3. security training completed
- The system grants the least privilege required to complete the task, as a temporary privilege

20 Isolated customer data
Data in server: the multi-tenant environment is designed to support logical isolation of data that multiple customers store on the same physical hardware. Intended or unintended access to data belonging to a different customer/tenant is prevented by data isolation.
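The logical isolation the slide describes comes down to one rule: the storage layer is shared, so every read must be bound to the tenant established at authentication time, never to an identifier the caller supplies. The following is an added illustration written for this transcript, not Office 365 code; the store, the tenant names "contoso" and "fabrikam" and the documents are constructed sample data. It shows the weak unscoped lookup beside the tenant-scoped one, and why the scoped version answers "absent" and "belongs to someone else" identically.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    body: str


class SharedStore:
    """One physical store (a dict standing in for shared disks) holding every tenant's rows."""

    def __init__(self) -> None:
        self._rows: dict[str, Document] = {}

    def insert(self, doc: Document) -> None:
        self._rows[doc.doc_id] = doc

    def raw_get(self, doc_id: str) -> Optional[Document]:
        # Storage-layer lookup with no tenant awareness; only the scoped layer should call it.
        return self._rows.get(doc_id)

    def raw_rows(self):
        return self._rows.values()


def unscoped_get(store: SharedStore, doc_id: str) -> Optional[Document]:
    """The weak pattern: whoever knows (or guesses) an id gets the row, whatever tenant owns it."""
    return store.raw_get(doc_id)


class TenantScopedStore:
    """Every read is bound to the tenant fixed at construction (i.e. at authentication),
    so a request cannot select a different tenant by changing a parameter."""

    def __init__(self, store: SharedStore, tenant_id: str) -> None:
        self._store = store
        self._tenant_id = tenant_id

    def get(self, doc_id: str) -> Optional[Document]:
        doc = self._store.raw_get(doc_id)
        if doc is None or doc.tenant_id != self._tenant_id:
            # Same answer for "does not exist" and "owned by another tenant", so the
            # response does not confirm that a foreign document id is valid.
            return None
        return doc

    def list_ids(self) -> list[str]:
        return sorted(d.doc_id for d in self._store.raw_rows() if d.tenant_id == self._tenant_id)


def build_sample_store() -> SharedStore:
    # Constructed sample data: two tenants sharing one physical store.
    store = SharedStore()
    store.insert(Document("doc-1", "contoso", "Contoso Q3 forecast"))
    store.insert(Document("doc-2", "fabrikam", "Fabrikam payroll"))
    store.insert(Document("doc-3", "contoso", "Contoso board minutes"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    contoso = TenantScopedStore(store, "contoso")
    print(contoso.list_ids())            # ['doc-1', 'doc-3']
    print(contoso.get("doc-2"))          # None: fabrikam's row is invisible to contoso
    print(unscoped_get(store, "doc-2"))  # the unscoped lookup hands it over
```

The point to take from the design is that the tenant id lives in the scoped object, not in the request: a caller cannot widen its own scope, and an audit of cross-tenant access reduces to checking that nothing outside the scoped layer calls raw_get.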

21 Backend: customer side
Windows computer, Windows server and data disk: BitLocker protected

22 Customer Windows PC and server
- Client to server: SSL/TLS protected
- Server to server: SSL/TLS protected
- Data disk

23 Defense in depth: layers and controls
Across all layers: threat and vulnerability management, monitoring, and response
- Network perimeter: edge routers, intrusion detection, vulnerability scanning
- Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
- Host: access control and monitoring, anti-malware, patch and configuration management
- Application: secure engineering (SDL), access control and monitoring, anti-malware
- Data: access control and monitoring, file/data integrity, encryption
- User: account management, training and awareness, screening
- Facility: physical controls, video surveillance, access control

24 Security Development Lifecycle: reduce vulnerabilities, limit exploit severity
Ongoing process improvements:
- Education: administer and track security training
- Process: guide product teams to meet SDL requirements
- Accountability: establish release criteria and sign-off as part of the Final Security Review (FSR)
- Incident Response (MSRC)
Phases and activities:
- Training: core security training
- Requirements: establish security requirements; create quality gates / bug bars; security and privacy risk assessment
- Design: establish design requirements; analyze attack surface; threat modeling
- Implementation: use approved tools; deprecate unsafe functions; static analysis
- Verification: dynamic analysis; fuzz testing; attack surface review
- Release: incident response plan; final security review; release archive
- Response: execute incident response plan

26 Prevent Breach and Assume Breach
Prevent Breach:
- Threat model
- Code review
- Security development lifecycle (SDL)
- Security testing
Assume Breach:
- War game exercises (NEW)
- Live site pentest (NEW)
- Centralized security logging and monitoring (NEW)
Assume breach identifies and addresses significant gaps:
- Detect attack and penetration
- Respond to attack and penetration
- Recover from data leakage or tampering
- Scope ongoing live site testing of security response plans to drastically improve mean time to detection and recovery
- Reduce exposure to internal attack (once inside, attackers have broad access)
- Periodic post-breach assessment of the environment and return to a clean state

27 Assume Breach: wargame exercises
- Red teaming
- Blue teaming
- Monitor emerging threats
- Execute post breach
- Insider attack simulation

28 Red Team / Blue Team war games
We do our own penetration testing, which is quite effective as we can test a number of rogue admin scenarios. We also provide auditors with reports and communications to keep them apprised of the status of the system. Furthermore, we validate the external surface of the service using third party penetration testing based upon the OWASP top ten.

29 Outside in
- PEN testing
- Weekly port scanning: only protocol ports open to the world (over SSL)
- Daily perimeter vulnerability scanning
- OS patching
- Message hygiene: antispam, antivirus through FOPE
- Network level DDOS detection and prevention: Arbor Peakflow
- 0-human-set engineer passwords: no weak/reused passwords

30
- 2FA required for service access
- Auditing of all operator access and actions
- 0 standing permissions in the service: just-in-time elevations; automatic rejection of non-background-checked employees for high privilege access; scrutinized manual approval for background-checked employees
- Automatic account deletion: when an employee leaves; when an employee moves groups; lack of use
- Automated tooling for routine activities: deployment, debugging, diagnostic collection, restarting services
- Passwords encrypted in password store: automation has access to passwords; highly scrutinized, manually approved access for humans
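Slides 18 and 30 together describe one access model: no standing privileged permissions, eligibility gates (background check, fingerprinting, security training) before any elevation, time-limited grants, an audit record for every access and action, and automatic account deletion when someone leaves, moves groups or stops using the account. The code below is an added model of that workflow written for this transcript; it is not Microsoft's tooling. The elevation lifetime, the idle limit, the role and ticket names and the operators are all assumed or constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Operator:
    user_id: str
    background_check: bool = False
    fingerprinting: bool = False
    security_training: bool = False
    active: bool = True
    last_activity: Optional[datetime] = None


@dataclass
class Grant:
    user_id: str
    role: str
    reason: str
    issued_at: datetime
    expires_at: datetime


class AccessBroker:
    """Issues time-boxed elevations; nobody holds a privileged role permanently."""

    ELEVATION_TTL = timedelta(hours=4)  # assumed value, not taken from the deck
    IDLE_LIMIT = timedelta(days=90)     # assumed value, not taken from the deck

    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[dict] = []

    def _log(self, when: datetime, user_id: str, event: str, **detail) -> None:
        # Every decision, allowed or denied, leaves an audit record.
        self.audit.append({"time": when.isoformat(), "user": user_id, "event": event, **detail})

    @staticmethod
    def eligible(op: Operator) -> bool:
        # The three checks from slide 18; an inactive account is never eligible.
        return op.active and op.background_check and op.fingerprinting and op.security_training

    def request_elevation(self, op: Operator, role: str, reason: str, now: datetime) -> Optional[Grant]:
        if not self.eligible(op):
            self._log(now, op.user_id, "elevation_rejected", role=role, reason=reason)
            return None
        grant = Grant(op.user_id, role, reason, now, now + self.ELEVATION_TTL)
        self.grants.append(grant)
        op.last_activity = now
        self._log(now, op.user_id, "elevation_granted", role=role, reason=reason,
                  expires=grant.expires_at.isoformat())
        return grant

    def authorize(self, op: Operator, role: str, action: str, now: datetime) -> bool:
        # Only an unexpired grant for this role lets the action proceed.
        allowed = op.active and any(
            g.user_id == op.user_id and g.role == role and g.issued_at <= now < g.expires_at
            for g in self.grants)
        if allowed:
            op.last_activity = now
        self._log(now, op.user_id, "action_allowed" if allowed else "action_denied",
                  role=role, action=action)
        return allowed

    def deprovision(self, operators, now: datetime, left=(), moved_groups=()) -> list[str]:
        """Automatic deletion for the three triggers on slide 30; returns the ids removed."""
        removed = []
        for op in operators:
            if not op.active:
                continue
            if op.user_id in left:
                why = "left_company"
            elif op.user_id in moved_groups:
                why = "moved_groups"
            elif op.last_activity is None or now - op.last_activity > self.IDLE_LIMIT:
                why = "lack_of_use"
            else:
                continue
            op.active = False
            self.grants = [g for g in self.grants if g.user_id != op.user_id]
            self._log(now, op.user_id, "account_deleted", reason=why)
            removed.append(op.user_id)
        return removed


def scenario() -> dict:
    """Constructed walk-through: one eligible operator, one who failed screening, one idle."""
    t0 = datetime(2013, 6, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    alice = Operator("alice", True, True, True, last_activity=t0)
    bob = Operator("bob", background_check=False, fingerprinting=True, security_training=True)
    carol = Operator("carol", True, True, True, last_activity=t0 - timedelta(days=200))
    granted = broker.request_elevation(alice, "o365-admin", "ticket-1234: restart mailbox service", t0)
    rejected = broker.request_elevation(bob, "o365-admin", "ticket-1235: collect diagnostics", t0)
    during = broker.authorize(alice, "o365-admin", "restart-service", t0 + timedelta(hours=1))
    after = broker.authorize(alice, "o365-admin", "restart-service", t0 + timedelta(hours=5))
    removed = broker.deprovision([alice, bob, carol], t0 + timedelta(days=1), left={"bob"})
    return {"granted": granted is not None, "rejected": rejected is None,
            "allowed_during": during, "allowed_after": after, "removed": removed,
            "audit_events": [e["event"] for e in broker.audit]}


if __name__ == "__main__":
    print(scenario())
```

Two details carry the security value: the grant expires on its own, so forgetting to revoke cannot leave a standing permission, and a denied action is logged with the same detail as an allowed one, which is what makes the audit trail usable for detection rather than only for compliance.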

31 Incidents: detection and response
Detection
- Incidents: security incident; security breach
- Escalations: federated security analysis; O365 security analysis; escalations from engineering teams
- Alerts: automated detections; human analysis; customer identification
Breach: a malicious act against the environment that results in unauthorized disclosure, or alteration and/or denial of data or service
Response
- Declaration of breach; initiate breach response procedures
- Communication: executive reporting; media relations; privacy; customer notification
- Remediation: containment; eradication; recovery
- Closure: post mortem; documentation; process improvement

32 User access
- Integrated with Active Directory, Azure Active Directory and Active Directory Federation Services
- Federation: secure SAML token-based authentication
- Password synchronization: only a one-way hash of the password is synchronized to WAAD, so the original password cannot be reconstructed from it
- Enables additional authentication mechanisms: two-factor authentication, including phone-based 2FA; client-based access control based on devices/locations; role-based access control

33 Type of risk / protection mechanisms / implementation
- Malicious or unauthorized physical access to data center / server / disks: BitLocker implemented on servers; facility access restrictions to servers/datacenter. Backend control implemented in the service.
- External malicious or unauthorized access to service and customer data: zero standing access privileges; automated operations; auditing of all access and actions; network level DDOS / intrusion detection and prevention; threat management / assume breach. Backend control implemented in the service.
- Gaps in software that make the data and service vulnerable: Security Development Lifecycle. Backend control implemented in the service.
- Rogue administrators / employees in the service or data center: zero standing access privileges; automated operations; auditing of all access and actions; training; background checks / screening; threat management / assume breach. Backend control implemented in the service.
- Microsoft admin credentials get compromised: multi-factor authentication; zero standing access privileges; requires Microsoft trusted computers to get onto management servers; threat management / assume breach. Backend control implemented in the service.

34 Type of risk / protection mechanisms / implementation
- Encryption keys get compromised: secure key management processes; access to keys is limited or removed for people. Backend control implemented in the service.
- Administrator's computer gets compromised/lost: BitLocker on the disks of the computer; remote desktop session; different credentials; zero standing access privileges. Backend control implemented in the service.
- Law authorities accessing customer data: redirect request to customer; threat management and assume breach. Backend control implemented in the service.
- Service and hence customer data becomes inaccessible due to an attack: network level DDOS / intrusion detection and prevention. Backend control implemented in the service.
- Malware: anti-malware at host, application and transient data layers. Backend control implemented in the service.
- Malfunction of software which enables unauthorized access to another user's data in the tenant / another tenant / with no authentication: Security Development Lifecycle; configuration management. Backend control implemented in the service.

35 Type of risk / protection mechanisms / implementation
- Interception of email to partners over the Internet*: SMTP session to partners could be protected using opportunistic or forced TLS. Control available to customers.
- Interception of client / server communication: SSL / TLS is implemented in all workloads. Backend control implemented in the service.
- Interception of communication between datacenters or between servers: Office 365 applications use SSL / TLS to secure server-to-server communication; all communication is on Microsoft owned networks. Backend control implemented in the service.
- Interception or access of content in transit or at rest by other people**: Rights Management could be applied to the content. Control available to customers.
- Interception of email in transit or at rest between users within the organization*: S/MIME could be implemented and applied to emails. Control available to customers.
- Interception of email in transit and at rest to an external user*: Office 365 Message Encryption may be applied to messages. Control available to customers.
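The first row distinguishes opportunistic from forced TLS for partner SMTP, and the difference only shows up in two decisions: what to do when the partner's server does not advertise STARTTLS, and whether to accept a certificate that cannot be verified. The example below is added for this transcript and is not Office 365 configuration; it parses an EHLO reply for the STARTTLS capability, builds the TLS context each policy implies, and returns the delivery action. The EHLO replies and hostnames are constructed, and the policy names "opportunistic" and "forced" are labels chosen here.

```python
import ssl

# Constructed EHLO replies as an SMTP client would receive them after sending EHLO.
PARTNER_WITH_TLS = "250-mx.partner.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
PARTNER_NO_TLS = "250-mx.legacy.example\r\n250-SIZE 10485760\r\n250 HELP\r\n"


def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords in an EHLO reply. Continuation lines are '250-KEYWORD',
    the final line is '250 KEYWORD'; the first line carries the server hostname, not an extension."""
    exts: set[str] = set()
    for i, line in enumerate(reply.strip().splitlines()):
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if i == 0:
            continue
        parts = line[4:].split()
        if parts:
            exts.add(parts[0].upper())
    return exts


def tls_context(policy: str) -> ssl.SSLContext:
    """Forced TLS verifies the partner's certificate and hostname; opportunistic TLS still
    encrypts when offered but does not fail delivery on an unverifiable certificate."""
    ctx = ssl.create_default_context()
    if policy == "forced":
        return ctx  # CERT_REQUIRED and check_hostname=True by default
    if policy == "opportunistic":
        ctx.check_hostname = False      # must be cleared before relaxing verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unknown policy: {policy}")


def verifies_peer(policy: str) -> bool:
    ctx = tls_context(policy)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def plan_delivery(ehlo_reply: str, policy: str) -> str:
    """Decide the next step for one outbound session under the given policy."""
    exts = parse_ehlo(ehlo_reply)
    if "STARTTLS" in exts:
        return "starttls"
    if policy == "forced":
        return "defer"      # queue and retry later; never downgrade to cleartext
    return "plaintext"      # opportunistic: deliver unencrypted when TLS is not offered


if __name__ == "__main__":
    for name, reply in (("with_tls", PARTNER_WITH_TLS), ("no_tls", PARTNER_NO_TLS)):
        for policy in ("opportunistic", "forced"):
            print(name, policy, plan_delivery(reply, policy), "verify:", verifies_peer(policy))
```

With a real connection the context from tls_context would be passed to smtplib.SMTP.starttls(context=...). The "defer" branch is what makes forced TLS forced: a partner outage or a misconfigured relay produces a queued message rather than a silent fall back to cleartext, which is the failure mode opportunistic TLS deliberately accepts.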

37 Privacy by design means that we do not use your information for anything other than providing you services
No advertising:
- No advertising products built out of customer data
- No scanning of email or documents to build analytics or mine data
Privacy controls:
- Various customer controls at admin and user level to enable or regulate sharing
- If the customer decides to leave the service, they get to take their data and delete it in the service
Transparency:
- Access to information about the geographical location of data, who has access and when
- Notification to customers about changes in security, privacy and audit information

38 Who owns the data I put in your service? Will you use my data to build advertising products?
We do not mine your data for advertising purposes. It is our policy to not use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two. You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you, whenever you want. Learn more about data portability and how we use your data.

39 At Microsoft, our strategy is to consistently set a "high bar" around privacy practices that support global standards for data handling and transfer
- Where is data stored? Clear data maps and geographic boundary information are provided; the 'Ship To' address determines the data center location.
- Who accesses and what is accessed? Core customer data is accessed only for troubleshooting and malware prevention purposes; core customer data access is limited to key personnel on an exception basis.
- How to get notified? Microsoft notifies you of changes in data center locations and any changes to compliance.

40 Microsoft Online Services customer data: use and access
We use customer data for just what they pay us for - to maintain and provide the Office 365 service.
Data categories: Usage Data; Account and Address Book Data; Customer Data (excluding Core Customer Data*); Core Customer Data.
Use of data, by category: operating and troubleshooting the service: Yes. Security, spam and malware prevention: Yes. Improving the purchased service, analytics: Yes / No. Personalization, user profile, promotions: No / Yes / No. Communications (tips, advice, surveys, promotions): No / No/Yes / No. Voluntary disclosure to law enforcement: No. Advertising: No.
Access to data, by category: Operations Response Team (limited to key personnel only): Yes; Yes, as needed; Yes, by exception. Support organization: Yes, only as required in response to a support inquiry; No. Engineering: Yes; No direct access, may be transferred during troubleshooting; No. Partners: with customer permission, see partner for more information. Others in Microsoft: No; No (Yes for Office 365 for small business customers, for marketing purposes); No.

42 What does compliance mean to customers? What standards do we meet? What is regulatory compliance and organizational compliance?

43 Built-in capabilities for global compliance
- Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
- Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
Customer controls for compliance with internal policies
- Admin controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

44 Independent verification Regulatory compliance Peace of mind

45 Certifications and standards
- SSAE/SOC, ISO 27001, EUMC, FERPA, FISMA, PCI, HIPAA, HITECH, ITAR, HMG IL2, CJIS
- Scope: global, Europe, U.S., UK; sectors: finance, education, government, card data, healthcare, defense, law enforcement
- Also: ISO, SOC, HIPAA, FedRAMP, FERPA, HMG IL2, EUMC, TC260 MLPS

46 Office 365 has over 900 controls today!
Built-in capabilities: physical security; security best practices; secure network layer; data encryption; access control; account management; incident monitoring; encryption of stored data; data minimization and retention; DLP; OME; S/MIME; RBAC; RMS; new certifications; and more...
Office 365 Service | Master GRC Control Sets | Certifications

47 Compliance Management Framework
- Market and competitive intelligence
- Regulatory impact analysis (RSIA)
- Define security and privacy controls
- Determine implementation requirements
- Implement controls
- Document implementation
- Continuous monitoring
- Independent verification (audits)
- Remediation

48 Microsoft is the Data Custodian/Processor Customer is the Data Controller

49 We satisfy various requirements for security, privacy and handling of customer data; examples are DPAs with EU Model Clauses, ISO, FISMA etc.
Customers would still have to do their part for components that run on-premises:
- Client side / desktop security and encryption standards
- Physical access
- End user secret management

51 Trust and Confidence We take privacy seriously and provide customer data only in response to specific, targeted lawful demands.

52
- By default, no one has access to a customer's data without authorization.
- We provide contractual guarantees concerning how access requests are handled.
- We're obligated to comply with applicable governmental laws, i.e. we respond to legal demands for customer data and do not provide any government with direct and unfettered access to our customers' data.
- We only pull/provide the specific data mandated by the relevant legal demand, i.e. we must be served with a court order or subpoena for content or account information.
- We only respond to requests for specific accounts and identifiers.
- All requests are explicitly reviewed by the Microsoft compliance team, who ensures that the requests are valid, rejects
For more information, please see the official Microsoft blog, "Protecting customer data from government snooping".
