Microsoft Office 365

Security Requirements for Offshore Hosted Office Productivity Services: conformance guide for Office 365.

Published 1 July 2017 by Microsoft New Zealand Limited, 22 Viaduct Harbour Avenue, Auckland

Table of Contents

Introduction (page 1)
How to use this document (page 1)
Fit with the GCIO Risk and Assurance Framework (page 1)
Disclaimer (page 2)
Acknowledgement (page 2)
Summary (page 3)
Microsoft Office 365 Solution Map (page 4)
Microsoft Guidance on GCIO Security Requirements (page 6)
1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services (page 6)
2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging (page 9)
3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively (page 10)
4. Agencies must have control over the interaction between public cloud services and end user devices (page 11)
5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities (page 15)
6. Agencies must ensure that information and data is encrypted in transit and at rest (page 16)
7. Agencies must have sole control over the associated cryptographic keys (page 18)
8. Agencies must ensure that multi-factor authentication is used to control access to the service (page 23)
9. Agencies must identify where data stored by a service is replicated or backed-up (page 24)
10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore hosted office productivity services (page 26)
11. Agencies must have decommissioning processes as outlined in the NZISM (page 27)
12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM (page 28)
13. Agencies must ensure that there are appropriate security controls over physical access to datacentres (page 29)
14. Agencies must have assurance that appropriate patching and software maintenance is undertaken (page 30)
15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms (page 31)
Office 365 Subscription Plans mapped to Security Technologies (page 33)
Appendix: Office 365 capabilities (page 34)


Introduction

In January 2017, the New Zealand Government Chief Information Officer (GCIO) published Security Requirements for Offshore Hosted Office Productivity Services Explained (the “GCIO Security Requirements”), a guidance document that sets out the security requirements New Zealand government agencies must conform to when using offshore hosted office productivity services. The guidance was developed as part of the GCIO’s work on accelerating public sector adoption of cloud services, as directed by Cabinet in July 2016 [CAB Min (16) 03/16 refers]. This document provides Microsoft’s response to the GCIO Security Requirements. It is designed to assist agencies to conform (see note 1) to these security control requirements when using Microsoft Office 365.

How to use this document

This document provides agencies with information intended to assist them in determining how to conform with each of the 15 items in the GCIO Security Requirements document when using Office 365. Where appropriate, it also identifies additional risks or considerations, and provides advice related to each requirement. Agencies should note that they are expected to conform to, not comply with, the GCIO Security Requirements. Accordingly, this document has not been developed as a compliance guide; it does not provide a simple check list of steps that agencies should take. Rather, for each of the 15 security requirements, it indicates how an agency can either meet the “baseline” control requirement set out by the GCIO or, where this is not feasible, how to identify compensating controls that enable conformance. For each requirement, the document sets out:

• A summary of the GCIO security control requirement.

• Key aspects of conforming to this requirement.

• Guidance on how Microsoft can help agencies conform to the requirement.

• Other information Microsoft feels agencies should consider in relation to the requirement.

• Sources of additional information.

Readers should note that some of the answers assume that the organisation making use of this document is an “Eligible Agency” under the terms of the Microsoft G2015 all-of-government agreement that is in place with the New Zealand Department of Internal Affairs.

Fit with the GCIO Cloud Risk and Assurance Framework

The GCIO Security requirements neither stand alone, nor represent the only things that agencies must consider when adopting Office 365. Rather, as shown in figure 1 below, they fit into the wider GCIO Cloud Risk and Assurance Framework that agencies should follow when procuring any cloud service.

Note 1: Paragraph 13 of the GCIO Security requirements document states: “New Zealand government agencies may use offshore hosted office productivity services provided they conform to the security requirements from the Cabinet Minute, and other relevant NZISM controls, as detailed in this guidance.”

Microsoft New Zealand July 2017 Page 1 of 37 Security Requirements for Offshore Hosted Office Productivity Services: Office 365 conformance guide.

Figure 1 – Fit with GCIO Cloud Risk and Assurance Framework. The figure shows four steps, left to right:

1. Undertake initial risk assessment
• Follow GCIO Cloud Risk Assessment Process.
• Complete GCIO Cloud Risk Assessment Tool, using content from Microsoft New Zealand’s "GCIO 105" question responses for O365.
• Obtain O365 risk assessment and security certification audit reports from GCIO.
• Use other GCIO risk assessment approaches and tools as appropriate.

2. Conform to "GCIO Security Requirements"
• Use guidance in this document.

3. Complete agency certification and accreditation
• Follow C&A requirements set out in NZISM.
• Complete GCIO Cloud Endorsement by Agency template.

4. Inform GCIO
• Provide completed Cloud Risk Assessment Tool and Cloud Endorsement by Agency to GCIO.
• Note: GCIO does not act as approver but can request agency to review if not deemed adequate.

Disclaimer

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed, and the current state of both O365 and other Microsoft products and services, as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Acknowledgement

Microsoft acknowledges the assistance of Axenic Ltd. in the preparation of this document.


Summary

New Zealand government agencies can use Microsoft Office 365 and conform to all but one of the ‘baseline’ security requirements in the GCIO guidance document (see “Important Note” below), primarily by using the native security controls available in Office 365. While agencies remain accountable for ensuring that their security obligations are met, Microsoft provides its Office 365 customers with a comprehensive security ‘toolkit’ to meet these needs. This toolkit consists of five main areas:

Figure 2 - Microsoft Office 365 Security Toolkit. The figure shows the five areas arranged around the toolkit:

1. Guidance or supporting documentation - Microsoft provides agencies guidance or supporting technical documentation that they can use to complete a process or activity (e.g. integrate with on-premises infrastructure);

2. Security features that agencies can integrate - Office 365 can provide a feature (e.g. Office 365 auditing) that agencies can integrate with their related processes and systems (e.g. security incident response and management);

3. Ancillary Microsoft security capabilities – alongside capabilities within Office 365, Microsoft can provide ancillary capabilities or features that agencies can configure or enable (e.g. Azure Information Protection, Multi-factor Authentication, Mobile Device Management);

4. Service assurance documents - Microsoft provides service assurance artefacts (e.g. content in the Microsoft Trust Centre) that agencies can review as part of their assurance processes; or

5. Built-in security features - Office 365 provides a capability or feature (e.g. Encryption of Data at Rest) that agencies can leverage.


Microsoft is confident that, by combining good agency security practice with the capabilities Microsoft provides, agencies can meet their obligations to protect the security and privacy of their information within Office 365. For example, Office 365 Secure Score is a security analytics service that helps organisations better understand and improve their security posture and reduce their risk when using Office 365. Secure Score can help agencies balance their security and productivity needs with guidance to help them enable the right mix of the 71 available security features, and to model what their score would look like after adopting some of these features. Agencies can also compare their score with other organisations and see how their score has been trending over time. NOTE: Secure Score displays information from various sources such as Azure Active Directory (AAD), but Secure Score does not store any of this personal information inside the service.

Important Note:

The exception to Microsoft’s ability to enable agencies to conform to the ‘baseline’ security controls in the GCIO Security Requirements document is requirement 7 that states “Agencies must have sole control over the associated cryptographic keys”. While Microsoft’s Azure Information Protection with Hold Your Own Key (HYOK) capability may be utilised for conforming to the baseline requirement, Microsoft believes that doing so is not advisable in most circumstances. Counter to the goal of reducing agency risk, if used incorrectly the deployment of any Hold Your Own Key (HYOK) cryptographic capability, whether provided by Microsoft or any other party, can significantly INCREASE an agency’s risk profile by introducing the possibility of PERMANENT loss of access to agency data hosted in the cloud. If an agency wishes to deploy this capability, in-depth discussion with Microsoft is strongly advised.

Microsoft Office 365 Solution Map

The table below summarises this document by listing the Security Control Requirements for Offshore Hosted Office Productivity Services, and mapping these to relevant elements of the “Microsoft Office 365 Security Toolkit” that provide capabilities, products and/or services that can help an agency meet the requirement.

ID | GCIO Security Control Requirement | Office 365 Security Toolkit elements that apply (1 Guidance, 2 Security feature, 3 Ancillary capability, 4 Service assurance, 5 Built-in security; see Figure 2) | Detailed guidance

Strategy and Architecture
1 | Information, data, or materials classified at CONFIDENTIAL and above MUST NOT be stored or processed in off-shore hosted office productivity services. | ✓ ✓ | Refer to page 6
2 | Agencies MUST have process controls relating to intrusion detection, prevention, investigations, and enterprise logging in operation. | ✓ ✓ ✓ | Refer to page 9
3 | Agencies MUST architect their ICT Networks to ensure that cloud services can be used safely and effectively. | ✓ ✓ | Refer to page 10
4 | Agencies MUST have control over the interaction between public cloud services and end user devices. | ✓ ✓ ✓ ✓ | Refer to page 11
5 | Agencies MUST ensure compatibility with existing government security technology services in use, such as SEEMail and cyber defence capabilities. | ✓ ✓ | Refer to page 15

Cryptography
6 | Agencies MUST ensure that data is encrypted in transit and at rest. | ✓ ✓ | Refer to page 16
7 | Agencies MUST have sole control over the associated cryptographic key. | Not recommended in most instances | Refer to page 18

Access Control
8 | Agencies MUST ensure that multi-factor authentication is used to control access to the service. | ✓ ✓ | Refer to page 23

Backup and Recovery
9 | Agencies MUST identify where data stored by a service is replicated and/or backed-up. | ✓ | Refer to page 24
10 | Agencies MUST revise their agency disaster-recovery plans to cater for cloud-based services. | ✓ ✓ ✓ | Refer to page 26

System Decommissioning
11 | Agencies MUST have decommissioning processes as outlined in the NZISM. | ✓ ✓ | Refer to page 27

3rd party (Independent) Assurance
12 | Agencies MUST have assurance checks on cloud service providers in accordance with the NZISM. | ✓ ✓ | Refer to page 28
13 | Agencies MUST ensure that there are appropriate security controls over physical access to data centres. | ✓ | Refer to page 29
14 | Agencies MUST have assurance that appropriate patching and maintenance of software is undertaken. | ✓ ✓ | Refer to page 30
15 | Agencies MUST ensure there are technical protections to prevent data-mingling on shared storage platforms. | ✓ ✓ | Refer to page 31


Microsoft Guidance on GCIO Security Requirements

1. Information, data or materials classified at CONFIDENTIAL and above must not be stored or processed in off-shore hosted office productivity services

What is this security control?

Agencies can use Microsoft Office 365 to store or process information, data and materials that are classified at RESTRICTED or below. This means that information that has been classified at CONFIDENTIAL, SECRET or TOP SECRET cannot be stored in either Office 365 or any other cloud service (either on- or offshore). However, official information that does not meet the threshold for a security classification (i.e. information that is referred to as UNCLASSIFIED) and information that has been classified at IN-CONFIDENCE, SENSITIVE and/or RESTRICTED can be stored in Office 365. Readers should note that, on average, respondents to a recent GCIO survey on agency adoption of cloud services indicated that they have very little (less than 1%) information classified above RESTRICTED. Respondents with information above RESTRICTED were primarily from the national security and justice sectors.

Figure 3 - New Zealand Security Classification System mapped to Office 365. The figure lists the classifications UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE and RESTRICTED as permitted in Office 365, and CONFIDENTIAL, SECRET and TOP SECRET as not permitted.

Key aspects of conforming to this requirement

Agencies must ensure that all information, data and materials are assessed, classified and protectively marked (labelled) and handled in accordance with the New Zealand Government Security Classification System. A protective marking indicates the required level of protection to all users of any official information and gives assurance that information of broadly equivalent worth or value is given an appropriate and consistent level of protection throughout the New Zealand government. Agencies should have a defined process for achieving this, and agency staff should be made aware of the data handling process and their obligation to apply it, and provided with sufficient training on how to apply it correctly. To conform with this security requirement, agencies must ensure that they do not store any information, data and materials classified at or above CONFIDENTIAL in Microsoft Office 365 or its ancillary cloud services (e.g. Azure Active Directory).


How can Microsoft help agencies meet this requirement?

Agencies are responsible for assessing and classifying their own information, data, and materials. Data Loss Prevention (DLP) in Office 365 allows organisations to protect sensitive content in both email and documents spread across Exchange Online, SharePoint Online and OneDrive for Business. Examples of sensitive information that you might want to prevent from being improperly disclosed outside your organisation include financial data or personally identifiable information (PII) such as credit card numbers, health records, or other sensitive data which you tell the system to protect. With a DLP policy, you can:

• Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business. For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

• Prevent the accidental sharing of sensitive information. For example, you can identify any document or email containing a health record that’s shared with people outside your organisation, and then automatically block access to that document or block the email from being sent.

• Monitor and protect sensitive information in the desktop versions of Outlook 2016, Excel 2016, PowerPoint 2016, and Word 2016. Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office 2016 programs.

• Help users learn how to stay compliant without interrupting their workflow. You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Office mobile apps, Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.

• View DLP reports showing content that matches your organisation’s DLP policies. To assess how your organisation is complying with a DLP policy, you can see how many matches each policy and rule has over time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported.

You create and manage DLP policies through the Office 365 Security & Compliance Centre. With Azure Information Protection (AIP), classification of data can occur at the time of creation or modification, either automatically or manually, based on source, context and content. Once data has been classified, a persistent label is embedded in the data and actions such as visual marking and encryption can be taken based on the classification and label. AIP, which uses Azure Rights Management (Azure RMS) as the protection engine, can be used to allow agency staff to easily apply a label and associated protection policies (use rights and encryption) to documents and emails. AIP supports whitelisting of domains so that agencies can share information with the appropriate level of data security without adding the overhead of managing access to the data.
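The following is an added example, not Microsoft's code and not the Office 365 DLP engine, that shows the evaluation model a DLP rule of the kind described above follows: a sensitive-information detector (here a credit card number check built from a digit pattern, the Luhn checksum and nearby corroborating keywords, which is an assumed approximation of how the built-in sensitive information type gains confidence) and a rule that allows, notifies or blocks depending on the match count and whether the item is shared outside the organisation. The names DlpRule, Decision, evaluate and the keyword list are illustrative assumptions; the sample text is constructed.

```python
"""Added example (not from the Microsoft guide or the Office 365 DLP engine):
the evaluation model behind a DLP rule that targets credit card numbers.
Detector and rule names are assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Runs of 13-19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Corroborating words that raise confidence that a digit run is a card number
# (assumed list; the built-in sensitive information type uses its own).
_KEYWORDS = ("card", "visa", "mastercard", "amex", "expiry", "cvv", "credit")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum, which rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, context: int = 300) -> list[str]:
    """Return distinct Luhn-valid card numbers that also have a keyword within
    `context` characters. Pattern alone is not enough, which is what keeps
    invoice and reference numbers out of the match list."""
    found: list[str] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue
        window = text[max(0, m.start() - context): m.end() + context].lower()
        if not any(k in window for k in _KEYWORDS):
            continue
        if digits not in found:
            found.append(digits)
    return found


@dataclass
class DlpRule:
    name: str
    min_count: int = 1              # matches required before the rule fires
    block_when_external: bool = True
    allow_override: bool = True     # user may override the tip with a justification


@dataclass
class Decision:
    action: str                     # "allow", "notify" or "block"
    matches: list[str]
    policy_tip: str = ""


def evaluate(rule: DlpRule, text: str, shared_outside_org: bool) -> Decision:
    """Apply one rule to one item, as a DLP policy does per document or message:
    conditions (sensitive info present, external recipient) decide the action."""
    matches = find_card_numbers(text)
    if len(matches) < rule.min_count:
        return Decision("allow", matches)
    if shared_outside_org and rule.block_when_external:
        tip = f"{rule.name}: sharing outside the organisation is blocked"
        if rule.allow_override:
            tip += " (override with a business justification)"
        return Decision("block", matches, tip)
    return Decision("notify", matches,
                    f"{rule.name}: this item contains {len(matches)} card number(s)")


if __name__ == "__main__":
    # Constructed sample input, not real data.
    sample = "Please charge my Visa card 4111 1111 1111 1111, expiry 12/20."
    print(evaluate(DlpRule("Credit card numbers"), sample, shared_outside_org=True))
```

The two-stage check matters in practice: the checksum alone still accepts one in ten random 16-digit strings, so a rule that fired on pattern plus checksum would bury the DLP reports in false positives from invoice and tracking numbers; requiring corroborating context is what makes the block action tolerable to users.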


The AIP lifecycle has four stages:

Classify
• Manually select an appropriate classification.
• Auto-suggest (or enforce) classification based on content scan.

Label
• Apply in-document labelling.
• Tag the file or email with metadata.

Protect
• Restrict the ability to copy, print and screen capture content.
• Encrypt using a Microsoft key, customer-managed or customer-held key.
• Limit access to just your organisation, or specific people or groups within your organisation.

Share
• Share encrypted content securely with external individuals and organisations.
• Auto-expire content.
• Monitor who is accessing your protected files and where they are located.
• Revoke access to your protected files.

In Microsoft’s view, all content should be classified and labelled, and agencies should develop a view on when it is appropriate to apply AIP protection policies and encryption to mitigate risk. For most agencies, this will be for information classified as SENSITIVE or RESTRICTED, and on an as-required basis for lower classifications.

What else should agencies consider? Agencies intending to use AIP should carefully plan to define and meet appropriate information classification needs, and define relevant protection policies, rules, and classification labels BEFORE enforcing data protection. Agencies also need to ensure that they educate their staff on what information should be classified to what level, and how to label documents and emails using AIP, even if automatic classification is applied. It is important to balance flexibility with simplicity when constructing your classification and protection options – aim to give your people easy, good choices. Too many choices will be counterproductive. Microsoft recommends starting with 3-5 top level labels across an agency and then scoping any additional labels to targeted users as needed. Without proper planning and support, agency staff may be reluctant to apply data protection policies. This could result in incorrectly classified data, leading to its possible disclosure, or rendering it inaccessible for legitimate use. Microsoft can provide guidance to agencies as they undertake this work.

Where can agencies go for more information?

• New Zealand Government Security Classification System: https://www.protectivesecurity.govt.nz/home/information-security-management-protocol/new-zealand-government-security-classification-system/
• Azure Information Protection technical documentation: https://docs.microsoft.com/en-us/information-protection/
• Azure RMS Security Evaluation: https://aka.ms/rmssec
• EMS Solution - Secure data using classification, labelling, and protection: https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/infoprotect-secure-classify-scenario
• Microsoft France information protection whitepaper series: https://sway.com/yXywe-nYIf9EFpiI and https://www.microsoft.com/en-us/download/details.aspx?id=44565


2. Agencies must have process controls relating to intrusion detection, prevention, investigations, and enterprise logging.

What is this security control? Agencies must be able to detect, prevent, and respond to incidents related to their use of Office 365, and ensure that Office 365 provides an adequate level of logging and reporting so that incidents can be investigated.

Key aspects of conforming to this requirement Agencies are responsible for having an information security incident management process so that they can recognise, respond to and manage information security incidents when using Office 365 (as well as any existing on-premises infrastructure and cloud services). While Microsoft will detect, prevent, and investigate security incidents in Office 365, agencies need to define what audit events they want to monitor and be alerted on, and configure their Office 365 instance to report on these events (through Power BI dashboards, Management Activity APIs, Advanced Security Management, etc.). In addition, agencies need to integrate their incident management processes with Microsoft’s to ensure that security incidents can be effectively managed throughout their lifecycle.

How can Microsoft help agencies meet this requirement?

Microsoft’s security incident response management processes include technical mechanisms, organisational policies, and operational procedures to prevent, monitor, detect, and respond to security incidents in Office 365. Microsoft security teams operate 24 x 7 x 365 security incident monitoring and response services, and are continually looking for indicators of compromise, including by using continual Red Teaming as part of Microsoft’s ‘assume breach’ strategy. Agencies can communicate security incidents to the Microsoft Security Response Center (MSRC) and be notified of any security incidents by their Technical Account Manager (TAM).

Office 365 produces audit and event logs recording user and administrator activities, exceptions, faults, and security events. Office 365 has several audit and reporting features that enable agencies to track user and administrative activity within their Office 365 tenant, including changes made to configuration settings, and changes made to documents or other items. Some of the auditing and reporting features include:

• Content Search and eDiscovery.
• Unified Audit Log Search.
• Office 365 Management Activity API.
• Office 365 Activity Usage Reports Dashboard.
• Advanced Security Management.
• Customer Lockbox.

Agencies can use their on-premises Security Information and Event Management (SIEM) solution - many of which already ship connectors for Office 365 - with the Office 365 Management Activity API to get the same report information as is provided in the Office 365 Security and Compliance Center, but with SIEM integration. They can manage the on-premises report, and keep this information on premises indefinitely.

Agencies’ Office 365 administrators can use Customer Lockbox to control how a Microsoft support engineer accesses agency data during a support case. In rare scenarios where the engineer requires access to that data to troubleshoot and fix an issue, Customer Lockbox allows the agency to approve or reject the access request. If the agency approves it, the engineer can access the data. Each request has an expiration time, and once the issue is resolved, the request is closed, and access is revoked.
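As an added example that is not part of the Microsoft guide, the block below triages audit records in the shape the Management Activity API returns (common-schema fields such as CreationTime, Operation, UserId, ClientIP and Workload, plus the Parameters list on Exchange admin-audit records and ModifiedProperties on Azure AD records) the way a SIEM rule set consuming that feed would. The sample records are constructed, not real tenant data; the agency domain list, the thresholds and the four alert rules (external auto-forwarding inbox rules, FullAccess mailbox grants, admin role assignments, and a burst of failed logins from one IP) are this editor's assumptions about what an agency might alert on, not a Microsoft ruleset.

```python
"""Added example (not from the Microsoft guide): SIEM-style triage of Office 365
audit records shaped like the Management Activity API feed. Sample records are
constructed; the alert rules are assumptions, not a Microsoft ruleset."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

AGENCY_DOMAINS = {"agency.govt.nz"}          # assumption: the agency's own mail domains
FAILED_LOGIN_THRESHOLD = 3                   # assumption: alert at 3 failures per IP
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumption: within a 10 minute window

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_AUDIT_LOG = r'''
{"CreationTime":"2017-07-01T09:00:12","Operation":"New-InboxRule","UserId":"alice@agency.govt.nz","ClientIP":"203.0.113.7","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Finance"},{"Name":"ForwardTo","Value":"attacker@example.org"}]}
{"CreationTime":"2017-07-01T09:05:00","Operation":"New-InboxRule","UserId":"bob@agency.govt.nz","ClientIP":"203.0.113.8","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"MoveToFolder","Value":"Old"}]}
{"CreationTime":"2017-07-01T09:10:00","Operation":"Add-MailboxPermission","UserId":"admin@agency.govt.nz","ClientIP":"203.0.113.9","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"ceo@agency.govt.nz"},{"Name":"User","Value":"contractor@agency.govt.nz"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2017-07-01T09:20:00","Operation":"Add member to role.","UserId":"admin@agency.govt.nz","ClientIP":"203.0.113.9","Workload":"AzureActiveDirectory","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator"}]}
{"CreationTime":"2017-07-01T10:00:00","Operation":"UserLoginFailed","UserId":"carol@agency.govt.nz","ClientIP":"198.51.100.5","Workload":"AzureActiveDirectory"}
{"CreationTime":"2017-07-01T10:01:00","Operation":"UserLoginFailed","UserId":"dave@agency.govt.nz","ClientIP":"198.51.100.5","Workload":"AzureActiveDirectory"}
{"CreationTime":"2017-07-01T10:02:00","Operation":"UserLoginFailed","UserId":"erin@agency.govt.nz","ClientIP":"198.51.100.5","Workload":"AzureActiveDirectory"}
{"CreationTime":"2017-07-01T11:30:00","Operation":"UserLoginFailed","UserId":"frank@agency.govt.nz","ClientIP":"198.51.100.6","Workload":"AzureActiveDirectory"}
'''


def parse_records(text: str) -> list[dict]:
    """One JSON object per line, as a SIEM connector would hand them over."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def exchange_params(rec: dict) -> dict:
    """Flatten the Name/Value list that Exchange admin-audit records carry."""
    return {p["Name"]: p.get("Value") for p in rec.get("Parameters", [])}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in AGENCY_DOMAINS


def triage(records: list[dict]) -> list[tuple]:
    """Return (alert_kind, subject, detail) tuples for records worth a look."""
    alerts: list[tuple] = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        op = rec.get("Operation", "")
        p = exchange_params(rec)
        if op in ("New-InboxRule", "Set-InboxRule"):
            # Auto-forwarding to an outside address is a common post-compromise step.
            for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
                if p.get(key) and is_external(p[key]):
                    alerts.append(("external_forwarding_rule", rec["UserId"], p[key]))
        elif op == "Add-MailboxPermission" and "FullAccess" in (p.get("AccessRights") or ""):
            alerts.append(("mailbox_full_access_granted", p.get("Identity"), p.get("User")))
        elif op == "Add member to role.":
            role = next((m.get("NewValue") for m in rec.get("ModifiedProperties", [])
                         if m.get("Name") == "Role.DisplayName"), "unknown")
            alerts.append(("admin_role_assigned", rec["UserId"], role))
        elif op == "UserLoginFailed":
            ip = rec.get("ClientIP", "")
            t = datetime.fromisoformat(rec["CreationTime"])
            # Keep only failures inside the sliding window, then add this one.
            failures[ip] = [x for x in failures[ip] if t - x <= FAILED_LOGIN_WINDOW] + [t]
            if len(failures[ip]) == FAILED_LOGIN_THRESHOLD:   # fire once per burst
                alerts.append(("password_spray_suspected", ip, len(failures[ip])))
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_records(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the constructed input this yields four alerts (the forwarding rule, the FullAccess grant, the role assignment and the three-failure burst from 198.51.100.5); the lone failure from 198.51.100.6 stays below the threshold. None of these detections work unless unified audit logging has been switched on for the tenant, which is the point made in the next section.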


What else should agencies consider?

To use the Office 365 audit and reporting features, agencies need to enable audit logging to record user and administrator activity. This feature is not enabled by default. Agencies are responsible for ensuring that they have intrusion detection and prevention measures, and audit and event logging capabilities in place, for the components they are responsible for managing (e.g. end-user devices, Active Directory servers). In addition to the events and log data that is available to customers, there is an internal Microsoft log data collection service called Cosmos that is used by Office 365 engineers. Office 365 service teams upload audit logs into Cosmos for aggregation and correlation, alerting, and reporting to correct vulnerabilities and improve the performance of Office 365. To ensure the protection of customer data that may be present in the logs, an automated tool obfuscates any fields that contain customer data, such as tenant information and end-user identifiable information, and replaces these fields with a hashed value (a one-way transform, not reversible encryption).

Where can agencies go for more information?

• Office 365 Security Incident Management: http://download.microsoft.com/download/2/F/1/2F16A9CA-8D4F-4BB5-8F85-3A362131A95B/Office%20365%20Security%20Incident%20Management.pdf
• Security in Office 365 Whitepaper: https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
• Management API Reference Guide: https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference

3. Agencies must architect ICT networks to ensure that cloud services can be used safely and effectively.

What is this security control? Agencies need to ensure that their infrastructure supports their adoption and use of Office 365, and that it is architected to protect information from unauthorised access, disclosure, modification, and loss. In addition to this, agencies need to ensure that their users can easily and effectively use Office 365 services through supporting security services (e.g. single sign-on, mobile device management, mobile application management).

Key aspects of conforming to this requirement

Agencies need to ensure that their adoption of Office 365 meets their identified use cases, and create an architecture to ensure the safe and effective use of the service. Agencies need to identify what Office 365 deployment scenario best fits their requirements, and how the supporting information services and systems will be secured, before adopting the service. Microsoft strongly recommends that New Zealand government agencies plan for a hybrid Office 365 scenario, where some functionality is provided by online services (e.g. Azure Active Directory) and some is delivered by on-premises servers (e.g. Active Directory servers). It is expected that most agencies will still need to operate and manage at least some on-premises infrastructure for the foreseeable future for a variety of reasons, including enabling integration with SEEMail (if used). For agencies that do not want to manage any server infrastructure and have all functionality provided by Office 365 and related services, it is recommended that they contact Microsoft New Zealand for advice and guidance on what is possible.


Agencies need to determine how their users will work, how end-user computing devices will be used and protected, and how users will be identified and authenticated. Some common user and device decisions include:

• Mobile or office-based – will staff be in an office environment, working from home, or working on the go?
• Managed or personal devices – does the agency want to issue staff with devices, or support the use of personal devices as part of a BYOD strategy?
• Single sign-on and Identity Federation – will the agency want users to be able to log on to Office 365 with their on-premises credentials or use a 3rd party identity provider?

Once agencies understand their adoption and use of Office 365, they should gain assurance that it meets their business requirements (including security requirements). This can be achieved through activities such as formal security architecture and design reviews, which could be performed internally or through an independent 3rd party.

How can Microsoft help agencies meet this requirement? To assist with meeting this requirement, Microsoft provides a wide range of independent audit reports and supporting assurance documentation including the results of Office 365 penetration testing. This is available through the Service Trust Platform in the Microsoft Trust Center. Microsoft also provides various support, documentation, tools and resources, and expert services such as FastTrack, to help agencies plan for, adopt and manage Office 365.

Where can agencies go for more information?

• FastTrack Productivity Guide: https://fasttrack.microsoft.com/office/envision/productivitylibrary
• Adoption Guide: https://go.microsoft.com/fwlink/?LinkId=690086
• Office Training Center Bill of Materials: https://www.microsoft.com/en-us/download/details.aspx?id=54088
• Office Training Roadmaps: https://support.office.com/en-us/article/office-training-roadmaps-62a4b0dc-beba-4d8e-b79c-0ad200e705a1?ui=en-US&rs=en-US&ad=US&wt.mc_id=AID573689_QSG_BLOG_140051
• Office 365 Blogs: https://blogs.office.com/?filter=true&filter-product=office-365
• MSIT Worksmart Training Guides: https://technet.microsoft.com/en-us/bb687781.aspx
• Sample Adoption Guide: https://view.officeapps.live.com/op/view.aspx?src=https://fto365dev.blob.core.windows.net:443/media/Default/DocResources/en-us/Resources/Sample_Adoption_Plan.xlsx
• FastTrack Engagement Content: http://fasttrack.microsoft.com/office/drive-value/engage
• Office Training Center: http://aka.ms/O365Learning
• FastTrack EMS Guide: https://fasttrack.microsoft.com/ems/envision

4. Agencies must have control over the interaction between public cloud services and end user devices.

What is this security control?

Agencies must ensure that end-user computing devices (e.g. workstations, laptops, tablets, and smartphones) used to access Office 365 are configured, managed, and maintained to protect information from unauthorised access, disclosure, modification, and loss.

Key aspects of conforming to this requirement

Agencies are responsible for managing the security of the end-user computing devices that their staff use to access Office 365. Agencies should understand how staff are using devices when accessing Office 365, and determine appropriate policies to ensure that those devices can be used safely and effectively. This applies to agency-supplied devices and to personal devices used as part of a Bring-Your-Own-Device (BYOD) strategy. Agencies are responsible for implementing device management solutions that ensure:
• Devices are configured and hardened, via either a traditional standard operating environment build or a "modern management" deployment.
• Devices are patched and updated.
• A strong authentication mechanism is used to control access to the device.
• Multi-factor authentication is used to authenticate the user to Office 365.
• Devices have encryption of data at rest enabled.
• Data on devices can be protected or securely erased through remote wipe functions.

How can Microsoft help agencies meet this requirement?

Office 365 provides agencies with basic built-in mobile device management for iOS, Android, and Windows Phone. Office 365 Mobile Device Management functions include being able to enforce passwords, enforce mobile device encryption, and prevent access from jailbroken/rooted mobile devices. In addition, Office 365 supports secure data erasure, either after a set number of failed password attempts (local wipe) or by remotely wiping the device.

Microsoft Intune extends the Mobile Device Management (MDM) capabilities of Office 365 [2], enabling not only deeper management of Android and iOS devices but also the management of Mac OS X and Windows PC devices. Intune provides the same Office 365 MDM capabilities plus the ability to enrol and manage more types of end-user devices, define and enforce device configuration policies, and manage user and device profiles (e.g. certificate, Wi-Fi, VPN, and email profiles).

Intune also provides the ability to protect data at the application and identity level through Intune App Protection (Mobile Application Management (MAM)) policies for devices that are not enrolled in MDM. This capability is available for iOS and Android devices. Capabilities include:
• Encrypting the data in apps.
• Securing app access by requiring a PIN/passcode or corporate credentials.
• Blocking copy and paste, or preventing data transfer outside of the work context (work-only apps and work identity within multi-identity apps).
• Preventing backup of app data to personal backup services, and preventing "Save as".
• Having all web links open within the Intune Managed Browser.

Intune App Protection can work independently of an MDM solution, providing both an additional layer of protection and a different model for securing agency apps and data in BYOD scenarios.
Importantly, the policies work neatly with the multi-identity support built into the Office apps, enabling agencies to protect data while letting staff keep using the apps for personal documents and email.

For devices running Windows 10 Pro or Enterprise, Windows Information Protection (WIP) can be used to protect an agency from data leakage by providing MAM-style management across applications, data sources and data. Files arriving onto the device from defined corporate sources (e.g. VPN, SharePoint Online, Exchange) are encrypted at the file level using Windows Encrypting File System (EFS) and can only be accessed by users with the appropriate certificates. Flow of information out of applications defined as 'corporate' can also be controlled, without the applications needing to be updated or changed. WIP can be managed using either Configuration Manager or an MDM tool such as Intune.

From an authentication perspective, Office 365 offers Office 365 Multi-Factor Authentication (MFA), which requires that users use more than one verification method before being able to access the Office 365 services, regardless of device and location. This is a useful but basic version of Azure Multi-Factor Authentication (Azure MFA), which is available as a standalone service or as part of the Enterprise Mobility and Security (EMS) suite. Azure MFA adds fraud alerting, reporting and the option of trusted IPs/networks, and makes the service available for other cloud and on-premises applications and services.

Azure Active Directory Conditional Access enables you to set specific conditions for a user to access an application or cloud service, including Office 365. Conditional Access helps protect access to an agency's applications and resources from unknown and/or unmanaged devices, and from devices that do not meet the agency's security policy. Only after the access requirements are met is the user authenticated and able to access the application. Conditional Access applies a set of contextual controls at the user, location/network, session, risk profile, device, and app levels, which can differ between services and be applied to all users or just to groups or individuals. You can allow or block access, or challenge users with Multi-Factor Authentication, device enrolment, or a password change. A key scenario is restricting access to domain-joined or Intune-enrolled and compliant devices.

[2] https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22
Additionally, Azure Active Directory Identity Protection (included in Enterprise Mobility and Security E5) applies machine learning-based identity protection to detect suspicious behaviour and apply risk-based conditional access that protects your applications and critical company data in real time.

Office 365 E5 includes Office 365 Advanced Security Management (ASM), which provides more visibility and control over data flowing in and out of Office 365:
• Threat detection: helps you identify high-risk and abnormal usage, and security incidents.
• Enhanced control: shapes your Office 365 environment leveraging granular controls and security policies.
• Discovery and insights: enhanced visibility into your Office 365 usage and shadow IT without installing an endpoint agent.

The Enterprise Mobility and Security suite provides an expanded version of this toolset called Cloud App Security (CAS, Microsoft's native Cloud Access Security Broker capability). The key differences are:
• ASM provides protection and monitoring for Office 365 only, while CAS works across all your cloud services.
• Usage patterns and upload/download traffic anomalies.
• Extended policy engine, policy enforcement and data loss prevention (DLP) features.
• Discovery, security, and risk ratings across 13,000 cloud services.
• Automatic firewall and application proxy log uploads.
• AIP integration allowing for the protection of files in Office 365 OneDrive and SharePoint Online with Azure RMS directly.

Figure: Increasing sophistication of protection. Components shown: Office 365 MDM & MFA; Intune MDM & Intune MAM; Azure MFA with Conditional Access; Office 365 Advanced Security Management; Cloud App Security & Azure Identity Protection.
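As an added example (not part of the Microsoft guide), the two Conditional Access policies a practitioner would typically start with for the device scenario described above, created with the Microsoft Graph PowerShell SDK (current tooling, not something the 2017 guide references). Policy names, the break-glass group ID and the app selection are assumptions. The second policy, blocking legacy authentication clients, goes beyond the text: those protocols cannot present MFA or device state, so without it the first policy can be bypassed by pointing an old mail client at the tenant. Both policies start in report-only mode so the sign-in logs show who would have been blocked before anyone is.

```powershell
# Added example (not from the Microsoft guide): Azure AD Conditional Access policies via the
# Microsoft Graph PowerShell SDK. Assumptions: Microsoft.Graph module installed, caller holds
# Policy.ReadWrite.ConditionalAccess, and $breakGlassGroupId is the object ID of an
# emergency-access group that both policies exclude (placeholder value below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Policy 1: Office 365 may only be reached from an Intune-compliant device or a hybrid
# Azure AD joined (domain-joined) device. Report-only first; enforce after review.
$requireManagedDevice = @{
    displayName = "O365: require compliant or hybrid-joined device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireManagedDevice

# Policy 2: block legacy authentication (Exchange ActiveSync basic auth, IMAP/POP/SMTP AUTH
# and similar "other" clients). These clients cannot satisfy MFA or device-state controls,
# so leaving them open undermines Policy 1.
$blockLegacyAuth = @{
    displayName = "All apps: block legacy authentication clients"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyAuth

# After reviewing the report-only results in the Azure AD sign-in logs, switch to enforcement.
foreach ($id in @($p1.Id, $p2.Id)) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id `
        -BodyParameter @{ state = "enabled" }
}

# Verify what is now enforced.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```

The break-glass exclusion matters: a Conditional Access policy that requires a compliant device applies to administrators too, and a misconfigured compliance policy or an Intune outage can otherwise lock every account, including the ones needed to fix it, out of the tenant.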

What else should agencies consider?

Agencies need to understand how their staff operate and use their computing devices, and define appropriate device and application policies that are in proportion to the risk of having agency information accessible from the device.


Poorly defined and implemented policies will lead to the information not being appropriately protected. Conversely, overly restrictive policies can lead to the device being unusable, leading to staff being unproductive or finding alternative (and potentially riskier) ways of working.

Where can agencies go for more information?

• Microsoft Identity Driven Security: http://download.microsoft.com/download/E/C/7/EC78FF06-02BB-4DFD-9EBB-CADB66BB594F/Microsoft_Identity%20Driven%20Security_Datasheet_EN_US.pdf
• Office 365 MDM: https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
• Intune MDM: https://docs.microsoft.com/en-us/intune/
• Intune App Protection (MAM with/without enrolment): https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
• Office 365 MFA: https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
• Azure MFA: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index
• Azure Active Directory Conditional Access: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
• Azure Active Directory Identity Protection: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
• Office 365 Advanced Security Management: https://support.office.com/en-us/article/Overview-of-Advanced-Security-Management-in-Office-365-81f0ee9a-9645-45ab-ba56-de9cbccab475?ui=en-US&rs=en-NZ&ad=NZ
• Cloud App Security: https://docs.microsoft.com/en-us/cloud-app-security/
• Office 365 Secure Score: https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef?ui=en-US&rs=en-US&ad=US
• Controlling Access to Office 365 and Protecting Content on Devices: https://www.microsoft.com/en-us/download/details.aspx?id=53317


5. Agencies must ensure compatibility with existing government security technology services such as SEEMail and, where appropriate, cyber defence capabilities.

What is this security control?

Agencies must identify any government security technology services they currently use that may be affected by their adoption of Office 365 and determine whether they can be successfully integrated with it.

Key aspects of conforming to this requirement

Agencies must identify and assess whether the government security technology services that they currently use can be successfully integrated with Office 365. They should also identify whether they need to re-architect and redeploy those services to support integration (see Requirement 3). If a security technology service that is currently used by the agency cannot be integrated with Office 365, the agency must determine whether it can effectively manage the risks associated with its use of Office 365 without the service in place.

How can Microsoft help agencies meet this requirement?

Microsoft has published the Office 365: SEEMail Integration and Reference Architecture whitepaper, which presents some of the architectural patterns and considerations for integrating SEEMail with Office 365. Note: the GCIO and Microsoft are working to update this guidance at the time of publication of this document.

What else should agencies consider?

A frequent agency objective when implementing Office 365 is the retirement of all on-premises/locally-hosted Exchange infrastructure. However, for agencies mastering their identity in Active Directory and synchronising to Azure Active Directory, the supported configuration is the use of a locally hosted Exchange Server to manage the Exchange attributes in Active Directory. The Exchange Server(s) can be standalone management consoles or configured as a hybrid to allow for local hosting of some mailboxes, and to act as a secure mail relay between a SEEMail gateway and Exchange Online. Please note:
• The SEEMail gateway forwards all mail unencrypted to an agency's internal mail system, creating the need for a mail relay to encrypt everything using TLS when forwarding it on to Exchange Online.
• There are other tools (including ADSIEDIT) that can be used to edit the Exchange attributes in Active Directory, but this is not a supported method. As such, we cannot recommend this approach.
• A 3rd party mail relay could be used between SEEMail and Exchange Online.

Agencies participating in SEEMail but wishing to pursue a 'pure' cloud-only environment with no locally-hosted Active Directory should contact Microsoft to discuss this approach. A potential approach to cloud-only integration with SEEMail is the use of a 3rd party mail relay. A SEEMail-compatible pattern for establishing this is expected to be developed through work currently occurring with the GCIO (see above).


Where can agencies go for more information?

• SEEMail: https://www.ict.govt.nz/services/show/SEEMail
• Office 365: SEEMail Integration and Reference Architecture: http://aka.ms/seemail-gcio
• Exchange Online Protection: https://technet.microsoft.com/en-us/library/jj723119(v=exchg.150).aspx
• Exchange Online Advanced Threat Protection: https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx
• De-commissioning on-premises Exchange servers: https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

6. Agencies must ensure that information and data is encrypted in transit and at rest.

What is this security control?

Encryption of information and data in transit: Information sent between end-user computing devices (e.g. workstations, laptops, tablets, and smartphones), integrated agency information services and systems (e.g. Active Directory, Active Directory Federation Services, SEEMail), and Office 365 must be encrypted. In addition to this, information sent or shared with another party using Office 365 must be encrypted.

Encryption of information and data at rest: Agencies need to ensure that information stored at rest in Office 365 is encrypted. Similarly, information that is synchronised with Office 365 and stored on end-user computing devices (e.g. workstations, laptops, tablets and smartphones) must be encrypted.

Key aspects of conforming to this requirement

Agencies need to configure their information services or systems (e.g. mail relay) to use Transport Layer Security (TLS) if they choose to integrate with Office 365. Microsoft supports TLS integrations (e.g. forced TLS) that ensure data is protected while travelling across the agency's internal network and across the Internet. However, agencies are responsible for configuring and managing their systems to use TLS. Opportunistic TLS alone does not meet this requirement: if the STARTTLS negotiation fails, or is stripped by an on-path attacker, the mail falls back to plaintext, so the relay must be configured to require TLS and to validate the certificate presented by Exchange Online. Note that all email from the SEEMail gateway is forwarded to the agency's mail system unencrypted, so email going on to Office 365 will need to be encrypted by a mail relay (typically an Exchange Server in hybrid configuration; see above). In addition, agencies need to enable encryption of data at rest for any devices, information services or systems that connect to Office 365 and store information from it.
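As an added example (not from the guide or the SEEMail reference architecture), the connector settings that make the relay-to-Exchange Online hop described here and under Requirement 5 use forced rather than opportunistic TLS, in both directions. Host names, connector names and the hybrid server name are assumptions; the Hybrid Configuration Wizard normally creates equivalent connectors, so treat this as the configuration to verify rather than to type in blind.

```powershell
# Added example (not from the Microsoft guide): force TLS between an agency's hybrid
# Exchange relay and Exchange Online. Assumptions: agency domain agency.govt.nz, hybrid
# routing domain agency.mail.onmicrosoft.com, hybrid server HYBRID01 holding a public
# certificate for relay.agency.govt.nz, and tenant routing host
# agency-govt-nz.mail.protection.outlook.com. All of these are placeholders.

# --- On-premises hybrid Exchange server (Exchange Management Shell) ---
# RequireTLS refuses delivery if TLS cannot be negotiated (no plaintext fallback).
# TlsAuthLevel DomainValidation additionally checks that the certificate presented by the
# smart host is for mail.protection.outlook.com, so a host that merely offers STARTTLS
# with some other certificate is rejected rather than trusted.
New-SendConnector -Name "Outbound to Exchange Online" `
    -AddressSpaces "agency.mail.onmicrosoft.com" `
    -SmartHosts "agency-govt-nz.mail.protection.outlook.com" `
    -DNSRoutingEnabled $false `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain "mail.protection.outlook.com" `
    -Fqdn "relay.agency.govt.nz" `
    -CloudServicesMailEnabled $true `
    -SourceTransportServers "HYBRID01"

# --- Exchange Online (Exchange Online PowerShell) ---
Connect-ExchangeOnline
# Only accept mail from the agency relay when it authenticates with TLS and a certificate
# whose subject is relay.agency.govt.nz. The SEEMail-gateway-to-relay hop, which the guide
# notes is plain SMTP, therefore never leaves the agency network.
New-InboundConnector -Name "Inbound from agency hybrid relay" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "relay.agency.govt.nz" `
    -CloudServicesMailEnabled $true

# --- Checks: TLS must be reported as required, not merely preferred ---
Get-SendConnector "Outbound to Exchange Online" |
    Format-List Name, RequireTLS, TlsAuthLevel, TlsDomain, SmartHosts
Get-InboundConnector "Inbound from agency hybrid relay" |
    Format-List Name, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
```

After sending a test message through the relay, the Received: header that Exchange Online adds for that hop should state the negotiated TLS version and cipher (e.g. "version=TLS1_2, cipher=..."); a header without one means the message arrived over a path that did not enforce TLS.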

How can Microsoft help agencies meet this requirement?

Microsoft follows a control and compliance framework that focuses on risks to the Office 365 service and to customer content. Microsoft implements a large set of technology and process-based methods (referred to as controls) to mitigate these risks. Identification, evaluation, and mitigation of risks via controls is a continuous process. The implementation of controls within various layers of our cloud services, such as facilities, network, servers, applications, users (such as Microsoft administrators) and data, forms a defence-in-depth strategy. Within this framework all customer content within Microsoft Office 365 is protected by a variety of technologies and processes, including various forms of encryption.

Microsoft uses service-side technologies in Office 365 that encrypt customer content at rest and in transit. For content at rest, Office 365 uses both operating system and application (service) encryption. For content in transit, Office 365 uses Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Our encryption policies and processes, and their enforcement, are independently verified through third-party auditors. Some risk scenarios, and important details of the currently available Microsoft encryption technologies that mitigate them, are listed in the tables in the appendix to this document.

Note: As of July 2017 (subject to change) Azure Active Directory will encrypt customer directory data at rest using BitLocker with AES 128-bit encryption. This will be enabled by default for all Azure Active Directory subscriptions.

From a device perspective, Microsoft recommends that all devices used by an agency to interact with Office 365 services are encrypted, whether they are owned by the agency or BYOD. Encryption can typically be enforced through management tools such as Microsoft BitLocker Administration and Monitoring (MBAM) for BitLocker device encryption in Windows, and mobile device management tools like Intune. Note that the Windows 10 Creators Update introduced support for managing BitLocker through Intune MDM policies, leveraging the Windows BitLocker configuration service provider (CSP).

For additional security, or where BYOD devices are not enrolled in MDM (and thus may not be encrypted), the recommendation is to use Intune App Protection (MAM) and the MAM-enabled Office mobile apps such as OneDrive, Outlook, Excel, PowerPoint, and Word. These apps support app-level encryption, protecting agency data on what should be considered a less-trusted device.

The Windows 10 Anniversary Update introduced, for Enterprise and Pro editions, a capability called Windows Information Protection (WIP). Agencies can create policies (using Configuration Manager, Microsoft Intune, or other MDM tools) defining which applications can work with corporate (agency) data, what locations are sources of corporate data (e.g. Office 365, VPN sessions, file servers), and the level of control versus auditing. Corporate data is automatically encrypted after it is loaded on a device from an enterprise source, or if an employee marks the data as corporate. When the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with the agency's identity. Even if the files are copied to removable media they remain encrypted and can only be accessed on a WIP-enabled device by an authenticated agency user. While useful on agency-owned and managed devices, this can be invaluable on BYOD Windows devices provided they are running Windows 10 Pro. For this reason, we recommend that BYOD policy stipulate that Windows devices must be running Windows 10 Pro.

Customer-managed encryption technologies

Office 365 provides additional data encryption technologies that agencies can manage and configure to further protect their information. These technologies offer a variety of ways to further encrypt customer content at rest or in transit, and include:
• Azure Rights Management.
• Office 365 Message Encryption.
• Secure/Multipurpose Internet Mail Extensions (S/MIME).

What else should agencies consider?

Agencies need to be careful when using 3rd party content filters, web proxies, data loss prevention (DLP) products and SSL/TLS interception products that inspect traffic to detect and protect against threats. Agencies should be aware of security products or services that intercept secured network traffic by performing a 'man-in-the-middle (MiTM)' interception of the communications. Recent advisories (e.g. US-CERT alert TA17-075A, "HTTPS Interception Weakens TLS Security") highlight how some of these security products can weaken SSL/TLS, significantly degrading the security of the network traffic and increasing the likelihood of an agency user falling victim to MiTM attacks by malicious third parties. Agencies should thoroughly evaluate the risks associated with inserting such 3rd party capabilities between themselves and Office 365, as per the requirements of the GCIO's Cloud Computing Risk and Assurance Framework.


Where can agencies go for more information?

• Office 365 MDM: https://support.office.com/en-us/article/Overview-of-Mobile-Device-Management-MDM-for-Office-365-faa7d8e5-645d-4d59-839c-c8d4c1869e4a
• Intune MDM: https://docs.microsoft.com/en-us/intune/
• Intune App Protection: https://docs.microsoft.com/en-us/intune-azure/manage-apps/what-is-app-protection-policy and https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management
• MBAM: https://technet.microsoft.com/en-us/windows/hh826072.aspx
• Windows Information Protection: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip
• Office 365 Content Encryption Whitepaper: https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652
• Data Encryption in SharePoint and OneDrive: https://technet.microsoft.com/en-us/library/dn905447.aspx

7. Agencies must have sole control over the associated cryptographic keys

What is this security control?

Agencies must be the sole party that controls (generates, owns, and manages) the associated cryptographic keys used to protect their data within Office 365.

Important: Agencies cannot meet this requirement and effectively use office productivity services in the public cloud. Microsoft Office 365 must have access to cryptographic keys to encrypt and decrypt agency data for processing purposes, and to enable functioning of important information protection and security capabilities of the service. Note: it is essential that agencies consider the following:

1. This is an inherent attribute of any SaaS service, whether provided by Microsoft or any other party.

2. It is not only information protection and security capabilities that are impacted if a SaaS service cannot decrypt customer data - many or most productivity features would also be impacted.

Microsoft advises agencies to seriously consider the extent to which this baseline control is impractical to implement, and to thoroughly review the associated risks. To conform with the security control requirement, Microsoft advises that agencies should consider adopting the GCIO-approved approach of applying "compensating controls" as defined in the GCIO's security requirements guidance document.

Key aspects of conforming to this requirement

Agencies need to carefully consider the extent to which they either need or want to have control over the cryptographic keys used to encrypt their data when using Office 365. Agencies should consider the potential risks and opportunities associated with who takes responsibility for managing the cryptographic keys used in Office 365.


Microsoft New Zealand recommends that New Zealand government agencies use the default Microsoft approach to key management. In a default Office 365 implementation, Microsoft is the trusted key management service provider. Microsoft establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with defined requirements for key generation, distribution, storage, access, and destruction. In accordance with the "Public Key Infrastructure Operational Security Standard" component of Microsoft's Security Policy, Microsoft Online Services including Office 365 leverage the cryptographic capabilities that are directly a part of the Windows operating system for certificates and authentication mechanisms (e.g. Kerberos). These cryptographic modules have been validated by NIST as FIPS 140-2 compliant. Relevant NIST certificate numbers are: 1321, 1333, 1334, 1335, 1336, and 1339. Any time cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data within Microsoft Online Services, the modules and/or ciphers used are FIPS 140 compliant.

Alternatively, agencies can choose the customer-managed approach. The agency controls (generates, stores, and manages) the keys used by Office 365 services, and stores these keys in the Azure Key Vault service. Office 365 services can then be configured to use the customer's keys that are stored in Azure Key Vault; this feature is called Office 365 Customer Key and will be generally available in Q3 of CY17.

To use Customer Key, agencies will need a robust cryptographic key management capability with appropriate personnel, operational processes, and infrastructure to ensure that they can manage their tenant keys throughout their lifecycle. Failure to effectively manage tenant keys can lead to widespread service outage. Microsoft has designed Customer Key so that the risk of permanent customer data loss due to accidental or malicious actions is very low. The Customer Key feature is designed with best-in-class protection of customer data, utilising separation of duties and encryption key diversity to address a range of threat scenarios. In addition to these crucial protections, Customer Key provides customers with the ability to remove all cryptographic keys necessary for Microsoft to process customer data stored in Office 365.

Below is a basic summary of the key management options available to Office 365 customers, and key considerations in their selection, split into tenant/service-level and item/file-level capabilities. Note that the table also includes details for Microsoft's Azure Information Protection (AIP) encryption capabilities (both bring-your-own-key and hold-your-own-key options), which agencies may wish to deploy as part of the baseline and/or compensating controls they elect to implement to conform to this requirement. Note also that, to enable AIP BYOK or HYOK capabilities, agencies will need to purchase the Azure Key Vault Premium service and operate a supported HSM infrastructure (e.g. Thales nShield HSM).


Table 1: Office 365 key management options

Office 365 Default (service-level)
• Applicability: all Office 365 services.
• Responsible for key management: Microsoft.
• Responsible for key operation and uptime: Microsoft.
• Thales HSM required? No.
• Locally hosted Rights Management Service infrastructure required? No.
• Data transparent to Office 365 services (SaaS features such as search, Delve, DLP and ASM work as designed/expected)? Yes.
• Additional privacy functionality provided: none.

Office 365 Customer Key (service-level)
• Applicability: Exchange Online, SharePoint Online.
• Responsible for key management: Customer + Microsoft.
• Responsible for key operation and uptime: Customer + Microsoft.
• Thales HSM required? Optional: agencies can use Azure Key Vault for key generation, or use their own Thales HSM to generate keys.
• Locally hosted Rights Management Service infrastructure required? No.
• Data transparent to Office 365 services? Yes.
• Additional privacy functionality provided: customer can withdraw the ability for Microsoft to process customer data.

Azure Information Protection Default (item/file-level)
• Applicability: email messages, files.
• Responsible for key management: Microsoft.
• Responsible for key operation and uptime: Microsoft.
• Thales HSM required? No.
• Locally hosted Rights Management Service infrastructure required? No.
• Data transparent to Office 365 services? Yes.
• Additional privacy functionality provided: none.

Azure Information Protection BYOK (item/file-level)
• Applicability: email messages, files.
• Responsible for key management: Customer.
• Responsible for key operation and uptime: Microsoft.
• Thales HSM required? Yes (a highly available HSM solution is strongly recommended).
• Locally hosted Rights Management Service infrastructure required? No.
• Data transparent to Office 365 services? Yes, with significant limitations in Exchange Online [3].
• Additional privacy functionality provided: service unable to process AIP-protected items following customer withdrawal of key.

Azure Information Protection HYOK (item/file-level)
• Applicability: email messages, files.
• Responsible for key management: Customer.
• Responsible for key operation and uptime: Customer.
• Thales HSM required? Yes.
• Locally hosted Rights Management Service infrastructure required? Yes.
• Data transparent to Office 365 services? No: files are opaque to the service.
• Additional privacy functionality provided: Microsoft and other 3rd parties cannot access your protected data.

How can Microsoft help agencies meet this requirement?

Office 365 is a trustworthy key management service provider. Microsoft has strong cryptographic key management policies, processes, and technologies in place to ensure the secure use and protection of cryptographic keys throughout their lifecycle (i.e. generation, distribution, storage, access, and destruction), and has independent, regularly updated security certifications and attestations that support this. Office 365 leverages Azure Key Vault, and also uses the cryptographic modules that are built into the Windows operating system for certificate, authentication and encryption mechanisms (e.g. Kerberos, BitLocker); these cryptographic modules have been validated by NIST as FIPS 140-2 compliant. Any time cryptographic capabilities are used within Office 365, the modules and/or ciphers used are FIPS validated.

For customers that do not elect to use Customer Key, Microsoft generates and manages all encryption keys used to encrypt customer data at rest. Customers electing to use the Office 365 Customer Key feature will manage the lifecycle of their tenant keys in the Azure Key Vault service and can choose either to generate their own root key in a Thales HSM and upload it to the Azure Key Vault FIPS 140-2 Level 2-validated HSMs, or to generate the tenant key directly within Azure Key Vault. Azure Key Vault provides a REST API so that customers can consume near-real-time logging showing all access and usage of keys in the Azure Key Vault service. Currently, it is planned that Customer Key will be available in H2 of CY2017, covering Exchange Online, OneDrive for Business and SharePoint Online services. Skype for Business conversations saved into a user's conversations folder in their mailbox will also be included.

Microsoft advises New Zealand government agencies that are contemplating implementing either BYOK or HYOK capabilities to carefully consider their requirements for doing so from a balance-of-risk perspective. Implementing such a solution requires the agency to have robust cryptographic key management capabilities in place. Failure to effectively manage keys used with either Office 365 Customer Key or Azure Information Protection (BYOK or HYOK) could lead to widespread service impact and permanent data loss.

[3] Microsoft documentation describes the limitations as 'Azure RMS BYOK is not compatible with Exchange Online': https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions
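As an added example (not from the guide), the Azure Key Vault provisioning a practitioner would do before enabling Customer Key, followed by binding a mailbox to the resulting data encryption policy, using the Az and ExchangeOnlineManagement PowerShell modules (current tooling; Customer Key was not yet generally available when the guide was written). Vault, resource group, region and mailbox names are placeholders. The Office 365 service principal IDs are the ones Microsoft's Customer Key documentation lists and should be checked against the current version before use. The steps that matter for the "widespread outage / permanent data loss" failure mode the guide warns about are purge protection on the vault and the minimal key permissions granted to the service.

```powershell
# Added example (not from the Microsoft guide): Azure Key Vault side of Office 365 Customer
# Key plus mailbox assignment. Placeholders: resource group, region, vault and mailbox names.
# Customer Key requires two vaults in two different Azure subscriptions; run the vault steps
# once per subscription (vault2 is assumed to exist in the second one).
Connect-AzAccount
$rg       = "rg-o365-customerkey"
$location = "australiaeast"
$vault    = "agency-o365-ck-vault1"

New-AzResourceGroup -Name $rg -Location $location
# Premium SKU provides HSM-protected keys. Purge protection means a deleted key stays
# recoverable for the soft-delete retention period and cannot be purged early, even by an
# administrator or by an attacker holding administrator credentials.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnablePurgeProtection

# Grant Exchange Online and SharePoint Online only the operations they need: wrap/unwrap
# the per-tenant data keys and read key metadata. No create, delete, import or backup.
# App IDs as documented by Microsoft for Customer Key; verify against current docs.
$o365Principals = @(
    "00000002-0000-0ff1-ce00-000000000000",   # Office 365 Exchange Online
    "00000003-0000-0ff1-ce00-000000000000"    # Office 365 SharePoint Online
)
foreach ($spn in $o365Principals) {
    Set-AzKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $spn `
        -PermissionsToKeys wrapKey, unwrapKey, get
}

# Generate the tenant key inside the vault's HSM. The BYOK alternative is to generate it on
# an agency-owned nShield HSM and import it with -KeyFilePath instead.
$key = Add-AzKeyVaultKey -VaultName $vault -Name "o365-tenant-key" `
    -Destination HSM -KeyOps wrapKey, unwrapKey

# Confirm the protections are on before handing the key URI to Office 365.
Get-AzKeyVault -VaultName $vault |
    Format-List VaultName, Sku, EnableSoftDelete, EnablePurgeProtection, SoftDeleteRetentionInDays

# --- Exchange Online: a data encryption policy references one key URI per vault ---
Connect-ExchangeOnline
$keyUris = @(
    "https://agency-o365-ck-vault1.vault.azure.net/keys/o365-tenant-key",
    "https://agency-o365-ck-vault2.vault.azure.net/keys/o365-tenant-key"
)
New-DataEncryptionPolicy -Name "Agency Customer Key DEP" `
    -Description "Agency-controlled keys in Azure Key Vault" `
    -AzureKeyIDs $keyUris
Set-Mailbox -Identity "user@agency.govt.nz" -DataEncryptionPolicy "Agency Customer Key DEP"

# Re-encryption with the new policy is asynchronous; poll until IsEncrypted reports True.
Get-MailboxStatistics -Identity "user@agency.govt.nz" | Format-List IsEncrypted
```

Purge protection cannot be turned off once enabled, so it is a deliberate choice; that irreversibility is exactly what stands between an agency and the scenario in which a mis-run script or a compromised administrator destroys the only keys that can decrypt its mailboxes. Azure Key Vault diagnostic logging on the vault should also be enabled so that every wrap/unwrap call by the Office 365 service principals is recorded, which is the agency's evidence for how and when its keys were used.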
Non-technical controls

Alongside technical capabilities that agencies can use as “compensating controls” to conform to this requirement, Microsoft also makes contractual commitments that allow Office 365 customers to mitigate the type of risk that this control is focused on. These commitments are set out in the Microsoft Online Services Terms (OST). Specifically, in the OST Microsoft makes the following commitments:

• Use of Customer Data: “Customer Data will be used only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.”

• Disclosure of Customer Data: “Microsoft will not disclose Customer Data outside of Microsoft or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the OST, or (3) as required by law. Microsoft will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Customer Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Data to law enforcement, Microsoft will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so. Upon receipt of any other third-party request for Customer Data, Microsoft will promptly notify Customer unless prohibited by law. Microsoft will reject the request unless required by law to comply. If the request is valid, Microsoft will attempt to redirect the third party to request the data directly from Customer. Microsoft will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Microsoft is aware that the data is to be used for purposes other than those stated in the third party’s request. In support of the above, Microsoft may provide Customer’s basic contact information to the third party.”

Also, to assist agencies to evaluate the overall risk of loss of control of their data to which they are exposed, which this GCIO security requirement seeks to address, every six months Microsoft publishes its Law Enforcement Requests for User Data and U.S. National Security Orders for User Data.

What else should agencies consider?

It is important for agencies to understand the implications of the “Additional Considerations” related to this requirement that are set out in the GCIO Security Requirements document. The use of BYOK still requires the agency to allow use of its tenant key by Microsoft, as Microsoft needs access to the keys for its services and applications to encrypt and decrypt data stored in Office 365. Similarly, the use of a 3rd party service provider (e.g. a Cloud Application Security Broker service, or the TaaS PKI Service Provider) to create a tenant key for BYOK requires the agency to allow use of its tenant key by both the third party and Microsoft.

In Microsoft’s view, on a balance-of-risk basis, agencies using Office 365 to manage information and data classified below SENSITIVE or RESTRICTED are best advised to adopt the default Office 365 approach to key management, whereby Microsoft will be the trusted key management service provider. For information or data classified at SENSITIVE or RESTRICTED level, agencies can elect to deploy Azure Information Protection capabilities but should note the caveats below.

For agencies that are considering Azure Information Protection (AIP) there is an option to implement a Hold Your Own Key (HYOK) configuration. AIP with HYOK requires an agency to implement additional on-premises infrastructure (e.g. Active Directory (AD) servers, Active Directory Rights Management Service (AD RMS) servers, HSMs) and will also result in the agency managing two RMS instances (AD RMS and Azure RMS). Microsoft does not generally recommend AIP with HYOK for New Zealand government agencies, as implementing such a solution will substantially degrade the functionality offered by Office 365 and requires the agency to have confidence that its cryptographic key management processes and infrastructure are utterly robust.

Any data protected with AD RMS policies will become opaque to Office 365, and most functions will not work (e.g. no search, no web access, no views, no anti-malware, no anti-spam, no eDiscovery, etc.) across this content. In addition, because Microsoft will have no access to the agency’s tenant or cryptographic keys, it cannot recover customer data if the keys are compromised. If an agency does wish to implement this capability, in-depth discussions with Microsoft are highly advised.

Where can agencies go for more information?

Additional Information on | URL
Content Encryption in Microsoft Office 365 | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652
Whitepaper: Bring Your Own Key with Azure Key Vault for Office 365 and Azure | http://download.microsoft.com/download/F/6/3/F63C9623-053F-44DD-BFA8-C11FA9EA4B61/Bring-Your-Own-Key-with-Azure-Key-Vault-for-Office-365-and-Azure.docx
Azure Information Protection whitepapers | https://aka.ms/aippapers
Microsoft Online Services Terms (OST) | https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx


8. Agencies must ensure that multi-factor authentication is used to control access to the service.

What is this security control?

Agencies must ensure that agency staff, including administrators, are authenticated using a Multi-Factor Authentication (MFA) method (also called two-factor authentication) before they are granted access to Office 365. Traditionally, users are authenticated only using a username and a password (i.e. something they know). MFA seeks to strengthen the authentication process by using one or more additional factors, for example a one-time password (OTP) generated by a mobile application (i.e. something they have) and/or a fingerprint (i.e. something they are).

Key aspects of conforming to this requirement

Agencies need to ensure that, for any instance of access from outside of their corporate network, MFA is enforced for all users, including administrators, before they are granted access to Office 365. Agencies should also ensure that the mechanism staff will use for MFA is actually available to them, such as a cell phone to receive an OTP SMS code or the Microsoft Authenticator application.

How can Microsoft help agencies meet this requirement?

Microsoft supports the enforcement of MFA for Office 365 using Multi-Factor Authentication for Office 365, Azure Multi-Factor Authentication, or Azure Multi-Factor Authentication Server with Active Directory Federation Services (AD FS). Agencies that are using Azure AD to authenticate their users against their on-premises Active Directory must use Azure Multi-Factor Authentication Server for AD FS, which requires an Azure Multi-Factor Authentication or Azure Active Directory Premium licence. However, it can be used to secure Office 365, on-premises services, and thousands of Software as a Service (SaaS) applications from other cloud service providers. Agencies that are not using Azure AD to authenticate their users can use Multi-Factor Authentication for Office 365 to secure Office 365 applications at no extra cost.

Both MFA options support the following methods:

• Phone Call – the user receives a call to their registered phone number asking them to verify they are attempting to sign in. The user can either press the # key on their phone or enter a PIN to authenticate to Office 365.
• SMS Message – the user receives a text message to their registered mobile phone number with a six-digit verification code. The user must enter the code to authenticate to Office 365.
• Mobile App One-Time Password – the Authenticator app running on the user’s smartphone generates a six-digit verification code. The user must enter the code to authenticate to Office 365.
• Mobile App Notification – the Authenticator app running on the user’s smartphone presents a verification request. The user must select Verify or Approve to authenticate to Office 365.
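A conformance check for the "all users, including administrators" aspect of this requirement, written as an added example for this guide rather than taken from it or from Microsoft: it uses the MSOnline PowerShell module (assumed installed) to list tenant users whose per-user MFA state is not Enforced, flagging directory-role members first. The role names in $adminRoles are assumed to match the tenant's built-in role names; adjust them to the roles the agency treats as privileged.

```powershell
# Added example, not part of the conformance guide: audit per-user MFA state
# in an Office 365 tenant with the MSOnline module (Install-Module MSOnline).
# Sign in with an account that can read users and roles; that account itself
# should be MFA-protected.
Import-Module MSOnline
Connect-MsolService

# Directory roles whose members the guide requires to be MFA-enforced.
# Assumed role names; check with Get-MsolRole for the tenant's actual names.
$adminRoles = @(
    'Company Administrator',            # Global Administrator
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'Security Administrator'
)

# Collect the UPNs of user members of those roles (groups/service principals skipped).
$adminUpns = foreach ($roleName in $adminRoles) {
    $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
    if ($role) {
        Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'User' } |
            Select-Object -ExpandProperty EmailAddress
    }
}
$adminUpns = @($adminUpns | Sort-Object -Unique)

# Build one row per user. StrongAuthenticationRequirements is empty when
# per-user MFA is off; otherwise State is 'Enabled' (user must still register)
# or 'Enforced' (MFA required at every sign-in).
$report = Get-MsolUser -All | ForEach-Object {
    $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
        $_.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IsAdmin           = ($adminUpns -contains $_.UserPrincipalName)
        MfaState          = $state
        RegisteredMethods = (@($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ',')
        IsLicensed        = $_.IsLicensed
    }
}

# Finding 1: privileged accounts that are not enforced (highest priority).
Write-Host '== Administrators without enforced MFA =='
$report | Where-Object { $_.IsAdmin -and $_.MfaState -ne 'Enforced' } |
    Format-Table UserPrincipalName, MfaState, RegisteredMethods -AutoSize

# Finding 2: licensed users with no per-user MFA at all, exported for follow-up.
$report | Where-Object { $_.IsLicensed -and $_.MfaState -eq 'Disabled' } |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

# Caveat: this reflects per-user (legacy) MFA only. Agencies enforcing MFA via
# Azure AD Premium conditional access policies or AD FS with Azure MFA Server
# need to review those policies separately; users will show as 'Disabled' here.
```

Enabled-but-not-Enforced users appear in the first finding too, which is the state where a user has been targeted for MFA but has not completed registration.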

What else should agencies consider?

Agencies need to identify and manage end-user computing devices, applications or custom solutions that do not natively support Multi-Factor Authentication for Office 365. Office 365 provides support for application passwords that will need to be used for non-browser clients or applications that do not support modern authentication (e.g. native email clients).

The Azure MFA user experience is designed to provide easy but secure user access to an agency’s applications and services. Azure MFA is designed to provide an extra layer of security when strong authentication is required. Using multi-factor authentication helps protect an agency’s applications and services from being accessed by an unauthorised user who may have gained access to the credentials of a valid agency user.


Leveraging Azure Active Directory Premium, agencies can target MFA at specific applications and services based on the agency’s security context for the application and the data within it. Agencies can also use conditional access to block access to specific applications when a user is not on a trusted network or IP range. These controls can be applied either on an application-by-application basis or at the top level, requiring users to always use Azure MFA when outside of the network. Azure MFA also has an option to be deployed on-premises in a hybrid configuration, allowing agencies to protect on-premises resources with the same experience as the Office 365 Azure MFA scenarios.

Azure Active Directory Premium also allows agencies to configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. Triggers such as an agency user’s credentials being found in a leaked password database, or users accessing Office 365 (or other cloud applications) from an anonymiser, will activate the conditional access controls provided by Azure Active Directory and Enterprise Mobility and Security (EMS). These can automatically block or initiate adaptive remediation actions, including password resets and multi-factor authentication enforcement, on behalf of an agency.

Agencies can also leverage Azure Active Directory Privileged Identity Management (PIM) to manage, control, and monitor access to an agency’s resources in Azure AD and Office 365 by administrators. PIM allows for on-demand and "just in time" administrative access, along with reports about administrator access history and changes in administrator assignments within the cloud services.

Where can agencies go for more information?

Additional Information on | URL
Office 365 MFA | https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
Azure MFA | https://docs.microsoft.com/en-us/azure/multi-factor-authentication/index
Azure MFA Server | https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server
Azure Active Directory Conditional Access | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
Azure Active Directory Identity Protection | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
Azure Active Directory Privileged Identity Management | https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-configure?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json
Modern Authentication - Active Directory Authentication Library (ADAL) | https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries and https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/
Microsoft France Azure Active Directory whitepaper series | https://sway.com/J-ldpNMIu97EiqYU and https://www.microsoft.com/en-us/download/details.aspx?id=36391

9. Agencies must identify where data stored by a service is replicated or backed-up.

What is this security control? When using Office 365, agencies must identify the countries where their data will be stored. This includes any countries where data is replicated or backed-up, to support the agency in meeting compliance, resilience, and disaster recovery requirements.


Key aspects of conforming to this requirement

Agencies need to identify and document where the information they store in Office 365 will be located. This includes services that are available as part of their Office 365 subscription (e.g. Exchange Online, SharePoint Online, etc.), those that support the use of Office 365 (e.g. Azure Active Directory), as well as any additional services that they choose (e.g. Exchange Online Archiving).

How can Microsoft help agencies meet this requirement?

Microsoft provides information to its customers on the geographic location of data stored in Office 365 [4][5]. Microsoft has a regionalised datacentre strategy, where the customer’s country or region determines the primary storage location for their data. Microsoft will replicate customer data to at least two datacentres within the primary region based on:

• Reducing latency for fast login times for users, and access to data within Office 365.
• Ensuring data availability and resiliency in the case of a major datacentre event.
• Data residency requirements of customers and countries.

For New Zealand government agencies purchasing from New Zealand, the tenant would be automatically placed into the Australia region for Office 365 and into the Worldwide partition for Azure Active Directory. The datacentre locations for these regions are presented in figure 4 below.

Figure 4 - Office 365 and Azure AD Data Locations

What else should agencies consider?

While Australia will be the likely primary region for agency data, Microsoft may need to send some data to Microsoft personnel or subcontractors outside this region to troubleshoot or investigate specific service issues (e.g. incident response, service improvement) – generally at the request of the customer. Contractual arrangements regarding such data movements are set out in the Microsoft Online Services Terms (OST).

4 ‘Where is my data?’ https://www.microsoft.com/online/legal/v2/?docid=25
5 https://www.microsoft.com/en-us/trustcenter/privacy/where-your-data-is-located


Also, if Microsoft needs to move agency data to a new country (e.g. following a geographical event, region expansion etc.) agencies will be notified through compliance notifications and asked to opt-in or opt-out depending on their agreement.

Where can agencies go for more information?

Additional Information on | URL
Microsoft Online Services Terms | https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

10. Agencies must revise their agency disaster recovery and incident management plans to cater for offshore hosted office productivity services

What is this security control? Agencies need to ensure that their disaster recovery and incident management plans are updated to account for their adoption and use of Office 365.

Key aspects of conforming to this requirement Agencies are responsible for having a documented disaster recovery plan so that they can continue to use Office 365 in the event of a business disruption, and return to normal business operations within their Recovery Time Objectives and Recovery Point Objectives. While Office 365 is a highly resilient service providing high levels of service availability, agencies need to integrate their disaster recovery processes with Microsoft’s to ensure that they can recover quickly from unexpected events such as hardware or software failure, data corruption, or catastrophic outages. This particularly applies to an agency’s facilities and services or systems that they choose to integrate with Office 365.

How can Microsoft help agencies meet this requirement?

Microsoft has designed and implemented Office 365 with redundancies and resiliency to maximise reliability and deliver high service availability. This enables Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These provisions will also apply in the event of low probability but potentially catastrophic events (e.g. a natural disaster or major incident impacting a Microsoft datacentre), as Office 365 handles failures at the application layer instead of the datacentre layer.

Office 365 has been designed and built around resiliency principles which include:

• Redundancy built into every layer – such as:
  o Physical redundancy (e.g. multiple disks/cards, servers, geographical sites, and datacentres).
  o Data redundancy (constant replication across datacentres).
  o Functional redundancy (the ability for customers to work offline when there is no network connectivity).
• Resiliency - via active load balancing and dynamic prioritisation of tasks based on current loads, constant recovery testing across failure domains, and both automated failover and manual switchover to healthy resources.
• Distributed functionality of component services - to help limit the scope and impact of a failure in one area and to simplify all aspects of maintenance and deployment, diagnostics, repair, and recovery.
• Continuous monitoring - with extensive recovery and diagnostic tools to drive automated and manual recovery of the service.
• Simplification to drive predictability - including the use of standardised components and processes, wherever possible, loose coupling among the software components for less complex deployment and maintenance, and a change management process that goes through progressive stages of being deployed worldwide.
• Human backup - with 24/7 on-call support to provide rapid response and information collection towards problem resolution.

What else should agencies consider?

Agencies should also consider the disaster recovery requirements for their critical on-premises infrastructure that integrates with Office 365. Scenarios that agencies should consider include:

• An outage of Azure Active Directory Connect (previously known as Azure AD Sync or DirSync).
• An outage of Active Directory Federation Services.
• An outage of on-premises Active Directory (for agencies that use their own AD instance for authentication to Office 365).
• Availability of on-premises networks between the agency staff and the Microsoft datacentres.
• Availability of endpoint devices for staff to access Office 365.

An important area to consider is major disaster/event scenarios that are low probability but high impact:

• International network outage – blocking all access to offshore services of any description.
• Local disaster crippling local infrastructure hosting, with internet access being restored first.

For the first scenario, hybrid configurations (Exchange, Skype for Business) will provide some benefits. In the second scenario, the offshore, internet-based nature of Office 365 will be an advantage – with the key constraint being available bandwidth. We recommend the use of password-hash synchronisation through Azure AD Connect for customers using ADFS, allowing them to cut over and use the hash for authentication in the event of ADFS being unavailable.

Note: agencies are not obliged to create local backups to conform to the GCIO security control requirements. If an agency perceives a need to back up any of their O365 data locally, Microsoft will be pleased to discuss approaches or options for doing this.

Where can agencies go for more information?

Additional Information on | URL
Security in Office 365 Whitepaper.docx | https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
Data Resiliency in Office 365.pdf | https://www.microsoft.com/en-us/download/confirmation.aspx?id=53560
Azure AD Connect Health | https://docs.microsoft.com/en-nz/azure/active-directory/connect-health/active-directory-aadconnect-health
Azure AD Connect: Operational tasks and considerations – Staging Mode | https://docs.microsoft.com/en-nz/azure/active-directory/connect/active-directory-aadconnectsync-operations#staging-mode

11. Agencies must have decommissioning processes as outlined in the NZISM

What is this security control? Agencies need to ensure that they have a decommissioning plan and process, to ensure that they can safely extract and sanitise data stored in their Office 365 tenant, in accordance with the NZISM.

Key aspects of conforming to this requirement Agencies need to determine an exit strategy should the need arise to exit their Office 365 tenancy. This includes having a documented plan for decommissioning their service and securing their data, which will need to include:


• Migration plans – how will data, users, and licenses be migrated to a replacement service?
• Data retention and archiving requirements – what contractual and legislative requirements exist for retaining data, and transferring data custodianship for archiving purposes?
• Service decommissioning procedures – what steps are required to end the service subscription, sanitise and delete agency data, and complete any other decommissioning needs?

How can Microsoft help agencies meet this requirement?

Microsoft offers data deletion as part of its data privacy commitments. For Office 365, at contract termination or expiration, Microsoft will provide at least 90 days to confirm that all customer data has been migrated, after which the data will be destroyed to make it unrecoverable. If a customer prefers, Office 365 provides functions for the customer to destroy their data themselves, following Microsoft guidance. In addition to this, if the customer revokes the root encryption keys used to secure customer data within Office 365 (e.g. in a BYOK scenario), then all encrypted data will become permanently unrecoverable.

Microsoft securely disposes of its media using formal media sanitisation and destruction procedures. Microsoft sanitises and destroys media in accordance with organisational standards and policies, consistent with NIST SP 800-88 (Guidelines for Media Sanitization).

What else should agencies consider? Agencies need to understand that once customer content has been destroyed or made unrecoverable, it is permanently unrecoverable. Microsoft has no ability to recover any customer content or encryption keys.

Where can agencies go for more information?

Additional Information on | URL
Content Encryption in Microsoft Office 365.pdf | https://www.microsoft.com/en-us/download/confirmation.aspx?id=54652

12. Agencies must require assurance checks on cloud service providers in accordance with the NZISM

What is this security control? Agencies need to undertake assurance activities to confirm that Office 365 has the controls required to effectively manage their security risks, before certifying and accrediting it for their use.

Key aspects of conforming to this requirement Agencies are required to undertake assurance activities (e.g. design reviews, penetration testing, controls validation audits, etc.) as part of the NZISM Certification and Accreditation (C&A) process, and in accordance with the GCIO’s Cloud Computing Risk and Assurance Framework. These activities are used to provide an agency and its stakeholders with confidence that the security controls required to manage their risks have been appropriately designed and implemented. For security and operational reasons Microsoft does not allow its customers to directly audit its cloud services. Also, direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the large body of compliance and assurance information, including audit reports, available from Microsoft to gain independent assurance that it has effective security controls and practices in place for Office 365.

How can Microsoft help agencies meet this requirement?

Every year, Microsoft undergoes 3rd party audits from internationally recognised auditors as an independent validation that Microsoft complies with its policies and procedures for security, privacy, continuity, and compliance. Office 365 offers one of the most comprehensive sets of security certifications and attestations of any cloud service provider, including FIPS 140-2, HIPAA, CCSL (IRAP), ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2. A specialist compliance and assurance team continuously tracks standards and regulations, developing common control sets for the Microsoft product team to build into the service.

Microsoft is committed to transparency to help customers meet their compliance needs. Office 365 users are strongly encouraged to access and use the relevant parts of both the Microsoft Trust Centre - especially the industry-leading Service Trust Platform (STP) – and also the Security & Compliance Center [6] embedded within Office 365. These capabilities allow O365 customers to access security assurance information such as:

• Compliance reports by 3rd party security auditors (e.g. FedRAMP, GRC, ISO, SOC / SSAE 16).
• Trust documents (e.g. whitepapers, FAQ, trust documentation).
• Status of audited controls (further description of Office 365 security controls as part of ISO 27001:2013 and ISO 27018:2014).
• Results of penetration tests.

In addition to this, Microsoft New Zealand is committed to supporting the assurance needs of New Zealand government and has responded to the New Zealand Government Chief Information Officer’s cloud computing security and privacy considerations questionnaire (i.e. the “GCIO 105”), to help agencies meet their cloud computing compliance needs.

What else should agencies consider? Agencies need to ensure they understand, read, and interpret the service assurance information as part of their Certification and Accreditation process, to ensure that they are satisfied that Office 365 meets their security requirements.

Where can agencies go for more information?

Additional Information on | URL
Microsoft GCIO 105 response documents – Office 365, Intune, Azure, Dynamics 365, Power BI | https://www.microsoft.com/en-us/TrustCenter/Compliance/NZCC
GCIO risk assessment and security audit reports, and Security Certificates (up to In-Confidence) for Microsoft Azure, Office 365, and Azure AD | Available from GCIO on request.

13. Agencies must ensure that there are appropriate security controls over physical access to datacentres

What is this security control? Agencies need to ensure that Microsoft has implemented appropriate physical security controls to prevent an unauthorised party gaining physical access to the datacentres hosting Office 365.

Key aspects of conforming to this requirement

For security and operational reasons Microsoft does not allow its customers to directly audit its cloud services. Also, direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the information and 3rd party assurance reports available from Microsoft to gain independent assurance that it has appropriate physical security in place at the datacentres that host Office 365.

Agencies are responsible for ensuring the physical security of their end-user computing devices and information systems, and the locations that they host equipment in or operate from (e.g. Head Office, hot desks, working remotely).

6 https://support.office.com/en-us/article/Service-assurance-in-the-Office-365-Security-Compliance-Center-47e8b964-4b09-44f7-a2d7-b8a06e8e389c

How can Microsoft help agencies meet this requirement?

Microsoft datacentres around the globe are built from the ground up to protect services and data from harm by natural disaster or unauthorised access. All datacentres are within scope of the independent and internationally recognised security audit reports and certifications regularly undertaken on Microsoft Azure.

Microsoft defines and uses security perimeters to protect areas that contain customer information and information processing facilities. Microsoft implements controls such as perimeter gates, electronic access badge readers, biometric readers, mantraps, anti-tailgate devices, and anti-pass back controls, as well as alarms, continuous video surveillance, and security officers to monitor and control access to facilities. Microsoft protects secure areas within facilities using appropriate entry controls to ensure that only authorised personnel are allowed access, and to protect infrastructure from accidental damage, disruption and physical tampering. Microsoft has designed and built secure rooms (e.g. Main Distribution Frame rooms, co-location rooms), implemented controls such as metal conduits, locked racks or cages, and cable trays, and controls access to secure areas by requiring two-factor authentication (access badge and biometrics).

In addition to the physical access controls, Microsoft has implemented operational procedures to restrict physical access to authorised employees, contractors, and visitors. This includes:

• Authorisation to grant temporary or permanent access is limited to authorised staff, and requests and authorisations are tracked in a ticketing and access control system.
• Visitors are required to be escorted at all times, and access within the facility is logged and audited.
• Access badges are issued to personnel requiring access only after verification of identification, and access is reviewed on a quarterly basis.

Where can agencies go for more information?

Additional Information on | URL
Security in Office 365 Whitepaper.docx | https://www.microsoft.com/en-us/download/confirmation.aspx?id=26552
Service Assurance | https://support.office.com/en-us/article/Service-assurance-in-the-Office-365-Security-Compliance-Center-47e8b964-4b09-44f7-a2d7-b8a06e8e389c

14. Agencies must have assurance that appropriate patching and software maintenance is undertaken

What is this security control? Agencies need to ensure that Microsoft has implemented a robust and comprehensive product lifecycle, including effective patch and vulnerability management strategies, to minimise the risk of an unauthorised party exploiting a known vulnerability to gain access to information stored in Office 365.

Key aspects of conforming to this requirement

Microsoft does not generally allow its customers to directly audit its cloud services. Direct auditing of a public cloud service is a very large and costly undertaking, and presents potential security risks and operational challenges. However, to gain independent assurance that it has effective product lifecycle, patch, and vulnerability management practices in place for Office 365, agencies can review the extensive information and 3rd party assurance reports and certifications available via the Microsoft Trust Center.

How can Microsoft help agencies meet this requirement?

Microsoft identifies, reports, and corrects system flaws in Office 365 through vulnerability management, incident response management, patch and configuration management processes. Microsoft receives vulnerability-related information from multiple sources which include:

• Microsoft Security Response Centre (MSRC).
• The Microsoft Digital Crimes Unit.
• Vendor websites.
• Other 3rd party services (e.g. Internet Security Systems).
• United States Computer Emergency Readiness Team (US-CERT).
• Internal and external vulnerability scanning of services daily.

Microsoft has implemented procedures to control the installation of software within Office 365. Patches, updates, and threat mitigations are covered by the Microsoft Security Development Lifecycle (SDL)⁷. Office 365 has robust patch management release cycles and engagement models to mitigate new vulnerabilities or threats as quickly as possible.

What else should agencies consider?

Agencies must ensure that they also have robust and comprehensive product lifecycle, patch and vulnerability management strategies that cover:

• operating systems and applications on end-user computing devices (e.g. workstations, laptops, tablets, and smartphones).
• operating systems and applications on the infrastructure components they are responsible for managing and maintaining (e.g. Active Directory servers).

This will ensure that the devices and infrastructure components that are managed by the agency remain compatible with Office 365, and minimise the risk of a malicious party exploiting a known vulnerability in them to gain access to the information stored in Office 365.

Where can agencies go for more information?

Additional Information on: Response to GCIO 105 questions – Microsoft Office 365 – July 2015 – FINAL.pdf
URL: https://www.microsoft.com/en-us/TrustCenter/Compliance/NZCC

15. Agencies must ensure that there are technical protections to prevent data-mingling on shared storage platforms

What is this security control?

Agencies need to ensure that Microsoft has implemented technical controls to prevent their data stored in Office 365 from being mixed, blended, or combined with other tenants’ data, to protect against unauthorised access, disclosure, modification, and loss.


Key aspects of conforming to this requirement

For security and operational reasons, Microsoft does not allow its customers to directly audit its cloud services. Also, direct auditing of a public cloud service is a very large and costly undertaking. However, agencies can review the information and 3rd party assurance reports available from Microsoft to gain independent assurance that it has implemented and maintains controls that prevent data-mingling.

How can Microsoft help agencies meet this requirement?

Microsoft cloud services, including Office 365, have been designed with the assumption that all tenants are potentially hostile to all other tenants. Microsoft has implemented comprehensive security measures to prevent a tenant from being able to access content, or affect the security, of another tenant. Multiple forms of protection have been implemented throughout Office 365 that work together to provide robust logical isolation. These include:

• Logical isolation of tenants, users and services through Azure Active Directory partitions, containers, authorisation and Role-Based Access Control (RBAC).
• Logical isolation of tenants, users and services within Office 365 through Azure Active Directory and Directory Services.
• Logical isolation of customer content at the storage level, through operating system ACLs and enforcement by Azure Active Directory.
• Multi-layered encryption strategy, which combines with the data isolation storage models for each service (e.g. Exchange Online, Skype for Business, SharePoint Online) to provide additional isolation of customer data.
• SharePoint Online provides additional data isolation mechanisms at the storage level.

Microsoft continuously monitors and explicitly tests for weaknesses and vulnerabilities in tenant boundaries, including monitoring for intrusion, permission violation attempts, and resource starvation.

Where can agencies go for more information?

Additional Information on: Tenant Isolation in Microsoft Office 365
URL: https://www.microsoft.com/en-us/download/confirmation.aspx?id=54249


Office 365 Subscription Plans mapped to Security Technologies

The following table details which Office 365 technologies are available in each subscription plan.

Security Feature (plans, in order: Office 365 K1, Office 365 E1, Office 365 E3, Office 365 E5, SPE E3 / ECS, SPE E5; one ✓ per plan that includes the feature)

Azure Active Directory: ✓ ✓ ✓ ✓ ✓ ✓
Office 365 MFA: ✓ ✓ ✓ ✓ ✓ ✓
Office 365 MDM: ✓ ✓ ✓ ✓ ✓ ✓
Office 365 Data Loss Prevention: ✓ ✓ ✓ ✓
Secure Score: ✓ ✓ ✓ ✓ ✓ ✓
Exchange Online Protection - filtering: ✓ ✓ ✓ ✓ ✓ ✓
Exchange Online Advanced Threat Protection: ✓ ✓
Office 365 Advanced Security Management: ✓ ✓
Advanced Threat Intelligence: ✓ ✓
Customer Lock (process control): ✓ ✓
Skype for Business, OneNote, Outlook and OneDrive free apps with MAM support: ✓ ✓ ✓ ✓ ✓ ✓
Word, Excel and PowerPoint Mobile Apps with MAM support: ✓ ✓ ✓ ✓
Azure AD MFA: ✓ ✓
Azure AD Conditional Access: ✓ ✓
Azure AD Identity Protection: ✓
Azure AD Privileged Identity Management: ✓
Intune MDM: ✓ ✓
Intune App Protection: ✓ ✓
Customer Key (BYOK) in Office 365: ✓ ✓
Azure Information Protection – manual: ✓ ✓
Azure Information Protection – automated: ✓
Azure Information Protection – BYOK⁸: ✓ ✓ ✓ ✓
Azure Information Protection – HYOK: ✓
Cloud App Security: ✓
Windows Information Protection: ✓ ✓

• Secure Productive Enterprise E3 (formerly Enterprise Cloud Suite or ‘ECS’) includes Office 365 E3, Enterprise Mobility and Security E3 and Windows Enterprise E3
• Secure Productive Enterprise E5 includes Office 365 E5, Enterprise Mobility and Security E5 and Windows Enterprise E5

For more information refer to: https://www.microsoft.com/en-us/secure-productive-enterprise/default.aspx

8 Requires Azure Key Vault - https://docs.microsoft.com/en-us/information-protection/plan-design/byok-price-restrictions


Appendix: Office 365 encryption capabilities

Table 1: Risk scenarios and relevant encryption capabilities

Risk scenario: Disks or servers in Office 365 are stolen or improperly recycled.
Encryption technology: BitLocker
Applies to: Exchange Online, SharePoint Online, Skype for Business
Implementation: AES 256-bit
Value: BitLocker provides a fail-safe approach to protect against loss of data due to stolen or improperly recycled hardware (server / disk).

Risk scenario: Internal or external hacker tries to access individual files / data as a blob. There is an attempt to access data across tenants.
Encryption technology: Service encryption
Applies to: SharePoint Online
Implementation: Files or chunked files, using AES 256-bit
Value: The encrypted data cannot be decrypted without access to keys. Helps to mitigate the risk of a hacker accessing data and of cross-tenant access to data.

Risk scenario: Internal or external hacker tries to access individual files / data as a blob.
Encryption technology: Service encryption
Applies to: Skype for Business
Implementation: Files, using AES 256-bit
Value: The encrypted data cannot be decrypted without access to keys. Helps to mitigate the risk of a hacker accessing data.

Risk scenario: Man-in-the-middle or other attack to tap the data flow between Office 365 and client computers over the Internet.
Encryption technology: TLS between Office 365 and clients
Applies to: Exchange Online, SharePoint Online, Skype for Business, Yammer
Implementation: Service implemented
Value: This implementation provides value to both Microsoft and customers and assures data privacy as it flows between Office 365 and the client.

Risk scenario: Data falls into the hands of a person who should not have access to the data.
Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Applies to: Exchange Online, SharePoint Online, and OneDrive for Business
Implementation: Customer managed
Value: Azure Information Protection uses Azure RMS, which provides value to customers by using encryption, identity, and authorisation policies to help secure files and email across multiple devices. Azure RMS provides value to customers where all emails originating from Office 365 that match certain criteria (i.e. all emails to a certain address) can be automatically encrypted before they get sent to another recipient.

Risk scenario: Email falls into the hands of a person who is not the intended recipient.
Encryption technology: S/MIME
Applies to: Exchange Online
Implementation: Customer managed
Value: S/MIME provides value to customers by assuring that email encrypted with S/MIME can only be decrypted by the direct recipient of the email.

Risk scenario: Email falls into the hands of a person either within or outside Office 365 who is not the intended recipient of the email.
Encryption technology: Office 365 Message Encryption
Applies to: Exchange Online
Implementation: Customer managed
Value: OME provides value to customers where all emails originating from Office 365 that match certain criteria (i.e. all emails to a certain address) are automatically encrypted before they get sent to another internal or external recipient.

Risk scenario: Email is intercepted via a man-in-the-middle or other attack while in transit from an Office 365 tenant to another partner organisation.
Encryption technology: SMTP TLS with partner organisation
Applies to: Exchange Online
Implementation: Customer managed
Value: This scenario provides value to the customer such that they can send / receive all emails between their Office 365 tenant and their partner’s email organisation inside an encrypted SMTP channel.


Table 2: details of encryption technologies for data in transit and at rest

Encryption technology: BitLocker
Implemented by: Exchange Online
Key exchange algorithm and strength: AES 256-bit
Key management⁹: AES external key is stored in a Secret Safe and in the registry of the Exchange server. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: BitLocker
Implemented by: SharePoint Online
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: BitLocker
Implemented by: Skype for Business
Key exchange algorithm and strength: AES 256-bit
Key management: AES external key is stored in a Secret Safe. The Secret Safe is a secured repository that requires high-level elevation and approvals to access. Access can be requested and approved only by using an internal tool called Lockbox. The AES external key is also stored in the Trusted Platform Module in the server. A 48-digit numerical password is stored in Active Directory and protected by Lockbox.
FIPS 140-2 validated: Yes

Encryption technology: File-Level Encryption
Implemented by: SharePoint Online
Key exchange algorithm and strength: AES 256-bit
Key management: The master keys, which protect the per-blob keys, are stored in two locations: 1. First, the secured store (a built-in SharePoint secret repository), which is protected by the Farm Key. 2. Second, the master keys are backed up in the central SharePoint Online secret store. These keys are updated (and the blob keys re-encrypted) every 42 days.
FIPS 140-2 validated: Yes

Encryption technology: File-Level Encryption
Implemented by: Skype for Business
Key exchange algorithm and strength: AES 256-bit
Key management: Each piece of content is encrypted using a different randomly generated 256-bit key. The encryption key is stored in a corresponding metadata XML file which is also encrypted by a per-conference master key. The master key is also randomly generated once per conference.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: Exchange Online
Key exchange algorithm and strength: Opportunistic TLS supporting multiple cipher suites
Key management: The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes, when TLS 1.2 with 256-bit cipher strength is used

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: SharePoint Online
Key management: The TLS certificate for SharePoint Online (*.sharepoint.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for SharePoint Online is a 2048-bit SHA1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Office 365 and clients/partners
Implemented by: Skype for Business
Key exchange algorithm and strength: TLS for SIP communications and PSOM data sharing sessions
Key management: The TLS certificate for Skype for Business (*.lync.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Skype for Business is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root.
FIPS 140-2 validated: Yes

Encryption technology: TLS between Microsoft datacentres
Implemented by: Exchange Online, SharePoint Online, and Skype for Business
Key exchange algorithm and strength: TLS 1.2 with AES 256; Secure Real-time Transport Protocol (SRTP)
Key management: Microsoft uses an internally managed and deployed certification authority for server-to-server communications between Microsoft datacentres.
FIPS 140-2 validated: Yes

Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Implemented by: Exchange Online
Key exchange algorithm and strength: Supports Cryptographic Mode 2, an updated and enhanced RMS cryptographic implementation. RSA 2048 for signature and encryption, and SHA-256 for hash in the signature.
Key management: Managed by Microsoft.
FIPS 140-2 validated: Yes

Encryption technology: Azure Rights Management (included in Office 365 or Azure Information Protection)
Implemented by: SharePoint Online
Key exchange algorithm and strength: Supports Cryptographic Mode 2, an updated and enhanced RMS cryptographic implementation. RSA 2048 for signature and encryption, and SHA-256 for signature.
Key management: Managed by Microsoft, which is the default setting; or customer-managed (aka BYOK), which is an alternative to Microsoft-managed keys. Organisations that have an IT-managed Azure subscription can use BYOK and log its usage at no extra charge. For more information, see Implementing bring your own key. In this configuration, Thales HSMs are used to protect your keys. For more information, see Thales HSMs and Azure RMS.
FIPS 140-2 validated: Yes

Encryption technology: S/MIME
Implemented by: Exchange Online
Key exchange algorithm and strength: Cryptographic Message Syntax Standard 1.5 (PKCS #7)
Key management: Depends on the customer-managed public key infrastructure deployed. Key management is performed by the customer, and Microsoft never has access to the private keys used for signing and decryption.
FIPS 140-2 validated: Yes, when configured to encrypt outgoing messages with 3DES or AES256

Encryption technology: Office 365 Message Encryption
Implemented by: Exchange Online
Key exchange algorithm and strength: Same as Azure RMS (Cryptographic Mode 2 - RSA 2048 for signature and encryption, SHA-256 for signature)
Key management: Uses Azure Information Protection as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages.
FIPS 140-2 validated: Yes

Encryption technology: SMTP TLS with partner organisation
Implemented by: Exchange Online
Key exchange algorithm and strength: TLS 1.2 with AES 256
Key management: The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit sha256RSA certificate issued by Baltimore CyberTrust Root. The TLS root certificate for Exchange Online is a 2048-bit sha1RSA certificate issued by Baltimore CyberTrust Root. Be aware that for security reasons, our certificates do change from time to time.
FIPS 140-2 validated: Yes, when TLS 1.2 with 256-bit cipher strength is used

9 TLS certificates referenced in this table are for US datacentres; non-US datacentres also use 2048-bit sha256RSA certificates.
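The File-Level Encryption rows above describe a two-level key hierarchy: per-blob (or per-content) keys that encrypt the stored data, protected by a master key that is rotated on a schedule, with only the blob keys re-encrypted. The Go program below is an added illustration of that pattern and is not Microsoft's code or the documented Office 365 mechanism; the names (EncryptedBlob, EncryptBlob, RotateMaster) and the choice of AES-256-GCM for both content and key wrapping are assumptions made for the example. It shows why rotating the master key re-wraps the small per-blob keys and leaves the content ciphertext untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedBlob: content sealed under its own per-blob key, plus that key sealed under the master key.
type EncryptedBlob struct{ Ciphertext, WrappedKey []byte }

// randBytes returns n bytes from the OS CSPRNG (crypto/rand.Read never fails as of Go 1.24).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// seal encrypts with AES-256-GCM and prefixes the random 96-bit nonce.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail: every key in this model is 32 bytes
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication and returns an error.
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptBlob seals content under a fresh 256-bit per-blob key and wraps that key under master.
func EncryptBlob(master, content []byte) EncryptedBlob {
	blobKey := randBytes(32)
	return EncryptedBlob{Ciphertext: seal(blobKey, content), WrappedKey: seal(master, blobKey)}
}

// DecryptBlob unwraps the per-blob key with master, then opens the content.
func DecryptBlob(master []byte, b EncryptedBlob) ([]byte, error) {
	blobKey, err := open(master, b.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(blobKey, b.Ciphertext)
}

// RotateMaster re-wraps only the per-blob key under newMaster; the content ciphertext is untouched.
func RotateMaster(oldMaster, newMaster []byte, b EncryptedBlob) (EncryptedBlob, error) {
	blobKey, err := open(oldMaster, b.WrappedKey)
	if err != nil {
		return EncryptedBlob{}, err
	}
	return EncryptedBlob{Ciphertext: b.Ciphertext, WrappedKey: seal(newMaster, blobKey)}, nil
}
```

After a rotation the old master key can no longer unwrap any blob key, yet no stored ciphertext had to be rewritten, which is what makes a scheduled rotation of master keys practical at storage scale.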
