Office 365 Security and Compliance Overview


Contents

Authentication
Authorization
  Office 365
  Exchange Online
  SharePoint Online & OneDrive for Business
Accounting
  Auditing
    Office 365
    Exchange Online
    SharePoint Online and OneDrive for Business
  Journaling
  Retention
    Exchange Online
    SharePoint Online/OneDrive for Business
  Archiving
    Exchange Online
    SharePoint Online/OneDrive for Business
  Records Management
    Exchange Online
    SharePoint Online/OneDrive for Business
  Legal Hold
    Exchange Online
    SharePoint Online/OneDrive for Business
  eDiscovery
    Exchange Online
    eDiscovery Center
  Data Loss Prevention
    Exchange Online
    SharePoint Online/OneDrive for Business
  Information Rights Management
    Exchange Online
    SharePoint Online/OneDrive for Business
  Sharing in SharePoint Online/OneDrive for Business
  Recovering deleted data
    Exchange Online
    SharePoint Online/OneDrive for Business
    OneDrive for Business Sites "My Sites"
Resources

Feedback? Would love to hear your thoughts on errors, omissions and ideas; please send them to Lou Gucciardo.

Introduction

The purpose of this paper is to provide an overview of the security and compliance features within Office 365 that are within a subscriber's control. It is by no means intended to be exhaustive and does not attempt to cover other important aspects such as physical security. A complete overview of all security features can be found at the Office 365 Trust Center.

Authentication

Authentication verifies an individual's identity before access to a service is granted. It uses one or more of the following factors:

Knowledge: what you know (password, PIN, security question)

Ownership: what you have (certificate, token, cell phone)

Inherence: what you are (fingerprint, iris scan)

There are four authentication options available for Office 365. An overview of the options can be found here. They are:

1. Separate on-premises and cloud identities
2. Directory synchronization without password
3. Directory synchronization with password (hash)
4. Directory synchronization with federation and single sign-on

The fourth option, single sign-on, is the preferred method for enterprises. Single sign-on requires directory synchronization and federation. Directory synchronization synchronizes the on-premises directory with Windows Azure Active Directory Services (WAADS). Each Office 365 subscription comes with a corresponding WAADS subscription; this is the freemium tier, and additional features are available. The DirSync software is installed on premises and controls the synchronization. An overview of directory synchronization can be found here.

Federation creates a relationship with Office 365 that tells the service to redirect any request for authentication back to your on-premises authentication method. This gives the enterprise the most control and flexibility in the design and implementation of an authentication strategy.

Office 365 ADFS

The process follows these steps.

1. The Office 365 logon Web page prompts the user for credentials.
2. WAADS identifies the domain as federated and redirects the client browser to the logon Web page on the account federation server proxy.
3. The client browser requests the logon Web page from the account federation server proxy:
   a. Internal DNS servers resolve the account federation server proxy URL to the CNAME of the account federation server.
   b. Windows Integrated authentication occurs transparently.
4. The account federation server does the following:
   a. Validates the user credentials and gets attributes from Active Directory in the corporate network forest using Lightweight Directory Access Protocol (LDAP).
   b. Builds the security token for Office 365.
   c. Builds the ADFS authentication cookie.
5. The account federation server redirects the Web browser to send the POST request to WAADS:
   a. The POST request includes the security token in the body and JavaScript to activate it.
   b. The ADFS authentication cookie is written to the browser.
6. The client browser sends a POST request to WAADS.
7. WAADS redirects the Web browser to send the POST request to Office 365:
   a. Builds the security token for the Web application.
   b. Builds the new ADFS authentication cookie.
   c. The POST request includes the security token in the body and JavaScript to activate it.
   d. The ADFS authentication cookie is written to the browser.
8. The Web browser sends the POST request to Office 365.
9. Office 365 redirects the client to its requested application URL:
   a. ADFS validates the security token.
   b. Builds the new ADFS authentication cookie.
   c. The ADFS authentication cookie is written to the browser.
10. The client browser uses the ADFS authentication cookie to request the original application URL from the ADFS-enabled Web server.
11. Office 365 authorizes the user's request based on attributes from the security token.

Yammer does not use the Office 365 authentication system. Details of Yammer authentication are provided in the Yammer success center. A unified authentication method is on the roadmap. Simplified sign-on is enabled when Yammer.com is set as the default social experience in Office 365: Office 365 users are mapped to their existing Yammer accounts, so when you click Yammer from your Office 365 global navigation bar you do not need to authenticate again. Office 365 users without existing Yammer accounts are taken to a streamlined sign-up and verification process. This scenario is only valid from the Office 365 portal; if accessing from Yammer.com, signing in is still required.

Authorization

Once a user is authenticated, we want to ensure access is granted selectively to the appropriate parties. Office 365 provides granular, flexible and customizable role-based access control.

Office 365

Office 365 Administration provides a set of roles to manage the service. The global administrator is the highest level of access provided. Details on the roles can be found here.

Each user is assigned a set of licenses. Removing a license makes that service inaccessible to the user.

Licensing Controls

Exchange Online

Access is provided through the use of role-based groups. Detailed information on Exchange Online role-based access can be found here. Default groups are provided, and any number of new groups with roles can be created.

SharePoint Online & OneDrive for Business

Site Collection Administrator

SharePoint Online sites are organized into site collections. The site collection is a security boundary: who can access it, whether sharing is turned on or off, and which other features are enabled or disabled. The site collection administrator is responsible for setting access and features for a particular site collection.

Typical site collection administrator responsibilities include:

Main point of contact between your part of the organization and your IT department.

Working closely with people in certain roles in IT, such as your Office 365 administrator.

Performing some tasks that might previously have been referred to your organization's IT team, such as deciding who has access to important intellectual property stored on your organization's web sites (that is, setting site-collection-level permissions), and deciding which features to make available to the people who will be using the sites in your site collection.

Providing some technical support for the people who use your site collection.

The most successful programs for site collection administrators include ongoing training and collaboration among the group.

User Access

User access is based upon roles. The system provides a set of default roles, each with a set of permissions associated with it. As many new roles as required can be created and customized to your needs.

Default Groups

As an example, look at the group Members. It is prefixed by the name of the site, in this case Test. Members have a default permission level of Contribute, and the Contribute permission level contains the individual actions someone with that level can perform.

Actions included in the Contribute permission level

Enterprises will create custom groups and permission levels and map these groups to Active Directory groups. This enables access to be centrally controlled. An example might be a group Accounting Analysts with one set of permissions and a group Accounting Managers with a higher set of permissions. These groups are controlled by a job code in the ERP system, which is used to create the Active Directory groups.

Roles can be applied to objects within the system, and all objects are security trimmed so they cannot be viewed by someone who does not have access. An example might be different documents and folders within a document library that have unique permissions.

By default, when provisioned, each individual OneDrive for Business is its own site collection, and the individual assigned the OneDrive for Business is set as the site collection administrator.

Accounting

Accounting aggregates the various features a subscriber can control to meet their individual needs.

Auditing

Office 365

The Office 365 Administration console provides a selection of reports designed to detail system activity. Reports are continually being updated and new reports added.

Administration Reports

Exchange Online

Audit logging is used to troubleshoot configuration issues by tracking specific changes made by administrators, and to help you meet regulatory, compliance and litigation requirements. Microsoft Exchange Online provides two types of audit logging:

Administrator audit logging records any action, based on a Windows PowerShell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security- or compliance-related problems.

Mailbox audit logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they have done.

Detailed information on Exchange Online auditing can be found here.
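As an added example (not code from the paper or from Microsoft's documentation), the following Exchange Online PowerShell turns on mailbox audit logging and then queries both audit logs described above. It assumes a remote PowerShell session to Exchange Online is already open; the mailbox address and the 30-day window are placeholders.

```powershell
# Added example, not code from the paper. Assumes a remote PowerShell session to
# Exchange Online is already open; the mailbox address is a placeholder.

# Mailbox audit logging: record what administrators and delegates (anyone other
# than the owner) do in each user mailbox, and keep the log for 90 days.
$actions = "Update","Move","MoveToDeletedItems","SoftDelete","HardDelete","FolderBind","SendAs","SendOnBehalf"
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" } |
    Set-Mailbox -AuditEnabled $true -AuditAdmin $actions -AuditDelegate $actions -AuditLogAgeLimit "90.00:00:00"

# Who other than the owner accessed this mailbox in the last 30 days, and what did they do?
# -ShowDetails returns one row per operation (folder, subject, client IP) instead of a summary.
Search-MailboxAuditLog -Identity "user@example.com" -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, OperationResult,
                  ClientIPAddress, FolderPathName, ItemSubject |
    Sort-Object LastAccessed -Descending

# Administrator audit logging: every admin cmdlet is recorded. This pulls the changes that
# matter most for compliance: who toggled auditing, holds or deleted-item retention.
Search-AdminAuditLog -Cmdlets Set-Mailbox `
    -Parameters AuditEnabled,LitigationHoldEnabled,RetainDeletedItemsFor `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{ Name = "Parameters"; Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } }
```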

SharePoint Online and OneDrive for Business

Auditing can be enabled at the site collection level. When enabled, a set of reports is available, and custom reports can easily be created. New compliance reporting for OneDrive for Business is scheduled to be released in September 2014.

Audit reports available in SharePoint Online

Journaling

Journaling is the ability to record all communications, including email communications, in an organization for use in the organization's email retention or archival strategy. To meet an increasing number of regulatory and compliance requirements, many organizations must maintain records of the communications that occur when employees perform daily business tasks.

Journaling is supported in Exchange Online. The journaling mailbox must be on premises. Details can be found here.

Retention

Exchange Online

Retention is flexible and configurable. It is achieved through rules applied by an administrator or by the user. Detailed information on retention in Exchange Online can be found here.

SharePoint Online/OneDrive for Business

Retention can be achieved using retention policies or creating workflows. Retention policies can be multi-stage and are available for records and non-records.

Retention Policy Settings 1

Archiving

Archiving refers to backing up the data, removing it from its native environment, and storing it elsewhere.

Exchange Online

Exchange Online provides unlimited archiving per mailbox. The archive is set to 100 GB and can be increased with a support request. Details on Exchange Online Archiving can be found here.

SharePoint Online/OneDrive for Business

Similar to retention, archiving can be achieved using retention policies or creating workflows. Retention policies can be multi-stage and are available for records and non-records.

Records Management

Exchange Online

Messaging records management (MRM) helps your organization prevent the permanent deletion of email messages and other messaging content, deleted by users or by messaging policies, that is needed to comply with company policy, government regulations or legal requirements. MRM also lets you automatically remove older messaging content that has no legal or business value. MRM uses retention policies and retention tags to control how long to keep items in users' mailboxes and to define what action to take on items that have reached a certain age. Details can be found here.

SharePoint Online/OneDrive for Business

Extensive records management capabilities are available in SharePoint Online. Details can be found here .

Legal Hold

Exchange Online

You can put a litigation hold, also known as legal hold, on a mailbox to preserve e-mail messages and other mail items for an extended period. Litigation hold also prevents items from being permanently deleted. When a user's mailbox is put on litigation hold, the user can purge items from their mailbox but the items are retained indefinitely on the servers in the Microsoft datacenter. Litigation hold also maintains the version history for items that are modified.

SharePoint Online /OneDrive for Business

Applying a hold means preserving a copy of the original content in case it is modified or deleted by a user. Holds can be placed on content in SharePoint Online sites (including OneDrive for Business sites). A hold is used to retain the content in its original form at the time the hold is applied. When users apply a hold to a site or mailbox, the content remains in place in its original location.

eDiscovery

Exchange Online

Exchange Online can help you perform discovery searches for relevant content within mailboxes. Details of In-Place eDiscovery can be found here.

Exchange Online eDiscovery and hold

eDiscovery Center

The eDiscovery Center is a sophisticated tool designed to provide self-service eDiscovery to business users. It is part of SharePoint Online and can be used to discover and export content in Exchange Online, Lync Online and SharePoint Online. eDiscovery is based upon search, and certain search configurations allow content outside of Office 365 to be discoverable. Detailed information on the eDiscovery Center can be found here.

eDiscovery Center

Data Loss Prevention

Data loss prevention (DLP) is a system designed to detect potential data breach or data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data. DLP is key to stopping potential leaks before they leave the enterprise firewall and to enforcing internal policies. As an example, many enterprises have a policy that PHI cannot be included in the subject of an e-mail message, because that information is not encrypted in transit. (A list of recommended and not recommended data types is provided below.) DLP will scan the subject line, find the PHI and execute the rules within its template.

PHI Recommended Data Types

Email body

Email attachment body

SharePoint site content

Information in the body of a SharePoint file

Lync presentation file body

IM or voice conversations

Examples of data-sets or repositories not suitable for inclusion of ePHI

Email headers, including “From”, “To”*, or “Subject Line”

Filenames (including filenames of any attachments or uploaded documents on any Service)

URLs, or any public SharePoint websites

Account, billing, or service configuration data

Internet domain names (e.g.,“fabrikam.com”)

User global address list or address book data (including user account holder’s name, user name, contact information and address book data)**

Support ticket information (information sent directly from customer to support for troubleshooting, or information you request be accessed for Microsoft technical support)

Exchange Online

Using transport rules, Exchange Online can detect sensitive information and, when it is detected, perform a series of actions. An extensive list of DLP templates is available with the subscription, including a HIPAA template. These can easily be modified, or new templates created. Detailed information on DLP in Exchange Online can be found here.

Exchange Online DLP supports document fingerprinting. Document fingerprinting can identify a form based upon its fingerprint and perform an action. As an example, a patient's admission form can be fingerprinted, and if someone tries to e-mail this document it will be intercepted. Document fingerprinting information can be found here.
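As an added example (not code from the paper or from Microsoft), the following Exchange Online PowerShell builds the "no PHI in the subject line" policy used as the example above: a DLP policy from the built-in HIPAA template in test mode, plus a transport rule that rejects messages whose subject matches PHI-like patterns. It assumes a remote PowerShell session to Exchange Online; the regular expressions and the compliance address are constructed placeholders.

```powershell
# Added example, not code from the paper. Assumes a remote PowerShell session to
# Exchange Online; the regular expressions and addresses are constructed placeholders.

# 1. Create a DLP policy from the built-in HIPAA template, starting in test mode
#    (AuditAndNotify) so hits are logged and users are told, but mail still flows.
$hipaa = Get-DlpPolicyTemplate | Where-Object { $_.Name -like "*HIPAA*" } | Select-Object -First 1
New-DlpPolicy -Name "PHI policy" -Template $hipaa.Name -Mode AuditAndNotify

# 2. The paper's example policy: PHI in the subject line is never acceptable because the
#    subject is not encrypted in transit. A plain transport rule rejects such messages
#    outright and sends the compliance mailbox an incident report.
New-TransportRule -Name "Block PHI in subject line" `
    -SubjectMatchesPatterns '\b\d{3}-\d{2}-\d{4}\b', '\bMRN\s*[:#]?\s*\d{6,}\b' `
    -RejectMessageReasonText "PHI is not permitted in the subject line; put it in the message body instead." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -GenerateIncidentReport "compliance@example.com" `
    -IncidentReportContent Sender,Recipients,Subject,RuleDetection,Severity

# 3. Review what the policy created before enforcing it: each DLP rule, its mode and state.
Get-TransportRule | Where-Object { $_.DlpPolicy } |
    Select-Object Name, DlpPolicy, Mode, State, Priority

# 4. After the test period, switch the policy (and all of its rules) to Enforce.
Set-DlpPolicy -Identity "PHI policy" -Mode Enforce
```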

SharePoint Online/OneDrive for Business

DLP is scheduled to be added in September 2014.

Exchange Hosted Encryption

Microsoft Exchange Hosted Encryption (EHE) is a convenient, easy-to-use email encryption service that helps safely deliver your confidential business communications in a hosted secure email solution. This service enables users to send and receive encrypted email directly from their desktops as easily as regular email, to anyone at any time. Using rules, you selectively target business needs; as an example, any time a doctor sends an e-mail to a partner hospital, encrypt the message. More information on EHE can be found here.

Information Rights Management

Azure Information Rights Management is part of the Office 365 subscription and can be activated from the Office 365 Admin console. Information Rights Management (IRM) allows individuals to specify access permissions on content. IRM helps prevent sensitive information from being printed, forwarded or copied by unauthorized people. After permission has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the access permissions are stored within the content itself.

Exchange Online

IRM provides online and offline protection of e-mail messages and supported attachments. IRM protection can be applied by users in Outlook or Outlook Web App, and it can be applied by administrators using transport protection rules and Outlook protection rules. IRM helps administrators and users control who can access, forward, print, or copy sensitive data within e-mail messages.

Detailed information on IRM in Exchange Online can be found here.

SharePoint Online/OneDrive for Business

Document libraries can be configured to use IRM. Once applied, all documents within that library are encrypted on egress. When a document library has IRM applied it will not sync to a local device; allowing IRM-protected libraries to sync is on the roadmap. Detailed information on IRM in SharePoint Online can be found here.

A bring-your-own-key option is available. Details can be found here.

Sharing in SharePoint Online/OneDrive for Business

Sharing, particularly sharing with external parties, is available in SharePoint Online and OneDrive for Business. It is important to understand how sharing works and how it can be managed.

Sharing is first turned on at the administration level. From the SharePoint Online admin center, select Settings.

Turn on sharing

Once sharing is available, any site collection can be enabled individually. This provides the ability to segregate content, protecting sensitive data. Select the site collection and then select Sharing from the ribbon.

Enable sharing for a site collection

Sharing depends upon the rights of the person attempting to share. Here is an example.

Babe Ruth is a member of the Visitors group. The Visitors group allows reading but not editing, and he wants to share with Whitey Ford, who does not have rights to the site. When Babe shares, a toast appears in the upper right-hand corner: "Sharing request sent to site owner for approval". Garth belongs to the Owners group; he receives an e-mail from Babe Ruth requesting to share the site with Whitey Ford. Garth also has a request waiting on the portal so he can approve or reject it.

Sharing Toast

e-mail to Site Collection Administrator

Access Request Summary

In this example Babe Ruth does not have authority to share, so his request must be approved. To have authority to share, a user must belong to a group that has the "Manage Permissions" permission. You can create new groups with custom permissions if required. As an example, we may have a site collection whose content is low business impact. In this scenario any document can be shared, and we decide managers can share without approval. To accomplish this we copy the Contribute group, change the name to "Managers with Sharing" and add the "Manage Permissions" permission.

OneDrive works a bit differently, since the owner of the OneDrive is set as site collection administrator by default, i.e. they already have "Manage Permissions", so no approval is required when content is shared.

Information Rights Management can be used from Office 365 to protect documents. This can be enabled from the client application.

IRM in Word 1

or from a SharePoint document library, or both. When enabled in the client application, the user decides whether or not to protect the document. When applied to a SharePoint document library, all documents in that library are encrypted on egress.

Enabling IRM in SharePoint Online

Please note that when IRM is applied to a SharePoint document library, that library cannot be synced to a local device. Syncing IRM-protected libraries is on the roadmap. Information on setting up IRM in SharePoint Online can be found here. An overview of Rights Management can be found here.

Controlling what is shared

The Office 365 admin can configure sharing so that sites cannot be shared. By default, permissions in SharePoint Online are hierarchical and inherited, so by sharing a site it is possible that all objects under the site will also be shared. This is configurable, so objects can have their own set of permissions. Turning off site sharing protects against content being shared by mistake.

Determine what can be shared

Authentication for external sharing

When content is shared with external parties there are two methods of authentication. If the receiving party has an Office 365 account, they will be authenticated using Windows Azure Active Directory Services. If they do not, a Microsoft account is required and they will be authenticated by Microsoft. Having a Microsoft account does not require a Microsoft e-mail address (i.e. *.live.com, *.outlook.com); a Microsoft account can be mapped to any e-mail address.
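As an added example (not code from the paper or from Microsoft), the following SharePoint Online Management Shell commands carry out the sharing procedure described in this section from the command line: the tenant-level switch, the per-site-collection opt-in that segregates sensitive content, and two review queries a site collection administrator can run afterwards. It assumes the SharePoint Online Management Shell is installed and Connect-SPOService has already been run; the site URLs are placeholders.

```powershell
# Added example, not code from the paper. Assumes the SharePoint Online Management Shell
# is installed and Connect-SPOService has already been run as a SharePoint Online admin;
# the site URLs are placeholders.

# Tenant level: allow external sharing, but only with people who sign in
# (no anonymous guest links).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Site-collection level: turn sharing on only where the content is low business impact,
# and keep it off for site collections holding sensitive data. This is the segregation
# the paper describes: the tenant setting is the ceiling, each site collection opts in.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/partners" -SharingCapability ExternalUserSharingOnly
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance"  -SharingCapability Disabled

# Review 1: every site collection that currently allows any external sharing.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, Title, Owner, SharingCapability

# Review 2: the external accounts that have actually been granted access to the tenant.
Get-SPOExternalUser -PageSize 50 |
    Select-Object DisplayName, Email, AcceptedAs, InvitedBy, WhenCreated
```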

Recovering deleted data

Exchange Online

When a user deletes items from the default Deleted Items folder by using the Delete, Shift+Delete or Empty Deleted Items Folder actions in Microsoft Outlook and Outlook Web App, the items are moved to the Recoverable Items folder, into a subfolder named Deletions. The duration that deleted items are retained in this folder is based on the deleted item retention period configured for the mailbox. An Exchange Online mailbox is configured to retain deleted items for 14 days by default. You can use the Shell to change this setting to a maximum of 30 days. If you need to retain deleted items for longer than 30 days, you can place the mailbox on In-Place Hold.
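As an added example (not code from the paper or from Microsoft), the following Exchange Online PowerShell applies the settings just described: raising deleted-item retention to the 30-day maximum, placing a mailbox on hold for anything longer, and checking which mailboxes are still at the default. It assumes a remote PowerShell session to Exchange Online; the mailbox address and the hold duration are placeholders.

```powershell
# Added example, not code from the paper. Assumes a remote PowerShell session to
# Exchange Online; the mailbox address and hold duration are placeholders.

# Deleted-item retention: raise every user mailbox from the 14-day default to the 30-day maximum.
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" } |
    Set-Mailbox -RetainDeletedItemsFor "30.00:00:00"

# Anything longer than 30 days requires a hold. Litigation hold keeps items the user purges
# from Recoverable Items (and versions of edited items) for the given number of days.
Set-Mailbox -Identity "user@example.com" -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# Check: mailboxes still below 30 days that are not on hold, i.e. where purged items
# really are gone once the retention window passes.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { [TimeSpan]"$($_.RetainDeletedItemsFor)" -lt [TimeSpan]"30.00:00:00" -and -not $_.LitigationHoldEnabled } |
    Select-Object DisplayName, RetainDeletedItemsFor, LitigationHoldEnabled, LitigationHoldDate

# What is currently being preserved for one mailbox: the Recoverable Items folder and its
# Deletions, Versions and Purges subfolders.
Get-MailboxFolderStatistics -Identity "user@example.com" -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize
```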

SharePoint Online/OneDrive for Business

SharePoint Online uses a two-stage recycle bin to manage deleted files. Each user has their own recycle bin, and the site collection administrator also has one. When a user deletes a file it is sent to both recycle bins. If the user then deletes the file from their own recycle bin, it is still available to the site collection administrator. The maximum amount of time a file can stay in a recycle bin is 90 days.

OneDrive for Business Sites “My Sites”

Once a profile has been deleted, the My Site is marked for deletion and will be deleted in 14 days. To prevent deletion, the site can be delegated to the user's manager or a secondary owner.

Resources

Trust Center

Deployment Guide

Service Descriptions

Office 365 Public Roadmap


Will the provider sign a Business Associates Agreement (BAA)?

Are all services/features provided covered by the BAA?

Will the BAA expire?

Is the provider's definition of a breach consistent with your organization's definition?

Will the provider notify you of a breach within the current legal requirements (60 days)?

Does the provider have the necessary accreditations (HIPAA/HITECH & FISMA)?

Are partners and assessors of accreditations certified with HITRUST?

Will your data (including PHI) be used by the provider for secondary purposes?

Are messages encrypted in transit and at rest?

Can encryption rules be added? (i.e. automatically encrypt all messages sent to *.hospital.com)

Does the provider include e-discovery and legal hold?

Does the provider include Information Rights Management?

Does the provider include Data Loss Prevention?

Does the provider include auditing capabilities?

Appendix A Yammer Authentication
