Addressing Cloud Computing Security Considerations with Microsoft Office 365
Contents
Introduction 2
Key Security Considerations 3
Office 365 Service Stack 4
ISO Certifications for the Microsoft Online Services Stack 5
Compliance and Risk Management 6
Identity and Access Management 8
Service Integrity 9
Endpoint Integrity 12
Information Protection 13
Related Reading 14
Introduction

This document is based on a supplemental paper, Cloud Computing Security Considerations¹, which focuses on a high-level discussion of the fundamental challenges and benefits of cloud computing security. The original paper includes questions cloud service providers and organizations using cloud services should consider as they evaluate a new move or expansion of existing services to the cloud. This document presumes the reader is familiar with the Cloud Computing Security Considerations paper, which offers high-level insight into how these considerations can be addressed using Office 365, a public cloud service. Office 365 combines the familiar Office desktop suite with cloud-based versions of next-generation communications and collaboration services, including Microsoft Office Professional, Microsoft® Exchange Online, Microsoft® SharePoint® Online, and Microsoft® Lync™ Online. Cloud service providers and organizations using cloud services should consider these two primary areas regarding security and compliance:

- Geolocation—Due to the nature of the public cloud, a customer’s data may be distributed in various geographies around the globe.
- Multi-Tenancy—Space on a server/infrastructure is shared among tenants.

¹ The Cloud Computing Security Considerations paper can be found here: http://go.microsoft.com/?linkid=9708479
CLOUD COMPUTING SECURITY CONSIDERATIONS: MICROSOFT OFFICE 365 | JULY 2011
Key Security Considerations

Here is a short summary of the considerations raised in the original paper mentioned on the previous page. As with any other technological shift or change, security benefits and risks must be addressed in order to realize the full benefits of cloud computing. Considerations such as compliance and risk management, identity and access management, service integrity, endpoint integrity, and information protection should all be explored when evaluating, implementing, managing, and maintaining cloud computing solutions. These apply to the cloud provider as well as the cloud customer; both should carefully consider and evaluate these points:

- Compliance and Risk Management—Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management. While some of the responsibility for execution may be transferred to the cloud provider, it is important to understand the overall compliance picture, as well as the roles and responsibilities within the provider organization.
- Identity and Access Management—Identities may come from different providers; providers must be able to federate from on-premises to the cloud and help enable collaboration across organization and country borders.
- Service Integrity—Cloud-based services should be engineered and operated with security in mind; operational processes should be integrated into the organization’s security management.
- Endpoint Integrity—As cloud-based services originate—and are then consumed—on-premises, the security, compliance, and integrity of the endpoint must be part of any security consideration.
- Information Protection—Cloud services require reliable processes for protecting information before, during, and after the transaction.

What will you learn from this paper?
This paper discusses how to address cloud security considerations in an Office 365 environment. It also shows how to strike the appropriate balance between customer and Microsoft responsibilities. When not further specified, the information herein applies to both the Microsoft® Global Foundation Services (www.globalfoundationservices.com) and Microsoft® Online Services (www.microsoft.com/online.com).

Responsibilities for the different considerations shift depending on the cloud service type consumed: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). Careful definition of the control ownership is imperative in such environments.
Office 365 Service Stack

Office 365 is a Software-as-a-Service offering from Microsoft. In this scenario, Microsoft provides consumers the capability to use the Office 365 applications (Microsoft® Office Professional desktop suite of applications, Microsoft Exchange, Microsoft SharePoint, and Microsoft Lync) running on a cloud infrastructure and accessible from various client devices. Consumers do not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or the individual application capabilities apart from certain configuration capabilities.

The illustration below is based on the National Institute of Standards and Technology’s (NIST) definition of the different cloud models.

When evaluating the control environment in a Software-as-a-Service model, it is important to consider the whole technology stack of the provider since different teams/services may be involved in providing the infrastructure and application service elements.
ISO Certifications for the Microsoft Online Services Stack

When evaluating Microsoft Online Services, it is helpful to understand that both Microsoft Online Services and Microsoft Global Foundation Services are International Standards Organization (ISO) 27001–based and –certified frameworks. Why is the ISO 27001 certification important? While Microsoft may not be able to provide customers with our detailed internal policies and procedures for security purposes, customers can review and evaluate the standards and implementation guidance in which we are certified to ensure we meet or exceed industry best practices. ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS).
Compliance and Risk Management

Risk Management
Microsoft: Good risk management practices are essential for any cloud provider. Microsoft applies its own documented risk management process:
- Identify threats and vulnerabilities to the environment.
- Calculate risk.
- Report risks across the Microsoft cloud environment.
- Address risks based on an impact assessment and a business case.
- Test remediation effectiveness and residual risk.
- Manage risks on an ongoing basis.
Customer: Customers are responsible for making sure they have an overall enterprise risk management process in place and that cloud risks are included in the overall company risk.

Risk Management Methodology
Microsoft: Microsoft Online Services are built to adhere to Microsoft Online Services Privacy Standards² and based on an ISO 27001 framework to continually assess and improve our services offerings. The processes to manage the risks in Microsoft’s environment are based and certified on ISO 27001. The services will be verified under SAS 70 Type II (to be replaced with industry standard SSAE16).
Customer: Some of the responsibilities for handling risks connected to the workloads moved to Office 365 are transferred to Microsoft. Customers must understand, however, whether or not the stated certifications allow them to fulfill their regulatory requirements. By providing transparency around our program, Microsoft allows customers to evaluate our services against their requirements and make informed decisions.

Compliance
Microsoft: Microsoft holds several compliance certifications; these are publicly available and updated on a regular basis. Microsoft® Trust Center³ provides an up-to-date view on which certifications and practices are implemented by Microsoft. Current customers can also review the Global Foundation Services SAS 70 Type II report (to be replaced with industry SSAE16). A link to our Trust Center is provided in the Link section of this document. It is important to consider the entire service stack as outlined in the Office 365 service stack picture. (See page 5.)
Customer: Microsoft customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with applicable legal requirements elsewhere. As a provider of global cloud services, we run our services with common operational practices and features across multiple customers and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind. However, it is our customers’ responsibility to evaluate our offerings against their own requirements so they can determine whether or not Microsoft services satisfy their regulatory needs.

² Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&DisplayLang=en
³ Trust Center link: http://go.microsoft.com/fwlink/?LinkID=206613&CLCID=0x409
Security Management
Microsoft: Microsoft helps comprehensively secure Office 365 services by applying the Microsoft® Security Management approach, which ensures that the security of Office 365 services is vigilantly maintained, regularly enhanced, and routinely verified through testing. This approach provides protection at multiple levels, including:
- Physical layers at data centers—physical controls, video surveillance, and access control.
- Logical layers—data isolation, hosted applications security, infrastructure services, network level, identity and access management, federated identity, and single sign on.
Our Security Management program is built on ISO 27001 principles and attested to through the compliance program.
Customer: Customers will have to manage security within their premises (e.g., access to customer premises from which Office 365 is being accessed, or endpoint security). They must also ensure that the environment they connect to Office 365 is managed according to their requirements and security standards.

Termination of Service
Microsoft: At the termination of a customer’s subscription or use of the service, the customer may always export its data. See the Product Use Rights⁴ for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting the customer subscriber data pursuant to these terms. Microsoft provides multiple notices prior to deletion of customer subscription data so customers are informed and reminded of the impending deletion of their data should they fail to act within the stipulated time frame. If a customer needs assistance fulfilling privacy requests as required by law, they may contact Microsoft Customer Support⁵ for help accessing, changing, or removing their customer data. Requests that cannot be fulfilled via standard tools and processes may be subject to additional charge.
Customer: Upon expiration or termination of a customer’s online service subscription, the customer must contact Microsoft and specify whether the customer account should be disabled and subscriber data deleted, or whether the subscriber data should be retained for a limited time so the customer can extract the data. Following the expiration of the retention period, Microsoft will disable the customer account, and then delete all subscriber data.

⁴ Product Use Rights link: http://www.microsoft.com/licensing/about-licensing/product-licensing.aspx
⁵ Microsoft Customer Support link: https://mocp.microsoftonline.com/Site/Support.aspx
Dispute Management
Microsoft: At the end of a customer’s subscription or use of the service, the customer may always export its data. See the Product Use Rights for full details. Other than as described in these terms, Microsoft has no obligation to continue to hold, export, or return the customer subscriber data. Microsoft has no liability whatsoever for deleting customer subscriber data pursuant to these terms.
Customer: Customers are responsible for understanding the dispute resolution process and ensuring constant and continuous access to the service in case of a dispute.
Identity and Access Management

Identity Management
Microsoft: Microsoft applies strict controls over which user roles and users will be granted access to customer data. Users are required to complete a form along with a business justification to request access. This must be approved by the user’s manager prior to gaining access. Controls related to identity and access management are formally audited annually through the SAS 70 Type II audit (to be replaced with industry standard SSAE16). We recognize the importance of our customers' non-public data. If someone—Microsoft personnel, partners, or the customer’s own administrators—accesses the user’s non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed. To further limit the risk of unauthorized access, Microsoft does not use the same identity management platform for internal purposes as for managing the Office 365 environment.
Customer: It is important for customers to understand that Microsoft does not manage the customer’s identities or create accounts. The customer must ensure that robust processes and procedures are in place to ensure an adequate level of access control to their own data.

Identity Management Processes
Microsoft: All Microsoft personnel are accountable for their handling of customer data; access to Microsoft Online Services data is granted in a manner that is traceable to a unique user. In other words, accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing. Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen accountability. User access to data is also limited by user role, for example, system administrators are not provided with database administrative access. Microsoft reviews its identity management and access controls on a regular basis for compliance to internal standards and procedures as well as external standards such as ISO 27001. The access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
Customer: Customers are responsible for the identity management processes for their identities. Any system for identity and access control, especially for higher value assets, should be based on an identity framework that uses in-person proofing, or a similarly strong process, and robust cryptographic credentials. This is the customer’s responsibility and lays the foundation for any identity management process. Further, customers should have in place a process to ensure the effectiveness of their own identity and access management processes.

Interoperability
Microsoft: An important attribute of cloud-based Office products is interoperability between applications; workers can move from desktop to web to mobile without transforming or modifying their files as they go. One critical element is identity federation; Microsoft Office 365 uses ADFS v2.0. Since ADFS v2.0 is based on several WS-* and SAML standards, it can federate with multiple identity providers.
Customer: Customers should adhere to interoperability standards that can be leveraged across different cloud providers, both on and off premises.

Ad Hoc Collaboration
Microsoft: Microsoft® Active Directory®, Microsoft Lync⁶, and other products support interoperability requirements. Microsoft works intensively with the standards bodies and implements these standards and protocols.
Customer: Customers should ensure processes are in place to verify new partners with whom they want to collaborate on an ad hoc basis and who need to understand the technical requirements.
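The federation described under Interoperability (ADFS v2.0 issuing SAML tokens to a relying party) and the partner verification asked of customers under Ad Hoc Collaboration both come down to the relying party checking what a received assertion claims before it trusts it. The Go program below is an added example written for this page; it is not code from Microsoft, ADFS, or Office 365. It parses a constructed SAML 2.0 assertion and enforces the conditions a relying party must check: the issuer is an established federation partner, the audience restriction names this relying party, and the validity window (with a small clock-skew allowance) covers the current time. The issuer URL, audience URN, subject, and timestamps are hypothetical values; verification of the XML signature is assumed to have been performed by the federation library before these checks run.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed SAML 2.0 assertion for the example. Issuer, audience, subject and
// timestamps are hypothetical; nothing here is taken from a real federation.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0" IssueInstant="2011-07-01T12:00:00Z">
  <saml:Issuer>http://sts.contoso.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-07-01T11:58:00Z" NotOnOrAfter="2011-07-01T12:08:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:example:relying-party</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

// Assertion holds only the elements the relying-party checks below need.
type Assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

type Conditions struct {
	NotBefore    string   `xml:"NotBefore,attr"`
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Audiences    []string `xml:"AudienceRestriction>Audience"`
}

// TrustPolicy is what the relying party decided when it established the
// federation partner: which issuers it trusts and which audience value is its own.
type TrustPolicy struct {
	TrustedIssuers map[string]bool
	Audience       string
	ClockSkew      time.Duration
}

// Validate returns the asserted subject only if every condition holds.
// The XML signature is assumed to have been verified already (out of scope here).
func Validate(raw []byte, pol TrustPolicy, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", fmt.Errorf("parse assertion: %w", err)
	}
	if !pol.TrustedIssuers[a.Issuer] {
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	// Missing or malformed Conditions fail closed: an assertion without a
	// validity window is not accepted.
	notBefore, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return "", fmt.Errorf("NotBefore: %w", err)
	}
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return "", fmt.Errorf("NotOnOrAfter: %w", err)
	}
	if now.Add(pol.ClockSkew).Before(notBefore) {
		return "", errors.New("assertion not yet valid")
	}
	if !now.Add(-pol.ClockSkew).Before(notOnOrAfter) {
		return "", errors.New("assertion expired")
	}
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		if aud == pol.Audience {
			audienceOK = true
		}
	}
	if !audienceOK {
		return "", fmt.Errorf("audience restriction does not include %q", pol.Audience)
	}
	if a.NameID == "" {
		return "", errors.New("assertion carries no subject")
	}
	return a.NameID, nil
}

func main() {
	pol := TrustPolicy{
		TrustedIssuers: map[string]bool{"http://sts.contoso.example/adfs/services/trust": true},
		Audience:       "urn:example:relying-party",
		ClockSkew:      time.Minute,
	}
	now := time.Date(2011, 7, 1, 12, 0, 0, 0, time.UTC)
	subject, err := Validate([]byte(sampleAssertion), pol, now)
	fmt.Println("subject:", subject, "error:", err)
}
```

The time of evaluation is passed in rather than read from the clock so the checks can be tested against fixed timestamps; a production relying party would pass `time.Now()`.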
Service Integrity

Service integrity includes two components: 1) service engineering and development; and 2) service delivery. Service engineering and development encompass the way in which the provider incorporates security and privacy at all phases of development. Service delivery covers how the service is operated to meet contractual levels of reliability and support.
Service Engineering and Development

Secure Development
Microsoft: Microsoft has formalized the rigorous security practices employed by its development teams into a process called the Security Development Lifecycle (SDL). The SDL process is development methodology agnostic. It is fully integrated with the application development lifecycle, from design to response, and it does not replace software development methodologies such as Waterfall or Agile. Various phases of the SDL process emphasize education and training and mandate the application of specific activities and processes as appropriate to each phase of software development. Microsoft makes this process available to the development industry through papers and books⁷, as well as via the SDL Pro Network⁸, which supports organizations in implementing SDL within their processes.
Customer: Customers should understand the processes Microsoft uses to develop software and respond to security vulnerabilities. This process is repeatable and designed to build security from the ground up.

⁶ Microsoft Lync link: http://lync.microsoft.com/en-us/Pages/default.aspx
⁷ More information on SDL can be found at: http://www.microsoft.com/security/sdl/default.aspx
⁸ SDL Pro Network link: http://www.microsoft.com/security/sdl/adopt/pronetwork.aspx
Service Delivery

Security Practices
Microsoft: Microsoft’s security practices are multi-layered and contain:
Physical security (includes but is not limited to): Microsoft enforces physical security controls as part of a broad set of carrier-class data center operations. "Carrier-class" means very high availability, allowing for minimal downtime per year. Physical security controls applied to our data centers include smart-cards, identification badges, delivery and loading area isolation, video surveillance, and on-premises security officers 24/7. Only authorized staff has access to the hardware on which Office 365 is run.
Host security (includes but is not limited to):
- Infrastructure assets are scanned daily.
- Penetration testing by internal and external parties occurs regularly.
- Automation is used to deploy hardened instances of operating systems.
- Automated pattern analysis of network logs identifies suspicious network activity.
- Real-time health monitoring and alerting speeds investigation and mitigation.
Network security (includes but is not limited to): Load balancers, firewalls, and intrusion-prevention devices aid in management of volume-based denial of service attacks.
Customer: The customer is responsible for ensuring that the endpoint from which the service is consumed adheres to their policies.
Auditing
Microsoft: Apart from ongoing internal auditing and monitoring activities, Microsoft provides our customers with evidence of third-party attestations to our best-in-class environment and has launched Trust Center as a portal for compliance, security, and privacy-related topics.
Customer: Customers must verify that their compliance requirements are fulfilled by the certifications and audits Microsoft provides. One of the benefits of moving to an Office 365 environment is that Microsoft will keep the environment up to date and secure.
Forensics
Microsoft: For incident-related purposes, Microsoft performs forensic analysis on events that occurred. Should in-depth investigation be required, Microsoft collects content from the subject systems using best-of-breed forensic software and industry best practices. If someone—Microsoft personnel, partners, or the customer’s own administrators—accesses the user’s non-public data on the service, Microsoft can, upon request, provide a report on that access. This way, the customer will know when the data may have been accessed and may be able to use the information for their forensic processes.
Customer: Customers are responsible for understanding what information can be obtained from Microsoft and which processes they must follow to legally access corresponding operational data. This is the basis for integration into the customer’s forensic processes.

Incident Response
Microsoft: The Microsoft Online Security Incident Response process follows these phases:
- Identification—System and security alerts are harvested, correlated, and analyzed. Microsoft Online operational and security teams investigate events. If an event indicates a security issue, the incident is assigned a severity classification and appropriately escalated within Microsoft. The escalation team includes product, security, and engineering specialists.
- Containment—The escalation team evaluates the scope and impact of the incident. The escalation team’s immediate priority is to ensure the incident is contained and data is safe. The team forms the response, performs appropriate testing, and implements changes. Should in-depth investigation be required, content is collected from the subject systems using forensic software and industry best practices.
- Eradication—After the situation is contained, the escalation team moves toward eradicating any damage caused by the security breach and identifies the root cause of the security issue. If a vulnerability is identified, the escalation team reports the issue to product engineering.
- Recovery—During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.
- Lessons Learned—Microsoft analyzes each security incident to ensure we apply the appropriate mitigations to protect against future reoccurrence.
Customer: Customers should incorporate the information they receive from Microsoft into their incident response processes and understand how they (the customer) can handle them.
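The host-security point above on automated pattern analysis of network logs and the Identification phase of the incident response process (alerts harvested, correlated, and assigned a severity classification) describe the same kind of logic. The Go program below is an added example for this page, not Microsoft's tooling: it parses a constructed connection-log sample in an assumed key=value format, correlates events per source address, and raises alerts with a severity classification when one source touches many distinct destination ports (a sweep pattern) or accumulates denied connections beyond a threshold. The log lines, field names, addresses, and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed connection-log sample in an assumed format:
// <RFC3339 time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
// Addresses are documentation ranges; nothing here is real traffic.
const sampleLog = `2011-07-01T12:00:01Z src=10.0.0.5 dst=10.1.1.10 dport=443 action=allow
2011-07-01T12:00:02Z src=10.0.0.5 dst=10.1.1.10 dport=443 action=allow
2011-07-01T12:00:03Z src=192.0.2.44 dst=10.1.1.10 dport=22 action=deny
2011-07-01T12:00:03Z src=192.0.2.44 dst=10.1.1.10 dport=23 action=deny
2011-07-01T12:00:04Z src=192.0.2.44 dst=10.1.1.10 dport=25 action=deny
2011-07-01T12:00:04Z src=192.0.2.44 dst=10.1.1.10 dport=80 action=deny
2011-07-01T12:00:05Z src=192.0.2.44 dst=10.1.1.10 dport=110 action=deny
2011-07-01T12:00:05Z src=192.0.2.44 dst=10.1.1.10 dport=135 action=deny
2011-07-01T12:00:06Z src=192.0.2.44 dst=10.1.1.10 dport=139 action=deny
2011-07-01T12:00:06Z src=192.0.2.44 dst=10.1.1.10 dport=443 action=allow
2011-07-01T12:00:07Z src=192.0.2.44 dst=10.1.1.10 dport=445 action=deny
2011-07-01T12:00:07Z src=192.0.2.44 dst=10.1.1.10 dport=3389 action=deny
2011-07-01T12:00:08Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:08Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:09Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:09Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:10Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:10Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:11Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
2011-07-01T12:00:11Z src=198.51.100.7 dst=10.1.1.10 dport=443 action=deny
`

// Detection thresholds assumed for this example; tune to the environment.
const (
	sweepPorts = 10 // distinct destination ports from one source
	denyBurst  = 8  // denied connections from one source
)

// Event is one parsed log line.
type Event struct {
	Time, Src, Dst, DPort, Action string
}

// Alert is the correlated result handed to the escalation process.
type Alert struct {
	Src      string
	Pattern  string // "port-sweep" or "deny-burst"
	Severity string // "high" or "medium"
	Count    int
}

// parseLine accepts only well-formed lines; anything else is reported as malformed.
func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return Event{}, false
	}
	ev := Event{Time: fields[0]}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Event{}, false
		}
		switch parts[0] {
		case "src":
			ev.Src = parts[1]
		case "dst":
			ev.Dst = parts[1]
		case "dport":
			ev.DPort = parts[1]
		case "action":
			ev.Action = parts[1]
		default:
			return Event{}, false
		}
	}
	return ev, true
}

// analyze correlates events per source and classifies what exceeds the thresholds.
// Alerts are returned sorted by source, then pattern, so results are deterministic.
func analyze(raw string) []Alert {
	ports := map[string]map[string]bool{} // src -> set of destination ports
	denies := map[string]int{}            // src -> denied connection count
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		ev, ok := parseLine(line)
		if !ok {
			continue // malformed lines are skipped here; production code would count them
		}
		if ports[ev.Src] == nil {
			ports[ev.Src] = map[string]bool{}
		}
		ports[ev.Src][ev.DPort] = true
		if ev.Action == "deny" {
			denies[ev.Src]++
		}
	}
	var alerts []Alert
	for src, p := range ports {
		if len(p) >= sweepPorts {
			alerts = append(alerts, Alert{Src: src, Pattern: "port-sweep", Severity: "high", Count: len(p)})
		}
	}
	for src, n := range denies {
		if n >= denyBurst {
			alerts = append(alerts, Alert{Src: src, Pattern: "deny-burst", Severity: "medium", Count: n})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Src != alerts[j].Src {
			return alerts[i].Src < alerts[j].Src
		}
		return alerts[i].Pattern < alerts[j].Pattern
	})
	return alerts
}

func main() {
	for _, a := range analyze(sampleLog) {
		fmt.Printf("%-14s %-10s severity=%-6s count=%d\n", a.Src, a.Pattern, a.Severity, a.Count)
	}
}
```

In the sample, 10.0.0.5 produces only allowed connections and raises nothing, 192.0.2.44 trips both the sweep and the deny-burst rules, and 198.51.100.7 trips only the deny-burst rule on a single port; the severity attached to each alert is what the escalation step would key on.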
Business Continuity
Microsoft: Office 365 offerings are delivered by extremely resilient systems that help ensure high levels of service. Office 365 leverages the Microsoft hosting experience, as well as close ties to Microsoft product groups and support services to create a cloud service that meets our customers’ high standards. Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity provisions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable). Customers’ data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to another data center. These measures are aligned with ISO 27001 requirements and provide a robust risk management process.
Customer: Business Continuity is much broader than simply moving a business workload to Office 365. It is Microsoft’s duty to ensure availability to the contracted level. Customers must understand and decide whether or not additional requirements for their business processes must be met to ensure business continuity, whether the service level agreed upon corresponds with the acceptable risks, and whether they (the customer) need to take further actions.
Endpoint Integrity

Endpoint
Microsoft: Customer access to services provided over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and the data center.
Customer: Customers should ensure that the devices through which their users access Office 365 fulfill their needs and requirements. This might include (but is not limited to):
- Hardware security considerations: If the device (desktop, laptop, or mobile) stores information, it should be hardware protected from unauthorized access (TPM, Microsoft® BitLocker®, and so on).
- Software security considerations: Both the OS and application should be developed using a security model (SDL). Security software must be included (firewall, antivirus, IDS, and so on). A robust security practice process should be in place (auto update, timely patch deployment, client health checks, policy enforcement, and so on).
Information Protection

Data Classification
Microsoft: Microsoft classifies all of its data along a common data classification scheme. Customer-relevant data is pre-classified according to these guidelines and protection and security measures are pre-defined according to this classification.
Customer: Data classification is a key element when considering what should and can be put into a public cloud environment. The customer is responsible for assessing and classifying the data going into the cloud and taking appropriate measures to protect the data from unauthorized access (e.g., encryption).

Data Location
Microsoft: Microsoft understands our customers’ need to know where their data is located. Data is located in the region corresponding to the customer’s billing address, with some supporting access performed from a U.S. location to ensure and monitor the system’s health and integrity. Detailed information is available on Trust Center.
Customer: Customers should evaluate whether or not the Office 365 offering meets their requirements regarding the geographic location of their data.

Encryption
Microsoft: Connections established over the Internet to the services are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL). The term "data-at-rest" refers to data as it exists on a physical storage medium. Microsoft does not encrypt data-at-rest, but customers may implement Active Directory® Rights Management to provide a layer of control and security for their sensitive data.
Customer: If customers require encryption, they must expect the loss of certain functionality, such as search. When a customer needs to encrypt data, responsibility for key management remains with the customer since the key must be separated from the data.
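The Data Classification and Encryption rows above place both the classification decision and key management with the customer, and warn that encrypted data loses provider-side functionality such as search. The Go program below is an added example for this page, not Microsoft's or Office 365's code, that ties the two rows together: records the customer labels Confidential are encrypted with AES-GCM under a key that stays on the customer side before they are uploaded, lower-classified records go up as plaintext, and a model of the provider's search shows that only the plaintext records can be matched. The label scheme, record contents, and key are constructed; the provider's storage and search are stand-ins for any cloud service, and the record ID is bound to the ciphertext as additional data so a blob cannot be quietly moved between records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Label is a classification scheme assumed for this example; the paper names no
// specific set of classes.
type Label int

const (
	Public Label = iota
	Internal
	Confidential
)

// Record is one item the customer wants to keep in the cloud service.
type Record struct {
	ID    string
	Label Label
	Body  string
}

// Stored is what the provider receives: plaintext for lower classes,
// nonce||ciphertext for Confidential records.
type Stored struct {
	ID        string
	Encrypted bool
	Data      []byte
}

// CustomerKey wraps an AES-GCM key that never leaves the customer's side.
type CustomerKey struct{ aead cipher.AEAD }

// NewCustomerKey accepts a 16-, 24- or 32-byte AES key.
func NewCustomerKey(key []byte) (*CustomerKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CustomerKey{aead: aead}, nil
}

// seal encrypts plaintext with a fresh random nonce and binds the record ID as
// additional authenticated data; the result is nonce||ciphertext||tag.
func (k *CustomerKey) seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// open reverses seal; it fails if the key, the ID, or any ciphertext byte differs.
func (k *CustomerKey) open(id string, blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// Upload applies the protection the record's label requires before anything
// leaves the customer's premises.
func Upload(k *CustomerKey, r Record) (Stored, error) {
	if r.Label == Confidential {
		blob, err := k.seal(r.ID, []byte(r.Body))
		if err != nil {
			return Stored{}, err
		}
		return Stored{ID: r.ID, Encrypted: true, Data: blob}, nil
	}
	return Stored{ID: r.ID, Encrypted: false, Data: []byte(r.Body)}, nil
}

// CloudSearch models the provider-side search: it sees Data exactly as stored,
// so it can match plaintext records but never the contents of encrypted ones.
func CloudSearch(store []Stored, term string) []string {
	var hits []string
	for _, s := range store {
		if strings.Contains(string(s.Data), term) {
			hits = append(hits, s.ID)
		}
	}
	return hits
}

// Download reverses Upload on the customer side with the customer-held key.
func Download(k *CustomerKey, s Stored) (string, error) {
	if !s.Encrypted {
		return string(s.Data), nil
	}
	pt, err := k.open(s.ID, s.Data)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed key, generated fresh for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	k, _ := NewCustomerKey(key)
	records := []Record{
		{ID: "r1", Label: Public, Body: "Office 365 service description"},
		{ID: "r2", Label: Confidential, Body: "merger plan: Office 365 migration budget"},
	}
	var store []Stored
	for _, r := range records {
		s, _ := Upload(k, r)
		store = append(store, s)
	}
	fmt.Println("provider-side hits for \"Office 365\":", CloudSearch(store, "Office 365"))
	body, err := Download(k, store[1])
	fmt.Println("customer-side decrypt:", body, err)
}
```

Running it shows the provider's search finding only r1 even though both records mention "Office 365", which is the functionality loss the Encryption row describes; the Confidential record is still fully usable once it is back on the customer's side with the customer's key.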
Related Reading
Cloud Computing Security Considerations white paper: http://go.microsoft.com/?linkid=9708479.
The Office 365 Security Service Description is publicly available on the Microsoft Download Center: http://www.microsoft.com/download/en/details.aspx?id=26552.
Office 365 FAQ: http://www.microsoft.com/en-us/office365/online-software.aspx.
Trust Center: http://go.microsoft.com/fwlink/?LinkID=206613&CLCID=0x409.
Office 365 Standard Response to Request for Information: Coming soon on the Microsoft Download Center.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Lync, and SharePoint are trademarks of the Microsoft group of companies.