Cloud - aber sicher (Cloud - but secure)

Transcript of Cloud - aber sicher

Page 1: Cloud - aber sicher

BASEL BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENEVA HAMBURG COPENHAGEN LAUSANNE MUNICH STUTTGART VIENNA ZURICH

Cloud – aber „Sicher“ (Cloud – but "Secure")

Florian van Keulen, Senior Consultant Cloud & Security

Page 2: Cloud - aber sicher

Cloud - Aber "Sicher", Dec 2015

Florian van Keulen, Senior Consultant, BDS

Since 2014 at Trivadis

Security Infrastructure

– Identity & Access Management

– Cloud Infrastructure & Security

– Office 365 & SharePoint

Security Officer

– Information Security Management

Page 3: Cloud - aber sicher

Security Opportunities

Page 4: Cloud - aber sicher

Datacenter & Storage Location

Ireland & Netherlands

– Azure

– Office 365

– Dynamics CRM Online

Finland & Austria NEW

– Office 365

Germany NEW

– Data Trustee Telekom

http://www.microsoft.com/online/legal/v2/?docid=25

Page 5: Cloud - aber sicher

Datacenter & Storage Location

Storage Replication

– Locally Redundant Storage (LRS)

– Zone Redundant Storage (ZRS)

– Geo Redundant Storage (GRS)

– Read Access Geo Redundant Storage (RA-GRS)

Page 6: Cloud - aber sicher

Page 7: Cloud - aber sicher

Identity & Access Management

Page 8: Cloud - aber sicher

Multi Factor Authentication (MFA)

Extra Authentication Factor

– Automated Call / Token (SMS) / Authenticator App

– For Cloud Services

– Also for On-Premise

– Rules can be Applied

– Administrators and Users

Page 9: Cloud - aber sicher

Conditional Access

Page 10: Cloud - aber sicher

Comprehensive Reports & Notifications

• Microsoft Threat Intelligence

• Credentials found in Dark web

• Botnet activity

• Authentication Context Analysis

Page 11: Cloud - aber sicher

Unified Device Management

Page 12: Cloud - aber sicher

Azure RMS

Encrypts and protects Documents and Mails

Access through Authorization by Azure AD

Policies

– Edit

– Copy

– Print

– Retention Time

Also with External Users

Page 13: Cloud - aber sicher

Azure RMS

Uses encryption, identity, and authorization policies to secure Mails and Files

protected both within and outside your organization

protection remains with the data

Encryption:

– 2048-bit RSA asymmetric key with SHA-256 hash algorithm

– AES 128-bit symmetric (CBC mode with PKCS#7 padding)

Page 14: Cloud - aber sicher

Azure RMS

Keys are Stored in Azure Key Vault

– Geo-location specific

– Stored in HSM module

Full Audit and Logging of Key usage

BYOK support available

Page 15: Cloud - aber sicher

Azure RMS – Bring your Own Key (BYOK)

Page 16: Cloud - aber sicher

Enterprise Mobility Suite

Microsoft Azure Active Directory Premium

– Identity Management

– Authentication & Authorization

– MFA

– Conditional Access

Microsoft Intune

– Unified Mobile Device Management

– Access Management

– Apps Deployment

– Selective Wipe

Microsoft Azure Rights Management

– Document Level Security

– Encryption

– Policies

– Secure Access

Page 17: Cloud - aber sicher

Enterprise Mobility Suite

Microsoft Azure Active Directory Premium + Microsoft Intune + Microsoft Azure Rights Management

Page 18: Cloud - aber sicher

Office 365 Security

Data Retention Policies / Legal Hold

Encryption

Data Loss Prevention (DLP)

Exchange Online Advanced Threat Protection

(essential RMS & MDM Features)

Page 19: Cloud - aber sicher

Data Retention Policies / Legal Hold

Page 20: Cloud - aber sicher

Office 365 Encryption

– Azure RMS

– Office 365 Message Encryption

– S/MIME

Page 21: Cloud - aber sicher

Office 365 Message Encryption (OME)

apply encryption on emails that originate from Office 365

inside or outside Office 365

External users can decrypt the received email by either:

– an Office 365 account (from their company)

– a Microsoft account

– a one-time passcode

Azure RMS used for encryption

Page 22: Cloud - aber sicher

S/MIME

standard for

– public key encryption

– digital signing of MIME data

Public / Private Key Infrastructure

Works with Outlook, Outlook Web App, and Exchange ActiveSync clients (mobile)

Page 23: Cloud - aber sicher

Encryption

• AES 256 encryption at Rest and in Motion

• Two types of encryption for Data at Rest:

• Disk encryption (using Bitlocker)

• File encryption: each file is encrypted with its own key

• Data in Motion

• SSL (TLS 1.0 & 1.2)

• New cipher suite order

• Discovered vulnerabilities are taken seriously:

• SSLv3 Support withdrawn

• RC4 cipher support withdrawn

Page 24: Cloud - aber sicher

Encryption of Files in OneDrive & SharePoint

Encrypted Files and File Chunks stored randomly across Encrypted Storage Containers

Keys of the Container & Content DB

Keys of the Files and File Chunks

Keys and content are stored in 3 different locations, so you need authorization in all 3 areas to reveal data

Page 25: Cloud - aber sicher

Data Loss Prevention (DLP)

Prevents Sensitive Data From Leaving Organization

Provides an Alert when data such as Social Security & Credit Card Numbers is emailed

Alerts can be customized by Admin to catch Intellectual Property being emailed out

• Email, OneDrive & Office

• For Based On Policies

• File Content Patterns

• Built-in templates based on common regulations

• Import DLP policy templates from security partners or build your own

Page 26: Cloud - aber sicher

Exchange Online Advanced Threat Protection

• Multiple Anti Malware Engines

• URL Link

• Rich Reporting & Tracing

Page 27: Cloud - aber sicher

Office365 Lock Box

Page 28: Cloud - aber sicher

Does your Datacenter Support these features?

• High Availability & Geo Redundancy of your data

• Full Featured Identity and Access management Cross Premises and with 3rd Party

• MFA and Conditional access

• Enhanced Security Reports and Notifications (Threat Intelligence)

• Unified Device Management

• Rights Management on Document Level wherever stored

• E-Mail & Multi Level File Encryption

• Retention time, Archiving and Legal Hold

• Advanced Threat Protection

And most of it is already included in an Office 365 Subscription!!!