(In)Security of data in Office 365 - facts and myths. Kamil Bączyk, Senior Infrastructure & Security Expert
Kamil Bączyk, Senior Infrastructure & Security Expert. Technologies: Office 365, SharePoint, Windows Server, Microsoft Azure, Security. Speaker at many conferences, meetups and events. Author of articles (online and print media) and webcasts. Over 10 years of experience in IT; MCSE, MCSA, MCT, CEH, ITIL. Twitter @KamilBaczyk, Mail: baczyk.kamil@gmail.com
Agenda: 1. How does Microsoft do it? 2. (In)Security - facts and myths: a) Data center security? b) Office in the cloud? (Is Word in the browser secure?) c) On-premises server room ("Mine is more mine") d) Cyber security (la la la NSA) 3. Summary
How does Microsoft do it? The idea. Security: the solutions. Where are my servers?
Microsoft security platform components (diagram): assets (user accounts, user log-ins, device log-ins); threats (malware, phishing, denial of service, unauthorized data access, attacks); controls (multi-factor authentication, data encryption, system updates, enterprise security)
Our unique intelligence (diagram figures: 300B, 1B, 200B signal volumes; the labels are not shown)
Global compliance with focus
Foundational: FedRAMP JAB P-ATO, ISO 27001, SOC 1 Type 2, SOC 2 Type 2, Cloud Controls Matrix, ISO 27018
Industry: HIPAA / HITECH, 21 CFR Part 11, FIPS 140-2, FERPA, DISA Level 2, CJIS, IRS 1075, ITAR-ready
Focused (regional): European Union Model Clauses, EU Safe Harbor, United Kingdom G-Cloud, China Multi Layer Protection Scheme, China GB 18030, China CCCPPF, Singapore MTCS Level 1, Australian Signals Directorate, New Zealand GCIO, Japan Financial Services, ENISA IAF
Key certifications. Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies. Trust Microsoft's verified services: Microsoft is regularly audited, submits self-assessments to independent third-party auditors, and holds key certifications.
Spain: CSA CCM, ENISA IAF, EU Model Clauses, EU-U.S. Privacy Shield, ISO/IEC 27001, 27018, SOC 1, 2, Spain ENS
United Kingdom: CSA CCM, ENISA IAF, EU Model Clauses, ISO/IEC 27001, 27018, NIST 800-171, SOC 1, 2, 3, UK G-Cloud
China: China GB 18030, China MLPS, China TRUCS
Singapore: CSA CCM, ISO/IEC 27001, 27018, MTCS, SOC 1, 2
Japan: CSA CCM, CS Mark (Gold), FISC, ISO/IEC 27001, 27018, Japan My Number Act, SOC 1, 2
United States: CJIS, CSA CCM, DISA, FDA CFR Title 21 Part 11, FedRAMP, FERPA, FIPS 140-2, FISMA, HIPAA/HITECH, HITRUST, IRS 1075, ISO/IEC 27001, 27018, MARS-E, NIST 800-171, Section 508 VPATs, SOC 1, 2
Argentina: Argentina PDPA, CSA CCM, IRAP (CCSL), ISO/IEC 27001, 27018, SOC 1, 2
European Union: CSA CCM, ENISA IAF, EU Model Clauses, EU-U.S. Privacy Shield, ISO/IEC 27001, 27018, SOC 1, 2
Australia: CSA CCM, IRAP (CCSL), ISO/IEC 27001, 27018, SOC 1, 2
New Zealand: CSA CCM, ISO/IEC 27001, 27018, NZCC Framework, SOC 1, 2
Microsoft's Secure Approach (diagram): the Intelligent Security Graph is fed by industry partners, the antivirus network, CERTs, the Cyber Defense Operations Center, the Malware Protection Center, Cyber Hunting Teams, the Security Response Center and the Digital Crimes Unit; it covers PaaS, IaaS and SaaS across the Identity, Apps and Data, Infrastructure and Device layers.
Demo: Where are my servers?
(In)Security - facts and myths: Data center security? Office in the cloud? On-premises server room. Activity logs. Cyber security.
Zero access privilege and automated operations: an O365 admin on the Microsoft corporate network requests access to the Office 365 datacenter network. Eligibility is verified by checking that 1. a background check is completed, 2. fingerprinting is completed, 3. security training is completed. Only then is a temporary privilege granted, and only the least privilege required to complete the task.
Data center security? Customer Lockbox. It must be enabled separately. Office 365 support must wait for the customer's approval before accessing data. Access is granted for a specified period of time. Works with: Exchange Online, SharePoint Online, OneDrive for Business.
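The Lockbox slide says the feature must be switched on separately; the following is an added example (not part of the deck) of doing that from Exchange Online PowerShell, confirming the setting, and pulling the tenant's approve/deny decisions out of the unified audit log. It assumes the ExchangeOnlineManagement module, an account holding the Global Administrator or "Customer Lockbox access approver" role, and the licence that includes Lockbox; the UPN is a placeholder.

```powershell
# Added example (not from the deck): enable Customer Lockbox, prove it is on, and list
# the tenant's decisions on Microsoft support access requests.
# Assumptions: ExchangeOnlineManagement module, sufficient role, Lockbox licence;
# admin@contoso.onmicrosoft.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

function Enable-CustomerLockbox {
    # Lockbox is off by default: without it, support engineers are granted access to
    # mailbox and site content through Microsoft's internal approval flow alone.
    Set-OrganizationConfig -CustomerLockBoxEnabled $true
    $cfg = Get-OrganizationConfig
    if (-not $cfg.CustomerLockBoxEnabled) {
        throw 'Customer Lockbox is still disabled: check licensing and the role of the signed-in account.'
    }
    return $cfg.CustomerLockBoxEnabled
}

function Get-LockboxDecisions {
    param([int]$Days = 90)
    # Approvals and denials are written to the unified audit log as
    # Set-AccessToCustomerDataRequest operations (operation name as in Microsoft's
    # Lockbox audit documentation; confirm it in your own tenant's log).
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 5000 |
        ForEach-Object {
            [pscustomobject]@{
                When     = $_.CreationDate
                Approver = $_.UserIds
                Details  = $_.AuditData      # raw JSON payload of the request and decision
            }
        }
}

Enable-CustomerLockbox
Get-LockboxDecisions | Format-Table -AutoSize
```

Each approved request expires on its own once the requested period ends, so the audit query, rather than the setting itself, is what tells you who let Microsoft staff into which data and when.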
Defense in depth (security management by layer):
Data: threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
User: account management, training and awareness, screening
Application: secure engineering (SDL), access control and monitoring, anti-malware
Host: access control and monitoring, anti-malware, patch and configuration management
Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
Network perimeter: edge routers, firewalls, intrusion detection, vulnerability scanning
Facility: physical controls, video surveillance, access control
Office in the cloud? DLP + RMS. Messages are encrypted on demand or by rules. Encrypted content can be opened only by authenticated recipients, and a template can restrict it to the organization. You can build your own rules and combine them (DLP detection + encryption). Works with: Exchange Online, SharePoint Online, OneDrive for Business.
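The "own rules that combine DLP and encryption" point, as an added example that is not from the deck: one mail flow rule whose condition is a DLP sensitive-information match and whose action is an RMS template. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline already run), Azure RMS activated for the tenant, and the built-in "Credit Card Number" sensitive information type; the rule name is a placeholder.

```powershell
# Added example (not from the deck): DLP condition + RMS action in a single mail flow rule.
# Assumptions: Exchange Online PowerShell session, Azure RMS active, built-in
# "Credit Card Number" classification; the rule name is a placeholder.

function Get-AvailableRmsTemplate {
    param([string]$Preferred = 'Encrypt')
    # 'Encrypt' is the OME template any authenticated recipient can open;
    # 'Do Not Forward' keeps the content with the named recipients only.
    $templates = Get-RMSTemplate
    $t = $templates | Where-Object Name -eq $Preferred
    if (-not $t) { throw "Template '$Preferred' not available; tenant has: $($templates.Name -join ', ')" }
    $t
}

function New-EncryptOnSensitiveDataRule {
    param(
        [string]$Name = 'Encrypt external mail containing card numbers',
        [string]$Template = 'Encrypt'
    )
    $rms = Get-AvailableRmsTemplate -Preferred $Template
    # Condition: the message leaves the organization AND carries at least one card number.
    # Action: apply the RMS template, so body and attachments are usable only after the
    # recipient authenticates and only with the rights the template grants.
    New-TransportRule -Name $Name `
        -SentToScope NotInOrganization `
        -MessageContainsDataClassifications @(@{ Name = 'Credit Card Number'; MinCount = '1' }) `
        -ApplyRightsProtectionTemplate $rms.Name `
        -Mode Enforce `
        -Priority 0
}

New-EncryptOnSensitiveDataRule
# Read back what Exchange stored for the rule's condition and action.
Get-TransportRule 'Encrypt external mail containing card numbers' |
    Format-List Name, State, Mode, SentToScope, MessageContainsDataClassifications, ApplyRightsProtectionTemplate
```

Start with -Mode Audit and read the DLP reports for a few days before switching to Enforce: the classification's confidence and count thresholds decide how many false positives the rule will encrypt.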
Demo: DLP + RMS
Alerting architecture: activity from users, admins and Microsoft admins is collected by the Azure Audit Data Service, passes through event enrichment, and is fed to a big-data and machine-learning based alerts engine (anomaly detection, activity policy evaluation). Alert investigation and notification happen in the Advanced Security Management portal and by e-mail ("You have mail!") or SMS.
Anomaly detection architecture. Each session is scored on risk factors such as location, user agent, admin user?, anonymous proxy?, time since last activity, ISP, and more; the factor scores (0-100) are combined into a session risk score that is compared against a threshold (the slide shows a grid of such scores for Session #1..#N). Session-based: recent user activities across apps, devices and locations are combined to create a user session. Risk score: risk factors are calculated for each session and combined to calculate the total session risk score. Alert trigger: sessions above the risk threshold trigger an alert (top k sessions) containing the risk breakdown and related activities. User feedback: the anomaly engine is customized by turning risk factors on or off for specific users or groups.
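A toy version of that pipeline, added here as an example and not code from the deck or from the Advanced Security Management service: sessions are scored per factor, the factors are combined into one risk score, sessions over a threshold become alerts (top-k, with a breakdown), and per-user feedback switches factors off. The factor heuristics, weights, threshold, baselines and sample sessions are all invented for illustration; the real engine learns them from tenant activity.

```powershell
# Added example (not from the deck): session-risk scoring with noisy-OR combination,
# threshold/top-k alerting and per-user factor feedback. All data below is constructed.

# Constructed per-user baselines of "known" attributes.
$Baselines = @{
    'alice@contoso.com' = @{ Countries = @('PL'); UserAgents = @('Outlook/16');   ISPs = @('Orange'); IsAdmin = $false }
    'admin@contoso.com' = @{ Countries = @('PL'); UserAgents = @('PowerShell/7'); ISPs = @('Orange'); IsAdmin = $true }
}
# How much each factor may contribute (0..1); 1.0 means the factor alone can max out the score.
$Weights = @{ Location = 0.9; UserAgent = 0.7; ISP = 0.5; AnonymousProxy = 1.0; AdminUser = 0.5; TimeSinceLastActivity = 0.4 }

function Get-RiskFactors {
    param([Parameter(Mandatory)][hashtable]$Session, [Parameter(Mandatory)][hashtable]$Baseline)
    # Each factor scores the session 0..100; these rules stand in for learned features.
    @{
        Location              = $(if ($Baseline.Countries  -contains $Session.Country)   { 0 } else { 80 })
        UserAgent             = $(if ($Baseline.UserAgents -contains $Session.UserAgent) { 0 } else { 60 })
        ISP                   = $(if ($Baseline.ISPs       -contains $Session.ISP)       { 0 } else { 30 })
        AnonymousProxy        = $(if ($Session.AnonymousProxy) { 100 } else { 0 })
        AdminUser             = $(if ($Baseline.IsAdmin)       { 40 }  else { 0 })
        TimeSinceLastActivity = $(if ($Session.HoursSinceLastActivity -gt 168) { 50 } else { 0 })
    }
}

function Get-SessionRisk {
    param([hashtable]$Factors, [hashtable]$Weights, [string[]]$DisabledFactors = @())
    # Noisy-OR: enabled factors are independent votes for "compromised", so one strong signal
    # (anonymous proxy) can cross the threshold alone while several weak ones add up.
    $survive = 1.0
    foreach ($name in $Factors.Keys) {
        if ($DisabledFactors -contains $name) { continue }    # user feedback: factor switched off
        $p = ($Factors[$name] / 100.0) * $Weights[$name]
        $survive *= (1.0 - $p)
    }
    [math]::Round(100.0 * (1.0 - $survive), 1)
}

function Get-RiskAlerts {
    param([hashtable[]]$Sessions, [double]$Threshold = 70, [int]$TopK = 3, [hashtable]$FeedbackDisabled = @{})
    $scored = foreach ($s in $Sessions) {
        $factors = Get-RiskFactors -Session $s -Baseline $Baselines[$s.User]
        $off = if ($FeedbackDisabled.ContainsKey($s.User)) { $FeedbackDisabled[$s.User] } else { @() }
        $breakdown = $factors.GetEnumerator() |
            Where-Object { $_.Value -gt 0 -and $off -notcontains $_.Key } |
            ForEach-Object { "$($_.Key)=$($_.Value)" }
        [pscustomobject]@{
            Id        = $s.Id
            User      = $s.User
            Risk      = Get-SessionRisk -Factors $factors -Weights $Weights -DisabledFactors $off
            Breakdown = $breakdown -join ', '
        }
    }
    # Alert trigger: sessions over the threshold, highest risk first, capped at top-k.
    $scored | Where-Object Risk -ge $Threshold | Sort-Object Risk -Descending | Select-Object -First $TopK
}

# Constructed sessions (the slide's Session #1..#N).
$SampleSessions = @(
    @{ Id = 1; User = 'alice@contoso.com'; Country = 'PL'; UserAgent = 'Outlook/16';   ISP = 'Orange';  AnonymousProxy = $false; HoursSinceLastActivity = 2 }
    @{ Id = 2; User = 'alice@contoso.com'; Country = 'NG'; UserAgent = 'curl/8';       ISP = 'Unknown'; AnonymousProxy = $true;  HoursSinceLastActivity = 200 }
    @{ Id = 3; User = 'admin@contoso.com'; Country = 'DE'; UserAgent = 'PowerShell/7'; ISP = 'Orange';  AnonymousProxy = $false; HoursSinceLastActivity = 1 }
    @{ Id = 4; User = 'alice@contoso.com'; Country = 'DE'; UserAgent = 'Outlook/16';   ISP = 'Orange';  AnonymousProxy = $false; HoursSinceLastActivity = 5 }
)

Get-RiskAlerts -Sessions $SampleSessions | Format-Table -AutoSize
# Alice travels to Germany often: switch her Location factor off. Session 4 then drops out,
# while session 2 still alerts because the anonymous proxy alone scores 100.
Get-RiskAlerts -Sessions $SampleSessions -FeedbackDisabled @{ 'alice@contoso.com' = @('Location') } | Format-Table -AutoSize
```

With these numbers the first call alerts on sessions 2 (100), 3 (77.6) and 4 (72.0); after the feedback, session 4 scores 0 and only 2 and 3 remain. The design point is that feedback removes a factor for one user without lowering the global threshold for everyone.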
App discovery architecture: network traffic logs (web proxy, firewall) from the on-premises network are manually uploaded to Advanced Security Management; a log parser feeds log analysis against the SaaS DB (Azure Discovery), and the discovery aggregations are stored in the tenant DB. Use traffic logs to discover and analyze which cloud apps are in use. Office 365 discovery categories: Collaboration: SharePoint; Cloud Storage: OneDrive; WebMail: Exchange; Social Network: Yammer; Online Meeting: Skype.
Log format compatibility: network traffic logs include a notification/disclaimer that explains if there is missing data in the chosen format.
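The discovery and log-compatibility slides above, as an added example that is not from the deck or from the service: it parses constructed proxy log lines, maps destination hosts to the Office 365 services and categories the slide lists, aggregates per app, and reports which expected fields the log format lacks, which is what the compatibility disclaimer is about. The log format, the host table and the sample lines are invented; a real upload uses the vendor formats the service supports.

```powershell
# Added example (not from the deck): parse a constructed proxy export, categorize cloud apps,
# aggregate usage, and surface missing/partial fields instead of dropping them silently.

# Host suffix -> app/category. More specific suffixes first (OneDrive before SharePoint).
$AppCatalog = @(
    @{ Suffix = '-my.sharepoint.com';    App = 'OneDrive for Business'; Category = 'Cloud Storage' }
    @{ Suffix = 'sharepoint.com';        App = 'SharePoint Online';     Category = 'Collaboration' }
    @{ Suffix = 'outlook.office365.com'; App = 'Exchange Online';       Category = 'WebMail' }
    @{ Suffix = 'yammer.com';            App = 'Yammer';                Category = 'Social Network' }
    @{ Suffix = 'lync.com';              App = 'Skype for Business';    Category = 'Online Meeting' }
    @{ Suffix = 'dropbox.com';           App = 'Dropbox';               Category = 'Cloud Storage (third party)' }
)

function Resolve-CloudApp {
    param([Parameter(Mandatory)][string]$DestHost)
    foreach ($entry in $AppCatalog) {
        if ($DestHost.ToLower().EndsWith($entry.Suffix)) { return $entry }
    }
    @{ App = "Unknown ($DestHost)"; Category = 'Uncategorized' }
}

function Get-DiscoveryReport {
    param(
        [Parameter(Mandatory)][string]$LogText,
        # Fields the analysis wants; anything absent or blank is reported in the result.
        [string[]]$ExpectedFields = @('timestamp', 'user', 'src_ip', 'dest_host', 'bytes_out', 'bytes_in', 'action')
    )
    $rows    = @($LogText | ConvertFrom-Csv)
    $present = $rows[0].PSObject.Properties.Name
    $absent  = @($ExpectedFields | Where-Object { $present -notcontains $_ })
    $partial = @(foreach ($f in ($ExpectedFields | Where-Object { $present -contains $_ })) {
        $empty = @($rows | Where-Object { [string]::IsNullOrEmpty($_.$f) }).Count
        if ($empty -gt 0) { "$f ($empty of $($rows.Count) rows empty)" }
    })

    $apps = $rows | ForEach-Object {
        $m = Resolve-CloudApp -DestHost $_.dest_host
        [pscustomobject]@{ User = $_.user; App = $m.App; Category = $m.Category
                           Bytes = [long]$_.bytes_out + [long]$_.bytes_in }
    } | Group-Object App | ForEach-Object {
        [pscustomobject]@{
            App        = $_.Name
            Category   = $_.Group[0].Category
            Requests   = $_.Count
            Users      = @($_.Group.User | Where-Object { $_ } | Sort-Object -Unique).Count
            TotalBytes = ($_.Group | Measure-Object Bytes -Sum).Sum
        }
    } | Sort-Object TotalBytes -Descending

    [pscustomobject]@{ Apps = $apps; MissingFields = $absent; PartialFields = $partial }
}

# Constructed proxy export: no "action" column, and one row without a user name.
$SampleLog = @'
timestamp,user,src_ip,dest_host,bytes_out,bytes_in
2017-03-01T08:01:12Z,alice@contoso.com,10.0.0.12,contoso.sharepoint.com,1200,48000
2017-03-01T08:02:40Z,alice@contoso.com,10.0.0.12,contoso-my.sharepoint.com,250000,900
2017-03-01T08:03:05Z,bob@contoso.com,10.0.0.31,outlook.office365.com,3000,22000
2017-03-01T08:04:19Z,,10.0.0.77,www.dropbox.com,810000,1200
2017-03-01T08:05:00Z,carol@contoso.com,10.0.0.45,meet.lync.com,4000,4000
2017-03-01T08:06:31Z,bob@contoso.com,10.0.0.31,www.yammer.com,500,16000
'@

$report = Get-DiscoveryReport -LogText $SampleLog
$report.Apps | Format-Table -AutoSize
"Fields absent from this log format: $($report.MissingFields -join ', ')"
"Fields only partly populated:       $($report.PartialFields -join '; ')"
```

On this input the report lists Dropbox as the largest upload target with no attributable user and flags that the format has no action field, so allow/deny outcomes cannot be analyzed: exactly the kind of gap the compatibility disclaimer warns about before you trust the numbers.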
App permissions architecture: all third-party apps in the tenant feed an app permissions aggregation (Azure), which backs the app permissions dashboard. Enterprise apps can integrate with Azure Active Directory to provide secure sign-in and authorization for Office 365 services. We provide a dashboard for the security admin to get visibility and control over all third-party apps that users or admins consented to.
Introducing Microsoft Cloud App Security: enterprise-grade security for your cloud apps. A cloud-delivered service bringing visibility and control to cloud apps, committed to supporting third-party cloud apps, based on the Adallom acquisition. Available standalone or in E5.
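The consents behind that dashboard can be enumerated directly; the following is an added example, not from the deck or from the Cloud App Security product, that lists OAuth2 permission grants to apps not owned by the tenant or by Microsoft, who granted them, and with what scope. It assumes the AzureAD PowerShell module with Connect-AzureAD already run as Global Reader or Global Administrator; that module has since been superseded by Microsoft Graph PowerShell, and the "first party" filter is a heuristic rather than an authoritative list.

```powershell
# Added example (not from the deck): enumerate third-party OAuth2 consents in the tenant.
# Assumptions: AzureAD module, Connect-AzureAD already run with a reader/admin role.
function Get-ThirdPartyAppConsents {
    $ownTenant = (Get-AzureADTenantDetail).ObjectId
    $spById = @{}
    foreach ($sp in Get-AzureADServicePrincipal -All $true) { $spById[$sp.ObjectId] = $sp }

    foreach ($grant in Get-AzureADOAuth2PermissionGrant -All $true) {
        $client = $spById[$grant.ClientId]
        if (-not $client) { continue }
        # First party = owned by our tenant or published by Microsoft (heuristic); skip those.
        if ($client.AppOwnerTenantId -eq $ownTenant) { continue }
        if ($client.PublisherName -like 'Microsoft*') { continue }
        $resource = $spById[$grant.ResourceId]
        # AllPrincipals = admin consented for every user; Principal = one user consented.
        $who = if ($grant.ConsentType -eq 'AllPrincipals') { '<admin consent, all users>' } else { (Get-AzureADUser -ObjectId $grant.PrincipalId).UserPrincipalName }
        [pscustomobject]@{
            App       = $client.DisplayName
            Publisher = $client.PublisherName
            Resource  = $resource.DisplayName
            Scope     = "$($grant.Scope)".Trim()
            GrantedBy = $who
            GrantId   = $grant.ObjectId
        }
    }
}

# Consents whose scope reaches mail, files, sites or the directory deserve review first.
# Revoke a grant with: Remove-AzureADOAuth2PermissionGrant -ObjectId <GrantId>
Get-ThirdPartyAppConsents |
    Where-Object { $_.Scope -match 'Mail\.|Files\.|Sites\.|Directory\.' } |
    Format-Table App, Publisher, Resource, Scope, GrantedBy -AutoSize
```

Revoking the grant removes the app's delegated access, but tokens already issued stay valid until they expire, so for a suspicious app also disable the service principal or reset the affected users' sessions.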
On-premises server room: ASM, ATP, Cloud App Security. Reports on service, user and sign-in activity, compromised accounts and locations. Log import and analysis. Customization of report data. Works with: Exchange Online, SharePoint Online, OneDrive for Business.
Demo: Cloud App Security, ASM, ATP
Office 365 Security: built-in security (Microsoft security best practices, 24-hour monitored physical hardware, automated operations, isolated customer data, encrypted data, secure network), customer controls, independent verification.
Isolated Customer Data Data in Cloud
Encryption: in transit and at rest. In transit, SSL/TLS encryption protects client-to-server, server-to-server and datacenter-to-datacenter communications. At rest, encryption protects against unauthorized physical access to servers/hardware in datacenters and against theft or inappropriate handling of a disk or server. (Diagram: customer Windows PC to server over SSL/TLS; server to server over SSL/TLS; data disks encrypted.)
Kamil Bączyk Q and A Twitter @KamilBaczyk Mail: baczyk.kamil@gmail.com