File Protection Solutions Office 365 in Office 365 Three ...

1 File Protection Solutions Recommended architectures for protecting files in Office 365. in Office 365. This topic is 1 of 4 in a series 1 2 3 4. Three types of data 1 Baseline data Microsoft recommends you establish a minimum standard for protecting data, as well as the identities and devices that access your data. Microsoft provides strong default Protection that meets the needs of many organizations. Some organizations require additional capabilities to meet their baseline requirements. 2 Sensitive data Some organizations have a subset of data that personally identifiable information, and some needs to be protected both internally and categories of regulated data. Apply increased externally from accidental oversharing and Protection to targeted files within your Office leakage.

2 Examples include executive strategy 365 environment. plans, product specifications, files with 3 Highly regulated or classified data Some organizations may have a very small amount of data that is highly classified, trade secret, or regulated data. Microsoft provides capabilities to help organizations meet these requirements, including added Protection for identities and devices. File Protection capabilities Microsoft provides a range of capabilities to protect your data. This document describes capabilities for protecting files so you can choose the best options to protect your organization s data. Baseline Protection Increased data Protection Protection for highly regulated data Bring Your Own Key (BYOK) with Azure Information Default file encryption Classification, labeling, and Protection Protection and SharePoint Online Permissions for SharePoint and OneDrive for Hold Your Own Key (HYOK) with Active Directory Data Loss Prevention (DLP) in Office 365.

3 Business libraries Rights Management Service and SharePoint Online Office 365 service encryption with External sharing policies Customer Key (coming soon). Device access policies for SharePoint Online and Windows 10 capabilities: Bitlocker and Windows OneDrive for Business Information Protection (WIP). Capabilities are additive Identity and device capabilities Microsoft recommends protecting your identities and devices at similar levels that you protect your data. These capabilities can be used together with file Protection capabilities. For more information, see Identity and Device Protection for Office 365. Baseline Protection Increased Protection Protection for highly regulated data Intune mobile application management Intune device management Azure Active Directory multi-factor authentication Azure Active Directory conditional access Azure Active Directory Identity Protection Microsoft Cloud App Security -or- Office 365 Advanced Security Management Azure Active Directory Privileged Identity Management See topics 2-4 for more information and resources.

4 July 2017 2017 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdop File Protection Solutions Recommended architectures for protecting files in Office 365. in Office 365. This topic is 2 of 4 in a series 1 2 3 4. Baseline Protection This topic describes capabilities you can use to increase the baseline level of Protection of files in Office 365. Some of these capabilities apply broadly. Some of these capabilities can be targeted to specific data sets. Default file encryption By default, all files stored in Office 365 are encrypted with the Protection of files in the datacenter strongest encryption and detection technologies available. This Once the file reaches the Microsoft datacenter, the files are encrypted protects files from attackers and people outside of your organization.

5 Through two components: BitLocker disk-level encryption and per-file encryption. BitLocker encrypts all data on a disk. Per -file encryption goes Protection of files in transit even further by including a unique encryption key for each file. Further, every Every file in SharePoint and OneDrive is encrypted in transit (TLS , , and update to every file is encrypted using its own encryption key. Before they re ) between the user s browser, PC, Mac, or mobile device and our stored, the keys to the encrypted files are themselves encrypted and stored in datacenters. All connections are established using 2048-bit keys. a physically separate location. This applies to protocols on any device used by clients, such as Skype for Every step of this encryption uses Advanced Encryption Standard (AES) with Business Online, Outlook, and Outlook on the web.

6 256-bit keys and is Federal Information Processing Standard (FIPS) 140 -2. compliant. The encrypted content is distributed across several containers throughout the datacenter, and each container has unique credentials. More information: For more information about encryption used by Microsoft cloud services and Whitepaper download: File Security in Microsoft Office 365. datacenters, see the Data Encryption in OneDrive for Business and SharePoint Microsoft Trust Center Encryption Online. Permissions for SharePoint and OneDrive for Business libraries You can use permissions in SharePoint to provide or restrict user access to the site or its contents. Default SharePoint groups Owners You can add individual users or SharePoint sites come with several default groups full control Azure Active Directory groups that you can use to manage permissions.

7 These are not related to Office 365 groups. Members Azure Active Directory edit group Visitors read Create a custom group for finer-grain control Custom groups in SharePoint Online let you choose finer-grain permission levels. You can also determine who can view the membership of the group and whether users can request to join the group. Full Control Design Edit Contribute Read View Only Contribute + Contribute + add, View, add, update, View and View, no approve and edit and delete lists delete list items download download customize (not just list items) and documents More information: Understanding permission levels in SharePoint Understanding SharePoint groups Office 365 Groups and Microsoft Teams In addition to configuring the default permissions for a SharePoint site, you Microsoft Teams can take advantage of Office 365 Groups or Microsoft Teams.

8 Microsoft Teams is the chat-centered workspace in Office 365. Currently Office 365 private group Microsoft Teams are all private. When a new team is created, a new Office 365 Group is also created, including the group SharePoint site Content in a private group can only be seen by the members of the group. People who want to join a private group have to be approved by a group Chat data is encrypted in transit and encrypted at rest. Files are stored in a owner. group SharePoint library and restricted to members of the team. Groups cannot be seen or accessed by people outside of your organization Administrator settings for Microsoft Teams unless those people have been specifically invited as guests. For users Microsoft Teams Quick Start Learn about Office 365 Groups Continued on next page External sharing policies Be sure to configure external sharing policies to support your Some polices can be set for individual site collections.

9 This can help collaboration and file Protection objectives. you protect sensitive files at a higher level than other files. However, An external user is someone outside of your organization who is policies for individual site collections cannot be less restrictive than invited to access your SharePoint Online sites and documents but what is set for the entire SharePoint Online environment. does not have a license for your SharePoint Online or Microsoft Office Manage external sharing for your SharePoint Online environment 365 subscription. Share sites or documents with people outside your organization External sharing policies apply to both SharePoint Online and OneDrive for Office 365. Business. You must be a SharePoint Online SharePoint Online OneDrive for admin to configure sharing policies.

10 Business You must be a Site Owner or have full control permissions to share a site or document with external users. Type of sharing What external users can do Notifications Don t allow sharing outside your Prevent external users from sharing files, Currently only available in OneDrive for Business. organization folders, sites they don t own Notify owners when: Allow sharing to authenticated external users Require external users to accept sharing Users invite additional external users to only (allow new or limit to existing) invitations with the same account the shared files Allow sharing to external users with an invitation was sent to External users accept invitations to access anonymous access link files Limit external sharing using domains (allow An anonymous access link is created or and deny list) changed Choose the default link type (anonymous, company shareable, or restricted).