In this special edition of Garage Series Live Under the Hood, Jeremy Chapman goes deep on the operational side of information protection with lead engineer Matt Swann – from Office 365′s blue team – responsible for detecting and analyzing anomalies in the service. They discuss how the service is architected for security across physical, network, access and data vectors then Matt demonstrates how the cloud is used to protect the cloud with real intrusion and anomaly detection examples.
Last week we concluded our Garage Series Road Trip with our final stop in Dubai, where we saw how businesses in the booming Gulf region are using Office 365 and we took a tour of Project, offline support in OWA and OneDrive for Business and saw a video call using Lync from a watch. This week revisit the conversation of trusting the Office 365 service with one of our foremost experts, Matt Swann. His team – aka the Blue Team – is responsible for detecting anomalies in the service and keeping the red team in check.
Office 365 is built to adhere to the toughest security and compliance standards globally. That means every layer in the defense in depth strategy: physical, network, access and data meet stringent standards. In addition to that there are also a few key differences compared to how many organizations run mail and collaboration services on premises – where standing permissions and “super-admins” can represent vulnerabilities in managing data services. Office 365 is operated with zero standing permissions, instead the process is designed to provide just-in-time and time-limited access only when needed. Perry Clark explained this process – called Lock Box – in a From Inside the Cloud video.
The fascinating part of this show for me was when Matt talked about service modeling works to find patterns in known good, known bad and unknown processes. When I started at Microsoft, I was on the team that developed the original Desired Configuration Monitoring Solution Accelerator to do something very similar. In both processes, you define and continually refine a manifest of what health, configuration or allowable behavior means and/or the converse of this. Office 365 uses a similar model and in turn uses the power and scale of the cloud to detect known good and bad processes in an automated way sifting through terabytes of logging data continually. Matt even shows an example of how this works on the show. Of course machine learning, automation, scale and processing power have improved in the last few years and you’ll want to see the show for all of the details.
Next time we will bring back Mark Russinovich to carry on the conversation of cloud security as we look at the most common perceived threats in cloud computing and how Office 365 and Microsoft Azure rate against them.