Office 365 provides access to information from different devices not only from secure office locations, but also from just about any location in the world. Data security, governance and compliance are the biggest concerns. This talk is about the robust security that is built into Office 365: data loss prevention, mobile device management, password and multi-factor authentication, message encryption, EU General Data Protection Regulation (GDPR) and Rights Management Service.

1. Office 365 Security Concerns
Sonja Madsen

2. SONJA MADSEN
SONJASAPPS
2015 Office App Awards
Best International
Developer
Microsoft Most
Valuable Professional
dev@sonjasapps.com
@sonjamadsen
www.sonjasapps.com

3. Office 365
SharePoint
Office
Skype
Azure AD

4. Anywhere, Anytime

5. Data security, governance and compliance

6. Office 365 Security
Physical, Logical, Data, Customer Controlled

7. Physical Security
• Secret location
• Badges
• Smart cards
• Biometric scanners
• Motion sensors
• Security officers
• Video surveillance
• Two-factor authentication

8. Logical Security
• Automated operations
• Customer Lock Box

9. Data Security
• Multi-tenant service
• SSL/TLS
• BitLocker

10. Data Loss Prevention (DLP)
Mobile device management (MDM)
Password and multi-factor authentication
Message encryption and S/MIME
IP filtering
EU General Data Protection Regulation and
Rights
Customer Controlled Security

11. Data Loss Prevention (DLP)
• Sensitive data such as social security or
credit card numbers

12. • Office 365 Compliance
• SAS 70 / SSAE16 Assessments
• ISO 27001
• HIPAA-Business Associate Agreement
• FISMA/FedRAMP Authority to Operate
• PCI DSS Level One
Regulatory standards

13. • Sensitive data in emails
• Data management
• Content search
• Service assurance
Security & Compliance

14. Mobile device management (MDM)
• Windows Phone 8.1
• iOS 7.1 or later versions
• Android 4 or later versions
• Windows 8.1*
• Windows 8.1 RT*

15. MDM
• Require a 4-digit password and
block Bluetooth
• Control mobile access
• Wipe only corporate data

16. Password and multi-factor authentication
• "Hard" passwords
• Expiration
• A phone call, text message, or an
app notification

17. Message encryption and S/MIME
• Send a message with a link to a page
• Authenticate with login and one-time passcode
• Anti-malware/spam controls
• Company-wide blacklists and whitelists
• S/MIME uses certificates to digitally sign and encrypt the email
content
• Sender's email client encrypts message with recipient's public key
• Recipient's private key is used to validate sender's certificate

18. IP Filtering

19. RMS
• Azure RMS for rights management on OneDrive, Exchange Online and
SharePoint Online
• Uses encryption, identity, and authorization policies
• Encryption keys used to enforce RMS policies are stored in the cloud

20. EU General Data Protection Regulation and Rights
• One low for all EU states
• One-stop-shop
• Ensure companies outside of the EU
comply with new rules
• The same rules for all companies

21. GDPR
• Right to be forgotten
• Explicit consent when processing data
• Easier access to one’s own data
• Data protection by design and by default
• Notified in case of data breach
• “Services for data” at risk

22. Denmark
• Stricter laws
• Cross-border data transfers
• Data Protection Officer or DPO

23. How Can You Prepare
• 2018
• Data protection Officer
• Systems and data strategy

24. Metalogix
• ControlPoint
• Sensitive Content Manager

25. Thank You