Brian Long Steve Goodman Ion Gott
How to Plan and Complete a Secure
Office 365 Migration
Presented By:
Conrad Agramont, Director of Technology Services, Agile IT
Ion Gott, Partner Technology Strategist, Microsoft
Security: Best-in-class security with over a decade of experience building Enterprise software & online services
• Physical and data security with access control, encryption and strong authentication
• Security best practices like penetration testing, defense-in-depth approach to protect against cyber-threats
• Unique customer controls with Rights Management Services to empower customers to protect information
Compliance: Commitment to industry standards and organizational compliance
• Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin Controls like Data Loss Prevention, Legal Hold, E-Discovery to enable organizational compliance
Privacy: Privacy by design with a commitment to use customers’ information only to deliver services
• No mining of data for advertising
• Transparency with the location of customer data, who has access and under what circumstances
• Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties
Office 365 Built-in Security
Office 365 Customer Controls
Office 365 Independent Verification and Compliance
Office 365 Security
• 24 Hour Monitored Physical Hardware
• Isolated Customer Data
• Secure Network
• Encrypted Data
• Automated operations
• Microsoft security best practices
Customer data isolation
Designed to support logical isolation of data that multiple customers store in same physical hardware.
Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units
Customer A Customer B
Encryption
Data in transit
• Strong SSL/TLS cipher suite
• Perfect Forward Secrecy
• Datacenter-to-datacenter encryption
Data at rest
• BitLocker disk encryption
• Per-file encryption for customer content
Encryption at rest with Per-file Encryption
[Diagram labels: A B C D; Key Store]
Mobile device & application management
Access & information protection
Desktop Virtualization
Hybrid identity
Conditional access to corporate resources
Secure data sharing
Easy management and control
Rights management
Data encryption
Policy enforcement
Azure Active Directory
Share internally
Share externally
Protecting your data at various vectors
User
Devices
Data
Data
Encryption
Data Loss Prevention
Anti Spam & Anti Virus
Rights Management Service
S/MIME
Office 365 Message Encryption
Transport Layer Security
Encryption technologies
Exchange server / Data disk
Exchange server / Data disk
RMS, S/MIME protected
Message Delivery
User
Office 365 Message Encryption
SMTP to partners: TLS protected
Rights Management Service
Data protection at rest
Data protection in motion
Information can be protected with RMS at rest or in motion
RMS can be applied to any file type using RMS app
Identity & Access Management
Federation
Secure Password Synchronization
Multi-factor Authentication
Users
Password hashes
User accounts
User
Authentication
Authentication
Sign-on
AAD Sync
On-premises directory
• SAML token based authentication
• Password Synchronization
• Two-factor authentication
• Client-based access control
Mobile Apps
Multi-factor authentication using any phone
Text Messages
Phone Calls
Push Notification
One-Time-Passcode (OTP) Token
Out-of-Band* Call Text
One-Time Passcode (OTP) by Text
*Out of band refers to being able to use a second factor with no modification to the existing app UX.
Device Management
Device wipe
Selective Wipe
Walled Garden
Devices
Device Management
Microsoft Intune
Mobile Device Management
Built-In / Built-in Microsoft Intune
Conditional Access
Selective Wipe
LoB app
Native E-mail
Browser
LoB
Managing Office Mobile Apps with Intune
LoB
“We’re taking advantage of the legal hold and
eDiscovery features that are built into Microsoft
Office 365 to handle internal issues when necessary.
We used to use a patchwork of best-of-breed
products for archiving and eDiscovery. Now
everything is together in one solution, and we no
longer have to pay for those external products.”
Office 365
AgileAscend is a
Complete Fixed Price
On Identity Management
and Email Migration
Project Team
Assures Your Success
of Your Data
is Our Key Priority
Solution Focused
Expert Protection
Includes
of 100% of
Your Active Mailboxes
Migration
Essentials
Mailbox Migration
& Change Management
Ideal with IT staff
and ample resources
Premium
Client Deployment
& User Support
Ideal with few IT staff or
requiring accelerated migration
• Full Project Management
• Comprehensive Quality Assurance Process
• Server side Data Migration
• Change management and Training for IT Team
• Post-migration Support for IT Team
• OnDemand Training for Smooth User Onboarding
• Installation of Office 365 components (sign-on client, Lync) on client workstations
• Configuration of Outlook & Lync
• End User Support ensuring service access and provide a centralized service desk for issues post-migration
• Complete Client Deployment Progress Reporting
Complete
Migration
Ascend
Week 4
Week 3
Week 2
Week 1
PROJECT TYPICALLY
PRESENTS A
4-6 WEEK TIMELINE
FROM KICK OFF
TO COMPLETION
* The exact time depends on the number of mailboxes, amount of data, available
bandwidth, optimal transfer rate, and other factors.
INTRO
Intro to Team: Project Lead, Support Lead & Project Manager
Data collection
Discovery
Verification of Data collected
Prepare Identity and Security Framework
Configure Hybrid Exchange
Weekend Migration
of mailboxes
(single phase)
OR
Begin Hybrid Exchange Move
This could be several days to weeks
depending on various factors*
PLANNING
PILOT
MIGRATE
3 Change Management
4 IT Admin Training
1 Validate MX & Mailflow
2 Pilot Migration
1
2
3
4
Microsoft Azure
AgileProtect
Let’s discuss your project today! Ask about EOY project pricing!
< TODO >
Contact: Sales@AgileIT.com
Call: 619.292.0800
Click: www.agileit.com
Q/A
www.AgileIT.com

Editor's notes

  1. Office 365 Trust has three main principles, and they are realized in two distinct dimensions: built-in capabilities and customer controls. Built-in Capabilities is what we built into the service that is enabled by default: we have many best practices in design and operations in our data centers to maintain Security, Privacy and Compliance. Customer Controls is what our customers have flexibility to implement in their environments: over and above what we do in the service, where we are differentiated is in giving flexible controls to achieve Security, Privacy and Compliance based on the needs of their organization. We bring in over two decades of experience to build these capabilities. Let’s walk through each one of these important aspects one by one. Security: Microsoft has deep experience in building on-premises or workplace environments. Using that knowledge and added operational best practices like regular penetration testing, we have built a security-hardened service in the cloud. Built-in Capabilities: Physical security with 24-hour monitoring, seismic bracing, and multi-factor authentication for physical access to data centers. Data security with features like encryption, logical isolation of customer data and strong authentication. Operational best practices like prevent breach and assume breach to monitor, anticipate, and mitigate threats to protect your data. Customer Controls: Office 365 provides unique customer controls like Rights Management Services and Group Policy settings that empower you to tune up or tune down security controls based on your need. Privacy: Microsoft is unique among major cloud service providers with over 10 years’ privacy experience and a cloud-specific privacy policy that provides strong commitments to customer data safeguarding and privacy protection. Built-in Capabilities: We contractually commit to not mine your data for advertising purposes.
In fact, we do not use your data for anything other than providing you world-class services. We are transparent with your data about the location where it is stored, who has access to it and when. We make this information accessible to you at http://trust.office365.com. Further, we give you flexibility so that if you decide to leave the service, you get to take your data with you. You can get more information in the Data portability section of the Trust Center: http://trust.office365.com. Customer Controls: Office 365 gives you capabilities to collaborate but also gives you the ability to regulate information sharing. Rights management allows users to encrypt information and apply policies to give explicit permissions to only do what they are allowed to do with that information (like copy, share, print, etc.). When we build features, we consider whether privacy controls need to be enabled at the admin level or at the user level. Example: presence sharing with Lync allows users to let others see their online presence status or block it. Compliance: Microsoft is the experienced industry leader in cloud compliance for enterprise customers. Built-in Capabilities: Office 365 is verified to meet requirements specified in ISO 27001, EU model clauses, HIPAA BAA, and FISMA. What is important and differentiating is how we do it. We enable our customers to meet these compliance requirements through risk management processes refined over decades of experience in Enterprise IT. Our Data Processing Agreement addresses privacy, security and handling of customer data, which helps you comply with local regulations. Customer Capabilities: There are distinct capabilities that Office 365 provides with compliance controls like Data Loss Prevention, Legal Hold and E-Discovery to comply based on the needs of your organization.
  2. Microsoft is an industry leader in cloud security, and implements policies and controls on par with or greater than on-premises data centers of even the most sophisticated organizations. Office 365 Security and Compliance consists of three parts. Built-in Security: Office 365 is a security-hardened service that has security built into the service. Our customers benefit from in-depth security features that we have built as a result of two decades of experience. We have implemented processes and technologies to proactively identify and eliminate security threats before they become risks for customers. A few worth noting are cutting-edge practices like assume breach, war-gaming, the Security Development Lifecycle, etc. 2. Customer Controls: Office 365 offers security controls that allow customers to customize security and compliance settings based on the needs of their organization. Flexibility is a very important tenet of our service, as we would like to make sure our service meets the needs of various different organizations, including highly regulated and security-conscious organizations. We offer features like Rights Management Services, Data Loss Prevention, Legal Hold and E-discovery to ensure our customers can secure their Office 365 instance and comply with regulations that apply to their industry or organization. Independent Verification & Compliance: Office 365 has scalable security and risk management processes that allow compliance with industry standards like ISO 27001, HIPAA, FISMA and FedRAMP. We are heavily invested, with dedicated teams that evaluate the evolving standards and regulations landscape to meet the needs of our customers.
  3. One reason Office 365 is both scalable and low-cost is that it is a multi-tenant service; i.e. data from different customers share the same hardware resources. Office 365 is designed to host multiple tenants in a secure way through data isolation. Data storage and processing for each tenant is segregated through Active Directory® structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos). This safeguards a customer’s data so that it cannot be accessed or compromised by co-tenants. For additional data isolation, a version of Office 365 is available that stores data on dedicated hardware.
  4. Customer data is protected in transit using SSL/TLS encryption. Whether the data is in transit between the users and the Microsoft data centers or between the data centers, it is protected using encryption. Customer data is also protected at rest in the Microsoft data centers. All messaging data like emails and Lync conversations that are stored in Exchange are protected using 128-bit or 256-bit AES encryption. Similar BitLocker encryption is also being implemented in SharePoint. BitLocker protects against scenarios where a rogue person may get physical hold of a disk or a server due to unauthorized physical access to servers/hardware in datacenters, or a disk or server not getting recycled appropriately. Microsoft has other controls to prevent unauthorized physical access to servers/hardware in datacenters and to prevent inappropriate recycling of disks/servers. Beyond BitLocker, there is per-file encryption of content that is stored in SharePoint Online. This is a unique implementation that significantly reduces the attack surface. We will talk about it in detail in the next slide.
  5. With this technology, every file stored in SharePoint Online – including OneDrive for Business folders – is encrypted with its own key, and subsequent updates to the file are each encrypted with their own unique key as well. In the case of large files, the files are split into chunks and each individual chunk has a separate encryption key. Your organization’s files will be distributed across multiple Microsoft Azure storage containers, each with separate credentials, rather than storing them all in a single database. Further, the encryption keys themselves are encrypted. By spreading encrypted files across storage locations and physically separating master encryption keys from both content and the file map, per-file encryption vastly reduces the risk of unauthorized access to the content, making SharePoint Online and OneDrive for Business an extremely secure place to store your data.
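The per-chunk key scheme described in note 5, as an added sketch that is not Microsoft's implementation or code from the presentation. All names, the tiny chunk size, keeping the wrapped key inside the file map, and the HMAC-SHA256 stand-in for AES (used so the block runs on the standard library alone) are assumptions.

```python
import hashlib
import hmac
import secrets

CHUNK = 16  # assumption: tiny chunk size so a short constructed sample splits

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (NOT AES): XOR with an HMAC-SHA256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, data)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def store_file(name, data, master_key, containers, file_map):
    """Every call (first write or update) draws fresh keys for every chunk."""
    entries = []
    for off in range(0, len(data), CHUNK):
        chunk_key = secrets.token_bytes(32)        # unique key per chunk
        cid = secrets.randbelow(len(containers))   # spread over containers
        blob_id = secrets.token_hex(8)
        containers[cid][blob_id] = seal(chunk_key, data[off:off + CHUNK])
        # The chunk key is itself encrypted; only the wrapped form is kept.
        entries.append((cid, blob_id, seal(master_key, chunk_key)))
    file_map[name] = entries

def read_file(name, master_key, containers, file_map):
    """Needs all three pieces: the file map, the containers, the master key."""
    parts = []
    for cid, blob_id, wrapped in file_map[name]:
        chunk_key = unseal(master_key, wrapped)
        parts.append(unseal(chunk_key, containers[cid][blob_id]))
    return b"".join(parts)
```

Holding only a storage container yields unordered ciphertext blobs, and holding only the file map yields wrapped keys that cannot be opened without the separately held master key.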
  6. Slide 32: Right info. Right person. Right device.   We’ve covered off user identity and mobile device and application management. But perhaps the reason that the two previous topics are so important is because it’s users accessing data on their devices that causes risk to the business.   Data getting into the wrong hands can be a costly and embarrassing business. Nobody wants to be Target!   But even less spectacular breaches can damage your business or lead to serious consequences, especially in industries with stringent regulation.   Businesses need to keep their data protected as much as possible – striking a balance between user productivity and data protection. Microsoft’s Access & Information Protection solutions help companies address these challenges.   Let’s start with the ultimate goal: users can work from anywhere on their devices with access to their corporate resources. This can be achieved through native applications for the device platform, web-based applications, and through data sync.   You can enable users to register their devices for single sign-on and access to corporate data with Workplace Join. This allows IT to be able to open up access to applications and data that otherwise would not be available, in return for knowing about the device.   Providing users with access to the resources they need to get their job done means ensuring that users can access corporate applications and data wherever they are on their devices. To further protect data, access can be conditional based on the user’s identity, the device the user is using, and whether the user is inside the corporate network or connecting from an external location. In addition to on-premises resources that need to be accessed, the user is likely to also want to access cloud-based applications and services. 
So to make this a seamless experience for users, they are provided with a common identity when accessing cloud-based resources, which is enabled by IT through Active Directory Federation Services. As part of the decision to make corporate resources available to users on the device of their choice, you may want to require additional levels of verification. An example is requiring the user to register the device that they are using. When a user registers their device, it becomes known and “trusted” to provide device level authentication. Additional security can be provided by IT creating business-driven access policies with multi-factor authentication, based on the content being accessed.   For Microsoft, Empowering Enterprise Mobility means starting with the user, giving them an identity that follows them on premises and in the cloud; enabling them to be as productive as possible across a range of devices; but all the while ensuring that data is protected.  
  7. Most companies also have data stored in other locations: users' desktops and file shares. We can't preserve a file share, but we can search it. Exchange: we support hybrid, which allows you to search across mailboxes that are online and on-prem.
  8. Broadly, we can consider three vectors from the end user/customer perspective where we continue to build solutions to mitigate risk. 1. Identity and Access: how users and admins securely access the service, or the data in the service, for their productivity needs. 2. Devices: how we think about securing the various devices that access the service and the data, considering the realities of BYOD. 3. Data: finally, securing the data itself that the users access, without impacting their ability to be productive.
  9. The third and a very important vector we try to protect is the data itself. Because customers own and control their data, they should have the flexibility to secure it based on their needs.
  10. Rights Management Service: RMS enables secure collaboration through encryption with intelligence (Identity and Policy) for content at rest or in motion to enable protection of data. S/MIME: digital signatures, and message encryption during transit and at rest. The customer synchronizes two attributes (userCertificate and userSMIMECertificate) from on-premises AD to O365; this requires the updated DirSync tool to be deployed and the customer to manage the PKI. It allows two users in the same organization to compose, read, encrypt, decrypt and sign S/MIME email via OWA and Outlook clients. Office 365 Message Encryption: with Office 365 Message Encryption, you can send encrypted emails to anyone. All you need is an Office 365 or Microsoft Account to receive encrypted emails. TLS: opportunistic TLS and forced TLS.
  11. RMS enables secure collaboration through encryption with intelligence (Identity and Policy) for content at rest or in motion to enable protection of data. Lock up personal data stores with BitLocker / BitLocker To Go. Everyday metaphor: the lock on the front door of your home. Good, but once open, everyone gets in. A great way to protect against lost laptops and other assets, but not at a granular level. Rights Management. Everyday metaphor: certified mail that, when closed, requires re-certification before reuse. Protection for data ‘in the wild’ with flexible terms of use, and transport agnostic. Generic file protection using ‘Rights Protected Folders’. SharePoint ‘Secure Libraries’. Everyday metaphor: a well-run public library whose librarian actually asks to see your identity. A great way to host data that can be centralized; data that leaves is protected. Pro-active protection (aka DLP) via Exchange, FOPE, FCI, ISV offers, etc. Everyday metaphor: a persistent yard caretaker for your ‘digital landscape’. Voluntary application of RM will only get you so far; DLP offers at strategic points do wonders! Combined, these offers give you protection of lost assets, data in repositories, data in flight (user protected or not), and IT controlled* auditing of data usage.
  12. Office 365 customers using an on-premises Active Directory and willing to provide a single set of credentials across premises have two distinct options: identity federation, implemented through the deployment of a Directory Synchronization and Secure Token Service infrastructure such as Active Directory Federation Services (AD FS); and password synchronization, implemented through the deployment of the Windows Azure AD Directory Synchronization tool (DirSync). While both solutions allow users to access Office 365 services with the same username and password they use on-premises, they differ significantly in their implementation and in the scenarios they support. The purpose of this article is to provide guidance to assist in the selection of the most suitable directory integration option for your business needs.
  13. Integrated with AD, Azure AD and ADFS. Federation: secure SAML token-based authentication. Password Synchronization: only a one-way hash of the password is synchronized to the cloud, such that the original password cannot be reconstructed from it. Enables additional authentication mechanisms: two-factor authentication, including phone-based 2FA; client-based access control based on devices/locations; and role-based access control.
  14. Office 365 has built-in multi-factor authentication that customers can use whether they are using purely cloud identities or federated identities for their users to access Office 365. Multi-factor authentication is about providing two factors of authentication. The first factor is what you know (username/password) and the second is what you have (access to either a mobile phone or any landline phone) that is configured when multi-factor authentication is enabled. Multi-factor authentication with Office 365 can be used with mobile phones or traditional landlines. Users enabled for multi-factor authentication can authenticate with the multi-factor authentication app for smartphones (Windows Phone, iOS and Android), text messages, or simply a phone call to any phone. Multi-factor authentication is supported for web-based clients and Office rich clients. Further, customers can use other on-premises multi-factor authentication systems like RSA SecurID with ADFS to enable multi-factor authentication as well.
  15. With the consumerization of IT and BYOD, users are increasingly bringing all kinds of mobile devices to corporate environments. While various mobile devices are used for personal needs, IT organizations want to allow users to use these mobile devices (e.g. iOS and Android) for certain productivity needs like email and Office. This presents a challenge in that customers need to manage these devices to ensure their corporate data is safe in case these devices are compromised, lost or stolen. To manage these devices in an Office 365 environment, we cover three broad areas: device wipe, where the entire device can be wiped clean; selective wipe, where data tied to certain managed apps can be wiped clean; and walled garden, where corporate managed apps are walled off from the personal apps so that users cannot copy data from managed apps to their personal app environments.
  16. Built into Office 365 – Early 2015 Advanced capabilities with Microsoft Intune
  17. Device Management for Office Mobile Apps (OneDrive for Business, Office for iPad, Office for Mobile on iPhone and Android Phone, OWA for Devices). Mobile devices are the first and only connected device for a billion people, and there’s no question that workplaces are evolving to become more focused on mobile computing. As businesses adopt a BYOD (Bring Your Own Device) approach to mobile devices, it is critical for them to keep corporate data secure on personal devices. Traditional MDM (mobile device management) solutions used for this purpose have a one-size-fits-all approach with a non-intuitive, highly restricted application that challenges users’ ability to stay productive. By using Intune in combination with Office mobile applications, users will be able to access corporate data and create, view, edit, and share content in a secure way, without sacrificing productivity. IT admins will be able to enforce restrictions that keep corporate data within Office applications and other managed apps. The data will be encrypted and contained within the application on the mobile device, allowing IT admins to remotely wipe the corporate data without having to completely wipe the entire device, which could contain personal data. Key benefits: Secure Collaboration – Office Apps combined with Intune will allow organizations to encrypt and keep data within Office applications and other approved applications. Selectively wipe corporate data – The ability to separate corporate data on personal devices from personal data is vital to a successful BYOD policy. With new Office App management we allow the IT admin to perform a selective device wipe, which erases corporate data without affecting the user’s personal data. Rich Office Experience – Users can access corporate data in a secure way, without being forced to use unfamiliar one-size-fits-all applications provided by 3rd party MDM solutions.
They can enjoy rich Office applications that are familiar to end users, in a managed environment. Timeline: CY14Q4 – Intune will release its next major version, which will provide the back-end “plumbing” for the capabilities described in this slide. CY14Q4 – Office Apps on iOS and Android, along with the OneDrive for Business app, will be updated to support integration with Intune. CY15Q1 – Intune will add “conditional access”, or the ability for IT admins to require users to enroll their devices in Intune in order to gain access to corporate data in Office applications. OWA for iPhone, iPad, and Android phone will be updated to support integration with Intune. Capabilities: first-time access to corporate resources (Exchange, OneDrive for Business) is conditional on the device being managed by Intune; selectively wipe corporate data and apps from devices; manage line of business apps alongside Office Mobile Apps in a “walled garden”; the administrator can manage policy around how data is shared between managed and non-managed apps; give users familiar, full-featured Office applications; maintain document formatting across platforms.
  18. eDiscovery occurs when: a government agency wants to see whether you are following the right regulations and doing business properly; a competitor feels like you violated a patent or copied their work; or you get an audit or request for information. For example, someone who left your organization sues you and requests electronic information to prove what happened and demonstrate in court what occurred. In all of these cases you are legally required to provide this information to the court. This adds up to a lot of money being spent on eDiscovery-related activities within organizations.
  19. In most companies today, eDiscovery is service-centric, meaning the organization’s data is physically transferred to a vendor’s data center where it is indexed and processed. This business process is inefficient, costly and prone to risk. With Office 365 we simplify the eDiscovery process by enabling in-place, intelligent eDiscovery, allowing you to quickly identify relevant documents while decreasing cost and risk. In-Place means you no longer need to ship massive volumes of data out of the organization as part of an outsourced eDiscovery process. With the unified eDiscovery Center, you can search across SharePoint, Skype for Business, OneDrive for Business and Exchange mailboxes. Integration of the Equivio predictive coding and machine learning platform increases relevance by identifying themes, near duplicates and providing new generation clustering. The fully integrated capabilities accelerate the eDiscovery process – so that you can get to the most relevant data much faster and export it for further review. Rather than your data being moved around across different internal and external environments, it remains in Office 365, constantly protected by Microsoft’s stringent cloud security throughout the eDiscovery process, which not only lowers your risk but also saves you time and money.