Microsoft: security and privacy at the time of Covid

(by Carlo Mauceli)
15/02/21

A few months ago we talked about the importance of security and privacy at the time of COVID (see article), highlighting some ethical and social aspects of digital technologies.

Let's now try to go deeper into some points related to the suite everyone is using at the moment, referring the most curious reader to the Trust Center site, where all the relevant details can be found.

One of the topics I have to address more and more often with our customers is the processing of personal data.

Microsoft processes personal data in accordance with the provisions of the Online Services Data Protection Addendum ("DPA"), available at https://aka.ms/DPA. In particular, the DPA establishes that Microsoft acts as the personal data processor and constitutes the agreement binding the processor to the data controller pursuant to art. 28 paragraph 3 of the General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

Microsoft's GDPR terms reflect the commitments required of processors in Article 28. Article 28 requires that processors commit to:

  • Use sub-processors only with the consent of the controller and remain liable for them.
  • Process personal data exclusively on the controller's instructions, including with regard to transfers.
  • Ensure that the persons who process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk.
  • Assist controllers in meeting their obligation to respond to data subjects' requests to exercise their rights under the GDPR.
  • Meet breach notification and assistance requirements.
  • Assist controllers with data protection impact assessments and consultation with competent authorities.
  • Delete or return personal data at the end of the provision of the services.
  • Support the controller with evidence of compliance with the GDPR.

Data Encryption and Network Usage

Let's take Teams as the element of analysis. Using Teams, which, let us remember, is an integral part of the O365 platform and, more generally, of all Microsoft cloud services (Azure, Dynamics 365 and O365 itself), does not necessarily require a dedicated VPN for remote connections.

Microsoft Teams relies on the TLS and MTLS protocols, which provide encrypted communications and endpoint authentication over the Internet. Teams uses both protocols to build the network of trusted servers and to ensure that all communication on that network is encrypted. All server-to-server communication occurs over MTLS. Remaining or legacy SIP client-to-server communication occurs over TLS.

TLS allows users, through their client software, to authenticate the Teams servers in Microsoft datacenters to which they connect. In a TLS connection, the client requests a valid certificate from the server. To be valid, the certificate must have been issued by a Certification Authority that is also trusted by the client, and the DNS name of the server must match the DNS name on the certificate. If the certificate is valid, the client uses the public key in the certificate to encrypt the symmetric encryption keys to be used for the communication, so only the legitimate owner of the certificate can use its private key to decrypt the contents of the communication. The resulting connection is trusted and, from that point on, is not challenged by other trusted servers or clients.

Server-to-server connections rely on mutual TLS (MTLS) for mutual authentication. On an MTLS connection, the server generating a message and the server receiving it exchange certificates from a mutually trusted CA. The certificates prove the identity of each server to the other. This is the procedure followed in the Teams service.

TLS and MTLS help prevent both eavesdropping and man-in-the-middle attacks.

In a man-in-the-middle attack, the attacker routes the communication between two network entities through the attacker's computer without the knowledge of either party. The TLS and Teams specification of trusted servers partially mitigates the risk of a man-in-the-middle attack at the application layer by using coordinated encryption, via public key encryption, between the two endpoints. To decrypt the communication, an attacker would need a valid and trusted certificate, with the corresponding private key, issued in the name of the service the client is communicating with.
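The two checks described above (a certificate chaining to a trusted CA, and a DNS name that matches the name the client connected to), plus the mutual-authentication variant used between servers, are shown below in an added example written for this article; it is not code from Microsoft or from the Teams service. It uses only Python's standard `ssl` module. The hostname matcher follows the RFC 6125 rules (a wildcard only in the left-most label, never spanning more than one label), and the SAN names and hostnames in the demonstration are constructed under example.com.

```python
import ssl
from typing import Dict, Iterable, Optional


def make_client_context() -> ssl.SSLContext:
    """Client side of a TLS connection (the Teams client talking to the service):
    the server must present a certificate that chains to a CA the client trusts,
    and the DNS name on that certificate must match the name the client used."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # These two are already the defaults of create_default_context(); they are
    # restated so the policy is explicit when the code is reviewed.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_mtls_server_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """Server side of a mutual-TLS (MTLS) link: the peer must itself present a
    certificate from the mutually trusted CA, otherwise the handshake fails.
    ca_bundle_path is a hypothetical path supplied by the caller."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    # CERT_NONE here would silently turn this back into one-way TLS.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value view of a context's policy, handy for tests and audits."""
    return {
        "check_hostname": ctx.check_hostname,
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Compare the name the client connected to with one DNS name presented in
    the certificate's Subject Alternative Name, RFC 6125 style."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Wildcard only in the left-most label, and only with at least two more
        # labels, so a name like "*.com" cannot match every domain.
        return len(pat) >= 3 and pat[1:] == host[1:]
    return pat == host


def certificate_matches_host(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True when any SAN DNS name on the certificate matches the hostname."""
    return any(dns_name_matches(hostname, name) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed certificate names, not taken from any real service.
    san = ["teams.example.com", "*.example.com"]
    print(context_summary(make_client_context()))
    print(context_summary(make_mtls_server_context()))
    for host in ["teams.example.com", "meet.example.com",
                 "evil.teams.example.com", "example.com"]:
        print(host, "->", certificate_matches_host(host, san))
```

The last loop shows why the name check matters even with a valid CA chain: a certificate for `*.example.com` is accepted for `meet.example.com` but rejected for `evil.teams.example.com`, which sits one label deeper, so an attacker holding a certificate for some other name in the same CA's trust domain still cannot impersonate the service.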

The table shows the types of traffic and how each is encrypted:

  Type of traffic                                                   Encrypted by
  Server to server                                                  MTLS
  Client to server (for example, instant messaging and presence)    TLS
  Media streams (for example, audio and video media sharing)        TLS
  Audio and video media sharing                                     SRTP / TLS
  Signaling                                                         TLS

Authentication and Authorization Systems

The "virtual room" is a Teams meeting and as such follows the same security standards. These standards are those of O365, the platform of which Teams is an integral part. It is misleading to evaluate the security of the product from the point of view of authentication alone, since authentication is defined at the platform level.

The access activities of the "virtual room" and Teams meeting are tracked through logs accessible by administrative users appointed by the organization.

Teams is a Cloud service and the servers are located in Microsoft's datacenters.

Data and Metadata

The data collected within the tenant, i.e. the environment created when an organization subscribes to the O365 services, is accessible to the Administrators appointed by the Administration through the "Microsoft 365 Security Center", which includes:

  • Home: An at-a-glance view of the organization's overall security health.
  • Incidents: See the broader story of an attack by connecting the dots shown on individual entity alerts. You can see exactly where an attack started, which devices are affected, what the effects are, and where the threat has moved.
  • Alerts: Gain greater visibility into all alerts in the Microsoft 365 environment, including alerts from Microsoft Cloud App Security, Office 365 ATP, Azure AD, Azure ATP, and Microsoft Defender ATP. Available for E3 and E5 customers.
  • Action Center: Reduce the volume of alerts the security team must respond to manually, letting the security operations team focus on more sophisticated threats and other high-value initiatives.
  • Reports: View the details and information you need to better protect your users, devices, apps, and more.
  • Secure Score: Improve the overall security posture with Microsoft Secure Score. A summary of all enabled security features and functionalities is provided, together with suggestions for the areas to improve.
  • Advanced hunting: Proactively search for malware, suspicious files and activity in the Microsoft 365 organization.
  • Classification: Prevent data loss by adding labels to classify documents, emails, sites, and more. When a label is applied (automatically or by the user), the content or site is protected according to the selected settings. For example, you can create labels to encrypt files, add content marking, and control user access to specific sites.
  • Policies: Add policies to manage devices, protect against threats, and receive alerts about various activities in the organization.
  • Permissions: Manage who in your organization has access to the Microsoft 365 Security Center to view its content and perform tasks. You can also assign Microsoft 365 permissions in the Azure AD portal.

It is also possible to define granular access to the functions of the "Security & Compliance Center".

The global administrators appointed by the organization have access to the functions of the "Security & Compliance Center"; this is one of the reasons why it is important to protect global administrators adequately, decouple them from everyday user activity (we therefore recommend not assigning an Office 365 license to these administrators) and use them only when necessary.
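The recommendation above can be turned into a recurring check. The following is an added example written for this article, not a Microsoft tool: it audits a constructed list of user records, modelled on the fields an administrator could export from Azure AD (directory roles, assigned license SKUs, last sign-in from a mail or Teams client), and flags every global administrator who either holds a workload license or has used a workload recently, which means the account is not decoupled from user activity. The records, the date and the 90-day activity window are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GLOBAL_ADMIN_ROLE = "Global Administrator"

# Constructed sample, not a real tenant export. "ENTERPRISEPACK" stands for an
# Office 365 license SKU; timestamps are ISO 8601 in UTC or None when the account
# has never signed in to a mail/Teams workload.
SAMPLE_USERS: List[Dict[str, object]] = [
    {"upn": "ga-break-glass@example.com", "roles": [GLOBAL_ADMIN_ROLE],
     "licenses": [], "last_workload_signin": None},
    {"upn": "mario.rossi@example.com", "roles": [GLOBAL_ADMIN_ROLE],
     "licenses": ["ENTERPRISEPACK"], "last_workload_signin": "2021-02-14T09:12:00Z"},
    {"upn": "svc-admin@example.com", "roles": [GLOBAL_ADMIN_ROLE],
     "licenses": [], "last_workload_signin": "2020-10-01T08:00:00Z"},
    {"upn": "anna.bianchi@example.com", "roles": ["User"],
     "licenses": ["ENTERPRISEPACK"], "last_workload_signin": "2021-02-15T07:30:00Z"},
]

# Reference date for the sample (the article's date), fixed so results are stable.
NOW = datetime(2021, 2, 15, tzinfo=timezone.utc)


def parse_utc(stamp: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    if stamp is None:
        return None
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_global_admins(users: List[Dict[str, object]],
                        now: datetime = NOW,
                        activity_window_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Return (upn, issues) for each global admin that is not decoupled from
    user activity: a workload license assigned, or a recent workload sign-in."""
    findings: List[Tuple[str, List[str]]] = []
    window = timedelta(days=activity_window_days)
    for user in users:
        if GLOBAL_ADMIN_ROLE not in user["roles"]:
            continue
        issues: List[str] = []
        licenses = list(user["licenses"])
        if licenses:
            issues.append("holds a workload license: " + ", ".join(licenses))
        last = parse_utc(user["last_workload_signin"])
        if last is not None and now - last <= window:
            issues.append(
                "signed in to a mail/Teams workload within the last %d days" % activity_window_days)
        if issues:
            findings.append((str(user["upn"]), issues))
    return findings


if __name__ == "__main__":
    for upn, issues in audit_global_admins(SAMPLE_USERS):
        print(upn)
        for issue in issues:
            print("  -", issue)
```

In the sample, the break-glass account and the service admin that last touched a workload in October 2020 pass, the licensed user who is not an admin is ignored, and only the administrator who both holds a license and used Teams the day before is reported. Lowering `activity_window_days` tightens the check; feeding the function a real export only requires mapping the export's columns onto the three fields used here.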

Where are the servers that store the data located?

When subscribing to the service, a "Tenant" is associated for each Administration / Customer, that is the logical unit that contains all the Administration data and configurations.

One of the main benefits of cloud computing is the concept of a common infrastructure shared among many customers at the same time, which leads to economies of scale. This concept is called multi-tenant. Microsoft ensures that multi-tenant cloud services architectures support enterprise-level security, confidentiality, privacy, integrity, and availability standards.

Building on the significant investments and experience gained from Trustworthy Computing and the Security Development Lifecycle, Microsoft cloud services have been designed on the assumption that every tenant is potentially hostile to every other tenant, and security measures have been implemented to prevent one tenant's actions from affecting another tenant's security or service.

The two main goals for maintaining tenant isolation in a multi-tenant environment are:

  • Prevent leaking of, or unauthorized access to, customer content between tenants; and
  • Prevent one tenant's actions from negatively impacting another tenant's service.

Office 365 has implemented multiple forms of protection to prevent customers from compromising Office 365 services or applications or gaining unauthorized access to information from other tenants or the Office 365 system itself, including:

  • Logical isolation of customer content within each tenant for Office 365 services is achieved through Azure Active Directory authorization and role-based access control.
  • SharePoint Online provides data isolation mechanisms at the storage level.
  • Microsoft uses stringent physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer content. All Office 365 datacenters have biometric access controls, with most requiring palm prints to gain physical access.
  • Office 365 uses service-side technologies that encrypt customer content at rest and in transit, including BitLocker, file encryption, Transport Layer Security (TLS), and Internet Protocol Security (IPsec).

Together, the protections listed above offer robust logical isolation controls that provide threat protection and mitigation equivalent to that provided by physical isolation alone.

Data localization

With regard to the geo-location of services, the details for tenants in the Europe geographical area are shown below:

► OneDrive for Business / SharePoint Online / Skype for Business / Azure Active Directory / Microsoft Teams / Planner / Yammer / OneNote Services / Stream / Forms:

  • Ireland
  • Netherlands

► Exchange Online / Office Online / Office Mobile / EOP / MyAnalytics:

  • Austria
  • Finland
  • Ireland
  • Netherlands

Customers can view information about the location of tenant-specific data in the Office 365 admin center under Settings | Organization profile | Data location tab.

Of course it doesn't end there. There is still a lot to be said about the security of Microsoft systems, so in the near future I will talk about data security management in the cloud.