Office 365 Trust has three main principles, and they are realized in two distinct dimensions – built-in capabilities and customer controls.
Built-in capabilities are what we built into the service and enable by default: we follow many best practices in the design and operation of our data centers to maintain Security, Privacy and Compliance.
Customer controls are those our customers have the flexibility to implement in their environments: over and above what we do in the service, what differentiates us is giving customers flexible controls to achieve Security, Privacy and Compliance based on the needs of their organization. We bring over two decades of experience to building these capabilities.
Let’s walk through each one of these important aspects one by one.
Security
Microsoft has deep experience in building on-premises and workplace environments. Using that knowledge, plus added operational best practices like regular penetration testing, we have built a security-hardened service in the cloud.
Built-in Capabilities
Physical security with 24-hour monitoring, seismic bracing, and multi-factor authentication for physical access to data centers.
Data security with features like encryption, logical isolation of customer data and strong authentication.
Operational best practices like "prevent breach" and "assume breach", to monitor, anticipate, and mitigate threats and protect your data.
Customer Controls
Office 365 provides unique customer controls like Rights Management Services and Group Policy settings that empower you to tune security controls up or down based on your needs.
Privacy
Microsoft is unique among major cloud service providers, with over 10 years’ privacy experience and a cloud-specific privacy policy that provides strong commitments to customer data safeguarding and privacy protection.
Built-in Capabilities
We contractually commit to not mine your data for advertising purposes. In fact, we do not use your data for anything other than providing you world-class services.
We are transparent about your data: where it is stored, who has access to it and when. We make this information accessible to you at http://trust.office365.com.
Further, we give you flexibility so that if you decide to leave the service, you get to take your data with you – you can get more information in the Data portability section of the Trust Center – http://trust.office365.com.
Customer Controls
Office 365 gives you capabilities to collaborate but also gives you the ability to regulate information sharing.
Rights management allows users to encrypt information and apply policies that give explicit permissions to do only what they are allowed to do with that information (like copy, share, print etc.).
When we build features, we consider whether privacy controls need to be enabled at the admin level or at the user level.
Examples:
Presence sharing with Lync allows users to let others see their online presence status or block it.
Microsoft Office 365 Compliance Solutions
1. Achieving compliance in the modern workplace with Microsoft 365
David J. Rosenthal
VP & GM, Digital Business and Microsoft Partner Sales Executive
Microsoft Technology Center, New York City
January 21, 2019
2. Top 3 cloud concerns
73% of orgs indicated security as a top challenge holding back SaaS adoption
89% of orgs are required to govern content for compliance or business continuity purposes
63% of orgs state transparency challenges restrict them from growing their cloud usage
3. Assess, Govern, Discover, Control, Audit
200+ updates per day from 750 regulatory bodies
45% say lack of data governance leaves organizations open to security and compliance risks
$9B+ spent annually on eDiscovery investigations
63% of orgs say transparency is holding them back from growing cloud usage
50% YOY growth in data with increasing complexity
4. At Microsoft, we do not take your trust for granted
• We are serious about our commitment to protect customers in a cloud-first world.
• We live by standards and practices designed to earn your confidence.
• We collaborate with industry and regulators to build trust in the cloud ecosystem.
“Businesses and users are going to embrace technology only if they can trust it.”
—Satya Nadella
5. Office 365: Built-in capabilities and customer controls
Best-in-class security with over a decade of experience building enterprise software and online services
Privacy by design with a commitment to use customers’ information only to deliver services
Commitment to meeting industry standards and delivering a rich set of applications which enable organizational compliance
Transparency in our operations so you can monitor the state of your service, track issues, and have a historical view of availability
6. Global, hyper-scale, enterprise-grade infrastructure
Enterprise reliability via 100+ data centers and Microsoft’s global network edge
No standing access to data, transparent operational model, and financially backed 99.9% SLA
Secure by design, operationalized at the physical, logical, and data layers
Compliance leadership with standards including ISO 27001/27018, FedRAMP, FISMA, and EU Model Clauses
7. Commitment to meeting industry standards
Over 1,100 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies.
Trust Microsoft’s verified services. Microsoft is regularly audited, submits self-assessments to independent 3rd party auditors, and holds key certifications.
Key certifications
8. Compliance vision
Productivity first: educate and empower end users to be compliant without affecting productivity
In-place: deliver rich, low cost compliance via built in features
Suite wide: easily apply compliance controls and access reports via a consistent UX across Office 365 workloads
9. Office 365 compliance solutions
Intelligent, in place and comprehensive
Assess: stay up to date with new regulations and your organization’s compliance posture (Compliance Manager)
Govern: govern your data and reduce risk with auto-applied labels and retention policies for sensitive and custom data types (Advanced Data Governance)
Discover: investigate, hold and refine data relevant to legal cases in place with advanced tools to reduce the total volume required for defensible review (Advanced eDiscovery)
Control: control data access via encryption keys and own the lockbox process in order to ensure transparent data handling and operations (Customer Key, Customer Lockbox)
Audit: establish activity alerts and query audit logs directly to maintain visibility into organization activities (Archiving, Management Activity API)
10. Assess
How do you manage an already complex compliance landscape when standards and regulations are constantly changing?
47% of executives were unsure what data compliance standards applied to their organizations
11. Compliance Manager
Manage your compliance from one place
• Real-time risk assessment: an intelligent score shows your compliance posture against evolving regulations
• Actionable insights: recommended actions to improve your data protection capabilities
• Simplified compliance: streamlined workflow and audit-ready reports
13. Govern
How can you govern your data to keep what you need and get rid of everything else?
41% of organizations say that enforcing a data governance policy is their biggest issue
14. Traditional Data Governance Challenges
Many organizations transfer data to a third party hosted archiving service (diagram: Exchange data → outsourced data journaling by a third party), which has challenges:
Point in time data: captures data at a point in time, which misses any edits in place or from transport agents in flight
Increased risks: content may be compromised moving from one environment to another
Increased time: waiting for indexing increases the time required to find relevant data
Increased costs: having a separate copy of the data stored significantly increases costs
No service wide insights: unable to leverage service wide machine learning to draw correlations between the data
15. Office 365 Data Governance
Data stays in-place and does not need to be continually transferred out of Office 365, providing benefits.
Advanced data governance enables organizational compliance by intelligently leveraging machine assisted insights to find, import, classify, set policy and take action on the data most important to you.
Personas of Office 365 Data Governance: IT Administrator, Compliance Officer, Records Manager, Information Worker
Building Blocks of Office 365 Data Governance:
16. Data Governance: Core Capabilities
Retention policies: unified retention and disposition policy for workloads in Office 365
Records management: end user classification in Outlook, SharePoint, OneDrive and Groups; manual review and disposition, reporting and permissions
SEC 17A-4 compliant: SEC 17A-4 whitepaper covering SharePoint, OneDrive, Groups, Skype, Preservation Lock, immutability, Supervisory Review
Import: drive shipping, network upload and 3rd party data ingestion (Facebook, Twitter, Bloomberg) through partners to provide cross platform compliance and governance
Security and Compliance Center: Office 365 experience to bring together all compliance and security experiences
17. Advanced Data Governance in Office 365
Leverage intelligence to automate data retention and deletion
Intelligent Policies: policy recommendations based on machine learning and cloud intelligence
Automatic Classification: classify data based on automatic analysis (age, user, type, sensitive data and user provided fingerprints)
Take Action: apply actions to preserve high value data in-place and purge what’s redundant, trivial or obsolete
18. Automatic Classification
Apply labels to content that matches certain conditions
Sensitive Data: over 80 sensitive built in content types supported, such as credit cards, national identification numbers, passport numbers, etc. (1)
Queries: specific words or phrases, with the ability to refine your query by using search operators such as AND, OR, NOT, etc. (2)
Find Data Quickly: use Content Search in the Security & Compliance Center to find all content that’s classified with a specific label
(1) Sensitive data types are only available for SharePoint and OneDrive
(2) Queries are available across Exchange, SharePoint, OneDrive and Groups
19. Intelligent Policies
Policy recommendations based on machine learning and cloud intelligence
Recommended Policies: the system automatically detects certain data types in documents and recommends retention policies
Included Policies: HIPAA and US Tax recommendations are currently surfaced in the Security and Compliance Center, with additional types coming
20. Take Action
Apply actions to preserve high value data in-place and purge what’s redundant, trivial or obsolete
In-place: data remains in its original location and users can continue to work with their documents or mail, but a copy of the content as it existed when you initiated the policy is preserved
Retention: retain content in sites, mailboxes, and public folders indefinitely or for a specific duration
Deleting Data: a retention policy can both retain and then delete data, or simply delete old data without retaining it
21. Supervision in Advanced Data Governance
Capture employee communications for examination by internal or external reviewers
24. Protecting data in the boundary-less world
Data lifecycle protection: MIP protects sensitive data throughout the lifecycle, within and outside the enterprise
Native: built in within the platform itself
Anywhere: on premises, cloud, devices, mobile, partners, and customers
Lifecycle: control continuously
Unified: unified building blocks
Unified Microsoft Information Protection spans Office (client / mobile, O365 services, productivity), Azure (hybrid policy, conditional access, structured data), Windows (endpoint, file system (EDP), web browser) and third parties.
25. Discover
How can you effectively investigate, manage and reduce the volume of content required for defensible review?
73% of eDiscovery costs are in the review process
26. Beyond litigation: Investigations
Self service case management tools: investigators can create & manage cases, put data on hold, perform searches and export
Wide range of scenarios: regulatory compliance, employment law, HR, financial, internal business requirements
Enable collaboration: between investigators & attorneys overseeing the case
Identify subjects, witnesses, custodians: search for relevant subjects or witnesses or custodians
Identify relevant data: search for data relevant to the investigation across Office 365 and imported data
Secure access: provide access based on role, delegated access and enable security filters to scope access
27. eDiscovery model implemented in Office 365
Identify and preserve data → Search for documents that might be relevant → Rank documents by their relevance → Organize documents & recognize topics → View and tag documents sorted by relevance, similarity
Do all of these activities within a specific case
28. Real time indexing in Office 365
Significant enhancements to increase limits across Exchange Online and SharePoint Online
Index Limit Changes (EXO)
Limit                                                 Old                   New
Maximum depth of attachments                          1                     30
Maximum number of attachments                         10                    250
Maximum attachment size                               32 MB                 150 MB
Maximum annotation tokens (WordBreaker)               130,000               2 million
Maximum body size in index (mail body + attachments)  1 million characters  67 million characters
Maximum unique tokens in body                         10,000                1,000,000
Maximum Excel file size                               4 MB                  4 MB (also numbers)
Index Limit Changes (SPO)
Limit                                                 Old                   New
Maximum attachment size                               32 MB                 150 MB
Maximum Excel file size                               4 MB                  4 MB
30. Actionable Intelligence with Advanced eDiscovery
Intelligently explore and analyze unstructured data to quickly identify what’s relevant
Minimize: use predictive coding to train the system to find likely relevant documents and reduce what’s sent to review
Organize: use near duplicate detection to organize the data and email threading to reconstruct email conversations
Recognize: use Themes to understand the topics represented in the unstructured data set
Search and Tagging: ad-hoc searches, ability to save search queries, and tag search results with case specific labels
32. Office 365 eDiscovery partners
Help to ensure the success, usage and adoption of all O365 Compliance capabilities
http://partners.office.com/modern-productivity/compliance-and-security
33. Control
How can I have insight into when and how Microsoft needs to access my data?
63% of executives say concerns about transparency are holding them back from growing cloud usage
34. Service encryption with Customer Key
Helps meet compliance obligations that require you to provide and manage your own keys used to encrypt Office 365 data at rest
Provides added control over the service’s ability to reason over your data: when the key is revoked, this initiates a path towards data deletion
Built into the service for seamless integration with no disruption to end users and added protections against unintended key loss
Auditable and verified: actions are auditable and controls will be verified in the next upcoming SOC audit
35. Customer Lockbox
Meet Compliance Needs: Customer Lockbox can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization
Extended access control: use Customer Lockbox to control access to customer content for service operations
Visibility into actions: actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center
Diagram: Microsoft engineer submits request → Microsoft manager approves (Microsoft approved) → customer approves (customer approved) → Lockbox system grants the engineer access to customer data
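The two-step authorization in the Lockbox diagram, as an added example (not Microsoft's code): an engineer's request must be approved by a Microsoft manager and then by the customer before access is granted, and every step is written to an audit log. The 12-hour approval window, the class and all names are this example's own assumptions.

```python
"""Added example (not Microsoft's code): minimal model of the Customer Lockbox flow
shown above. An engineer's request needs a Microsoft manager's approval and then the
customer's approval before access is granted, and every step is audit-logged.
The 12-hour window and all names are this example's own assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(hours=12)  # assumed: unapproved requests lapse after this


@dataclass
class AccessRequest:
    engineer: str
    scope: str            # constructed, e.g. "mailbox:alice@contoso.example"
    justification: str
    submitted_at: datetime
    manager_approved: bool = False
    customer_approved: bool = False
    denied: bool = False
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        self._log(self.engineer, "submitted", self.submitted_at)

    def _log(self, actor, action, when):
        self.audit_log.append({"time": when.isoformat(), "actor": actor,
                               "action": action, "scope": self.scope})

    def expired(self, now):
        return now - self.submitted_at > APPROVAL_WINDOW

    def approve_by_manager(self, manager, now):
        ok = not self.denied and not self.expired(now)
        self.manager_approved = self.manager_approved or ok
        self._log(manager, "manager-approved" if ok else "manager-approval-rejected", now)
        return ok

    def approve_by_customer(self, approver, now):
        # The customer only acts on requests that already passed Microsoft-side review.
        ok = self.manager_approved and not self.denied and not self.expired(now)
        self.customer_approved = self.customer_approved or ok
        self._log(approver, "customer-approved" if ok else "customer-approval-rejected", now)
        return ok

    def access_granted(self, now):
        # Access needs both approvals, no denial, and an unexpired window.
        return (self.manager_approved and self.customer_approved
                and not self.denied and not self.expired(now))
```

The audit_log list is what a customer would query through the Management Activity API to reconstruct who approved what and when.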
37. Audit
How can I get alerts and insights into activity in my organization that may increase my risk?
50% YOY growth in organizational data with increasing complexity and variety
40. Activity API
See our Microsoft IT case study for DIY ideas
300+ third party apps
2 TB downloaded each month
Partner logos: AvePoint, 4ward, Sharegate, Sumo Logic, Symantec, Cogmotive, Palerra, JiJi Technologies, Palo Alto Networks, Knowledge Vault, Barracuda, CloudLock, Varonis, HPE ArcSight, Rapid7, Splunk, Netskope, IBM, Skyhigh Networks, Dell
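The "establish activity alerts and query audit logs" idea from the Audit pillar, as an added example (not Microsoft's or any partner's code): two simple alert rules run over audit records in the shape returned by the Management Activity API. The records are constructed for this example; the watchlist of operations and the failed-login threshold are this example's own assumptions.

```python
"""Added example (not Microsoft's code): alert rules over audit records shaped like the
Office 365 Management Activity API's common schema. Records below are constructed;
the watchlist and threshold are this example's own assumptions."""
import json
from collections import defaultdict

# Constructed sample records (field names follow the API's common schema).
SAMPLE_RECORDS = json.loads("""[
{"CreationTime":"2019-01-21T08:01:00","Operation":"UserLoggedIn","UserId":"alice@contoso.example","Workload":"AzureActiveDirectory","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"},
{"CreationTime":"2019-01-21T08:02:00","Operation":"UserLoginFailed","UserId":"bob@contoso.example","Workload":"AzureActiveDirectory","ClientIP":"198.51.100.7","ResultStatus":"Failed"},
{"CreationTime":"2019-01-21T08:02:10","Operation":"UserLoginFailed","UserId":"bob@contoso.example","Workload":"AzureActiveDirectory","ClientIP":"198.51.100.7","ResultStatus":"Failed"},
{"CreationTime":"2019-01-21T08:02:20","Operation":"UserLoginFailed","UserId":"bob@contoso.example","Workload":"AzureActiveDirectory","ClientIP":"198.51.100.7","ResultStatus":"Failed"},
{"CreationTime":"2019-01-21T08:05:00","Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","Workload":"Exchange","ClientIP":"203.0.113.20","ResultStatus":"True","ObjectId":"alice@contoso.example"},
{"CreationTime":"2019-01-21T08:06:00","Operation":"FileDownloaded","UserId":"carol@contoso.example","Workload":"SharePoint","ClientIP":"203.0.113.30","ResultStatus":"Succeeded"}
]""")

# Assumed watchlist: administrative operations that widen access to mailbox data.
RISKY_OPERATIONS = {"Add-MailboxPermission", "New-InboxRule", "Set-InboxRule", "Add member to role."}
FAILED_LOGIN_THRESHOLD = 3   # assumed: alert on the 3rd failure from one user/IP pair


def evaluate_alerts(records):
    """Return (rule, user, detail) tuples for records that match an alert rule."""
    alerts = []
    failed = defaultdict(int)
    for rec in records:
        op = rec.get("Operation", "")
        user = rec.get("UserId", "?")
        if op in RISKY_OPERATIONS:
            alerts.append(("risky-operation", user, f"{op} on {rec.get('ObjectId', 'n/a')}"))
        elif op == "UserLoginFailed":
            key = (user, rec.get("ClientIP", "?"))
            failed[key] += 1
            if failed[key] == FAILED_LOGIN_THRESHOLD:   # fire once per user/IP pair
                alerts.append(("failed-login-burst", user, key[1]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in evaluate_alerts(SAMPLE_RECORDS):
        print(f"ALERT {rule}: {user} ({detail})")
```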
41. Where is my data?
This interactive data map provides the specific geographic locations of our datacenters throughout the world where customer data is stored in Office 365 and Dynamics CRM Online.