There are many pathways to an Office 365 migration, but completing the migration is only part of the solution. You need to consider security and accessibility in the initial planning stage and ensure they’re fully completed even after your email and data arrive safely in Office 365. While Office 365 offers capabilities for Identity Management, it’s limited in protecting data once it leaves the platform.
Join Steve Goodman, Microsoft MVP, and Ion Gott, Partner Technology Strategist at Microsoft, to learn how data security should be managed during your migration and how to leverage the Microsoft Enterprise Mobility Suite to protect data with Rights Management.
2. How to Plan and Complete a Secure Office 365 Migration
Presented By:
Conrad Agramont, Director of Technology Services, Agile IT
Ion Gott, Partner Technology Strategist, Microsoft
4. Security: Best-in-class security with over a decade of experience building enterprise software and online services
• Physical and data security with access control, encryption and strong authentication
• Security best practices such as penetration testing and a defense-in-depth approach to protect against cyber-threats
• Unique customer controls with Rights Management Services that empower customers to protect information
Compliance: Commitment to industry standards and organizational compliance
• Enable customers to meet global compliance standards such as ISO 27001, EU Model Clauses (EUMC), HIPAA and FISMA
• Contractually commit to privacy, security and handling of customer data through Data Processing Agreements
• Admin controls such as Data Loss Prevention, Legal Hold and eDiscovery to enable organizational compliance
Privacy: Privacy by design with a commitment to use customers’ information only to deliver services
• No mining of data for advertising
• Transparency about the location of customer data, who has access to it and under what circumstances
• Privacy controls to regulate sharing of sites, libraries, folders and communications with external parties
5. Office 365 Security (diagram): Office 365 Built-in Security; Office 365 Customer Controls; Office 365 Independent Verification and Compliance. Built-in elements shown: 24-hour monitored physical hardware, isolated customer data, secure network, encrypted data, automated operations, Microsoft security best practices.
6. Customer data isolation
Designed to support logical isolation of data that multiple customers store on the same physical hardware.
Intended or unintended mingling of data belonging to a different customer/tenant is prevented by design using Active Directory organizational units.
(diagram: Customer A, Customer B)
7. Encryption
Data in transit: strong SSL/TLS cipher suite; Perfect Forward Secrecy; datacenter-to-datacenter encryption
Data at rest: BitLocker disk encryption; per-file encryption for customer content
8. Encryption at rest with Per-file Encryption (diagram: content items A, B, C and D are stored encrypted, with their keys held in a separate Key Store)
10. (diagram) Mobile device & application management; Access & information protection; Desktop Virtualization; Hybrid identity
• Conditional access to corporate resources
• Secure data sharing
• Easy management and control
15. Encryption technologies (diagram): Rights Management Service; S/MIME; Office 365 Message Encryption; Transport Layer Security. Message delivery path shown: User to Exchange server (data disk) to Exchange server (data disk). The message is RMS or S/MIME protected, Office 365 Message Encryption protects delivery to external recipients, and SMTP to partners is TLS protected.
16. Rights Management Service (diagram): data protection at rest; data protection in motion. Information can be protected with RMS at rest or in motion. RMS can be applied to any file type using the RMS app.
20. Mobile Apps: Multi-factor authentication using any phone
• Push Notification
• One-Time-Passcode (OTP) Token
• Out-of-Band* Call
• Out-of-Band* Text
• One-Time Passcode (OTP) by Text
• Text Messages, Phone Calls
*Out of band refers to being able to use a second factor with no modification to the existing app UX.
26. “We’re taking advantage of the legal hold and eDiscovery features that are built into Microsoft Office 365 to handle internal issues when necessary. We used to use a patchwork of best-of-breed products for archiving and eDiscovery. Now everything is together in one solution, and we no longer have to pay for those external products.”
30. Office 365 Migration
AgileAscend is a Complete Fixed Price Solution Focused on Identity Management and Email Migration
Expert Project Team Assures Your Success
Protection of Your Data is Our Key Priority
Includes Migration of 100% of Your Active Mailboxes
31. Complete Migration
Essentials: Mailbox Migration & Change Management. Ideal with IT staff and ample resources.
Premium: Client Deployment & User Support. Ideal with few IT staff or requiring accelerated migration.
Included services:
• Full Project Management
• Comprehensive Quality Assurance Process
• Server side Data Migration
• Change management and Training for IT Team
• Post-migration Support for IT Team
• OnDemand Training for Smooth User Onboarding
• Installation of Office 365 components (sign-on client, Lync) on client workstations
• Configuration of Outlook & Lync
• End User Support ensuring service access and providing a centralized service desk for issues post-migration
• Complete Client Deployment Progress Reporting
32. Ascend: Project Timeline
PROJECT TYPICALLY PRESENTS A 4-6 WEEK TIMELINE FROM KICK OFF TO COMPLETION
* The exact time depends on the number of mailboxes, amount of data, available bandwidth, optimal transfer rate, and other factors.
Week 1, INTRO:
• Intro to Team: Project Lead, Support Lead & Project Manager
• Data collection
Week 2, PLANNING:
• Discovery
• Verification of Data collected
• Prepare Identity and Security Framework
• Configure Hybrid Exchange
Week 3, PILOT:
1. Validate MX & Mailflow
2. Pilot Migration
3. Change Management
4. IT Admin Training
Week 4, MIGRATE:
• Weekend Migration of mailboxes (single phase), OR
• Begin Hybrid Exchange Move; this could be several days to weeks depending on various factors*
Office 365 Trust has three main principles and they are realized in two distinct dimensions – Built-in capabilities and Customer controls
Built-in Capabilities is what we built into the service that is enabled by default:
We have many best practices in design and operations in our data centers to maintain Security, Privacy and Compliance.
Customer Controls is one that our customers have flexibility to implement in their environments:
Over and above what we do in the service, where we are differentiated is with giving flexible controls to achieve Security, Privacy and Compliance based on the needs of their organization. We bring in over two decades of experience to build these capabilities.
Let’s walk through each one of these important aspects one by one.
Security
Microsoft has deep experience in building on-premises and workplace environments. Using that knowledge, plus operational best practices such as regular penetration testing, we have built a security-hardened service in the cloud.
Built-in Capabilities
Physical security with 24 hour monitoring, seismic bracing, multi-factor authentication for physical access to data centers.
Data security with features like encryption, logical isolation of customer data and strong authentication
Operational best practices like prevent breach and assume breach to monitor, anticipate, and mitigate threats to protect your data
Customer Controls
Office 365 provides unique customer controls such as Rights Management Services and Group Policy settings that empower you to tune security controls up or down based on your needs.
Privacy
Microsoft is unique among major cloud service providers, with over 10 years’ privacy experience and a cloud-specific privacy policy that provides strong commitments to customer data safeguarding and privacy protection.
Built-in Capabilities
We contractually commit to not mine your data for advertising purposes. In fact we do not use your data for anything other than providing you world-class services.
We are transparent with your data about the location where it is stored, who has access to it and when. We make this information accessible to you in http://trust.office365.com.
Further we give you flexibility so that if you decide to leave the service, you get to take your data with you – You can get more information in the Data portability section of the Trust Center – http://trust.office365.com.
Customer Controls
Office 365 gives you capabilities to collaborate, but also gives you the ability to regulate information sharing.
Rights Management allows users to encrypt information and apply policies that give explicit permissions, so that recipients can only do what they are allowed to do with that information (such as copy, share or print).
When we build features, we consider if privacy controls need to be enabled at the admin level or at the user level
Examples:
Presence sharing with Lync allows users to let others see their online presence status or block it.
Compliance
Microsoft is the experienced industry leader in cloud compliance for enterprise customers.
Built-in Capabilities
Office 365 is verified to meet requirements specified in ISO 27001, EU model clauses, HIPAA BAA, and FISMA.
What is important and differentiating is how we do it. We enable our customers to meet these compliance requirements through risk management processes refined over decades of experience in Enterprise IT
Our Data Processing Agreement addresses privacy, security and handling of customer data, which helps you comply with local regulations.
Customer Capabilities
There are distinct capabilities that Office 365 provides with compliance controls like Data Loss Prevention, Legal Hold and E-Discovery to comply based on the needs of your organization
Microsoft is an industry leader in cloud security, and implements policies and controls on par or greater than on-premises data centers of even the most sophisticated organizations.
Office 365 Security and Compliance consists of three parts.
1. Built-in Security
Office 365 is a security-hardened service that has security built into the service. Our customers benefit from in-depth security features that we have built as a result of two decades of experience.
We have implemented processes, and technologies to proactively identify and eliminate security threats before they become risks for customers. A few worth noting are cutting edge practices like Assume breach, War-gaming, Security development lifecycle etc.
2. Customer Controls
Office 365 offers security controls that allow customer to customize security and compliance settings based on the needs of their organization. Flexibility is a very important tenet of our service as we would like to make sure our service meets the needs of various different organizations including highly regulated and security conscious organizations.
We offer features like Rights Management Services, Data Loss Prevention, Legal Hold, E-discovery to ensure our customers can secure their Office 365 instance and comply with regulations that apply to their industry or organization.
3. Independent Verification & Compliance
Office 365 has scalable security and Risk Management processes that allow compliance with industry standards like ISO 27001, HIPAA, FISMA and Fedramp.
We are heavily invested by having dedicated teams that evaluate evolving standards and regulations landscape to meet the needs of our customers.
One reason Office 365 is both scalable and low-cost is that it is a multi-tenant service; i.e. data from different customers shares the same hardware resources. Office 365 is designed to host multiple tenants securely through data isolation. Data storage and processing for each tenant is segregated through Active Directory® structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates customers using security boundaries (also known as silos), so that a customer’s data cannot be accessed or compromised by co-tenants. For additional data isolation, a version of Office 365 is available that stores data on dedicated hardware.
Customer data is protected in transit using SSL/TLS encryption. Whether the data is in transit between the users and the Microsoft data centers or between the data centers, it is protected using encryption.
Customer data is also protected at rest in the Microsoft data centers.
All messaging data, such as emails and Lync conversations stored in Exchange, is protected at rest with BitLocker using 128-bit or 256-bit AES encryption.
Similar BitLocker encryption is also being implemented in SharePoint.
BitLocker protects against the scenarios where a rogue person gets physical hold of a disk or a server, due to:
- Unauthorized physical access to servers or hardware in datacenters.
- A disk or server not being recycled appropriately.
Microsoft has other controls that prevent unauthorized physical access to servers and hardware in datacenters, and that prevent inappropriate recycling of disks and servers.
Note that full-disk encryption is an offline protection: it keeps data unreadable on a disk that is removed or decommissioned, but it does nothing against a party who already has code running on the booted server with access to the mounted volume. That gap is what the per-file encryption below is meant to narrow.
Beyond bitlocker, there is per-file encryption of content that is stored in SharePoint Online. This is a unique implementation that significantly reduces the attack surface. We will talk about it in detail in the next slide.
With this technology, every file stored in SharePoint Online – including OneDrive for Business folders – is encrypted with its own key, and subsequent updates to the file are each encrypted with their own unique key as well. In the case of large files, the files are split into chunks and each individual chunk has a separate encryption key.
Your organization’s files will be distributed across multiple Microsoft Azure storage containers, each with separate credentials, rather than storing them all in a single database. Further, the encryption keys themselves are encrypted.
By spreading encrypted files across storage locations and physically separating master encryption keys from both content and the file map, Per-file encryption vastly reduces the risk of unauthorized access to the content making SharePoint Online and OneDrive for Business an extremely secure place to store your data.
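To make the key hierarchy concrete, here is a toy model of the scheme described above. It is an added example, not Microsoft code and not a description of the actual SharePoint Online implementation: content is split into chunks, every chunk gets a fresh key, each chunk key is wrapped by a master key that lives only in a separate key store, and ciphertext is spread across several containers. HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES so the example runs on the Python standard library; the class and function names, the chunk size and the sample document are assumptions of the example.

```python
"""Toy per-chunk envelope encryption with a separate key store.

Constructed example, not Microsoft code. HMAC-SHA256 in counter mode plus an
encrypt-then-MAC tag stands in for AES so this runs on the standard library."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

CHUNK_SIZE = 16   # bytes per chunk; tiny so a short sample document yields several chunks
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys from one chunk key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """Holds the master key only; never sees content or the file map."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def wrap(self, chunk_key: bytes) -> bytes:
        return encrypt(self._master, chunk_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self._master, wrapped)


class TenantStorage:
    """Several content containers plus a file map of (container, blob id, wrapped key)."""

    def __init__(self, keystore: KeyStore, containers: int = 3) -> None:
        self.keystore = keystore
        self.containers: List[Dict[str, bytes]] = [{} for _ in range(containers)]
        self.file_map: Dict[str, List[Tuple[int, str, bytes]]] = {}

    def put(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
        entries = []
        for idx, chunk in enumerate(chunks):
            chunk_key = secrets.token_bytes(32)          # fresh key per chunk, per write
            container = idx % len(self.containers)       # spread chunks across containers
            blob_id = secrets.token_hex(8)
            self.containers[container][blob_id] = encrypt(chunk_key, chunk)
            entries.append((container, blob_id, self.keystore.wrap(chunk_key)))
        self.file_map[name] = entries                    # a rewrite replaces every key

    def get(self, name: str) -> bytes:
        out = bytearray()
        for container, blob_id, wrapped in self.file_map[name]:
            chunk_key = self.keystore.unwrap(wrapped)
            out += decrypt(chunk_key, self.containers[container][blob_id])
        return bytes(out)

    def chunk_keys(self, name: str) -> List[bytes]:
        return [self.keystore.unwrap(w) for _, _, w in self.file_map[name]]


# Constructed sample content.
SAMPLE = b"Constructed sample document: quarterly figures and board minutes."

if __name__ == "__main__":
    store = TenantStorage(KeyStore())
    store.put("minutes.docx", SAMPLE)
    assert store.get("minutes.docx") == SAMPLE
    print("round-trip ok;", len(store.file_map["minutes.docx"]), "chunks")
```

The point of the design is what each party can recover alone: the containers hold only ciphertext, the file map holds only wrapped keys, and the key store never sees content. A different key store cannot unwrap the chunk keys, a modified blob fails its tag check, and re-saving a file issues an entirely new set of chunk keys, matching the point above that updates are encrypted with their own unique keys.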
Slide 32: Right info. Right person. Right device.
We’ve covered off user identity and mobile device and application management. But perhaps the reason that the two previous topics are so important is because it’s users accessing data on their devices that causes risk to the business.
Data getting into the wrong hands can be a costly and embarrassing business. Nobody wants to be Target!
But even less spectacular breaches can damage your business or lead to serious consequences, especially in industries with stringent regulation.
Businesses need to keep their data protected as much as possible – striking a balance between user productivity and data protection.
Microsoft’s Access & Information Protection solutions help companies address these challenges.
Let’s start with the ultimate goal: users can work from anywhere on their devices with access to their corporate resources. This can be achieved through native applications for the device platform, web-based applications, and through data sync.
You can enable users to register their devices for single sign-on and access to corporate data with Workplace Join. This allows IT to be able to open up access to applications and data that otherwise would not be available, in return for knowing about the device.
Providing users with access to the resources they need to get their job done means ensuring that users can access corporate applications and data wherever they are on their devices. To further protect data, access can be conditional based on the user’s identity, the device the user is using, and whether the user is inside the corporate network or connecting from an external location.
In addition to on-premises resources that need to be accessed, the user is likely to also want to access cloud-based applications and services. So to make this a seamless experience for users, they are provided with a common identity when accessing cloud-based resources, which is enabled by IT through Active Directory Federation Services.
As part of the decision to make corporate resources available to users on the device of their choice, you may want to require additional levels of verification.
An example is requiring the user to register the device that they are using. When a user registers their device, it becomes known and “trusted” to provide device level authentication. Additional security can be provided by IT creating business-driven access policies with multi-factor authentication, based on the content being accessed.
For Microsoft, Empowering Enterprise Mobility means starting with the user, giving them an identity that follows them on premises and in the cloud; enabling them to be as productive as possible across a range of devices; but all the while ensuring that data is protected.
Most companies also have data stored in other locations, such as users’ desktops and file shares.
- A file share can’t be preserved (placed on hold), but it can be searched.
- Exchange: hybrid is supported, which allows you to search across mailboxes that are online and on-premises.
Broadly we can consider three vectors from the end user/customer perspective where we continue to build solutions to mitigate risk.
1. Identity and Access:
It is about how users and admins access the service or the data in the service securely for their productivity needs
2. Devices:
How do we think about securing the various devices considering the realities of BYOD that access the service and the data
3. Data:
Finally securing the data itself that the users access without impacting their ability to be productive
The third and a very important vector we try to protect is the data itself.
Because customers own and control their data, they should have the flexibility to secure them based on their needs.
Rights Management Service:
RMS enables secure collaboration: content is encrypted at rest or in motion, and the protection carries intelligence (identity and policy) that governs what each recipient may do with the content.
S/MIME:
Digital signatures
Message encryption during transit and at rest
Requires the customer to synchronize two attributes (userCertificate and userSMIMECertificate) from on-premises AD to Office 365. This needs the updated DirSync tool deployed, and the customer manages the PKI.
Allows two users in the same organization to compose, read, encrypt, decrypt and sign S/MIME email via OWA and Outlook clients.
Office 365 Message Encryption
With Office 365 Message Encryption, you can send encrypted emails to anyone.
All you need to receive encrypted emails is an Office 365 or Microsoft account.
TLS
Opportunistic TLS: STARTTLS is used when the receiving server offers it; if it does not, the message is still delivered in the clear.
Forced TLS: delivery is refused (the message is deferred or bounced) unless a TLS session is established with the partner, optionally also requiring the partner’s certificate to match an expected domain.
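The difference between the two modes is what happens when the partner’s mail server does not offer STARTTLS. The following is an added example, not Microsoft code and not how Exchange Online implements its connectors: a small Python model in which a simulated partner server answers EHLO with canned reply lines and a sender applies either policy. The server names, policy names and certificate names are assumptions of the example; forced mode with a tls_domain argument models the stricter variant that also checks the partner certificate name.

```python
"""Constructed model of an outbound SMTP connector applying an opportunistic
versus forced TLS policy. The partner server is simulated with canned SMTP
reply lines; no network traffic and no real TLS handshake take place."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PartnerServer:
    """Canned EHLO reply and certificate names for a hypothetical partner MX."""
    hostname: str
    offers_starttls: bool
    cert_names: List[str] = field(default_factory=list)   # names on the certificate shown after STARTTLS

    def ehlo(self, client_name: str) -> List[str]:
        lines = [f"250-{self.hostname} Hello {client_name}", "250-SIZE 52428800", "250-8BITMIME"]
        if self.offers_starttls:
            lines.append("250-STARTTLS")
        lines.append("250 HELP")
        return lines


def parse_extensions(reply: List[str]) -> Set[str]:
    """Collect EHLO keywords from a multi-line 250 reply (RFC 5321 format)."""
    exts = set()
    for line in reply[1:]:                    # first line carries the greeting, not a keyword
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def name_matches(cert_name: str, expected: str) -> bool:
    """Exact match, or a single-label wildcard such as *.partner.example."""
    if cert_name.startswith("*."):
        parts = expected.split(".", 1)
        return len(parts) == 2 and parts[1].lower() == cert_name[2:].lower()
    return cert_name.lower() == expected.lower()


@dataclass
class Outcome:
    delivered: bool
    encrypted: bool
    reason: str


def deliver(server: PartnerServer, policy: str, tls_domain: Optional[str] = None) -> Outcome:
    """policy is 'opportunistic' or 'forced'; tls_domain adds certificate-name validation to forced TLS."""
    if policy not in ("opportunistic", "forced"):
        raise ValueError("unknown policy")
    exts = parse_extensions(server.ehlo("mail.contoso.example"))
    if "STARTTLS" not in exts:
        if policy == "opportunistic":
            return Outcome(True, False, "peer did not offer STARTTLS; message sent in the clear")
        return Outcome(False, False, "forced TLS: peer did not offer STARTTLS; message deferred")
    # Here the client would send STARTTLS and complete the handshake.
    if policy == "forced" and tls_domain is not None:
        if not any(name_matches(n, tls_domain) for n in server.cert_names):
            return Outcome(False, False, f"forced TLS: certificate does not match {tls_domain}; message deferred")
    return Outcome(True, True, "message delivered over TLS")


# Constructed partner configurations.
LEGACY_PARTNER = PartnerServer("mail.legacy.example", offers_starttls=False)
MODERN_PARTNER = PartnerServer("mail.partner.example", offers_starttls=True, cert_names=["*.partner.example"])

if __name__ == "__main__":
    for policy in ("opportunistic", "forced"):
        print(policy, "->", deliver(LEGACY_PARTNER, policy).reason)
    print("forced+domain ->", deliver(MODERN_PARTNER, "forced", "mail.partner.example").reason)
```

The failure mode worth noticing is the opportunistic case against the legacy partner: the message is delivered and nothing in the outcome looks like an error, yet it went over the wire unencrypted. For a partner that handles regulated data, forced TLS with certificate-name validation is the setting that turns that silent downgrade into a visible deferral.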
Lock up personal data stores with BitLocker / BitLocker to Go
Everyday Metaphor: Lock on the front door of your home. Good, but once open, everyone gets in.
Great way to protect against lost laptops and other assets but not at a granular level
Rights Management
Everyday Metaphor: Certified mail that, when closed, requires re-certification before reuse.
Protection for data ‘in the wild’ with flexible terms-of-use, and transport agnostic
Generic file protection using ‘Rights Protected Folders’
SharePoint ‘Secure Libraries’
Everyday Metaphor: A well run public Library whose librarian actually asks to see your identity
Great way to host data that can be centralized; data that leaves is protected
Pro-active protection (aka DLP) via Exchange, FOPE, FCI, ISV offers, etc.
Everyday Metaphor: A persistent yard caretaker for your ‘digital landscape’
Voluntary application of RM will only get you so far; DLP enforcement at strategic points does wonders.
Combined, these offers give you protection of lost assets, data in repositories, data in flight (user protected or not), and IT-controlled auditing of data usage.
Office 365 customers using an on-premises Active Directory and willing to provide a single set of credentials across premises have two distinct options:
Identity federation, implemented through the deployment of a Directory Synchronization and Secure Token Service infrastructure such as Active Directory Federation Services (AD FS),
Password Synchronization, implemented through the deployment of the Windows Azure AD Directory Synchronization tool (DirSync).
While both solutions allow users to access Office 365 services with the same username and password they use on-premises, they differ significantly in their implementation and in the scenarios they support.
The purpose of this article is to provide guidance to assist in the selection of the most suitable directory integration option for your business needs.
Integrated with AD, Azure AD and AD FS
• Federation: secure SAML token-based authentication
• Password Synchronization: only a one-way hash of the password is synchronized to the cloud, such that the original password cannot be reconstructed from it.
Enables additional authentication mechanisms:
• Two-Factor Authentication, including phone-based 2FA
• Client-based access control based on devices/locations
• Role-Based Access Control
Office 365 has built-in multi-factor authentication that customers can use whether they are using purely cloud identities or federated identities for their users to access Office 365.
Multi-factor authentication means providing two factors of authentication: the first is something you know (username/password) and the second is something you have (either a mobile phone or any landline phone) that is configured when multi-factor authentication is enabled.
Multi-factor authentication with Office 365 can be used with mobile phones or traditional landlines. Multi-factor authentication enabled users can use multi-factor authentication app for Smart phones (Windows Phone, iOS and Android), text messages or simply a phone call to authenticate to any phone.
Multi-factor authentication is supported for web-based clients or Office rich clients.
Further, customers can use other on-premises multi-factor authentication systems such as RSA SecurID with AD FS to enable multi-factor authentication as well.
With the consumerization of IT and BYOD, users are increasingly bringing all kinds of mobile devices into corporate environments.
While these mobile devices are used for personal needs, IT organizations want to allow users to use them (e.g. iOS and Android devices) for certain productivity needs like email and Office.
This presents a challenge: customers need to manage these devices to ensure their corporate data is safe in case the devices are compromised, lost or stolen.
To manage these devices in an Office 365 environment, we cover three broad areas:
Device wipe, where the entire device can be wiped clean
Selective wipe, where data tied to certain managed apps can be wiped clean
Walled garden, where corporate managed apps are walled off from personal apps so that users cannot copy data from managed apps into their personal app environments
Built into Office 365 – Early 2015
Advanced capabilities with Microsoft Intune
Device Management for Office Mobile Apps (OneDrive for Business, Office for iPad, Office for Mobile on iPhone and Android Phone, OWA for Devices)
Mobile devices are the first and only connected device for a billion people, and there’s no question that workplaces are evolving to become more focused on mobile computing. As businesses adopt a BYOD (Bring Your Own Device) approach to mobile devices, it is critical for them to keep corporate data secure on personal devices. Traditional MDM (mobile device management) solutions used for this purpose have a one-size fits all approach with a non-intuitive, highly restricted application that challenges users’ ability to stay productive.
By using Intune in combination with Office mobile applications, users will be able to access corporate data and create, view, edit, and share content in a secure way, without sacrificing productivity. IT admins will be able to enforce restrictions that keep corporate data within Office applications and other managed apps. The data will be encrypted and contained within the application on the mobile device, allowing IT admins the ability to remote wipe the corporate data and no longer having to completely wipe the entire device that could possibly contain personal data.
Key benefits:
Secure Collaboration – Office Apps combined with Intune will allow organizations to encrypt and keep data within Office applications and other approved applications.
Selectively wipe corporate data – The ability to separate corporate data on personal devices from personal data is vital to a successful BYOD policy. With the new Office App management we allow the IT admin to perform a selective device wipe, which erases corporate data without affecting the user’s personal data.
Rich Office Experience – Users can access corporate data in a secure way, without being forced to use unfamiliar one-size fits all applications provided by 3rd party MDM solutions. They can enjoy rich Office applications that are familiar to end users, in a managed environment.
Timeline
CY14Q4 – Intune will release its next major version, which will provide the back-end “plumbing” for the capabilities described in this slide.
CY14Q4 – Office Apps on iOS and Android, along with the OneDrive for Business app, will be updated to support integration with Intune.
CY15Q1– Intune will add “conditional access”, or the ability for IT admins to require users to enroll their devices in Intune in order to gain access to corporate data in Office applications. OWA for iPhone, iPad, and Android phone will be updated to support integration with Intune.
First-time access to corporate resources (Exchange, OneDrive for Business) is conditional on the device being managed by Intune
Selectively wipe corporate data and apps from devices
Manage line of business apps alongside Office Mobile Apps in a “walled garden”
Administrator can manage policy around how data is shared between managed and non-managed apps
Give users familiar, full-featured Office applications; maintain document formatting across platforms
eDiscovery occurs when:
A government agency wants to see whether you are following the right regulations and doing business properly
Competitor feels like you violated a patent or copied their work
You get an audit or request for information
For example, someone who left your organization sues you and requests electronic information to prove what happened and demonstrate in court what occurred
In all of these cases you are legally required to provide this information to the court
This adds up to a lot of money being spent on eDiscovery related activities within organizations
In most companies today, eDiscovery is service-centric, meaning the organization’s data is physically transferred to vendor’s data center where it is indexed and processed. This business process is inefficient, costly and prone to risk.
With Office 365 we simplify the eDiscovery process by enabling in-place, intelligent eDiscovery, allowing you to quickly identify relevant documents while decreasing cost and risk
In-Place means you no longer need to ship massive volumes of data out of the organization as part of an outsourced eDiscovery process. With the unified eDiscovery Center, you can search across SharePoint, Skype for Business, OneDrive for Business and Exchange mailboxes.
Integration of the Equivio predictive coding and machine learning platform increases relevance by identifying themes, near duplicates and providing new generation clustering.
The fully integrated capabilities accelerate the eDiscovery process – so that you can get to the most relevant data much faster and export it for further review.
Rather than your data being moved around across different internal and external environments, it remains in Office 365, constantly protected by Microsoft’s stringent cloud security throughout the eDiscovery process, which not only lowers your risk but also saves you time and money.