Presented by Jethro Seghers.

2. Jethro Seghers
@jseghers – http://www.j-solutions.be/blog

3. J-Solutions.be
 Located in Belgium
 Provides IT Business Consultancy - Evangelism
 SharePoint 2010/2013 and Online
 Cloud Services – Office 365, Windows Intune & Azure
 IT as a service – MOF and ITIL v3
@jseghers – http://www.j-solutions.be/blog

4. Agenda
 Terminology
 Infrastructure settings
 Exchange Online
 Lync Online
 SharePoint Online
 Sources of Information
@jseghers – http://www.j-solutions.be/blog

5. Data Security

6. The protection of data from
unauthorized (accidental or intentional)
modification, destruction, or disclosure

7. Data Compliance

8. Compliance is either a state of being in
accordance with established
guidelines, specifications, or legislation
or the process of becoming so

9. BRINGING TOGETHER CLOUD VERSIONS OF OUR MOST TRUSTED COMMUNICATIONS
AND COLLABORATION PRODUCTS WITH THE LATEST VERSION OF OUR DESKTOP SUITE
FOR BUSINESSES OF ALL SIZES.

10. Infrastructure

11. Overview
 Microsoft Datacenters & their locations
 DataFlow
 Privacy
 Encryption
 Identity Protection
 Password Policies
@jseghers – http://www.j-solutions.be/blog

12. Microsoft Datacenters .
 Physical Security
 Secure physical access for authorized personnel only
 State of the Art datacenters
 Hosted Applications Security
 Anti SPAM
 Encryption Mail
 Security Development Lifecycle
 Potential threats while running a service
 Exposed aspects of the service that are open to attack
@jseghers – http://www.j-solutions.be/blog

13. Microsoft Datacenters ..
 Secured Office 365 Services Infrastructure
 Server Monitoring via System Center
 Secure Remote Access via RDS
 Intrusion Detection
 Network-level Security Measures
 Customer Access via SSL
 Uptime 99,9 %
 Identity & Access Management
 Access control follows the separation of duties principle and
granting least privilege.
@jseghers – http://www.j-solutions.be/blog

14. Where is our data stored: Example: EMEA
 A primary data center is where the application software
and the customer data running on the application
software are hosted.
 A backup data center is used for failover purposes
 Data center Dublin: Primary for F.O.P.E.
 Data center The Netherlands: SharePoint Online
 Dublin + The Netherlands: interchangeably Exchange
Online + Lync Online
@jseghers – http://www.j-solutions.be/blog

15. What is stored in the US: EMEA
 Customer Information
 Microsoft Online Portal
 Routing Lync Online Communications
 Office 365 Authentication
 Additionally, Microsoft abides by the Safe Harbor
Framework for transfer of data between the European
Union and the United States.
@jseghers – http://www.j-solutions.be/blog

16. Privacy .
Microsoft Online Usage Data Account and Customer Data Core
Services Customer Address Book (excluding Core Customer Data
Data Data Customer Data)
Operating and Yes Yes Yes Yes
Troubleshooting the
Service
Security, Spam and Yes Yes Yes Yes
Malware Prevention
Improving the Yes Yes Yes No
Purchased Service,
Analytics
Personalization, No Yes No No
User Profile
Promotions
Communications No Yes No No
(Tips, Advice,
Surveys,
Promotions) – http://www.j-solutions.be/blog
@jseghers

17. Privacy ..
Microsoft Online Usage Data Account and Customer Data Core
Services Customer Address Book (excluding Core Customer Data
Data Data Customer Data)
Voluntary No No No No
Disclosure to Law
Enforcement
Advertising No No No No
@jseghers – http://www.j-solutions.be/blog

18. Encryption
 HTTPS Communication with portal.microsoftonline.com
 HTTPS Communication between clients and Exchange
Online for all protocols
 PGP: Transportation and storage of Exchange Online
Messages
 Lync Online: Instant Messaging, IM Federation
 SharePoint Online: HTTPS Connection (only for
Enterprise & Academic)
@jseghers – http://www.j-solutions.be/blog

19. Identity Protection
 Identity stored in Microsoft Online
 Identity federation via SSO
 Granular Licenses
 Different Administrator Roles
@jseghers – http://www.j-solutions.be/blog

20. Identity options comparison
1. MS Online IDs 2. Federated IDs + Dir Sync
• Authentication is done by Microsoft • Authentication is done by Corporate Infrastructure
• Larger enterprise organizations with AD on-premise
Pros
• Bound to the SLA of 99,9% of MSFT. Pros
• Users and groups mastered on-premise • SSO with corporate cred
• Users and groups mastered on-premise
Cons • Password policy controlled on-premise
• 2 sets of credentials that need to be • Enables co-existence scenarios
maintained
• Different Password policies Cons
• High availability server deployments required

21. Password Policy
 Password Restriction: 8 characters minimum and 16
characters maximum
 Values allowed:
 A-Z
 a-z
 0-9
 !@#$%^&*-_+=[]{}|:‘,.?/`~“<>();
 No UNICODE
 Cannot contain the username alias (part before @ symbol)
 Password expiry duration:
 This is set to 90 days and is not configurable
@jseghers – http://www.j-solutions.be/blog

22. Password Policy
 Password expiry:
 Can be enabled/disable via powershell at user level
 Password strength
 Strong passwords require 3 out of 4 of the following:
 Lowercase characters
 Uppercase characters
 Numbers (0-9)
 Symbols (see password restrictions above)
 Password history
 Last password cannot be used again
@jseghers – http://www.j-solutions.be/blog

23. Password Policy
 Account Lockout
 After 10 unsuccessful logon attempts (wrong password), the user will
need to solve a CAPTCHA dialog as part of logon.
@jseghers – http://www.j-solutions.be/blog

24. Is this
Independently
Verified?

25. MS Online Certification and Compliance Finder
 Certified for ISO 27001
 EU Safe Harbor
 HIPAA-Business Associate Agreement
 Data Processing Agreement
 FISMA
@jseghers – http://www.j-solutions.be/blog

26. Exchange Online

27. Exchange Online .
 Archiving
 Moderation Security/Distribution Groups
 Item Level Recovery
 Transport Rules
 Retention Policies – Managed Folder Assistent
 Deleted Mailbox Recovery
@jseghers – http://www.j-solutions.be/blog

28. Exchange Online ..
 Journaling
 F.O.P.E in Current Version, Built-In in EXO Wave 15
 Auditing
 Retention Hold
 Litigation Hold
 Mobile Device
@jseghers – http://www.j-solutions.be/blog

29. DEMO

30. Lync Online

31. Lync Online
 Privacy Settings
 External Communications
 User Defined Settings
 Sending files via IM
 Make audio and video calls
 Record Call and conferences
 Federation with Lync users in other organizations
 Federation with Users of public IM service providers
 Dial-in Conferencing
@jseghers – http://www.j-solutions.be/blog

32. DEMO

33. SharePoint Online

34. SharePoint Online .
 Information Management Policy – Records
 Use Of Term Store & Required Fields – Content Types
 Drop Off Library
 Audit
 Blocked File Types
 Security
 Versioning
 Recycle Bin
 Backup: 14 days
@jseghers – http://www.j-solutions.be/blog

35. DEMO

36. Sources Of Information
 Office 365 Trust Center : http://www.microsoft.com/en-
us/office365/trust-center.aspx
 Service Description
 Office 365 Password Policy
 Security White Paper
 Data Boundaries
@jseghers – http://www.j-solutions.be/blog

37. Questions