Whether you’re new to security and compliance in Office 365 or a seasoned veteran, we’ll have something for you in this session. Hear about Microsoft’s overall security story from Microsoft MVP Richard Harbridge, and better understand how it relates to SharePoint services, catch up on new developments over the past year, and learn about the new capabilities Microsoft provides. From advanced security management and threat intelligence to sensitive content encryption, governance and sharing there is plenty to discuss.
Security and Compliance with SharePoint and Office 365
1. Security and Compliance: A Whole New World with SharePoint and Office 365
Presented By: Richard Harbridge (@RHarbridge)
#ILTASPS
2. RICHARD HARBRIDGE
CTO & MVP | SPEAKER & AUTHOR | SUPER FRIENDLY
My twitter handle is @RHarbridge, blog is on http://2toLead.com, and I work at
3. Great, we know who you are, but what do you do on a daily basis?
MAXIMIZE SECURITY INVESTMENTS…
Typically the work centers around…
5. What are the big trends in security, compliance and transparency?
TOP THREE CLOUD CONCERNS…
Security: 73% of orgs indicated security as a top challenge holding back SaaS adoption
Compliance: 89% of orgs are required to govern content for compliance or business continuity purposes
Transparency: 63% of orgs state transparency challenges restrict them from growing their cloud usage
6. WHAT WE WILL TALK ABOUT TODAY…
Let’s Talk About User Control…
Let’s Talk About Security Services…
Let’s Talk About Compliance Services…
7. MANAGING ACCESS & CONTROL…
While core documents are managed and controlled, many other places, like team or departmental collaboration, suffer from permission challenges.
8. MANAGING ACCESS & CONTROL…
Throughout the Office 365 experience for SharePoint or OneDrive content, access control is readily available and easy to understand as an end user.
9. MANAGING ACCESS & CONTROL…
We use dynamic groups with membership defined as a rule, rather than as a static list of members. We expire groups whose continuing need is not attested.
Expiring Groups: admins set a duration after creation when group owners need to attest the continuing need for their group. Otherwise it is deleted.
One Identity: Azure Active Directory (AAD) is the master for group identity and membership across Office 365 (Exchange, SharePoint, Yammer, Teams, Planner, Power BI, etc.)
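As an added example (not part of the deck), here is how the two controls on this slide, a rule-based group and an expiration policy, are set up from PowerShell. It assumes the AzureAD PowerShell module (the era-appropriate tool; Microsoft has since retired it in favour of Microsoft Graph PowerShell, where New-MgGroup and New-MgGroupLifecyclePolicy take the equivalent parameters), a tenant licensed for Azure AD Premium P1 (required for both dynamic membership and group expiration), and an administrator session. The group name, membership rule, lifetime and notification address are illustrative.

```powershell
# Added example; assumes the AzureAD PowerShell module and an administrator session.
Connect-AzureAD

# 1. A dynamic Office 365 group: membership is a rule, not a list.
#    Users who match are added automatically; users who stop matching are removed.
$rule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'
$group = New-AzureADMSGroup -DisplayName "Finance Team" -MailNickname "finance-team" `
    -MailEnabled $true -SecurityEnabled $true `
    -GroupTypes @("Unified", "DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Rule evaluation is asynchronous: check the processing state and members a little later.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName

# 2. Expiration: owners must renew within the lifetime or the group is deleted
#    (soft-deleted; recoverable for 30 days with Restore-AzureADMSDeletedDirectoryObject).
#    The alternate address receives renewal notices for groups that have no owner.
$policy = New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 `
    -ManagedGroupTypes "Selected" `
    -AlternateNotificationEmails "it-governance@contoso.com"

# With ManagedGroupTypes "Selected" groups are opted in explicitly; "All" covers every
# Office 365 (Unified) group. Plain security groups are not covered by expiration.
Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id
Get-AzureADMSLifecyclePolicyGroup -Id $group.Id   # confirms the policy now applies
```

One caveat a practitioner should keep in mind: the attributes referenced in a membership rule (department, job title, extension attributes) become authorization data. Whoever can write those attributes, whether an HR feed, directory sync or a delegated admin, can put a user into the group, so confine rule attributes to ones that only a trusted provisioning path writes before using a dynamic group to grant access to sensitive content.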
10. MANAGING ACCESS & CONTROL…
Make it easy to manage access and ensure the wrong kind of sharing doesn’t take place, whether internal or external.
11. MANAGING ACCESS & CONTROL…
Better site management at a service level makes this easier: target and notify owners based on site activity, classifications, sharing status or more.
12. WHAT WE WILL TALK ABOUT TODAY…
Let’s Talk About User Control…
Let’s Talk About Security Services…
Let’s Talk About Compliance Services…
14. BEST WAY TO PROTECT YOUR DATA?
You need both defense in breadth and depth to mitigate product vulnerabilities, user education to mitigate human vulnerabilities, and continuous monitoring to shorten the time an attacker has inside your environment (because at some point, you will be attacked).
[Diagram: Breadth, Depth, User Education, Systematic Security]
15. THE BIGGER PICTURE…
Microsoft’s security platform is quite a bit more than just Office 365, and the modern security platform has considerably more capability today.
16. SECURE SCORE…
One place to understand your security position and what features you have enabled. Targeted guidance to increase your security level.
17. THREAT INTELLIGENCE…
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.
Broad visibility into attack trends: billions of data points from Office, Windows, and Azure
Integrated data from external cyber threat hunters
Proactive security policy management
Intuitive dashboards with drill-down capabilities
18. THREAT INTELLIGENCE…
Advanced Threat Analytics detections, grouped by attack phase:
Reconnaissance
• Account enumeration
• Net Session enumeration
• DNS enumeration
• Directory Services enumeration (ATA 1.7)
Compromised Credential
• Abnormal resource access
• Abnormal working hours
• Brute force using NTLM, Kerberos or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
Lateral Movement
• Abnormal authentication
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
Privilege Escalation
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
Domain Dominance
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
19. ADVANCED THREAT PROTECTION…
This is integrated across apps and services (across Exchange Online, SharePoint Online, OneDrive for Business, Office Apps, etc.)
Time-of-click protection against malicious URLs: URL reputation checks at the moment the user clicks, along with detonation of attachments found at the destination URLs.
Zero-day protection against malicious attachments: attachments that match no known virus signature are detonated in a sandbox and assessed using behavioral analysis.
Critical insights into external threats: rich reporting and tracking features provide critical insights into the targets and categories of attacks.
Intelligence sharing with devices: integration with Windows Advanced Threat Protection to correlate data across users and devices.
20. ADVANCED THREAT PROTECTION…
This is integrated across apps and services (across Exchange Online, SharePoint Online, OneDrive for Business, Office Apps, etc.)
Dynamic delivery for Safe Attachments, and URL detonation (not just links, but even files that contain links).
21. SENSITIVE CONTENT ENCRYPTION…
Office 365 Message Encryption, rather than RMS alone, lets us secure the message and send it on, while placing the responsibility on the receiving party, who views and replies (or downloads) through a secure portal.
Secure email that works across organizations and with anyone you wish to reach
Remove the complexity of getting started
Simplify manual or automatic protection
Ensure that all recipients can read and respond
23. WHAT CAN I DO IN THE ADMIN?
Multi-geo support, where you can control data residency (store in that geo) & control settings (distinct settings on sharing etc.)
24. ADVANCED SECURITY MANAGEMENT…
Advanced security management is a great way to be more pro-active with your policy enforcement and evaluating risks.
Threat detection: identify high-risk and abnormal usage, security incidents, and threats.
Enhanced control: shape your Office 365 environment with granular security controls and policies.
Discovery and insights: gain enhanced visibility and context into your Office 365 usage and shadow IT.
27. CONDITIONAL ACCESS…
Device access = conditional access (by IP, by managed or unmanaged device), enforced by blocking, by allowing read-only (browser-only) access, or even by specific session time-out settings.
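As an added example (not from the deck), the three controls named on this slide as they are applied to SharePoint Online and OneDrive from the SharePoint Online Management Shell: limited access for unmanaged devices, a network location allow list, and an idle session time-out. It assumes a SharePoint administrator session; the tenant name, site URL, IP ranges and time-outs are illustrative.

```powershell
# Added example; assumes the SharePoint Online Management Shell and a SharePoint admin.
# Tenant name, site URL, IP ranges and time-outs are illustrative.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Unmanaged devices get browser-only access: no download, print or sync.
# This only takes effect together with an Azure AD conditional access policy that
# targets non-compliant / non-joined devices and selects "Use app enforced restrictions".
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType WebPreviewableFiles

# A more sensitive site can override the tenant setting and block unmanaged devices outright.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/legal" `
            -ConditionalAccessPolicy BlockAccess

# Network location: only the corporate egress ranges (CIDR, comma separated) may reach
# SharePoint and OneDrive. Include the range you administer from, or this locks you out too.
Set-SPOTenant -IPAddressEnforcement $true `
              -IPAddressAllowList "203.0.113.0/24,198.51.100.0/24"

# Idle session time-out for browser sessions on shared or unmanaged machines:
# warn after 55 minutes of inactivity, sign out after 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
                          -WarnAfter (New-TimeSpan -Minutes 55) `
                          -SignOutAfter (New-TimeSpan -Minutes 60)

# Verify the effective tenant settings.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType,
                              IPAddressEnforcement, IPAddressAllowList
Get-SPOBrowserIdleSignOut
```

Two practical notes: the limited-access setting is a session control, so it does nothing for a device that never reaches the browser sign-in (the Azure AD policy is what decides which devices count as unmanaged), and the IP allow list applies to every client including the admin shell, so test it from a second session before relying on it.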
28. POWER BI…
It’s not just about enabling the sharing of reports and dashboards.
Policy Controls
I want to…                                I should use…
Control who uses Power BI                 Office 365 Portal to assign licenses
Prevent access off corp. network          AAD Conditional Access
View/control usage of PBI features        Power BI Admin Portal
Control usage of mobile features          Intune MAM
Audit Power BI activity                   Power BI auditing in Office 365 Portal
29. WHAT WE WILL TALK ABOUT TODAY…
Let’s Talk About User Control…
Let’s Talk About Security Services…
Let’s Talk About Compliance Services…
31. DATA IS GROWING…
Achieving organizational compliance is challenging.
50% year over year growth rate in electronic data
45% of orgs state lack of governance opens them to security & compliance risks
41% of orgs state enforcing a governance policy is their biggest issue
32. IN-PLACE COMPLIANCE…
Microsoft is evolving beyond the core preservation and monitoring.
Organization needs: preserve vital data, find relevant data, monitor activity
Data Governance: import, store, preserve and expire data
eDiscovery: quickly identify the most relevant data
Auditing: monitor and investigate actions taken on data
Security & Compliance Center: manage compliance for all your data across Office 365
33. IN-PLACE DATA LIFE-CYCLE…
Microsoft is prioritizing in-place models and offers many capabilities that fit with this model. Going beyond legal hold into preservation policy etc.
Benefits of in-place Office 365 data governance over journaling:
Location, query or policy based: apply preservation to a mailbox or SharePoint site, apply a query to hold less content, or use preservation policies
Higher fidelity and lower costs: content stays in Exchange and SharePoint, which results in lower storage costs and higher fidelity data
No impact to users: seamlessly create, edit, and delete without knowing data is being preserved
Reduce risk: data is not duplicated to another provider or compliance boundary. Record all actions taken on the data
Insights: insights to enable you to keep what’s important, delete what’s not, and to share according to policy
34. COMPLIANCE LIFE-CYCLE…
You can bring data into Office 365 today for preservation and to apply compliance. Once it’s in, all the in-place capabilities are applicable.
35. DATA LOSS PREVENTION…
Protect sensitive information taking into account content, users and the dynamic operating environment. Detailed story for how this can be used.
Sophisticated, built-in content protection across Office 365
Insights and automatic safeguards
End user empowerment to maintain productivity and enforcement
36. DATA LOSS PREVENTION…
DLP can be applied more precisely and to a wider variety of sources. The reporting is also improved and unified.
Unified policy definition | Unified reporting
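As an added example (not from the deck), a unified DLP policy of the kind these two slides describe and that the closing recommendations ask for at minimum: one policy definition covering SharePoint, OneDrive and Exchange that blocks external sharing of documents containing PII. It assumes Security & Compliance Center PowerShell via the ExchangeOnlineManagement module (Connect-IPPSSession) and a compliance administrator; the policy name, policy-tip text and match threshold are illustrative, while the sensitive information type names are the built-in ones and are checked first.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and a Compliance administrator.
# Policy name, policy-tip text and threshold are illustrative.
Connect-IPPSSession

# Confirm the exact names of the built-in sensitive information types before referencing them.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -match "Social Security|Credit Card" } |
    Select-Object Name, Publisher

# 1. Policy scope: all SharePoint sites, all OneDrive accounts, all mailboxes.
#    Start in test mode with policy tips, so matches are measured before anyone is blocked.
New-DlpCompliancePolicy -Name "PII Protection" `
    -Comment "Block external sharing of content containing PII" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. Rule: content with at least one SSN or card number that is shared with people
#    outside the organization is blocked; owner and last modifier get a policy tip,
#    and the site admin receives an incident report with the detections.
New-DlpComplianceRule -Name "PII shared externally" -Policy "PII Protection" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @("Owner", "LastModifier") `
    -NotifyPolicyTipCustomText "This item contains PII and cannot be shared outside the organization." `
    -GenerateIncidentReport "SiteAdmin" `
    -IncidentReportContent @("Title", "DocumentAuthor", "Detections", "Severity") `
    -ReportSeverityLevel High

# 3. After a week or two of reviewing matches in the DLP reports, switch to enforcement.
Set-DlpCompliancePolicy -Identity "PII Protection" -Mode Enable

# Verify what is in force.
Get-DlpCompliancePolicy -Identity "PII Protection" | Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy "PII Protection" |
    Select-Object Name, AccessScope, BlockAccess, Disabled
```

The test-mode step is not optional in practice: pattern-based detection of identifiers such as SSNs produces false positives on invoices, part numbers and test data, and a rule that blocks on the first day will be switched off by the first frustrated department. The AccessScope of NotInOrganization is what keeps ordinary internal collaboration unaffected while still stopping guest invitations and anonymous links on matching content.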
37. ADVANCED DATA GOVERNANCE…
Helping customers understand how to better improve their data governance and giving them the tools they need to do it.
Leverage intelligence to automate data retention
Classify data based on age, type, user, or sensitivity
Policy recommendations based on machine learning
Apply actions to preserve high value data
Purge redundant, obsolete, and trivial data
43. AUDIT LOG…
It’s not just that everything is audited. It’s that we can have alerts, that we can extend this with the API, and that this can be helpful.
44. AUDIT LOG…
Be sure to use the API to store this data if you want to use it at a later time: the Security & Compliance Center keeps the unified audit log only for a limited period (90 days at the time of this deck), so anything older has to be exported to your own storage or SIEM. Note also that end-user mailbox activity only appears if mailbox auditing is enabled on the mailbox, which was not the default at the time.
What is audited, by workload:
Exchange Online: admin activity, end-user (mailbox) activity
Security and Compliance Center: admin activity
Azure Active Directory: Office 365 logins, directory activity
Power BI: admin activity
SharePoint Online and OneDrive for Business: file activity, sharing activity
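As an added example (not from the deck), a weekly review of the SharePoint and OneDrive sharing activity listed above, pulled from the unified audit log with Search-UnifiedAuditLog and exported so it outlives the portal’s retention window. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and a role holding View-Only Audit Logs. The operation names are the real SharePoint sharing audit operations; the look-back window, session name and output file are illustrative. The Management Activity API the slide mentions is the right tool for continuous collection into a SIEM; this script is the ad-hoc equivalent.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and View-Only Audit Logs.
# Look-back window, session name and output path are illustrative.
Connect-ExchangeOnline

# Nothing to search if unified audit log ingestion was never switched on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled; enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

$end   = Get-Date
$start = $end.AddDays(-7)
$ops   = "SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated",
         "AddedToSecureLink", "SharingSet"

# Page through results inside a session: ReturnLargeSet hands back up to 5,000 records
# per call and up to 50,000 per session. Keep calling until a call returns nothing.
$sessionId = "sharing-review-" + $end.ToString("yyyyMMddHHmmss")
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON document; the fields worth keeping live inside it.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $d.CreationTime
        Actor      = $d.UserId
        Operation  = $d.Operation
        Item       = $d.ObjectId
        Site       = $d.SiteUrl
        Target     = $d.TargetUserOrGroupName   # empty for anonymous links
        TargetType = $d.TargetUserOrGroupType   # Guest, Member, SecurityGroup, ...
    }
}

# The rows that deserve a human's attention: anonymous links and invitations to guests.
$external = $events | Where-Object {
    $_.Operation -eq "AnonymousLinkCreated" -or $_.TargetType -eq "Guest"
}
$external | Sort-Object When | Format-Table When, Actor, Operation, Item, Target -AutoSize

# Persist everything, not only the flagged rows: the export is the long-term record.
$events | Export-Csv -NoTypeInformation -Path ("sharing-events-{0:yyyyMMdd}.csv" -f $end)
```

Events are not searchable the instant they happen; ingestion lags by minutes to hours depending on the workload, so a weekly window that overlaps the previous run by a day avoids gaps at the boundary.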
46. EDISCOVERY…
Still an area that is continuing to improve.
Identify relevant documents: predictive coding enables you to train the system to automatically distinguish between likely relevant and non-relevant documents.
Identify data relationships: use clustering technology to look at documents in context and identify relationships between them.
Organize and reduce the data prior to review: use near duplicate detection to organize the data and reconstruct email threads from unstructured data to reduce what’s sent to review.
47. WHAT ABOUT SHAREPOINT 2016?
Last year Feature Pack 1 was released. It improved experiences and hybrid capabilities. It also includes a hybrid auditing capability that is unified with O365. Feature Pack 2, coming later this fall, is all about a better development pattern across on-premises and O365.
48. CUSTOMER LOCKBOX…
Can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization.
Extended access control: use Customer Lockbox to control access to customer content for service operations.
Visibility into actions: actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center.
[Diagram: approval flow. The Microsoft engineer submits a request to the Lockbox system; a Microsoft manager approves it; the customer approves it; only then is the engineer granted access to the customer’s data.]
“Only time we touch data is when you call with a support incident. Not something everyone needs. Example: in a recent month there were ~9 requests (5 were MSFT IT, 4 were customers out of millions and millions of customers).”
49. ENCRYPTION KEYS…
BYOK is for service exit! Remember: Contractual terms have clear obligations with fraud, negligence and breach of contract liabilities.
51. SERVICE TRUST & TRUST CENTER…
The Trust Center is still a great resource, but now in your Security and Compliance Center you have all the reports, trust documents, controls and more available for inspection (you can even share access).
Rich information on how Microsoft implements security, privacy and compliance controls, including details of testing by independent third-party auditors
Third-party audit reports including: SOC 1 / SSAE 16, SOC 2 / AT 101, ISO 27001, ISO 27018 and many more
Deep insights into how we implement encryption, incident management, tenant isolation and data resiliency
Information on how you can leverage Microsoft cloud security controls and configurations to protect your data
52. WHAT WE WILL TALK ABOUT TODAY…
Let’s Talk About User Control…
Let’s Talk About Security Services…
Let’s Talk About Compliance Services…
53. DEFAULT CONFIGURATION IS NOT ENOUGH…
There are a few high level recommendations that I wanted to leave you with.
• Configure Secure Score:
  • Weekly performance of activities to increase Secure Score is highly recommended.
  • Multi-factor authentication for global and non-global admins is a must!
  • Recommended weekly report checks are also a must.
  • Increase the target score slider to include a few more defense in breadth activities.
• DKIM/DMARC/SPF
  • Ensure that all three are enabled for your default (custom) domain, not only the onmicrosoft.com domain.
  • Also, check the Spoof mail report weekly (requires E5 or the Advanced Threat Protection SKU).
• Exchange Online
  • Weekly checks on all mailboxes by last login date (PowerShell script).
  • Enable the common attachment types filter & notifications under Protection > Malware.
  • Verify the list of allowed/blocked IPs under Protection > Connection filter.
  • Verify the block/allow lists in the spam filter policy.
• Threat Management (requires E5)
  • Check the dashboard and individual reports weekly.
• Data Loss Prevention
  • At minimum, set up a DLP policy for mitigating access to documents that contain Personally Identifiable Information (PII).
• SharePoint Online
  • Always use Groups and, where possible, use dynamic memberships!
  • If on premises, consider SharePointURLBrute or SharePoint UserDispEnum.
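As an added example (not from the deck), the Exchange Online and DKIM/DMARC/SPF checks above as one weekly script: stale mailboxes by last logon, the malware filter’s common attachment types setting and notifications, the connection filter IP lists, the spam policy allow and block lists, and the three email authentication records for the default custom domain. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and an Exchange administrator; the 90-day threshold and the notification address are illustrative.

```powershell
# Added example; assumes the ExchangeOnlineManagement module and an Exchange administrator.
# The 90-day threshold and the notification address are illustrative.
Connect-ExchangeOnline

# 1. Mailboxes nobody has signed into for 90 days. Shared and resource mailboxes are
#    excluded since they are never logged into directly. LastLogonTime is also bumped by
#    some background processing, so treat this as a lead and confirm in AAD sign-in logs.
$cutoff = (Get-Date).AddDays(-90)
$stale = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Get-MailboxStatistics |
    Where-Object { -not $_.LastLogonTime -or $_.LastLogonTime -lt $cutoff } |
    Select-Object DisplayName, LastLogonTime, TotalItemSize
$stale | Sort-Object LastLogonTime | Format-Table -AutoSize

# 2. Malware filter (Protection > Malware): is the common attachment types filter on,
#    and who is told when an internal sender trips it?
Get-MalwareFilterPolicy | Select-Object Name, EnableFileFilter, FileTypes,
    EnableInternalSenderAdminNotifications, EnableExternalSenderAdminNotifications,
    InternalSenderAdminAddress
# To turn it on for the default policy:
# Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true `
#     -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress "secops@contoso.com"

# 3. Connection filter IP lists (Protection > Connection filter). Every allow-list entry
#    bypasses spam filtering entirely, so each one needs an owner and a documented reason.
Get-HostedConnectionFilterPolicy | Select-Object Name, IPAllowList, IPBlockList, EnableSafeList

# 4. Spam filter policy allow/block lists. Allowed sender domains are a standing spoofing
#    hole: an attacker only needs to forge a domain that appears on this list.
Get-HostedContentFilterPolicy | Select-Object Name, AllowedSenders, AllowedSenderDomains,
    BlockedSenders, BlockedSenderDomains

# 5. SPF, DKIM and DMARC on the default custom domain, not the onmicrosoft.com domain.
$domain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName.ToString()
Get-DkimSigningConfig -Identity $domain | Select-Object Domain, Enabled, Status
(Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=spf1*" }
(Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=DMARC1*" }
```

An empty result from either of the last two queries is the finding: SPF and DMARC live in public DNS, not in the tenant, so they are the two of the three that a tenant-side review most often overlooks. A DMARC record with p=none is also worth flagging, since it reports on spoofing without stopping it.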
54. UNLOCK MORE CAPABILITIES…
Understand your current investments and what you already own today!
Identity and access management
  Azure Active Directory Premium P1 (EMS E3): secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
  Azure Active Directory Premium P2 (EMS E5): identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
Managed mobile productivity
  Microsoft Intune (EMS E3): mobile device and app management to protect corporate apps and data on any device
Information protection
  Azure Information Protection Premium P1 (EMS E3): manual classification and protection for files and emails shared inside and outside your organization; cloud-based file tracking
  Azure Information Protection Premium P2 (EMS E5): intelligent classification and protection for files and emails shared inside and outside your organization (includes all capabilities in P1)
Identity-driven security
  Microsoft Advanced Threat Analytics (EMS E3): protection from advanced targeted attacks leveraging user and entity behavioral analytics
  Microsoft Cloud App Security (EMS E5): enterprise-grade visibility, control, and protection for your cloud applications
Richard Harbridge is the Chief Technology Officer and an owner at 2toLead. Richard works as a trusted advisor with hundreds of organizations, helping them understand their current needs, their future needs, and what actions they should take in order to grow and achieve their bold ambitions.
Richard remains hands on in his work and has led, architected, and implemented hundreds of business and technology solutions that have helped organizations transform both digitally and organizationally. Richard has a passion for helping organizations achieve more; whether it is helping an organization build beautiful websites to support great content and social strategy, or helping an organization leverage emerging cloud and mobile technology to better service their members or the communities that they serve.
Richard is an author and an internationally recognized expert in Microsoft technology, marketing and professional services. As a sought-after speaker, Richard has often had the opportunity to share his insights, experiences, and advice around branding, partner management, social networking, collaboration, ROI, technology/process adoption, and business development at numerous industry events in around the globe. When not speaking at industry events, Richard works with Microsoft, partners, and customers as an advisor around business and technology, and serves on multiple committees, leads user groups, and is a Board Member of the Microsoft Community Leadership Board.
There is no charge for inviting B2B users and assigning them to an application in Azure AD. Every invited user gets the rights that the Azure AD Free edition offers if no paid Azure AD license exists in the tenant.
The inviting tenant will get 5 B2B user rights with each Azure AD paid license. That is, each Azure AD paid license providing the rights to Azure AD paid features to one employee user in a tenant, will now also provide the rights to those same Azure AD paid features to an additional 5 B2B users invited to the tenant.
Preservation is about protecting your data, archiving is about managing your storage.