Monday, February 5, 2018

Office 365 Security and Compliance



This blog post covers the basics of Office 365 security and governance, and I will follow up with more posts on each feature. Feel free to stop by the Microsoft security & compliance online resource, but you will very soon realize that it is just overwhelming, since there is so much to it. The options below will help you secure your Office 365 platform and give you a quick score on your security. Below is a screenshot of a widget that is available in the SCC (Security & Compliance Center).


Moving to the cloud shouldn’t mean losing access to knowing what’s going on. With Office 365, it doesn’t. Microsoft aims to be transparent in operations so you can monitor the state of your service, track issues, and have a historical view of availability.

If you are responsible for the security of your Office 365 services & data, you will come across the SCC. This area is mostly for Office 365 admins to secure Office 365 data & services to meet organizational compliance requirements.




1. Following are the categories to secure your Office 365 services & data:
§  Alerts
§  Permissions
§  Classifications
§  Data Loss Prevention
§  Data Governance
§  Threat Management
§  Search & Investigation
§  Reports
§  Service Assurance

Security & Compliance Center availability for different Office 365 plans

Security & Compliance Center availability for Business and Enterprise plans

| Feature | Office 365 Business Essentials | Office 365 Business | Office 365 Business Premium | Office 365 Enterprise E1 / Office 365 US Government G1 | Office 365 Enterprise E3 / Office 365 US Government G3 | Office 365 Enterprise E5 | Office 365 Enterprise F1 / Office 365 US Government F1 |
|---|---|---|---|---|---|---|---|
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| | No | No | No | No | No | Yes | No |
| Threat management such as mail filtering and anti-malware | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced threat management such as customer lockbox and threat explorer for phishing campaigns⁶ | No | No | No | No | No | Yes | No |
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Data loss prevention | No | No | No | No | Yes | Yes | No |
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| | No | No | No | No | No | Yes | No |
| Search and investigation | Yes | No | Yes | Yes | Yes | Yes | Yes |
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| | No | No | No | No | Yes | Yes | No |
| | No | No | No | No | No | Yes | No |
| Litigation Holds (including query-based Litigation Holds) | No | No | No | No | Yes | Yes | No |
| | No | No | No | Yes³ | Yes⁴ | Yes⁴ | No |
| Manual retention/deletion policies | No | No | No | No | Yes | Yes | No |

Security & Compliance Center availability for Standalone plans

| Feature | Exchange Online Plan 1 | Exchange Online Plan 2 | Exchange Online Kiosk | SharePoint Online Plan 1 | SharePoint Online Plan 2 | Skype for Business Online Plan 1 | Skype for Business Online Plan 2 |
|---|---|---|---|---|---|---|---|
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| | No | Yes | No | No | Yes | No | Yes |
| Threat management such as mail filtering and anti-malware | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced threat management such as customer lockbox and threat explorer for phishing campaigns | No | No | No | No | No | No | No |
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Data loss prevention | No | Yes | No | No | Yes | No | Yes |
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| | No | No | No | No | No | No | No |
| Search and investigation | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| | Yes | Yes | Yes | Yes | Yes | No | No |
| | No | Yes | No | No | Yes | No | No |
| | No | No | No | No | No | No | No |
| Litigation Holds (including query-based Litigation Holds) | No | Yes | No | No | Yes | No | No |
| | Yes | Yes | No | Yes | Yes | No | No |
| Manual retention/deletion policies | No | Yes | No | No | Yes | No | Yes |

1.1 Alerts


Alerts is where a security admin can configure and manage security alerts and alert policies. It has the following options:
§  Manage Alerts
§  View Security Alerts
§  Manage Advanced Alerts

Security alerts can also be configured to send out an email notification.
Alerting with Advanced Security Management also needs to be switched on.
Advanced Security Management includes:
§  Threat detection—Helps you identify high-risk and abnormal usage, and security incidents.
§  Enhanced control—Shapes your Office 365 environment leveraging granular controls and security policies.
§  Discovery and insights—Get enhanced visibility into your Office 365 usage and shadow IT without installing an endpoint agent.

1.2 Permissions




Assign permissions to people in your organization so they can perform tasks in the Security & Compliance Center. Although you can use this page to assign permissions for most features in here, you'll need to use the Exchange admin center and SharePoint to set permissions for others.

Permissions in the Security & Compliance Center are based on the same Role Based Access Control (RBAC) permissions model that is used in Exchange Online. To access the Security & Compliance Center, users need to be a member of one or more Compliance Center role groups that are listed on the Permissions page.




Below is a list of Security & Compliance Center role groups:




1.3 Classification


This is where data can be classified with labels. You can classify data across your organization for governance and enforce retention rules based on that classification.
For example, you might have:
§  Tax forms that need to be retained for a minimum period.
§  Press materials that need to be permanently deleted when they reach a certain age.
§  Competitive research that needs to be both retained and then permanently deleted.
§  Work visas that must be marked as a record so that they can’t be edited or deleted.

With labels, you can:
§  Enable people in your organization to apply a label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best what type of content they’re working with, so they can classify it and have the appropriate policy applied.
§  Apply labels to content automatically if it matches specific conditions, such as when the content contains:
o   Specific types of sensitive information. This is available for content in SharePoint and OneDrive.
o   Specific keywords that match a query you create. This is available for content in Exchange, SharePoint, OneDrive, and Office 365 groups.

The ability to apply labels to content automatically is important because:
§  You don’t need to train your users on all your classifications.
§  You don’t need to rely on users to classify all content correctly.
§  Users no longer need to know about data governance policies – they can instead focus on their work.

Note that auto-apply labels require an Office 365 Enterprise E5 subscription.

With labels, you can also:
§  Apply a default label to a document library in SharePoint and Office 365 group sites, so that all documents in that library get the default label.
§  Implement records management across Office 365, including both email and documents. You can use a label to classify content as a record. When this happens, the label can’t be changed or removed, and the content can’t be edited or deleted.

You create and manage labels on the Labels page in the Office 365 Security & Compliance Center.

1.4 Data Loss Prevention

Organizations need to protect sensitive information, prevent its disclosure, and comply with several standards and industry regulations.

Examples of sensitive information might be personally identifiable information (PII) like a medical record, social security information, etc. DLP (data loss prevention) can be used to identify, monitor and protect sensitive information across the Office 365 platform.

Below is a list of things that DLP can do, according to the Microsoft article:

§  Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business.
§  Prevent the accidental sharing of sensitive information.
§  Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.
§  Help users learn how to stay compliant without interrupting their workflow.
§  View DLP reports showing content that matches your organization’s DLP policies.



1.5 Data Governance 


Data governance is all about keeping your data around when you need it and getting rid of it when you don't. With data governance in Office 365, you can manage the full content lifecycle, from importing and storing data at the beginning, to creating policies that retain and then permanently delete content at the end.

You can import email from other systems, enable archive mailboxes, or set policies for retaining email and other content within your organization:
§  Import - Import PST files to Exchange mailboxes. You can then use the Intelligent Import feature to filter the items in PST files that get imported to the target mailboxes.
§  Archive - Archive mailboxes to provide additional email storage for the people in your organization. Enable or disable a user's archive mailbox.
§  Retention - Create a policy to retain what you want and get rid of what you don't. While your organization may be required to retain content for a period of time because of compliance, legal, or other business requirements, keeping content longer than required might create unnecessary legal risk.
§  Supervision - Supervision lets you define policies that capture email and 3rd-party communications in your organization so they can be examined by internal or external reviewers. Reviewers can then classify these communications, make sure they're compliant with your organization's policies, and escalate questionable material if necessary.  

1.6 Threat Management 


Threat management is used to:
§  help control and manage mobile device access to your organization's data
§  help protect your organization from data loss
§  help protect inbound and outbound messages from malicious software and spam
§  help protect your domain's reputation and determine whether senders are maliciously spoofing accounts from your domain

Options for creating threat management policies:

1.7 Search & Investigation 


This feature can be used to search through ALL the content of your organization. Everybody's email, documents, Skype conversation history, everything really.
A few things that can be done here are:

§  Content Search
This is the neatly ordered and automated version of the admin power-trip. You can search through ALL the content of your organization. Everybody's email, documents, Skype conversation history, everything really.

§  Audit Log Search
You can view ALL actions in your Office 365 organization. Who accessed what, who shared what, which admin deleted that group? Every action taken within Office 365 is searchable, with a bunch of predefined result filters.

§  eDiscovery
eDiscovery is the tool you use when you need to prove something. It does not just do the whole 'search all the contents!!!' thing; it logs the actual search criteria so an investigator (read: non-IT admin, for instance, someone from the legal department) can not only produce the requested data, but also show how they acquired it. It also lets you delegate the searching for this data to a specific group of users (so legal can do it themselves without granting them uber-admin rights) AND you can save the query so they can run it whenever they like (so no more 'hey all that boring search-work you did for us last Friday, can you do that again, every Friday for the next 12 months or so?').

§  Productivity app discovery

1.8 Reports

There is a whole bunch of reports here that can help you understand how your organization is using Office 365, including reports related to auditing, device management, supervisory review, and data loss prevention. View user activity reports such as sign-ins for SharePoint Online, Exchange Online, and Azure Active Directory.


1.9 Service Assurance

Service assurance is used to access details of how Microsoft keeps Office 365 customers safe and meets industry compliance requirements. Some of the documents you can see here are:
§  Microsoft security practices for customer data that is stored in Office 365.
§  Independent third-party audit reports of Office 365.
§  Implementation and testing details for security, privacy, and compliance controls that Office 365 uses to protect your data.

You can also find out how Office 365 can help customers comply with standards, laws, and regulations across industries, such as the:
§  International Organization for Standardization (ISO) 27001 and 27018
§  Health Insurance Portability and Accountability Act of 1996 (HIPAA)
§  Federal Risk and Authorization Management Program (FedRAMP)