Notes from Microsoft Ignite Microsoft OneDrive for Business: Most Secure for your Data in the Cloud

Microsoft Ignite is proving to be an exciting conference with new technologies and announcements about how Microsoft is evolving their technology stack to help us collaborate in new and better ways. I'm at the conference attending sessions on security, data protection, migration and other topics and want to share my notes so that they may be a resource to others as well.

Presented: Thursday May 7, 2015
Presenters: Liam Cleary, Protiviti; Denis Minium, Microsoft


- Who poses the threat?

• Initially typically worry about the hackers, external people - people trying to steal our content
  
• Moving to the cloud our infrastructure is under control of someone else - you need to
  
• There s is a gap between your content in the cloud and the edge - this is a good thing that helps protect your content against hackers
  
• But what about the Microsoft operator
  

- Do you trust the Microsoft operator that works in the data center and could be looking at your email, pictures, etc.

Microsoft Cloud Security

• Physical - perimeter security, background checks, biometric auth
• Network - network ACLs, encryption in transit, auditing and monitoring (most important strategy)
• Access - 2-factor auth, just in time access, manager approval
• Application - SDL process, claims based auth, fine grained permissions
• Finely control who gets in and what they can access, including the Microsoft operator
• Data - bit locker, per file encryption, rights management
• Microsoft employee access
• Personnel - background checks, screening
• Account Management - automatic account deletion, unique accounts, zero access privileges
• Training, Policies and Awareness
• Just in time access - zero access privilege & role based access
• Reason - Requests require valid reasons
• Eligible - Access eligibility checklist
• Employment verified?
• Background check?
• Finger printed?
• Security training?
• Manager approval?
• Role - Role Check - identified as someone that has access to these resources
• Activity Logged
  
• Customer Approved - see Customer Lockbox Announcement

Assumed Breach Methodology

• Know thy adversary - annual data breach + threat reports; thorough knowledge of assets and business model
• Ask: is your content valuable to you?
• Continuous Validation
• Penetration testing by Office 365 red team
• Red team activity validates intrusion detection investments

"What is my adversary likely to do, and what evidence will that leave behind?"

• External intruders will attempt to break in...so our full time red team looks to exploit vulnerabilities before they can
• Also use all insider knowledge to test inner defenses
• Microsoft RED TEAM - Half team on inside and half on outside

Each file is uniquely encrypted

• Each file has separate key
• Larger files are split into chunks - each chunk gets its own key
• When files change, the deltas get their own key
• Monitored highly secure key store
• Encrypted chunks are randomly dispersed across different azure storage accounts
• Keys are then encrypted themselves and stored in content DB
• Content DB only contains a map of dispersed chunks and encrypted keys
• Keys in the key store are rotated - not permanent keys
• Most secure store is the key store - even if you get to the key store all you have is a key
• Bit locker used on all disks in the system

- We don't trust the end users
- We don't trust the administrators

- IRM in SharePoint Online

• Admin - simple to provision and configure using Microsoft Azure Rights Management - no on premises RMS server required
• Protection managed at individual library level protecting Office and Adobe PDF file formats
• End users
• Documents are protected at the time fo download from a library and rights given to appropriate user accounts per the library settings
• User can edit the document in supported office clients and protection is removed at time of upload

- Data Loss Protection Policies

• Can selectively choose how DLP poliices are applied - select between SharePoint Online or OneDrive for Business or both
• Customize and create rules - ex. rule called 'sensitive data' and in the rule can specify what is sensitive data
• Actions when policy triggered - Send notifications, display policy tip, override options, report and send email incidents
• Can customize message displayed to the user
• Use reports and auditing

- Retention policies

• New document deletion policies
• Can have multiple deletion policies based on type of content
• Site owners choose policy
• Enforce mandatory policies - helps to minimize the risk; avoids the question of should I do this or not
• Extends to OneDrive for Business
• Conditional Access - Can prevent sync'ing to non-domain devices
• Powershell:
• Get-SPOTenantSyncClientRestriction
• Set-SPOTenantSyncClientRestriction -domainGUIDS "GUID" -enable
• Match occurs by GUID - if machine GUID matches then sync allowed
• If try, get error back when trying to sync a folder that simply says 'Could not sync library'
• Can enforce policies on all site collections

- Mobile Device Management - Built into O365

• User centric approach
• Conditional access - this feature can prevent non-domain joined machines from sync'ing data
• Device management
• Selective wipe and reporting
• Application management
• Powered by Microsoft Intune

Announcements

• Customer Lockbox - client is in control of whether Microsoft has access to data or not
• On roadmap for Q1 2016
• Customer Held Keys - customer provides the key which is used to encrypt Microsoft's keys
• If customer leaves, then Microsoft has no access to any remaining data
• On roadmap for later in 2016
• More detialed audit logs - audit read activity, more in depth operator activity
• Customer Preview in Q3 2015
• Conditional access for Browser - prevent browser access unless accessing from a managed and compliant machine
• No timeline yet

You can watch the entire presentation here: https://channel9.msdn.com/Events/Ignite/2015/BRK3182

Enjoy.
-Antonio