BASEL BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENEVA HAMBURG COPENHAGEN LAUSANNE MUNICH STUTTGART VIENNA ZURICH
Cloud – aber „Sicher“ (Cloud – but "Secure")
Florian van Keulen, Senior Consultant Cloud & Security
Cloud - Aber "Sicher", Dec 2015
Florian van Keulen, Senior Consultant, BDS
Since 2014 at Trivadis
Security Infrastructure
– Identity & Access Management
– Cloud Infrastructure & Security
– Office 365 & SharePoint
Security Officer
– Information Security Management
Security Opportunities
Datacenter & Storage Location
Ireland & Netherlands
– Azure
– Office 365
– Dynamics CRM Online
Finland & Austria NEW
– Office 365
Germany NEW
– Data Trustee Telekom
http://www.microsoft.com/online/legal/v2/?docid=25
Datacenter & Storage Location
Storage Replication
– Locally Redundant Storage (LRS)
– Zone Redundant Storage (ZRS)
– Geo Redundant Storage (GRS)
– Read Access Geo Redundant Storage (RA-GRS)
Identity & Access Management
Multi Factor Authentication (MFA)
Extra Authentication Factor
– Automated Call / Token (SMS) / Authenticator App
– For Cloud Services
– Also for On-Premise
– Rules can be Applied
– Administrators and Users
Conditional Access
Comprehensive Reports & Notifications
• Microsoft Threat Intelligence
• Credentials found in Dark web
• Botnet activity
• Authentication Context Analysis
Unified Device Management
Azure RMS
Encrypts and protects Documents and Mails
Access through Authorization by Azure AD
Policies: Edit, Copy, Print, Retention Time
Also with External Users
Azure RMS
Uses encryption, identity, and authorization policies to secure mails and files
protected both within and outside your organization
protection remains with the data
Encryption:
– 2048-bit RSA asymmetric key with SHA-256 hash algorithm
– AES 128-bit symmetric (CBC mode with PKCS#7 padding)
Azure RMS
Keys are Stored in Azure Keyvault
– Geo-location specific
– Stored in HSM module
Full audit and logging of key usage
BYOK support available
Azure RMS – Bring your Own Key (BYOK)
Enterprise Mobility Suite
Identity Management (Microsoft Azure Active Directory Premium)
– Authentication & Authorization
– MFA
– Conditional Access
Unified Mobile Device Management (Microsoft Intune)
– Access Management
– Apps Deployment
– Selective Wipe
Document Level Security (Microsoft Azure Rights Management)
– Encryption
– Policies
– Secure Access
Enterprise Mobility Suite
Microsoft Azure Active Directory Premium + Microsoft Intune + Microsoft Azure Rights Management
Office 365 Security
Data Retention Policies / Legal Hold
Encryption
Data Loss Prevention (DLP)
Exchange Online Advanced Threat Protection
(essential RMS & MDM Features)
Data Retention Policies / Legal Hold
Office 365 Encryption
– Azure RMS
– Office 365 Message Encryption
– S/MIME
Office 365 Message Encryption (OME)
Applies encryption to emails that originate from Office 365
inside or outside Office 365
External users can decrypt the received email by either:
– an Office 365 account (from their company)
– a Microsoft account
– a one-time passcode
Azure RMS used for encryption
S/MIME
Standard for
– public key encryption
– digital signing of MIME data
Public / Private Key Infrastructure
Works with Outlook, Outlook Web App, and Exchange ActiveSync clients (mobile)
Encryption
• AES-256 encryption at rest and in motion
• Two types of encryption for data at rest:
  • Disk encryption (using BitLocker)
  • File encryption: each file is encrypted with its own key
• Data in motion:
  • SSL/TLS (TLS 1.0 & 1.2)
  • New cipher suite order
• Discovered vulnerabilities are taken seriously:
  • SSLv3 support withdrawn
  • RC4 cipher support withdrawn
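The two withdrawals on this slide (SSLv3, RC4) and the explicit cipher suite order are the kind of thing a practitioner wants to verify rather than take on trust. The following is an added example, not code from the slide deck or from Microsoft: it builds a hardened client context with Python's standard ssl module and audits a cipher list against the same policy. The `LEGACY_OFFER` list is a constructed sample, not a scan of any real server, and requiring TLS 1.2 as the floor is a stricter choice than the TLS 1.0 & 1.2 the 2015 slide lists.

```python
"""Added example (not from the slide deck or Microsoft): audit a TLS client
configuration against the measures listed on the slide, namely SSLv3 support
withdrawn, RC4 cipher support withdrawn, and an explicit cipher suite order.
Uses only Python's standard ssl module and runs offline."""
import ssl

# Cipher-name tokens the slide says were withdrawn. Only RC4 is named on the
# slide; the tuple form lets a policy add further tokens later.
WITHDRAWN_CIPHER_TOKENS = ("RC4",)

# Explicit preference order in OpenSSL cipher-list syntax: forward-secret AEAD
# suites first, RC4 and anonymous/NULL suites excluded outright.
PREFERRED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!aNULL:!eNULL"


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3 and everything below TLS 1.2.

    The slide lists TLS 1.0 and 1.2 as enabled; a TLS 1.2 floor is the
    stricter choice a practitioner would make today (assumption, not the slide)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # also rules out SSLv3
    ctx.set_ciphers(PREFERRED_CIPHERS)            # TLS 1.2 suites; TLS 1.3 suites are separate
    return ctx


def withdrawn_suites(offered: list[str]) -> list[str]:
    """Return the names in an offered cipher list that the policy withdraws."""
    return [
        name for name in offered
        if any(tok in name.upper() for tok in WITHDRAWN_CIPHER_TOKENS)
    ]


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context's protocol floor lies above SSLv3."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


def context_offers_withdrawn(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate a withdrawn suite."""
    return bool(withdrawn_suites([c["name"] for c in ctx.get_ciphers()]))


# Constructed sample: a cipher list as a pre-hardening server might have
# offered it (not a real scan result).
LEGACY_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "RC4-SHA",
    "ECDHE-RSA-RC4-SHA",
    "AES256-SHA",
]

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("SSLv3 disabled:", sslv3_disabled(ctx))
    print("withdrawn suites still offered by our context:", context_offers_withdrawn(ctx))
    print("withdrawn suites in legacy offer:", withdrawn_suites(LEGACY_OFFER))
```

`set_ciphers` governs only TLS 1.2 and earlier; TLS 1.3 suites are negotiated separately and none of them is RC4-based, so `context_offers_withdrawn` stays false for the hardened context either way.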
Encryption of Files in OneDrive & SharePoint
Encrypted files and file chunks are stored randomly across encrypted storage containers
– Keys of the container & content DB
– Keys of the files and file chunks
Keys and content are stored in 3 different locations, so you need authorization in all 3 areas to reveal data
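The three-way split described above (encrypted chunks under random names in one place, per-chunk keys in the content database, the container key somewhere else again) is easier to reason about with a small model. What follows is an added example and a model only, not Microsoft's implementation: the stores are plain dictionaries, the cipher is a SHA-256 keystream standing in for AES so the block needs no third-party library, and the sample document is constructed. Its point is the access-control property on the slide: any one store, or any two, yields nothing readable.

```python
"""Added example (a model, not Microsoft's implementation): the three-way
separation the slide describes. Encrypted chunks sit in a blob store under
random names, the per-chunk keys sit in the content database wrapped under a
container key, and the container key sits in a separate key store. Each store
alone yields nothing; all three are needed to read a file."""
import hashlib
import secrets

CHUNK_SIZE = 16  # deliberately small so the sample document splits into several chunks


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Dependency-free stand-in for AES: XOR with a SHA-256 keystream derived
    from key, nonce and a block counter. Symmetric, so the same call decrypts.
    Every (key, nonce) pair is used for exactly one message in this model."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        block = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(block, stream))
    return bytes(out)


def store_file(file_id: str, content: bytes,
               blob_store: dict, content_db: dict, key_store: dict) -> int:
    """Chunk, encrypt and scatter a file across the three stores; return the chunk count."""
    container_key = key_store.setdefault("container-key", secrets.token_bytes(32))
    chunk_map = []
    for offset in range(0, len(content), CHUNK_SIZE):
        chunk = content[offset:offset + CHUNK_SIZE]
        chunk_key = secrets.token_bytes(32)   # one fresh key per chunk
        blob_name = secrets.token_hex(16)     # random name: reveals neither file nor order
        blob_store[blob_name] = keystream_xor(chunk_key, blob_name.encode(), chunk)
        # The chunk key lives in the content DB, wrapped under the container key.
        wrapped = keystream_xor(container_key, blob_name.encode(), chunk_key)
        chunk_map.append((blob_name, wrapped))
    content_db[file_id] = chunk_map
    return len(chunk_map)


def recover(file_id: str, blob_store: dict, content_db: dict, key_store: dict):
    """Reassemble a file; returns None when any of the three stores lacks what is needed."""
    try:
        container_key = key_store["container-key"]
        parts = []
        for blob_name, wrapped in content_db[file_id]:
            chunk_key = keystream_xor(container_key, blob_name.encode(), wrapped)
            parts.append(keystream_xor(chunk_key, blob_name.encode(), blob_store[blob_name]))
    except KeyError:
        return None
    return b"".join(parts)


# Constructed sample document (not real data).
SAMPLE_DOC = b"Quarterly figures: revenue 4.2M, margin 31%"

if __name__ == "__main__":
    blobs, db, keys = {}, {}, {}
    n = store_file("doc-1", SAMPLE_DOC, blobs, db, keys)
    print(f"{n} encrypted chunks in blob store; plaintext visible there:",
          any(b"revenue" in c for c in blobs.values()))
    print("all three stores:", recover("doc-1", blobs, db, keys) == SAMPLE_DOC)
    print("blob store + content DB only:", recover("doc-1", blobs, db, {}))
```

The wrapped chunk keys are what make the content database safe to hold the chunk map: without the container key from the third store, the map tells an attacker which blobs belong together but not how to read them.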
Data Loss Prevention (DLP)
Prevents Sensitive Data From Leaving Organization
Provides an alert when data such as Social Security & Credit Card Numbers are emailed
Alerts can be customized by Admin to prevent Intellectual Property from being emailed out
• Email, OneDrive & Office
• Based on Policies
• File Content Patterns
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own
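A DLP policy as described here is content patterns plus an action. The following is an added example, not Office 365 code or one of its templates: a minimal policy engine that matches card-number and SSN patterns, validates card candidates with the Luhn checksum so that arbitrary 16-digit references do not trigger it, and maps each finding type to a policy action. The message text and the policy table are constructed; the card number is the widely used Visa test number, not a live card.

```python
"""Added example (not from the slide deck or Office 365): a minimal content
pattern policy of the kind the slide describes, with a validity check to cut
false positives. Card candidates must pass the Luhn checksum; SSN candidates
must match the issued-range format. Actions per finding type are policy-defined."""
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed policy table: the strongest action among all findings wins.
POLICY = {"credit_card": "block", "ssn": "notify"}
ACTION_RANK = {"allow": 0, "notify": 1, "block": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum as used by payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                   # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (finding_type, matched_text) for every validated finding."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):             # drops look-alike numbers such as order references
            findings.append(("credit_card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def decide(text: str) -> str:
    """Apply POLICY to a message; returns 'allow', 'notify' or 'block'."""
    actions = [POLICY[kind] for kind, _ in find_sensitive(text)]
    return max(actions, key=ACTION_RANK.__getitem__, default="allow")


# Constructed sample message. 4111 1111 1111 1111 is the well-known Visa test
# number; the 1234... sequence is a reference that fails Luhn on purpose.
SAMPLE_MAIL = (
    "Hi, please charge card 4111 1111 1111 1111 for the order.\n"
    "My SSN is 123-45-6789 if you need it for the form.\n"
    "Reference: order 1234 5678 9012 3456 is not a card number.\n"
)

if __name__ == "__main__":
    for kind, match in find_sensitive(SAMPLE_MAIL):
        print(f"{kind}: {match}")
    print("policy decision:", decide(SAMPLE_MAIL))
```

In production the patterns would be the policy templates the slide mentions and the actions would feed the alerting the slide describes; the Luhn step is what keeps a pattern-only rule from paging an admin for every 16-digit order number.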
Exchange Online Advanced Threat Protection
• Multiple Anti Malware Engines
• URL Link
• Rich Reporting & Tracing
Office 365 Lockbox
Does your Datacenter Support these features?
• High Availability & Geo Redundancy of your data
• Full Featured Identity and Access management Cross Premises and with 3rd Party
• MFA and Conditional access
• Enhanced Security Reports and Notifications (Threat Intelligence)
• Unified Device Management
• Rights Management on Document Level wherever stored
• E-Mail & Multi Level File Encryption
• Retention time, Archiving and Legal Hold
• Advanced Threat Protection
And most of it is already included in an Office 365 subscription!