The import and export of defence and military related technologies is a sensitive issue that is subject to a variety of stringent regulations. Countries are so sensitive in this area due to the potential impact on national security, that the Wikipedia entry on U.S. Arms Regulations reports the prosecution of professors who share specific types of information to their students and the prosecution of companies that a government believes may have supplied related goods such as space technology or cryptography algorithms.
One such set of stringent regulations is the U.S. International Traffic in Arms Regulations (ITAR), an exacting set of rules to ensure the safeguards of the U.S. national security. In order to support Office 365 customers requiring the additional security, privacy, and regulatory compliance of companies subject to ITAR, Microsoft has a separate offering known as the Office 365-ITAR support plan. Office 365-ITAR houses a special system architecture together with amended versions of Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft LyncTM Online.
Although ITAR regulations are for the import and export of munitions in the US only, it is interesting to note how the architecture differs and potentially what an enterprise customer can agree with Microsoft. In this article, we cover the additional security beyond that already included with the standard enterprise Office 365 plans. Office 365 Services already come with a tremendous amount of security components such as ForeFront antivirus/anti-malware protection, business continuity, firewalls, and many more. A typical Office 365 implementation will have security at both the customer end (which the customer needs to be responsible for) and in the Office 365 cloud (which Microsoft is responsible for). This diagram from the Symantec white paper on layered security shows much of the security that is required in the Office 365 cloud and on-premises.
An Office 365 ITAR-supported plan bolsters the above security with a number of extra components built within each of the layers in the simplified diagram below. Each of these layers is discussed in more detail in the technet article on the Microsoft Security Layer Model.
Perimeter defences include Internet security. Today, Internet security is the top concern for organisations in the defence industry, to the point where Internet access is either banned, enabled via specially designed equipment and connections or completely segregated from the main network. Some organisations in the US use a specially designed connection known as a TIC (Trusted Internet Connection) which allows the organisation to better monitor for intrusions into its network and provides incident-response capability in the case of a cyber attack. Microsoft supports a TIC connection in a number of ways including allowing the organisation to install its own TIC supported equipment in the Office 365 data centre.
For information on TIC, see our article Another TIC In The Box For Office 365.
For ITAR-support plan customers, the Office 365 service also provides FIPS 140-2 level 1 validated encryption for all data going over Internet connections from remote sites and/or dedicated Internet connections direct from the customer's network into the Microsoft data centre.
In Business Impact of a Cloud Crash, we read about the different failover components to ensure business continuity in case of a data centre disaster. One component discussed in the article is the Office 365 failover mechanism between two data centres to ensure continuity of business. To enable failover support there needs to be full data replication from one data centre to another. Office 365 ITAR-support plans ensure data replication and backup between primary and secondary data centres is encrypted to FIPS 140-2 level 1 validated standard.
Over the last decade, the security spotlight has focussed more and more on applications. By today's standards, Microsoft's software has much more security than a decade ago, however some of the open features within products such as Lync may be considered a security risk to many dealing in the munitions industry. To meet the security, privacy, and regulatory FISMA compliance of companies operating under ITAR, Lync Online has had to have the following features for the ITAR-support plans removed.
- No Lync federation, including federation with a Lync business partner, IBM Lotus Sametime, Windows LiveTM Messenger, or XMPP Gateway.
- No Lync Online Enterprise Voice and dial-in conferencing.
- No unauthenticated or anonymous users joining a web conference.
Saved data can be encrypted to Federal Information Processing Standard (FIPS) 140-2 level 1 validated via the Rights Management Services. Rights Management Services provides the customer with authority and control over encryption keys, and provides their users with the ability to choose the type of access others can have on each document and email message. The Rights Management Services can be enabled by customer-deployed on-premises Active Directory Rights Management Services (AD RMS) or the hosted AD RMS service provided by the Office 365 ITAR-support plans.
In a traditional defence organisation's on-premises architecture, the server and network hardware that handles top secret information is housed in a secure physical area and segregated from the normal business network.
This segregation is harder to achieve in a cloud environment due to the shared hardware, but to support the legal and compliance requirements of ITAR, the customer data has to be isolated from other Office 365 customers.
To achieve this security, Microsoft provides each Office 365 ITAR-support plan customer with their own dedicated server hardware, secured by physical barriers that are continually monitored by camera and can only be accessed by biometric devices.
This dedicated hardware is used to store all customer data that is processed by the Office 365 services. Each Office 365 ITAR-support plan customer is further isolated from other ITAR-support plan customers via dedicated virtual local area networks (VLANS), network access controls, and a trust model that restricts user context to their own dedicated environment.
The extremity of the isolation from both the standard Office 365 customers and other ITAR-supported customers does have some caveats. Unlike other Office 365 subscription plans, the ITAR-support plan cannot integrate with other types of subscription plans and Exchange Server Free/Busy and Global Address Book data cannot be shared with other Office 365 plans that a customer may have.
Policies and procedures
Two components of the bolstered security relate to the type of Microsoft personnel allowed to support ITAR governed customers and the type of authentication process used.
Dealing with confidential information that could potentially compromise national interests, means that Microsoft needs to vet support personnel in accordance with International Trafficking in Arms Regulations and remove the easy assist process used in the escalation of support requests due to the ITAR security requirements. As a result, all Microsoft personnel who have access to ITAR customer-owned data must be U.S. citizens and undergo the on-going rigorous background checks and screenings shown in the table below.
In spite of training and the proliferation of articles on how to create strong secure passwords, many organisations still suffer from bad passwords and bad password practices. Although by default, Office 365 services require a strong complex password, this security mechanism doesn't prevent users from creating bad passwords such as P@ssword1 nor does it prevent bad practices such as writing the password on a post-it note and hiding the note under the keyboard. A stronger mechanism for identity security is two-factor authentication.
Office 365 ITAR-support plans enable customers to configure Exchange Online and SharePoint Online services to use two-factor authentication only via Personal Identity Verification (PIV) standard smart cards (FIPS 201-1). PIV cards are US government identity cards that are personalised with information in which verification can be performed by people and computers. People can use the physical card for visual comparisons, whereas computers use the electronically stored data on the card to conduct automated identity verification Office 365 supports PIV two-factor authentication to services such as Outlook Anywhere, Outlook Web App, and SharePoint sites.
This article shows the additional security available to Office 365 customers involved in the trading of munitions and associated goods. Although the ITAR-support plans are only available to US-based organisations, it does illustrate the security robustness and flexibility that the Office 365 service is capable of and what is potentially available to everyone in the near future.