When Your CISO Says No - Security & Compliance in Office 365
Slide 1: When Your CISO Says No: Security & Compliance in Office 365
www.ceiamerica.com
Slide 2: About Me
Architect; Principal Consultant, Microsoft Solutions Division
Partner Technical Specialist (Purple Badge)
SharePoint | Office 365 | Azure
www.sharepointcowbell.com
Slide 3: Talking Points
• CISO Objections
• The Path to Yes
• Demos
Slide 4: Cloud Innovation: Risks & Benefits
Pre-adoption concerns:
• 60% cited concerns around data security as a barrier to adoption
• 45% were concerned that the cloud would result in a lack of data control
Benefits realized:
• 94% experienced security benefits they didn’t previously have on-premises
• 62% said privacy protection increased as a result of moving to the cloud
SECURITY
• Design/Operation
• Infrastructure
• Network
• Identity/access
• Data
PRIVACY
COMPLIANCE
TRANSPARENCY
Source: Barriers to Cloud Adoption study, ComScore, Sept 2013
Slide 5: Compliance
Slide 6: Compliance
Certifications and attestations by region:
• United States: CJIS; CSA CCM; DISA; FDA CFR Title 21 Part 11; FedRAMP; FERPA; FIPS 140-2; FISMA; HIPAA/HITECH; HITRUST; IRS 1075; ISO/IEC 27001, 27018; MARS-E; NIST 800-171; Section 508 VPATs; SOC 1, 2
• United Kingdom: CSA CCM; ENISA IAF; EU Model Clauses; ISO/IEC 27001, 27018; NIST 800-171; SOC 1, 2, 3; UK G-Cloud
• Spain: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2; Spain ENS; Spain LOPD Auth.
• Singapore: CSA CCM; ISO/IEC 27001, 27018; MTCS; SOC 1, 2
• New Zealand: CSA CCM; ISO/IEC 27001, 27018; NZCC Framework; SOC 1, 2
• Japan: CSA CCM; CS Mark (Gold); FISC; ISO/IEC 27001, 27018; Japan My Number Act; SOC 1, 2
• European Union: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2
• China: China GB 18030; China MLPS; China TRUCS
• Australia: CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
• Argentina: Argentina PDPA; CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies.
Microsoft is regularly audited, submits self-assessments to independent 3rd party auditors and holds key certifications.
Slide 7: Comprehensive Compliance
DLP
Slide 8: “No. The Cloud is easier to hack/breach…”
Slide 9: Datacenter Security
Layers: Perimeter, Building, Computer room
• Seismic bracing
• Security operations center
• 24x7 security staff
• Days of backup power
• Cameras
• Alarms
• Two-factor access control: biometric readers & card readers
• Barriers
• Fencing
Slide 10: “No. We can’t have our info visible on the open internet…”
Slide 11: “No. We can’t have our info visible on the open internet…”
Encryption
a. Data at rest
   i. Volume-level encryption (BitLocker, AES 128-bit, FIPS-compliant)
   ii. File-level encryption (encrypted keys; minimal MS staff access in gov’t cloud)
b. Data in transit
   i. TLS/SSL (2048-bit)
   ii. IPsec encryption
   iii. AES 256-bit
   iv. FIPS validated
Slide 12: “No. We can’t have our info visible on the open internet…”
Encryption in the service:
• Encrypted in transit between client and service and within service data centers
• BitLocker encryption protects drives where content is stored
• Contents of each file encrypted with a unique key
• Large files are stored in parts with a unique key per part
• File contents and encryption key are stored separately
Azure RMS:
• Use Azure RMS to encrypt your secret data before uploading
• Works across phones, tablets, and PCs
• Information protected both within and outside the organization
Master key in Azure Key Vault:
• You upload it to Azure Key Vault and grant access to the Office 365 service
• Master key is used to encrypt/decrypt per-file encryption keys
• You can remove it or revoke access to it at any time
• If it is removed or access is revoked, SharePoint Online can no longer decrypt your content
• Does not limit/restrict SharePoint Online functionality when enabled
Slide 16: “No. We can’t have our info visible on the open internet…”
• Private VPN
• Customers can extend their on-premises sites using VPN or dedicated ExpressRoute connections
• Customer owns and manages certificates, policies, and user access
Slide 17: “No. We’ll never be able to determine Appropriate Usage by our users…”
Slide 18: Security and Compliance Center
• Powerful for experts, and easier for generalists to adopt
• Scenario-oriented workflows with cross-cutting policies spanning features
• Powerful content discovery across Office 365 workloads
• Proactive suggestions leveraging Microsoft Security Intelligence Graph
Slide 19: Office 365 Auditing
(Diagram) Azure Active Directory, SharePoint Online, Power BI; Security & Compliance Center
• Opt-in for all O365 tenants
• 1 billion events collected daily
Slide 20: Office 365 Auditing
Slide 21: Audited Activities
https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c
Slide 22: Sharing
Tenant-scoped unless noted:
• Allow sharing via anonymous access links and to authenticated external users
• Allow sharing to authenticated external users only (further limit to existing users)
• Don’t allow sharing to external users
• Limit external sharing using domains (allow and deny list); also at site collection level
• Prevent external users from sharing files, folders, sites they don’t own
• Require external users to accept sharing invitations with the same account the invitations were sent to
• Ability to choose default link type from anonymous, company shareable, restricted
• On OneDrive for Business only; when:
   • Users invite additional external users to shared files
   • External users accept invitations to access files
   • Anonymous access link is created or changed
• Prevent sharing of documents marked by DLP to external users
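As an added example (not from the deck), the tenant sharing settings listed above applied with the SharePoint Online Management Shell, followed by a unified audit log query of the kind the earlier auditing slides describe, to catch external-sharing events after the fact. The tenant URL, site URL, partner domain and the 7-day window are placeholders.

```powershell
# Added example, not from the deck. Tenant URL, site URL, partner domain and the
# 7-day window are placeholders. Needs the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell) and ExchangeOnlineManagement modules.

# --- Catch before: tenant-scoped sharing policy ---
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

$sharingPolicy = @{
    SharingCapability                          = 'ExternalUserSharingOnly' # authenticated externals only, no anonymous links
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner.example'        # placeholder partner domain
    PreventExternalUsersFromResharing          = $true                    # externals cannot reshare what they do not own
    RequireAcceptingAccountMatchInvitedAccount = $true                    # invitation must be accepted with the invited account
    DefaultSharingLinkType                     = 'Internal'               # default link is company-shareable, not anonymous
    NotifyOwnersWhenItemsReshared              = $true                    # OneDrive for Business owner notifications
    NotifyOwnersWhenInvitationsAccepted        = $true
}
Set-SPOTenant @sharingPolicy

# Tighter rule on one sensitive site collection (site-level override)
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' -SharingCapability Disabled

# --- Catch after: pull external-sharing events from the unified audit log ---
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # auditing is opt-in; make sure it is on

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations SharingInvitationCreated, AnonymousLinkCreated, SharingSet `
    -ResultSize 5000

# AuditData is a JSON payload per record; keep only anonymous links and guest targets
$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Operation -eq 'AnonymousLinkCreated' -or $_.TargetUserOrGroupType -eq 'Guest' } |
    Select-Object CreationTime, Operation, UserId, ObjectId, TargetUserOrGroupName |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call, so split the date range into smaller windows for busy tenants.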
Slide 23: “No. ‘Need To Know’ and ‘Least Privilege’ need to be supported…”
Slide 24: SharePoint Permissions – It Works
Slide 25: Other Considerations: Timing
• Catch It Before It Happens: the “Minority Report” method
• Catch It After It Happens: and discipline the culprit
• Minimize Issues
Slide 26: Catch Before
• Physical Security
• Azure RMS
• Rights Management
• Data Loss Prevention
Slide 27: Catch Before
Slide 28: Catch After
• Data Loss Prevention
• Auditing
Slide 29: Catch After
Slide 30: Minimize
• Labels, Tips
• Rights Management
Slide 31: Putting Pieces Together
Slide 32: Resources
Thank You! Ricardo Wilkins – Architect, Microsoft Solutions Division
Computer Enterprises, Inc. | www.ceiamerica.com
• Office 365 Trust Center
• Microsoft Trust Center
• Microsoft Secure
• Security Blogs on Office Blogs
• Compliance Blogs on Office Blogs
• Office 365 Roadmap