Review the use of HTTPS and SSL and discover that getting access to Office 365 data via the web is secured. Learn how safeguards are implemented within the cloud using encryption such as SSL and PKI.
- [Narrator] Keeping data secure in the cloud is not impossible or difficult so long as you follow industry best practices. Let's take a look at some of the industry best practices for data security.

These include implementing a strong password policy which ensures all passwords are long and that they are changed on a regular basis. Ideally, you should implement multi-factor authentication or MFA. You should only grant data access rights and permissions to those users who absolutely need to access the data. And for all data that relates to customers, ensure that you audit and monitor access to it and then review the logs often. And to secure data at rest or whilst in transit, you should use data encryption.

Remember that the more layers of security that you can put in place, the more difficult it is for your data to be compromised. However, each layer that you introduce will increase the complexity and potentially increase the cost of the solution.

Data security functionality includes using symmetric or asymmetric encryption for data at rest, and to protect data transmitted across your internal LAN and WAN networks you can use virtual private networks. For data on the internet we can use secure socket layer or transport layer security protocols. You should know that all encryption is secure but there are different levels of how secure.

One of the easiest encryption models to implement is symmetric encryption. This uses a single key to both encrypt and decrypt files. The key is also known as a secret key or shared key or private key. Both the sender and receiver must know the same secret key, and if the key is exposed to a third party then the security will be compromised. Now, although relatively weak compared to other encryption methods, symmetric encryption is very fast, secure, and easy to set up.

A slower but much more secure and complex method is called asymmetric encryption. It's also known as public key encryption. It uses clever mathematics to create a pair of related encryption keys. One key is then used to encrypt the data and the other key for decryption.

VPNs or virtual private networks allow data security to be implemented across the network between your remote sites. These are quite common nowadays and you can use them to encrypt the data that's sent over public networks such as the internet. They're commonly used by remote workers accessing the corporate network.

Secure socket layer or SSL is quite old. It uses two keys to encrypt data sent across the internet, a public key and a private key. SSL is used all over the web. You can tell because the URL will start with HTTPS, which stands for HTTP secure, and it uses public keys. Transport layer security or TLS protocols supersede SSL and are often referred to as SSL 3.1. HTTPS can either use SSL or TLS, but TLS is the default protocol nowadays as it's much more secure. It also provides encrypted communication between the browser and the web server. TLS is usually the default security protocol for most browsers, with SSL being the generic term that's still commonly used.

It's easy to ignore basic security measures. These include technical errors such as the perimeter security of your network and firewall, limiting who has access to create virtual machines and access the host servers running hypervisor-based VMs. Data theft can occur if access to hard drives, storage arrays, and SANs is not tightly controlled. And you also need to secure your client and server operating systems, keeping them updated and only using software that's currently supported.

In addition to the technical solutions, you should also implement internal security policies. This includes training for staff. This will help minimize risk and ensure that if there is any malicious activity then it's detected quickly and actioned. You also need to adopt configuration and change management such as ITIL or IT service management. In addition, you should establish an audit policy and watch over your IT assets. You can then review the logs and look for suspicious network activity.

Let's drop into our demo environment and review the use of HTTPS and SSL. I've opened Microsoft Edge and here we can see Megan Bowen's email. In the URL, if I click the padlock symbol here, we can see the security for the website. The connection to the server is encrypted, and if I select the view certificate link, we can see the details of the certificate that is used to protect this website. We can see the certificate is valid. It's been issued by a valid certificate authority, and it's valid from November 2018 to November 2020, and it's been issued to Microsoft. We can scroll down. We can see the public key and all other information relating to the certificate.

Let's take a look at a certificate in Chrome. Here we can see the Office 365 landing page. I'll click the padlock icon and we can see we have a valid certificate and the connection is secure. I'll select the certificate and we can see the certificate details. It's been issued to Microsoft using TLS and we can see the date from and to. If I select details, we can see more details relating to the certificate.

If I now navigate to a website that has got an expired certificate, we can see the results. Here we can see the browser automatically tells us that the website is not secure.
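Added example (not part of the course or its transcript): the padlock checks from the demo, written as a script that reads a certificate's validity window and names and reports why a browser would reject it. The certificate is a constructed sample in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the host names, CA name and helper functions are assumptions; chain and signature validation, which the TLS library performs, is out of scope here.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# names and dates are illustrative, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "notBefore": "Nov 14 00:00:00 2018 GMT",
    "notAfter": "Nov 14 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "mail.example.test"),
                       ("DNS", "*.office.example.test")),
}

def _name_matches(pattern, hostname):
    """Match one DNS name; '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def check_certificate(cert, hostname, now, warn_days=30):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        problems.append("not yet valid")
    elif ts > not_after:
        problems.append("expired")
    elif not_after - ts < warn_days * 86400:
        problems.append("expires within %d days" % warn_days)
    # Browsers match the requested host against the subjectAltName DNS entries.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems

if __name__ == "__main__":
    for when in (datetime(2019, 6, 1, tzinfo=timezone.utc),
                 datetime(2021, 1, 1, tzinfo=timezone.utc)):
        print(when.date(), check_certificate(SAMPLE_CERT, "mail.example.test", when))
```

Run against the output of `getpeercert()` on a schedule, the same check flags certificates before they expire rather than after users see the browser warning.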
- Cloud principles and delivery mechanisms
- Managing privacy in the cloud
- Meeting compliance goals
- Cloud availability
- Monitoring service health and maintenance
- Cloud services and their characteristics
- Identifying requirements of Microsoft cloud services
- Signing up for cloud services
- Configuring cloud services
- Configuring Microsoft Intune