Addressing Cloud Computing Security Considerations



Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more

Contents

Introduction
Key Security Considerations
Office 365 Service Stack
ISO Certifications for the Microsoft Online Services Stack
Compliance and Risk
Identity and Access
Service Integrity
Endpoint Integrity
Information Protection
Related Reading

Introduction

This document is based on a supplemental paper, Cloud Computing Security Considerations [1], which focuses on a high-level discussion of the fundamental challenges and benefits of cloud computing security. The original paper includes questions cloud service providers and organizations using cloud services should consider as they evaluate a new move or expansion of existing services to the cloud.

This document presumes the reader is familiar with the Cloud Computing Security Considerations paper, which offers high-level insight into how these considerations can be addressed using Office 365, a public cloud service. Office 365 combines the familiar Office desktop suite with cloud-based versions of next-generation communications and collaboration services, including Microsoft Office Professional, Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft Lync Online.

Cloud service providers and organizations using cloud services should consider these two primary areas regarding security and compliance:

- Geolocation: Due to the nature of the public cloud, a customer's data may be distributed in various geographies around the globe.
- Multi-Tenancy: Space on a server/infrastructure is shared among tenants.

[1] The Cloud Computing Security Considerations paper can be found here: http://go.microsoft.com/?linkid=9708479

Key Security Considerations

Here is a short summary of the considerations raised in the original paper mentioned on the previous page.

What will you learn from this paper?

This paper discusses how to address cloud security considerations in an Office 365 environment. It also shows how to strike the appropriate balance between customer and Microsoft responsibilities. When not further specified, the information herein applies to both the Microsoft Global Foundation Services (www.globalfoundationservices.com) and Microsoft Online Services (www.microsoft.com/online.com).

As with any other technological shift or change, security benefits and risks must be addressed in order to realize the full benefits of cloud computing. Considerations such as compliance and risk management, identity and access management, service integrity, endpoint integrity, and information protection should all be explored when evaluating, implementing, managing, and maintaining cloud computing solutions. These apply to the cloud provider as well as the cloud customer; both should carefully consider and evaluate these points:

- Compliance and Risk: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management. While some of the responsibility for execution may be transferred to the cloud provider, it is important to understand the overall compliance picture, as well as the roles and responsibilities within the provider organization.
- Identity and Access: Identities may come from different providers; providers must be able to federate from on-premises to the cloud and help enable collaboration across organization and country borders.
- Service Integrity: Cloud-based services should be engineered and operated with security in mind; operational processes should be integrated into the organization's security management.
- Endpoint Integrity: As cloud-based services originate and are then consumed on-premises, the security, compliance, and integrity of the endpoint must be part of any security consideration.
- Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

Responsibilities for the different considerations shift depending on the cloud service type consumed: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). Careful definition of the control ownership is imperative in such environments.

The illustration below is based on the National Institute of Standards and Technology's (NIST) definition of the different cloud models.

Office 365 Service Stack

Office 365 is a Software-as-a-Service offering from Microsoft. In this scenario, Microsoft provides consumers the capability to use the Office 365 applications (Microsoft Office Professional desktop suite of applications, Microsoft Exchange, Microsoft SharePoint, and Microsoft Lync) running on a cloud infrastructure and accessible from various client devices. Consumers do not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or the individual application capabilities apart from certain configuration capabilities.

When evaluating the control environment in a Software-as-a-Service model, it is important to consider the whole technology stack of the provider since different teams/services may be involved in providing the infrastructure and application service elements.

ISO Certifications for the Microsoft Online Services Stack

When evaluating Microsoft Online Services, it is helpful to understand that both Microsoft Online Services and Microsoft Global Foundation Services are International Standards Organization (ISO) 27001 based and certified frameworks.

Why is the ISO 27001 certification important?

While Microsoft may not be able to provide customers with our detailed internal policies and procedures for security purposes, customers can review and evaluate the standards and implementation guidance in which we are certified to ensure we meet or exceed industry best practices. ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS).

Compliance and Risk

Topics: Risk, Risk Methodology, Compliance

Good risk management practices are essential for any cloud provider. Microsoft applies its own documented risk management process:

- Identify threats and vulnerabilities to the environment.
- Calculate risk.
- Report risks across the Microsoft cloud environment.
- Address risks based on an impact assessment and a business case.
- Test remediation effectiveness and residual risk.
- Manage risks on an ongoing basis.

Microsoft Online Services are built to adhere to Microsoft Online Services Privacy Standards [2] and based on an ISO 27001 framework to continually assess and improve our services offerings. The processes to manage the risks in Microsoft's environment are based and certified on ISO 27001. The services will be verified under SAS 70 Type II (to be replaced with industry standard SSAE16).

Microsoft holds several compliance certifications; these are publicly available and updated on a regular basis. Microsoft Trust Center [3] provides an up-to-date view on which certifications and practices are implemented by Microsoft. Current customers can also review the Global Foundation Services SAS 70 Type II report (to be replaced with industry SSAE16). A link to our Trust Center is provided in the Link section of this document. It is important to consider the entire service stack as outlined in the Office 365 service stack picture. (See page 5.)

Customers are responsible for making sure they have an overall enterprise risk management process in place and that cloud risks are included in the overall company risk.

Some of the responsibilities for handling risks connected to the workloads moved to Office 365 are transferred to Microsoft. Customers must understand, however, whether or not the stated certifications allow them to fulfill their regulatory requirements.

By providing transparency around our program, Microsoft allows customers to evaluate our services against their requirements and make informed decisions.

Microsoft customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with applicable legal requirements elsewhere. As a provider of global cloud services, we run our services with common operational practices and features across multiple customers and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind. However, it is our customers' responsibility to evaluate our offerings against their own requirements so they can determine whether or not Microsoft services satisfy their regulatory needs.

[2] Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/downloads/en/details.aspx?familyid=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&displaylang=en
[3] Trust Center link: http://go.microsoft.com/fwlink/?linkid=206613&clcid=0x409

Topics: Security, Termination of Service

Microsoft helps comprehensively secure Office 365 services by applying the Microsoft Security approach, which ensures that the security of Office 365 services is vigilantly maintained, regularly enhanced, and routinely verified through testing. This approach provides protection at multiple levels, including:

- Physical layers at data centers: physical controls, video surveillance, and access control.
- Logical layers: data isolation, hosted applications security, infrastructure services, network level, identity and access management, federated identity, and single sign on.

Our Security program is built on ISO 27001 principles and attested to through the compliance program.

At the termination of a customer's subscription or use of the service, the customer may always export its data. See the Product Use Rights [4] for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting the customer subscriber data pursuant to these terms.

Microsoft provides multiple notices prior to deletion of customer subscription data so customers are informed and reminded of the impending deletion of their data should they fail to act within the stipulated time frame.

If a customer needs assistance fulfilling privacy requests as required by law, they may contact Microsoft Customer Support [5] for help accessing, changing, or removing their customer data. Requests that cannot be fulfilled via standard tools and processes may be subject to additional charge.

Customers will have to manage security within their premises (e.g., access to customer premises from which Office 365 is being accessed, or endpoint security). They must also ensure that the environment they connect to Office 365 is managed according to their requirements and security standards.

Upon expiration or termination of a customer's online service subscription, the customer must contact Microsoft and specify whether the customer account should be disabled and subscriber data deleted, or whether the subscriber data should be retained for a limited time so the customer can extract the data. Following the expiration of the retention period, Microsoft will disable the customer account, and then delete all subscriber data.

[4] Product Use Rights link: http://www.microsoft.com/licensing/about-licensing/product-licensing.aspx
[5] Microsoft Customer Support link: https://mocp.microsoftonline.com/site/support.aspx

Topic: Dispute

At the end of a customer's subscription or use of the service, the customer may always export its data. See the Product Use Rights for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting customer subscriber data pursuant to these terms.

Customers are responsible for understanding the dispute resolution process and ensuring constant and continuous access to the service in case of a dispute.

Identity and Access

Topics: Identity, Identity Processes, Interoperability, Ad Hoc Collaboration

Microsoft applies strict controls over which user roles and users will be granted access to customer data. Users are required to complete a form along with a business justification to request access. This must be approved by the user's manager prior to gaining access. Controls related to identity and access management are formally audited annually through the SAS 70 Type II audit (to be replaced with industry standard SSAE16).

We recognize the importance of our customers' non-public data. If someone (Microsoft personnel, partners, or the customer's own administrators) accesses the user's non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed.

To further limit the risk of unauthorized access, Microsoft does not use the same identity management platform for internal purposes as for managing the Office 365 environment. All Microsoft personnel are accountable for their handling of customer data; access to Microsoft Online Services data is granted in a manner that is traceable to a unique user. In other words, accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing. Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen accountability. User access to data is also limited by user role; for example, system administrators are not provided with database administrative access. Microsoft reviews its identity management and access controls on a regular basis for compliance to internal standards and procedures as well as external standards such as ISO 27001. The access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.

It is important for customers to understand that Microsoft does not manage the customer's identities or create accounts. The customer must ensure that robust processes and procedures are in place to ensure an adequate level of access control to their own data. Customers are responsible for the identity management processes for their identities. Any system for identity and access control, especially for higher value assets, should be based on an identity framework that uses in-person proofing, or a similarly strong process, and robust cryptographic credentials. This is the customer's responsibility and lays the foundation for any identity management process. Further, customers should have in place a process to ensure the effectiveness of their own identity and access management processes.

An important attribute of cloud-based Office products is interoperability between applications; workers can move from desktop to web to mobile without transforming or modifying their files as they go. One critical element is identity federation; Microsoft Office 365 uses ADFS v2.0. Since ADFS v2.0 is based on several WS-* and SAML standards, it can federate with multiple identity providers. Microsoft Active Directory, Microsoft Lync [6], and other products support interoperability requirements. Microsoft works intensively with the standards bodies and implements these standards and protocols.

Customers should adhere to interoperability standards that can be leveraged across different cloud providers, both on and off premises.

Customers should ensure processes are in place to verify new partners with whom they want to collaborate on an ad hoc basis and who need to understand the technical requirements.

Service Integrity

Service integrity includes two components: 1) service engineering and development; and 2) service delivery. Service engineering and development encompass the way in which the provider incorporates security and privacy at all phases of development. Service delivery covers how the service is operated to meet contractual levels of reliability and support.

Service Engineering and Development

Topic: Secure Development

Microsoft has formalized the rigorous security practices employed by its development teams into a process called the Security Development Lifecycle (SDL). The SDL process is development methodology agnostic. It is fully integrated with the application development lifecycle, from design to response, and it does not replace software development methodologies such as Waterfall or Agile. Various phases of the SDL process emphasize education and training and mandate the application of specific activities and processes as appropriate to each phase of software development. Microsoft makes this process available to the development industry through papers and books [7], as well as via the SDL Pro Network [8], which supports organizations in implementing SDL within their processes.

Customers should understand the processes Microsoft uses to develop software and respond to security vulnerabilities. This process is repeatable and designed to build security from the ground up.

[6] Microsoft Lync link: http://lync.microsoft.com/en-us/pages/default.aspx
[7] More information on SDL can be found at: http://www.microsoft.com/security/sdl/default.aspx
[8] SDL Pro Network link: http://www.microsoft.com/security/sdl/adopt/pronetwork.aspx

Service Delivery

Topics: Security Practices, Auditing

Microsoft's security practices are multi-layered and contain:

Physical security (includes but is not limited to):
- Microsoft enforces physical security controls as part of a broad set of carrier-class data center operations. Carrier-class means very high availability, allowing for minimal downtime per year.
- Physical security controls applied to our data centers include smart-cards, identification badges, delivery and loading area isolation, video surveillance, and on-premises security officers 24/7.
- Only authorized staff has access to the hardware on which Office 365 is run.

Host security (includes but is not limited to):
- Infrastructure assets are scanned daily.
- Penetration testing by internal and external parties occurs regularly.
- Automation is used to deploy hardened instances of operating systems.
- Automated pattern analysis of network logs identifies suspicious network activity.
- Real-time health monitoring and alerting speeds investigation and mitigation.

Network security (includes but is not limited to):
- Load balancers, firewalls, and intrusion-prevention devices aid in management of volume-based denial of service attacks.

Apart from ongoing internal auditing and monitoring activities, Microsoft provides our customers with evidence of third-party attestations to our best-in-class environment and has launched Trust Center as a portal for compliance, security, and privacy-related topics.

The customer is responsible for ensuring that the endpoint from which the service is consumed adheres to their policies.

Customers must verify that their compliance requirements are fulfilled by the certifications and audits Microsoft provides. One of the benefits of moving to an Office 365 environment is that Microsoft will keep the environment up to date and secure.

Topics: Forensics, Incident Response

For incident-related purposes, Microsoft performs forensic analysis on events that occurred. Should in-depth investigation be required, Microsoft collects content from the subject systems using best-of-breed forensic software and industry best practices.

If someone (Microsoft personnel, partners, or the customer's own administrators) accesses the user's non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed and may be able to use the information for their forensic processes.

The Microsoft Online Security Incident Response process follows these phases:

- Identification: System and security alerts are harvested, correlated, and analyzed. Microsoft Online operational and security teams investigate events. If an event indicates a security issue, the incident is assigned a severity classification and appropriately escalated within Microsoft. The escalation team includes product, security, and engineering specialists.
- Containment: The escalation team evaluates the scope and impact of the incident. The escalation team's immediate priority is to ensure the incident is contained and data is safe. The team forms the response, performs appropriate testing, and implements changes. Should in-depth investigation be required, content is collected from the subject systems using forensic software and industry best practices.
- Eradication: After the situation is contained, the escalation team moves toward eradicating any damage caused by the security breach and identifies the root cause of the security issue. If it determines vulnerability, the escalation team reports the issue to product engineering.
- Recovery: During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.
- Lessons Learned: Microsoft analyzes each security incident to ensure we apply the appropriate mitigations to protect against future reoccurrence.

Customers are responsible for understanding what information can be obtained from Microsoft and which processes they must follow to legally access corresponding operational data. This is the basis for integration into the customer's forensic processes.

Customers should incorporate the information they receive from Microsoft into their incident response processes and understand how they (the customer) can handle them.

Topic: Business Continuity

Office 365 offerings are delivered by extremely resilient systems that help ensure high levels of service. Office 365 leverages the Microsoft hosting experience, as well as close ties to Microsoft product groups and support services to create a cloud service that meets our customers' high standards.

Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity provisions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable). Customers' data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to another data center. These measures are aligned with ISO 27001 requirements and provide a robust risk management process.

Business Continuity is much broader than simply moving a business workload to Office 365. It is Microsoft's duty to ensure availability to the contracted level. Customers must understand and decide whether or not additional requirements for their business processes must be met to ensure business continuity, whether the service level agreed upon corresponds with the acceptable risks, and whether they (the customer) need to take further actions.

Endpoint Integrity

Topic: Endpoint

Customer access to services provided over the Internet originates from users' Internet-enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and the data center.

Customers should ensure that the devices through which their users access Office 365 fulfill their needs and requirements. This might include (but is not limited to):

- Hardware security considerations: If the device (desktop, laptop, or mobile) stores information, it should be hardware protected from unauthorized access (TPM, Microsoft BitLocker, and so on).
- Software security considerations: Both the OS and application should be developed using a security model (SDL). Security software must be included (firewall, antivirus, IDS, and so on). A robust security practice process should be in place (auto update, timely patch deployment, client health checks, policy enforcement, and so on).

Information Protection

Topics: Data Classification, Data Location, Encryption

Microsoft classifies all of its data along a common data classification scheme. Customer-relevant data is preclassified according to these guidelines and protection and security measures are pre-defined according to this classification.

Microsoft understands our customers need to know where their data is located. Data is located in the region corresponding to the customer's billing address, with some supporting access performed from a U.S. location to ensure and monitor the system's health and integrity. Detailed information is available on Trust Center.

Connections established over the Internet to the services are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The term data-at-rest refers to data as it exists on a physical storage medium. Microsoft does not encrypt data-at-rest, but customers may implement Active Directory Rights to provide a layer of control and security for their sensitive data.

Data classification is a key element when considering what should and can be put into a public cloud environment. The customer is responsible for assessing and classifying the data going into the cloud and taking appropriate measures to protect the data from unauthorized access (e.g., encryption).

Customers should evaluate whether or not the Office 365 offering meets their requirements regarding the geographic location of their data.

If customers require encryption, they must expect the loss of certain functionality, such as search. When a customer needs to encrypt data, responsibility for key management remains with the customer since the key must be separated from the data.

Related Reading

- Cloud Computing Security Considerations white paper: http://go.microsoft.com/?linkid=9708479
- The Office 365 Security Service Description is publicly available on the Microsoft Download Center: http://www.microsoft.com/download/en/details.aspx?id=26552
- Office 365 FAQ: http://www.microsoft.com/en-us/office365/online-software.aspx
- Trust Center: http://go.microsoft.com/fwlink/?linkid=206613&clcid=0x409
- Office 365 Standard Response to Request for Information: Coming soon on the Microsoft Download Center.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Lync, and SharePoint are trademarks of the Microsoft group of companies.