Office 365 Security and Compliance

Office 365 Trust Center
• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks
www.trust.office365.com
It’s your data
You own it, you control it
We run the service for you
We are accountable to you
• Facility: Physical controls, video surveillance, access control
• Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
• Internal network: Dual-factor authentication, intrusion detection, vulnerability scanning
• Host: Access control and monitoring, anti-malware, patch and configuration management
• Application: Secure engineering (SDL), access control and monitoring, anti-malware
• Admin: Account management, training and awareness, screening
• Data: Threat and vulnerability management, security monitoring, and response, access control and monitoring, file/data integrity, encryption
Why do you care about Compliance?
Independent verification
Regulatory requirements
From Principles to practice
Principles become:
• Policy: Business rules for protecting information and systems which store and process information
• Standards: System or procedural specific requirements that must be met
• Control Framework: A process or system to assure the implementation of policy
• Technologies and Operating procedures: Step-by-step procedures
Standards & Certifications also inform our actions
• SSAE/SOC: Finance, Global
• ISO27001: Global, Global
• EUMC: Europe, Europe
• FISMA: Government, U.S.
• HIPAA: Healthcare, U.S.
• HITECH: Healthcare, U.S.
• ITAR: Defense, U.S.
• HMG IL2: Government, UK
• CJIS: Law Enforcement, U.S.
The result is a rich fabric
More than 950 Office 365 controls, which are complemented by customer controls
Our controls cover topics like
Customer Controls Augment Compliance
Control framework
Designed for efficiency
One requirement satisfies multiple regulations
• Requirement: Access Control-0107
• NIST Base Control ID: AC-02
• ISO ID: A.11.02.01
Example topics covered by controls
• Where can data be stored?
• Who can access data?
• How do we control access?
• When and where is data encrypted?
• Is your data encrypted?
• …
Where is the data stored?
trust.office365.com has detailed data maps
Who has access to data?
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
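Operations Response Team (limited to key personnel only)
• Usage Data: Yes.
• Address Book Data: Yes, as needed.
• Customer Data (excluding Core Customer Data*): Yes, as needed.
• Core Customer Data: Yes, by exception.
Support Organization
• Usage Data: Yes, only as required in response to Support Inquiry.
• Address Book Data: Yes, only as required in response to Support Inquiry.
• Customer Data (excluding Core Customer Data*): Yes, only as required in response to Support Inquiry.
• Core Customer Data: No.
Engineering
• Usage Data: Yes.
• Address Book Data: No Direct Access. May Be Transferred During Trouble-shooting.
• Customer Data (excluding Core Customer Data*): No Direct Access. May Be Transferred During Trouble-shooting.
• Core Customer Data: No.
Partners
• Usage Data: With customer permission.
• Address Book Data: With customer permission.
• Customer Data (excluding Core Customer Data*): With customer permission.
• Core Customer Data: With customer permission.
Others in Microsoft
• Usage Data: No.
• Address Book Data: No (Yes for Office 365 for small business Customers for marketing purposes).
• Customer Data (excluding Core Customer Data*): No.
• Core Customer Data: No.
www.trust.office365.com has more information on this.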
Controlling Access to data
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
Manager
Request
Approve
Temporary access granted
Request with reason
Zero standing privileges
Data at Rest
Disks encrypted with BitLocker
Encrypted shredded storage
Data in-transit
SSL/TLS Encryption
Client to Server
Data center to Data center
User
Audit cadence
Control Effectiveness Assessments (Audits) Performed
• First half of 2013: ITAR FedRAMP; SSAE 16 SOC
• Second half of 2013: MT FedRAMP; ISO
Customers can request a copy of the latest audit reports
‘Right to Examine’
We offer a wide range of accreditation artifacts
Compliance Program
Signed agreements:
• Data Processing Agreement (including EU Model clauses)
• Business Associate Agreement
Ever Evolving Approach to Compliance
• Market & Competitive Intelligence
• Remediation
• Independent verification (Audits)
• Regulatory Impact Analysis
• Compliance Management Framework
• Define Security, and Privacy controls
• Determine Implementation Requirements
• Continuous Monitoring
• Document Implementation
• Implement Controls
Microsoft experience and credentials
One of the world’s largest cloud providers & datacenter/network operators
[Timeline figure; axis marks: 1989, 1995, 2000, 2005, 2010, 2013, 2014. Milestones shown:]
• 1st Microsoft Data Center
• Fort Knox
• Microsoft Security Engineering Center - Security Development Lifecycle (SDL)
• Hotmail
• Exchange Hosted Services (part of Office 365)
• Active Directory
• MSN
• HIPAA BAA
• Malware Protection Center
• Xbox Live
• ISO 27001 Certification
• SAS-70
• Windows Update
• Microsoft Security Response Center (MSRC)
• Global Foundation Services (GFS)
• Trustworthy Computing Initiative (TwC)
• U.S.-EU Safe Harbor
• CJIS Security Policy Agreement
• Windows Azure
• Bill Gates Memo
• Bing/MSN Search
• SSAE-16
• Microsoft Online Services (MOS)
• Outlook.com
• Microsoft Security Essentials
• FISMA
• European Union Model Clauses (EUMC)
• Article 29 Working Committee
Compliance controls
Helps to identify, monitor, protect sensitive data through deep content analysis
Identify
Monitor
Protect
End user education
Data Loss Prevention (DLP)
Prevents sensitive data from leaving organization
Provides an Alert when data such as Social Security & Credit Card Number is emailed.
Alerts can be customized by Admin to catch Intellectual Property from being emailed out.
Empower users to manage their compliance
• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own
Scan email and attachments to look for patterns that match document templates
Protect sensitive documents from being accidentally shared outside your organization
No coding required; simply upload sample documents to create fingerprints
Email archiving and retention
Preserve
• In-Place Archive: Secondary mailbox with separate quota; Managed through EAC or PowerShell; Available on-premises, online, or through EOA
• Governance: Automated and time-based criteria; Set policies at item or folder level; Expiration date shown in email message
• Hold: Capture deleted and edited email messages; Time-Based In-Place Hold; Granular Query-Based In-Place Hold; Optional notification
Search
• eDiscovery: Web-based eDiscovery Center and multi-mailbox search; Search primary, In-Place Archive, and recoverable items; Delegate through roles-based administration; De-duplication after discovery; Auditing to ensure controls are met
Privacy
Privacy means that we do not use your information for anything other than providing you services
No advertising products out of Customer Data
No scanning of email or documents to build analytics or mine data
Access to information about geographical location of data, who has access and when
Various customer controls at admin and user level to enable or regulate sharing
Notification to customers about changes in security, privacy and audit information
If the customer decides to leave the service, they get to take their data and delete it in the service
By default, no one has access to a customer’s data without authorization
We do not provide any government with direct and unfettered access to our customer’s data
We must be served with a court order or subpoena for content or account information
We only respond to requests for specific accounts and identifiers
All requests are explicitly reviewed by the Microsoft compliance team; we make every attempt to redirect requests to the customer
For more information, please see the official Microsoft blog, "Protecting customer data from government snooping"
To be clear, here’s what we do, and what we don’t do:
Resources
FISMA is a federal law that requires U.S. federal agencies and their partners to procure information systems from organizations that adhere to the specific requirements
FedRAMP speeds up federal agencies’ adoption and purchase of cloud computing
Office 365 has a comprehensive approach towards CJIS compliance
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
At Microsoft, our strategy is to consistently set a “high bar” around privacy practices that support global standards for data handling and transfer
Where is Data Stored?
Clear Data Maps and Geographic boundary information provided
‘Ship To’ address determines Data Center Location
Who accesses and What is accessed?
Core Customer Data accessed only for troubleshooting and malware prevention purposes
Core Customer Data access limited to key personnel on an exception basis.
How to get notified?
Microsoft notifies you of changes in data center locations and any changes to compliance.
How Privacy of Data is Protected?
We use customer data for just what they pay us for - to maintain and provide Office 365 Service
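Microsoft Online Services Customer Data1
Operating and Troubleshooting the Service
• Usage Data: Yes
• Account and Address Book Data: Yes
• Customer Data (excluding Core Customer data): Yes
• Core Customer Data: Yes
Security, Spam and Malware Prevention
• Usage Data: Yes
• Account and Address Book Data: Yes
• Customer Data (excluding Core Customer data): Yes
• Core Customer Data: Yes
Improving the Purchased Service, Analytics
• Usage Data: Yes
• Account and Address Book Data: Yes
• Customer Data (excluding Core Customer data): Yes
• Core Customer Data: No
Personalization, User Profile, Promotions
• Usage Data: No
• Account and Address Book Data: Yes
• Customer Data (excluding Core Customer data): No
• Core Customer Data: No
Communications (Tips, Advice, Surveys, Promotions)
• Usage Data: No
• Account and Address Book Data: No/Yes
• Customer Data (excluding Core Customer data): No
• Core Customer Data: No
Voluntary Disclosure to Law Enforcement
• Usage Data: No
• Account and Address Book Data: No
• Customer Data (excluding Core Customer data): No
• Core Customer Data: No
Advertising5
• Usage Data: No
• Account and Address Book Data: No
• Customer Data (excluding Core Customer data): No
• Core Customer Data: No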
Operations Response Team (limited to key personnel only)
• Usage Data: Yes.
• Address Book Data: Yes, as needed.
• Customer Data (excluding Core Customer Data*): Yes, as needed.
• Core Customer Data: Yes, by exception.
Support Organization
• Usage Data: Yes, only as required in response to Support Inquiry.
• Address Book Data: Yes, only as required in response to Support Inquiry.
• Customer Data (excluding Core Customer Data*): Yes, only as required in response to Support Inquiry.
• Core Customer Data: No.
Engineering
• Usage Data: Yes.
• Address Book Data: No Direct Access. May Be Transferred During Trouble-shooting.
• Customer Data (excluding Core Customer Data*): No Direct Access. May Be Transferred During Trouble-shooting.
• Core Customer Data: No.
Partners
• Usage Data: With customer permission. See Partner for more information.
• Address Book Data: With customer permission. See Partner for more information.
• Customer Data (excluding Core Customer Data*): With customer permission. See Partner for more information.
• Core Customer Data: With customer permission. See Partner for more information.
Others in Microsoft
• Usage Data: No.
• Address Book Data: No (Yes for Office 365 for small business Customers for marketing purposes).
• Customer Data (excluding Core Customer Data*): No.
• Core Customer Data: No.
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn