Webinar - Compliance with

How Nonprofits Can Be Compliant with the
Microsoft Cloud
With Sam Chenkin, Tech Impact
April 19, 2017
Using ReadyTalk
• Chat to ask questions
• If you lose your Internet connection, reconnect using the link emailed to you.
• Your audio will play through your computer’s speakers. Hear an echo? You may be logged in twice and will need to close one instance of ReadyTalk.
• This webinar will be available on the TechSoup website along with past webinars: www.techsoup.org/community/events-webinars
• You can also view recorded webinars and videos on our YouTube channel: https://www.youtube.com/TechSoupVideo
• Follow up email
• Tweet us @TechSoup or using hashtag: #tswebinars
© TechSoup Global | All rights reserved
Presenters
Susan Hope Bard
Training and Education Manager
TechSoup
Sam Chenkin
Tech Impact
The Need Is Global – And So Are We
TechSoup’s mission is to build a dynamic bridge that enables civil society organizations and social change
agents around the world to gain effective access to the resources they need to design and implement
solutions for a more equitable planet.
[Map: countries served, TechSoup partner locations and NetSquared local groups. Where are you on the map?]
How Nonprofits Can Be
Compliant with the
Microsoft Cloud
[email protected]
Sam Chenkin
DIRECTOR OF CONSULTING SERVICES
As Director of Technology Services, I oversee our consulting staff as they
help nonprofits focus on their mission. Our team supports hundreds of
nonprofits every year as they make decisions about their technology
strategy, build data systems, and understand their data.
When I’m not at Tech Impact I’m cooking, traveling, or singing rather
poorly.
What We’re Talking About Today
• Everyone throws around the word compliance but how do
you actually achieve that? In this free, 60-minute webinar
we’ll discuss achievable goals for the nonprofit community to
keep their data safe with the Microsoft Cloud. We’ll explore
account security like two-factor authentication, data security
like encryption, and how to make sure only compliant devices
can access your data.
About Security & Compliance
• We are not lawyers
• We do not pretend to be lawyers
• We do not even play lawyers on TV
• Under no circumstances should you
take what we say as legal advice
• Got it?
• Good.
Now the Dirt
• Most compliance isn’t about the technology, it’s about how you use
the technology
• Most “compliance” technology is about enforcing compliance rather
than being in compliance in the first place
• You need to decide how important enforcement is
The Sad Truth
• You definitely aren’t in compliance now unless you have staff dedicated to it.
• Are you?
• Enforcing password expiration, complexity, re-use, and sharing?
• Have an IDP device doing packet inspection?
• Monitoring security logs regularly and taking action on events?
• Have credit card data on a physically separate network?
• Keeping and monitoring file audit logs including file access?
• Keeping all client-related data in a restricted location?
• Encrypting all devices with sensitive data, particularly when out of the office?
• Using two-factor authentication for remote access?
• Documenting your data and knowing everywhere it is stored, how it is stored and how it is transported?
What to look for
• Most nonprofits deal with one of a few basic standards
• HITECH/HIPAA: patient data
• PCI: financial transaction data
• FERPA: student data
• COPPA: interactions with minors
• FISMA: governmental data
• Sarbanes-Oxley / Gramm-Leach-Bliley: financial data
• Contractual obligations from partners and funders (e.g. government)
• Check out this super old article: https://technet.microsoft.com/en-us/magazine/2006.09.businessofit.aspx
This is Complicated but not Rocket Science
• Read the standards, this is in the public domain
• Check to see if your cloud solutions specifically list compliance with these standards
• Be aware of what is happening in your organization
• Don’t stick your head in the sand
What to think about
• These standards for the most part cover a few basic things
• Physical Security of equipment with data
• Access to Data by internal staff and external actors
• Logging & Auditing of the use of technologies
• Monitoring & Detecting of misuse and intrusions
• Retention of sensitive records
• Notification of breach
[Diagram: Model of Nonprofit Security, with the layers Provider Security, Device Security, Account Security and Data Security]
Provider Security is a Checkbox
• ISO 27001: Evaluates compliance with
information security standards
• SSAE 16 / SOC 1: Does the design of a system live
up to what the vendor promises?
• SOC 2: Does the design and operation of a
system live up to what the vendor promises?
• Very, very, very boring standards for information
security. Your cloud vendor should have at least
SSAE16 / SOC 1
Beyond that, it’s up to you
• Having systems that can be compliant doesn’t mean
they are
• Pay special attention to:
• Is data retained long enough? (Retention)
• Is data downloaded out of the system protected
(Encryption)
• Can you tell if people are emailing / sharing data
they shouldn’t be (Data Loss Prevention / DLP)
• How are you controlling access to data?
(Authentication, Session Management)
How Can The Microsoft Cloud Help?
Microsoft Handles Platform Security
• Office 365, if properly implemented, is HIPAA,
PCI, FERPA, COPPA, etc. compliant
• It is independently audited for FISMA, SOC2 Type
II, Safe Harbor, SSAE16 SOC1 Type II, ISO 27018,
ISO 27001
• What does this mean? To get your data someone
would have to compromise your accounts or take
data when it’s sitting somewhere less secure than
Office 365 (your computer or sent via email)
How Can Microsoft Help with The Rest?
• Make sure only authorized and safe devices
are accessing your data
• Secure your accounts so that only
authorized individuals are using them
• Provide auditing tools and help you look for
worrisome patterns by authorized users or
detect unauthorized users
• Provide additional security for individual
files or emails that might contain
particularly sensitive information
[Diagram: Device Security, Account Security, Data Security]
Where to Start?
Low Hanging Fruit
• Enable Two-Factor Authentication
• Enable Administrative Action Logging
• Encryption
• Train your Users
Two-Factor Authentication
• Free if enabled user-by-user.
• Purchase Enterprise Mobility +
Security E3 ($1.65/user/month)
to:
• Enforce automatically across your
entire organization
• White-list your main offices
• Annoyances:
• Works best with Office 2016
• Doesn’t work with ActiveSync
Administrative Action Logging
• Tracks user account changes, document deletions, password changes that have occurred in the last 90 days
• Free, but needs to be turned on
• Helps you understand if someone is making changes they shouldn’t be making!
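Turning the audit log on and then asking it the question the slide poses (who changed accounts, passwords or deleted documents in the last 90 days), as an added PowerShell example that is not from the webinar. It assumes you are already connected to Exchange Online PowerShell as an admin; the operation names are the ones the unified audit log records.

```powershell
# Added example: enable Office 365 audit logging, then review 90 days of admin activity.
# Assumes an existing Exchange Online PowerShell session with an admin account.

# 1. Logging is free but off by default: check, then switch it on.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log enabled; events start appearing after a short delay."
}

$start = (Get-Date).AddDays(-90)   # the 90-day retention window from the slide
$end   = Get-Date

# 2. Azure AD admin events: role membership, user edits and password resets/changes.
$accountOps = @("Add member to role.", "Update user.", "Reset user password.", "Change user password.")
$accountEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory -Operations $accountOps -ResultSize 5000

# 3. Document deletions in SharePoint / OneDrive.
$deleteEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations "FileDeleted" -ResultSize 5000

# 4. AuditData is a JSON blob; flatten it into who / what / to whom / when.
$report = foreach ($e in ($accountEvents + $deleteEvents)) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $e.CreationDate
        Actor     = $e.UserIds          # the account that performed the action
        Operation = $e.Operations
        Target    = $d.ObjectId         # target user (UPN) or file URL
        Result    = $d.ResultStatus
    }
}
$report | Sort-Object When -Descending | Format-Table -AutoSize

# 5. The slide's question: is anyone changing things they shouldn't? List actors who
#    reset or changed someone else's password, most active first, for follow-up.
$report |
    Where-Object { $_.Operation -like "*password*" -and $_.Actor -ne $_.Target } |
    Group-Object Actor | Select-Object Name, Count | Sort-Object Count -Descending
```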
Encrypt Your Devices
• Built into modern Mac OS X
(FileVault), Windows 7/8
Enterprise, Windows 10 Pro /
Enterprise
• Easy to turn on in mobile
devices (“Encrypt Storage”)
• PCs require a “Trusted Platform Module”
You need one of these!
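Checking for the TPM the slide insists on and then enabling BitLocker on the system drive, as an added PowerShell example that is not from the webinar. It assumes an elevated PowerShell on Windows 10 Pro/Enterprise and that the machine is Azure AD joined, so the recovery key can be escrowed there.

```powershell
# Added example: confirm the TPM, enable BitLocker on C:, escrow the recovery password.
# Assumes elevated PowerShell on Windows 10 Pro/Enterprise; the AAD backup step assumes
# the device is Azure AD ("Cloud") joined.

# The TPM holds the disk key so the PC boots without a password prompt. BitLocker's
# default configuration will not enable without a TPM that is present *and* ready.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM found: this PC cannot use the default BitLocker setup." }
if (-not $tpm.TpmReady)   { throw "TPM present but not ready: check firmware settings or run Initialize-Tpm." }

$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On") {
    Write-Host "C: is already protected (status: $($vol.VolumeStatus))."
} else {
    # XTS-AES 256 is the strongest method on Windows 10 (1511 and later).
    # -UsedSpaceOnly finishes quickly on a fresh machine; -SkipHardwareTest avoids a reboot.
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest

    # Without a recovery password a motherboard swap or TPM reset locks the data out forever.
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password where an admin can find it: the Azure AD device object.
$recovery = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword"
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $kp.KeyProtectorId
}

# VolumeStatus shows encryption progress; ProtectionStatus should read On once done.
Get-BitLockerVolume -MountPoint "C:" |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, KeyProtector
```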
Train Your Users
• Have an acceptable use policy that outlines what is considered sensitive data and
how to properly handle it (email is not secure)
• Subscribe to a 3rd party training and Phishing simulator service to find out who is silly
enough to hand over their credentials and force them to learn more
(https://www.knowbe4.com/ has been recommended by my clients)
What’s Next
Advanced Security Tools Aren’t Free
• To go beyond the basics, you’ll need to make some investments
• Office 365 E3 licenses ($4.50/user/month) include some important
tools that may be necessary if you want to maintain compliance with
HIPAA, PCI, and other standards. Everything in this section requires
this license.
Email Encryption
• Email isn’t secure, but with
encrypted emails your recipients
are directed to a secure portal
to view and respond to sensitive
emails
• Emails are encrypted based on
Exchange Transport Rules which
can be triggered by a keyword
(“encrypt”) in the email or by
the detection of SSNs, CC#s, etc
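The two triggers described on the slide (a keyword, and detected SSNs or card numbers) as Exchange transport rules, added here as a PowerShell example that is not from the webinar. It assumes an Exchange Online PowerShell session on an Office 365 E3 tenant with Office 365 Message Encryption available; the rule names are our own.

```powershell
# Added example: encrypt outgoing mail via Exchange transport rules.
# Assumes an Exchange Online PowerShell session and Office 365 Message Encryption (OME).

# Rule 1: the sender opts in by putting "encrypt" in the subject or body.
# Scoped to recipients outside the organization; internal mail never leaves Office 365.
New-TransportRule -Name "OME - encrypt on request" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "encrypt" `
    -ApplyOME $true `
    -Priority 0

# Rule 2: automatic detection. The built-in sensitive information types (the same
# classifiers DLP uses) match SSNs and card numbers by pattern, checksum and context.
# Confirm the exact classification names first; they must match verbatim.
Get-DataClassification |
    Where-Object { $_.Name -like "*Social Security*" -or $_.Name -like "Credit Card*" } |
    Select-Object Name

New-TransportRule -Name "OME - encrypt detected SSN or card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -ApplyOME $true `
    -Priority 1

# Review what is now in force: State should be Enabled for both rules.
Get-TransportRule | Where-Object Name -like "OME - *" |
    Format-Table Name, State, Priority, SentToScope, ApplyOME
```

Send yourself a test message from an external mailbox's point of view (subject containing "encrypt", then one with a constructed test SSN) to confirm recipients land on the portal rather than receiving plaintext.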
Data Loss Prevention
• Create rules in Office 365 that
span email and files to look for
common kinds of sensitive
information
• Prevent content from being
shared/emailed externally,
notify managers, or lock it down
• Will work on new content and
on items that have been in
SharePoint for a while
• Enabled through the Security &
Compliance portal if you have an
E3 license
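A DLP policy doing what the slide describes (span email and files, block external sharing, notify people), created through Security & Compliance Center PowerShell instead of the portal, as an added example that is not from the webinar. It assumes an active Security & Compliance PowerShell session and an E3 license; the policy and rule names and the compliance@example.org mailbox are placeholders.

```powershell
# Added example: DLP policy covering Exchange, SharePoint and OneDrive.
# Assumes a Security & Compliance Center PowerShell session and an E3 license.
# "compliance@example.org" is a placeholder for your compliance mailbox.

# The policy only defines where to look. Start in test mode so you can see what
# would have been blocked before you enforce anything (the slide's "notify" option).
New-DlpCompliancePolicy -Name "Protect SSNs and card numbers" `
    -Comment "Created from the compliance webinar checklist" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# The rule does the work: content shared outside the organization that contains an SSN
# or card number is blocked, the owner sees a policy tip, and an incident report is sent.
New-DlpComplianceRule -Name "Block external sharing of SSNs and card numbers" `
    -Policy "Protect SSNs and card numbers" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains sensitive personal data and cannot be shared externally." `
    -GenerateIncidentReport "compliance@example.org" `
    -IncidentReportContent All

# Existing SharePoint content is scanned too (the slide's "items that have been in
# SharePoint for a while"), so expect a burst of reports from old files at first.

# After a test period with no surprises, switch from test to enforcement:
# Set-DlpCompliancePolicy -Identity "Protect SSNs and card numbers" -Mode Enable

Get-DlpCompliancePolicy -Identity "Protect SSNs and card numbers" |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy "Protect SSNs and card numbers" |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, GenerateIncidentReport
```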
Retention Policies
• Tell Office 365 to keep
documents or email for
a certain period of time
• Items can be
(laboriously) retrieved
through a content
search
• Can be applied globally
or to specific mailboxes
or SharePoint /
OneDrive locations
Let’s Go Crazy
Single Sign-On
• Any 3rd party service supporting
SAML can be integrated
• When logging into these
services users are redirected to
Office 365
• Two-factor authentication can
be applied
• Disable a user in one place and
their access everywhere is
disabled
• Free for up to 10 applications
Cloud Join
• Windows 10 machines can be
“Cloud Joined” to Azure instead
of to a local server
• Users log in with their Office 365
credentials
• They’ll have Single Sign On to
Office 365 and any apps you’ve
tied to Azure AD
• Free. An Enterprise Mobility +
Security E3 license lets you
specify additional admins on
local computers
Conditional Access
• Devices need to be enrolled
before they can access Office 365
• Devices can’t be enrolled unless
they meet Intune policies
• Remote-wipe devices
• You can restrict access to certain
applications (OneDrive sync client,
Outlook desktop) while still
allowing basic access to a web
browser
• Requires an Enterprise Mobility +
Security E3 license
($1.65/user/month)
File Classification
• Give your users an easy way to mark documents or emails with a “Sensitivity”
rather than asking them to know what they are doing
• Automatically encrypt files or emails, prevent sharing, or take other actions based
on those policies
• Requires an Enterprise Mobility + Security License
Cloud App Security
• Go way beyond admin logging and
DLP security
• Look at files and emails for
sensitive content
• Look for high-risk actions
(excessive failed logins, mass
downloads of files, new locations)
• Have very granular logs for every
file and every user (file access,
shared mailbox access)
• Requires an Office 365 E5 or
Enterprise Mobility + Security E5
license
Thank You!
Sam Chenkin – [email protected]
Questions?
Get Your TechSoup Courses!
Upcoming Webinars and Events
• 4/25: Tuesday Tech30: Adobe Illustrator
• 4/26: Lights, Camera, Advocacy to Action: Digital Storytelling
for Libraries
• Explore our webinar archives for more!
Thank You to Our Webinar Sponsor!
ReadyTalk offers dedicated product demos for
TechSoup organizations 4 times per week.
For more information: www.techsoup.org/readytalk
Please complete the post-event survey that will
pop up once you close this window.