Follow me on Twitter @AntonioMaio2

Monday, October 17, 2016

How Secure Is My Data in Office 365?

A few weeks ago, on September 21, I gave a session at the DFW user group meeting called How Secure is My Data in Office 365?  Thank you to all those that attended and my apologies for the delay in posting my presentation.  Life has been busy.

I actually get asked this question quite often by clients that are concerned about migrating their data and workloads to Office 365.  Organizations tend to have an easier time when it comes to moving Exchange to Office 365.  However, the question tends to come more from clients considering moving SharePoint team sites or OneDrive for Business to the cloud.

It's important to consider the question from various angles.  Here is a summary of the points I make during my session to help answer the question...

My slides from that evening can be found here:



Data Center Security, Monitoring & Data Sovereignty

  • Microsoft operates over 100 world class data centers around the world to store and host the Office 365 platform.  
  • Data center security includes undisclosed locations, 24 x 7 x 365 monitoring, fenced and guarded entryways, access restricted to authorized personnel with multiple layers of biometric scans, background checks on all data center employees, redundant power and cooling, etc.
  • Microsoft data centers truly are enterprise grade and operate at what is referred to as hyperscale, with over 1 million servers and over 15 billion dollars currently invested.  
  • Microsoft data centers are currently located in 34 regions around the world, so if data sovereignty is a concern, you can select which region you wish to have your tenant hosted in and be assured that your data will remain in region or in country.

Best Practices in Server Deployment

  • Servers are deployed to the Office 365 environment using the best practices that Microsoft has promoted and IT Pros have been using for years, including least privilege models, segregation of responsibilities for service accounts and server roles, control of ports & protocols through server hardening, etc.  
  • The provisioning of new servers within a farm is automated to ensure that new servers are always provisioned the same way every time.
  • The farms hosting the Office 365 services are built to meet Microsoft's extremely rigid SLAs.
  • The entire Office 365 service is constructed to maintain separation of data between tenants, so that data from one tenant cannot leak into another tenant.  The service has been designed from the ground up to support this very strict requirement.

High Availability and Disaster Recovery

  • Microsoft guarantees 99.9% availability of its Office 365 environment.  That means a maximum of 8 h 45 m 57 s of downtime per year.  This commitment to its customers is financially backed as well.
  • Microsoft publishes its measured SLA statistics on a quarterly basis and we can see that they are often hitting better than 99.9%, and occasionally achieving 99.99%.  To put that in perspective, that's 52 m 35.7 s of downtime per year.
  • For disaster recovery, Microsoft commits to its customers a 6 hour RTO (recovery time objective) and a 1 hour RPO (recovery point objective).  That means that in the event of a data center disaster, your tenant will be back up and running in a maximum of 6 hours, and you will at most lose 1 hour of data.
  • High Availability and Disaster Recovery are available out of the box with Office 365, at every level of license you can purchase.  There is nothing that customers need to do to enable that!

If we consider just this one aspect of protecting your data, comparing what Microsoft provides to what you can build, deploy and maintain, would your current data center provide this level of availability or disaster recovery?

Automation and Restriction of Server Administrative Functions

  • Regular server administration functions are automated through PowerShell, so that administrative functions are fulfilled the same way every time.  The human element is removed when it comes to routine server maintenance and management.
  • Administrators of the Office 365 data centers have zero standing access to the environment.  If an administrator or support personnel requires access to a tenant, they must submit a ticket internally requesting access through a formal process called 'lockbox'.  They must specify exactly which capabilities and level of access are needed and for how long.  Access and the time permitted are strictly minimized and all access expires after a maximum of 4 hours, requiring the process to start once again.

Encrypted Data at Rest & in Motion

  • All data at rest within Office 365 is encrypted using 2 different methods.  First, all drives within the Office 365 data center are BitLocker encrypted.
  • Secondly, all files within SharePoint sites and OneDrive for Business are encrypted using a complex file encryption mechanism.  This mechanism shreds every file into chunks and encrypts each chunk with a unique key.  The encrypted chunks are randomly distributed across multiple Azure Storage Containers.  The encryption keys are themselves encrypted with a master key, and the encrypted keys are stored in the content database (in a different system from the Azure Storage Containers).  The master key is stored in a third system called the key store (the most protected asset in the Microsoft data center).  Finally, all keys are rotated (re-generated) every 24 hours.  You can read more about this encryption process in an earlier blog post of mine: How Does Microsoft Protect our Data in Office 365?
  • Later this year, Microsoft will allow organizations to bring and manage their own master key as part of an E5 license.
  • All data transmitted from an end user's browser to Office 365 is encrypted while in motion using TLS.  The communication between all servers in the Office 365 data center is also encrypted using TLS.  All SSL protocols have been deprecated and removed from the environment, since SSL is no longer considered secure.  TLS 1.2 is used by default.  Only in cases where older browsers are used, will communication security revert back to TLS 1.1 or TLS 1.0.  This is important because PCI DSS compliance, for storing credit card data, requires the use of TLS 1.2 as the primary security protocol.
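
To make the per-file encryption bullet above concrete, here is an added sketch (not part of the original post and not Microsoft's code) of the same layout in Node.js: chunks encrypted under unique keys, placed in random containers, with the chunk keys wrapped by a master key held in a separate store. The store names, the 16-byte chunk size, the use of AES-256-GCM, and modelling rotation as re-wrapping the chunk keys under a new master key are all assumptions made for illustration.

```javascript
// Added illustration only: in-memory stand-ins, not the Office 365 implementation.
const crypto = require('node:crypto');

// AES-256-GCM helpers; sealed layout is nonce (12) || auth tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function unseal(key, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]); // throws on wrong key
}

// Three separate systems (hypothetical): key store, content database, blob containers.
const keyStore = { master: crypto.randomBytes(32) };   // holds the master key only
const contentDb = new Map();                           // file name -> chunk records
const containers = [new Map(), new Map(), new Map()];  // hold encrypted chunks only

function storeFile(name, data, chunkSize = 16) {
  const records = [];
  for (let off = 0; off < data.length; off += chunkSize) {
    const chunkKey = crypto.randomBytes(32);               // unique key per chunk
    const container = crypto.randomInt(containers.length); // random placement
    const blobId = crypto.randomUUID();
    containers[container].set(blobId, seal(chunkKey, data.subarray(off, off + chunkSize)));
    // Only the wrapped chunk key is persisted, and not next to the chunk itself.
    records.push({ container, blobId, wrappedKey: seal(keyStore.master, chunkKey) });
  }
  contentDb.set(name, records);
  return records.length;
}

function readFile(name) {
  return Buffer.concat(contentDb.get(name).map((r) => {
    const chunkKey = unseal(keyStore.master, r.wrappedKey);
    return unseal(chunkKey, containers[r.container].get(r.blobId));
  }));
}

// Rotation modelled as re-wrapping the small chunk keys; the blobs are not rewritten.
function rotateMasterKey() {
  const next = crypto.randomBytes(32);
  for (const records of contentDb.values())
    for (const r of records) r.wrappedKey = seal(next, unseal(keyStore.master, r.wrappedKey));
  keyStore.master = next;
}
```

Reading a file back needs all three stores at once, so a copy of the containers alone, or of the content database alone, yields only ciphertext.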

Advanced Authentication Models

  • Microsoft only supports secure authentication protocols such as claims based authentication using SAML 2.0 and OAuth 2.0.
  • Microsoft provides the ability to quickly and easily enable multi-factor authentication for either end users or administrators (or both) within your organization.  You can limit this to only privileged users, only to executives that access sensitive data, or to the entire organization.  Multi-factor authentication supports a robust set of 2nd factors, including one time pass code via text message or phone call, smart card, client side digital certificates and Microsoft Authenticator app.
  • Modern authentication has recently been introduced so that users accessing documents or Office 365 services through Microsoft client applications such as Word, Excel, PowerPoint or Outlook either on their desktop or mobile devices can have the same secure and robust authentication experience.

Security & Vulnerability Patching with Zero Downtime

  • It's well known that most server security vulnerabilities come from administrators not keeping up to date with security patches.  In 2016 alone, 16 critical or important security patches have been released across all SharePoint versions (2007, 2010, 2013, 2016).  In an on-premises environment, keeping up with all security patches is an extremely time-consuming task, made only more difficult if you work in an environment where downtime is strictly minimized or not permitted.
  • Office 365 deploys all server security patches as soon as possible, and with zero downtime to your tenant.  This ensures that vulnerabilities and zero day attacks are closed as promptly as possible, while minimizing disruption to client tenants.

Regulatory Compliance, Security Audits & Transparency

  • Office 365 has provided unprecedented transparency into how it secures and operates the services.
  • Microsoft has complied with a long list of regulatory compliance standards for protecting and securing your data.  The list of standards, along with exactly how they comply and how they do not comply, is fully published on the Office 365 Trust Center.
  • The Office 365 environment undergoes regular independent 3rd party security audits, and the results of those audits are published in the Office 365 Security and Compliance Center within all tenants, for clients to see.  Along with those published audit reports, every control that has been audited is listed, along with the requirements and recommendations for each.
  • Microsoft also actively promotes Shared Responsibility with respect to the security of your data within Office 365.  Microsoft is very clear about their commitments for securing the Office 365 platform, and they work to educate clients on what their responsibilities are as well, with respect to providing access to internal or external users, permissioning, reviewing activity logs, etc.

Additional Security Capabilities

Office 365 provides a long list of additional robust security capabilities for administrators, site owners and end users to help them secure and protect their data within the Office 365 service, including:
  • Information Rights Management
  • Data Loss Prevention
  • Activity Monitoring and Alerts
  • Advanced Threat Protection for Email
  • Advanced Security Management
  • Conditional Access Policies
  • Customer Lock Box

With all of these security considerations and capabilities in place to protect your information in Office 365, I think we would all be hard pressed to build an environment as secure and as robust as what is currently available from the Microsoft cloud.

   -Antonio


