Cloud aber Sicher (Cloud, but Secure)
Florian van Keulen, Senior Consultant Cloud & Security
Basel, Bern, Brugg, Düsseldorf, Frankfurt a.M., Freiburg i.Br., Geneva, Hamburg, Copenhagen, Lausanne, Munich, Stuttgart, Vienna, Zurich
Florian van Keulen, Senior Consultant, BDS Security Officer
At Trivadis since 2014
Security Infrastructure; Identity & Access Management; Cloud Infrastructure & Security; Office 365 & SharePoint; Information Security Management
Dec 2015
Security Opportunities
Datacenter & Storage Location
Ireland & Netherlands: Azure, Office 365, Dynamics CRM Online
Finland & Austria (new)
Office 365 Germany (new): data trustee Telekom
http://www.microsoft.com/online/legal/v2/?docid=25
Datacenter & Storage Location: Storage Replication
Locally Redundant Storage (LRS)
Zone Redundant Storage (ZRS)
Geo Redundant Storage (GRS)
Read Access Geo Redundant Storage (RA-GRS)
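The replication option is chosen per storage account, so the practical question is which of your accounts actually have a second region. The following script is an added example, not part of the original slides or any Microsoft tooling: it classifies accounts by their SKU name and flags those that are only locally or zonally redundant. The sample account objects are constructed stand-ins; against a real subscription you would feed it the output of Get-AzStorageAccount (Az.Storage module, after Connect-AzAccount), whose Sku.Name property carries the same values.

```powershell
# Added example: audit Azure Storage accounts for geo-redundancy.
# Assumes the Az.Storage module for the live variant; the sample data below is constructed.

function Get-ReplicationLevel {
    param([Parameter(Mandatory)][string]$SkuName)
    # SKU names as reported by Get-AzStorageAccount, e.g. "Standard_RAGRS"
    switch -Regex ($SkuName) {
        '_RAGRS$' { return 'RA-GRS' }
        '_GRS$'   { return 'GRS' }
        '_ZRS$'   { return 'ZRS' }
        '_LRS$'   { return 'LRS' }
        default   { return 'Other' }
    }
}

function Test-GeoRedundant {
    param([Parameter(Mandatory)][string]$SkuName)
    # Only GRS and RA-GRS replicate to a paired region; ZRS survives a zone, not a region
    return (Get-ReplicationLevel $SkuName) -in @('GRS', 'RA-GRS')
}

function Get-RedundancyReport {
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($a in $Accounts) {
        [pscustomobject]@{
            Account      = $a.StorageAccountName
            Replication  = Get-ReplicationLevel $a.Sku.Name
            GeoRedundant = Test-GeoRedundant $a.Sku.Name
        }
    }
}

# Constructed sample accounts (same property shape as Get-AzStorageAccount output)
$sampleAccounts = @(
    [pscustomobject]@{ StorageAccountName = 'stprodbackup'; Sku = @{ Name = 'Standard_RAGRS' } }
    [pscustomobject]@{ StorageAccountName = 'stdevscratch'; Sku = @{ Name = 'Standard_LRS' } }
    [pscustomobject]@{ StorageAccountName = 'stzonal';      Sku = @{ Name = 'Standard_ZRS' } }
)

Get-RedundancyReport -Accounts $sampleAccounts | Format-Table -AutoSize
# Expected: stprodbackup RA-GRS True, stdevscratch LRS False, stzonal ZRS False

# Live subscription: list only the accounts without a second region
# Get-RedundancyReport -Accounts (Get-AzStorageAccount) | Where-Object { -not $_.GeoRedundant }
```

An account that should be geo-redundant can be moved with Set-AzStorageAccount -SkuName Standard_GRS (or Standard_RAGRS); ZRS to GRS transitions may require a migration rather than a simple SKU change, so check the current Azure documentation for the account type before relying on that.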
Identity & Access Management
Multi-Factor Authentication (MFA)
Extra authentication factor: automated call, token (SMS), Authenticator app
For cloud services, and also for on-premises
Rules can be applied
For administrators and users
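The accounts where MFA matters most are the administrators, and the per-user MFA model of that era is managed through the MSOnline module. The script below is an added example, not code from the slides or from Microsoft: it reports administrators with no MFA requirement or no registered method, and shows how a requirement is set on one account. The sample user objects are constructed stand-ins with the same property names as Get-MsolUser output; the live variant assumes the MSOnline module and a prior Connect-MsolService.

```powershell
# Added example: find Office 365 / Azure AD administrators without MFA.
# Assumes the MSOnline module (Get-MsolUser, Get-MsolRole, Get-MsolRoleMember, Set-MsolUser)
# for the live variant; the sample objects below are constructed.

function Get-MfaState {
    param([Parameter(Mandatory)]$User)   # Get-MsolUser object or a stand-in with the same properties
    $requirement = $User.StrongAuthenticationRequirements | Select-Object -First 1
    # State is 'Enabled' (registration pending) or 'Enforced'; no entry means MFA is off
    $state = if ($requirement) { $requirement.State } else { 'Disabled' }
    $methods = @($User.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        MfaState          = $state
        Methods           = ($methods -join ',')
        Registered        = ($methods.Count -gt 0)
    }
}

function Get-AdminMfaGaps {
    param([Parameter(Mandatory)][object[]]$Admins)
    # Flag both "never required" and "required but nothing registered yet"
    $Admins | ForEach-Object { Get-MfaState $_ } |
        Where-Object { $_.MfaState -eq 'Disabled' -or -not $_.Registered }
}

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'   # user registers at next sign-in; switch to 'Enforced' afterwards
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Constructed sample: one enforced admin with the Authenticator app, one with nothing
$sampleAdmins = @(
    [pscustomobject]@{
        UserPrincipalName                = 'alice@contoso.example'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification' })
    }
    [pscustomobject]@{
        UserPrincipalName                = 'bob@contoso.example'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @()
    }
)

Get-AdminMfaGaps -Admins $sampleAdmins | Format-Table -AutoSize   # lists only bob

# Live tenant: members of the Company Administrator (global admin) role
# $role   = Get-MsolRole -RoleName 'Company Administrator'
# $admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
#           ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId }
# Get-AdminMfaGaps -Admins $admins
# Enable-UserMfa -UserPrincipalName 'bob@contoso.example'
```

The "Registered" column is the one to watch: an account in state Enabled but with no registered method is still protected only by its password until the user completes registration, and an administrator account in that state for weeks is a finding, not a transition.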
Conditional Access
Comprehensive Reports & Notifications
Microsoft threat intelligence: credentials found on the dark web, botnet activity
Authentication context analysis
Unified Device Management
Azure RMS
Encrypts and protects documents and mails
Access through authorization by Azure AD
Policies: edit, copy, print, retention time
Also with external users
Azure RMS uses encryption, identity, and authorization policies to secure mails and files, protected both within and outside your organization: the protection remains with the data.
Encryption: 2048-bit RSA asymmetric key with SHA-256 hash algorithm; AES 128-bit symmetric key (CBC mode with PKCS#7 padding)
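The two key sizes on this slide describe a hybrid scheme: each document gets its own AES-128 content key, and only that key is wrapped under the tenant's RSA-2048 key, which is why the protection can travel with the file. The following is an added example that reproduces that structure with .NET primitives; it is not Azure RMS code, and it omits the signed publishing license and usage policy that RMS attaches to the wrapped key. It assumes PowerShell 7 (RSA.Create with a key size and OAEP-SHA256 padding); the sample message is constructed.

```powershell
# Added example: document protection in the RMS style (AES-128-CBC/PKCS7 content key,
# wrapped with RSA-2048). Not RMS code; assumes PowerShell 7 / .NET Core.

function Protect-Content {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$TenantKey   # stands in for the tenant RMS key
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey()
    $aes.GenerateIV()
    $iv         = $aes.IV
    $encryptor  = $aes.CreateEncryptor()
    $ciphertext = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The content key leaves the client only wrapped under the tenant's public key
    $wrappedKey = $TenantKey.Encrypt($aes.Key, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes.Dispose()
    [pscustomobject]@{ Ciphertext = $ciphertext; IV = $iv; WrappedKey = $wrappedKey }
}

function Unprotect-Content {
    param(
        [Parameter(Mandatory)]$Protected,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$TenantKey
    )
    # Only the private-key holder (in RMS: the service, after evaluating the policy) can unwrap
    $contentKey = $TenantKey.Decrypt($Protected.WrappedKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $contentKey
    $aes.IV      = $Protected.IV
    $decryptor   = $aes.CreateDecryptor()
    $plain       = $decryptor.TransformFinalBlock($Protected.Ciphertext, 0, $Protected.Ciphertext.Length)
    $aes.Dispose()
    return ,$plain
}

$tenantKey = [System.Security.Cryptography.RSA]::Create(2048)
$message   = [System.Text.Encoding]::UTF8.GetBytes('Board minutes: confidential')   # constructed sample
$protected = Protect-Content -Plaintext $message -TenantKey $tenantKey
$recovered = [System.Text.Encoding]::UTF8.GetString((Unprotect-Content -Protected $protected -TenantKey $tenantKey))
"Wrapped key: $($protected.WrappedKey.Length) bytes (one RSA-2048 block); recovered text: $recovered"

# A different key pair cannot unwrap the content key, so the policy check at the key holder is the gate
$otherKey = [System.Security.Cryptography.RSA]::Create(2048)
try {
    Unprotect-Content -Protected $protected -TenantKey $otherKey | Out-Null
} catch {
    "Other tenant key: $($_.Exception.GetType().Name)"
}
```

Two consequences worth drawing from the shape of the scheme: the file itself never needs re-encryption when a user's rights change, because rights are decided at unwrap time; and whoever holds the RSA private key can open everything, which is exactly why the next slides are about where that key lives (HSM, audit logging, BYOK).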
Azure RMS
Keys are stored in Azure Key Vault, geo-location specific, in an HSM
Full audit and logging of key usage
BYOK support available
Azure RMS: Bring Your Own Key (BYOK)
Enterprise Mobility Suite = Microsoft Azure Active Directory Premium + Microsoft Intune + Microsoft Azure Rights Management
Identity management: authentication & authorization, MFA, conditional access
Document-level security: encryption, policies, secure access
Unified mobile device management: access management, app deployment, selective wipe
Office 365 Security
Data retention policies / legal hold
Encryption
Data Loss Prevention (DLP)
Exchange Online Advanced Threat Protection
(Essential RMS & MDM features)
Data Retention Policies / Legal Hold
Office 365 Encryption: Azure RMS, Office 365 Message Encryption, S/MIME
Office 365 Message Encryption (OME)
Applies encryption to emails that originate from Office 365, whether the recipient is inside or outside Office 365
External users can decrypt the received email with either an Office 365 account (from their company), a Microsoft account, or a one-time passcode
Azure RMS is used for the encryption
S/MIME
Standard for public-key encryption and digital signing of MIME data
Requires a public/private key infrastructure (PKI)
Works with Outlook, Outlook Web App, and Exchange ActiveSync clients (mobile)
Encryption
AES-256 encryption at rest and in transit
Two types of encryption for data at rest: disk encryption (using BitLocker) and file encryption, where each file is encrypted with its own key
Data in transit: SSL/TLS (TLS 1.0 & 1.2), new cipher suite order
Discovered vulnerabilities are taken seriously: SSLv3 support withdrawn, RC4 cipher support withdrawn
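Claims about withdrawn protocols are easy to verify from the outside. The probe below is an added example, not part of the slides or of any Microsoft tool: it attempts a handshake with one protocol version at a time and reports what was negotiated, including whether the chosen suite still uses RC4. It assumes PowerShell 7 (SslStream.NegotiatedCipherSuite). The target host name is only a placeholder for the endpoint you want to check.

```powershell
# Added example: probe an endpoint for SSLv3 / TLS version support and the negotiated suite.
# Assumes PowerShell 7 / .NET Core. Certificate validation is deliberately disabled because the
# probe is about protocol support, not trust; do not reuse that callback in production code.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $acceptAny = { param($sender, $cert, $chain, $errors) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        # Offer exactly one protocol version, so a success means the server accepts it
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $suite = $ssl.NegotiatedCipherSuite
        [pscustomobject]@{
            Requested  = $Protocol
            Result     = 'accepted'
            Negotiated = $ssl.SslProtocol
            Suite      = $suite
            Rc4        = ($suite.ToString() -match 'RC4')
        }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{
            Requested  = $Protocol
            Result     = "refused: $($_.Exception.Message)"
            Negotiated = $null
            Suite      = $null
            Rc4        = $false
        }
    } finally {
        $client.Dispose()
    }
}

$target = 'outlook.office365.com'   # placeholder: substitute the endpoint you are assessing
foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -HostName $target -Protocol $p
}
```

Read the results with one caveat: an "accepted" row is conclusive, but a "refused" row for Ssl3 may come from your own client, since current .NET builds and most OpenSSL builds no longer implement SSLv3 at all. To prove the server side withdrew it, confirm with a second tool that still speaks SSLv3, such as an older openssl s_client with -ssl3, or an online scanner.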
Encryption of Files in OneDrive & SharePoint
Encrypted files and file chunks are stored randomly across encrypted storage containers
Keys of the container & content DB; keys of the files and file chunks
Keys and content are stored in 3 different locations, so authorization in all 3 areas is needed to reveal data
Data Loss Prevention (DLP)
Prevents sensitive data from leaving the organization
Provides an alert when data such as Social Security or credit card numbers is emailed
Alerts can be customized by the admin to catch intellectual property being emailed out
Applies to Email, OneDrive & Office, based on policies and file content patterns
Built-in templates based on common regulations; import DLP policy templates from security partners or build your own
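A "file content pattern" is not just a regular expression: a bare 16-digit match also catches order and tracking numbers, so credit-card detection needs a checksum step before it is worth an alert. The script below is an added example, not Office 365 DLP code: it runs a regex pass over a constructed sample and then applies the Luhn check so that only a checksum-valid number counts as a finding. The detector and its patterns are assumptions for illustration; the built-in Office 365 sensitive information types combine pattern, checksum and supporting keywords in a similar way.

```powershell
# Added example: pattern-plus-validation detection in the DLP style (not Office 365 code).
# Sample text is constructed; the patterns are illustrative, not Microsoft's definitions.

function Test-Luhn {
    param([Parameter(Mandatory)][string]$Digits)
    # Standard Luhn checksum: double every second digit from the right, subtract 9 if > 9
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-SensitiveData {
    param([Parameter(Mandatory)][string]$Text)
    $patterns = @{
        'Credit Card Number'          = '\b(?:\d[ -]?){15}\d\b'   # 16 digits, optional space/dash separators
        'U.S. Social Security Number' = '\b\d{3}-\d{2}-\d{4}\b'
    }
    foreach ($name in $patterns.Keys) {
        foreach ($m in [regex]::Matches($Text, $patterns[$name])) {
            $digits = $m.Value -replace '[^\d]', ''
            # Only the card pattern has a checksum to corroborate the regex hit
            $valid = if ($name -eq 'Credit Card Number') { Test-Luhn $digits } else { $true }
            if ($valid) {
                [pscustomobject]@{ Type = $name; Match = $m.Value; Offset = $m.Index }
            }
        }
    }
}

# Constructed sample: one 16-digit order number (fails Luhn), one test card number
# (4111 1111 1111 1111 passes Luhn), one SSN-shaped value
$sample = @"
Order 1234 5678 9012 3456 shipped today.
Payment card 4111 1111 1111 1111 exp 12/19.
Applicant SSN 123-45-6789 for the HR file.
"@

Find-SensitiveData -Text $sample | Format-Table -AutoSize
# Expected: two findings, the card number and the SSN; the order number is dropped by the checksum
```

The same two-stage idea is why the built-in templates are preferable to a home-grown regex policy: a regex alone either misses separators or floods the admin with false alerts, and a template that ships with its own validation and keyword proximity rules keeps the alert volume low enough that people keep reading them.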
Exchange Online Advanced Threat Protection
Multiple anti-malware engines
URL/link scanning
Rich reporting & tracing
Office 365 Lockbox
Does your datacenter support these features?
High availability & geo-redundancy of your data
Full-featured identity and access management, cross-premises and with 3rd parties
MFA and conditional access
Enhanced security reports and notifications (threat intelligence)
Unified device management
Rights management at document level, wherever the document is stored
E-mail & multi-level file encryption
Retention time, archiving and legal hold
Advanced Threat Protection
And most of it is already included in an Office 365 subscription!