Welcome to our webinar today, How Nonprofits Can Be Compliant with the Microsoft Cloud. I'm Susan Hope Bard with TechSoup. I'm here to be your host today for our expert speaker, Sam Chenkin, from Tech Impact. I want to introduce you to the platform of ReadyTalk that we'll be using. On the right side of your screen you should see a chat box. Use that chat box for all communications with us, whether that's a question or a technical challenge. We have Ali Bestikian on the back end here that will help you with any tech challenges which include audio or visual challenges. You can also chat to ask any questions. Do not bother to raise your hand. You can simply chat your question in and we'll queue them up for Sam to answer. If you lose your Internet connection you can reconnect using the link that was emailed to you in your confirmation email or in your reminder email. Audio should come through your speakers. If you hear an echo you may be logged in twice. You just may want to close one instance of ReadyTalk. We are recording this webinar so all lines are on mute. You'll be able to see the archive along with past webinars on our website at www.techsoup.org, slash community, slash events, dash webinars. You could also view our recorded webinars on our YouTube channel. You will receive a follow-up email from us in about a day or so with a link to the recording as well as Sam's presentation and any resources that he references during the event. You can also tweet us at TechSoup or use hashtag TS webinars. As I mentioned, I'm Susan Hope-Bard. I'm the Training and Education Manager here at TechSoup. And our guest presenter expert is Sam Chenkin. He is the Director of Technology Services at Tech Impact and I'll let him tell you all about his experience when he starts his presentation. But I can tell you we're very fortunate to have him. We work with Tech Impact very closely on a lot of our Microsoft webinars and educational resources. 
Now we want to hear a little bit about you. Here, TechSoup is headquartered in San Francisco, California. I'd like to know where you are on the map. Go ahead and chat in your city and state or the country you're joining us from. Like many of you, TechSoup is a 501(c)(3) nonprofit. I see folks chatting in from everywhere. A couple of folks from Canada, welcome. Florida, Connecticut, Pennsylvania, wow, lots of people from around the country and several outside of the country in Canada. Thank you so much for joining us today. Before we get started with the actual presentation, we do want to do one quick poll question. So we're going to check to see your fastest fingers. This poll question is: what role are you within your organization? So go ahead and take a moment to use the radio buttons to click on what role most resembles what you do in your organization. And I will give you, oh, pretty fast. This is a really fast group today, Sam. I'm going to give you about 5 more seconds. 5, 4, 3, 2, 1. And I'll skip to the results so everyone can see. Wow, it looks like a lot of folks here are in IT or admin or in operations and administration. Great. Great. Well, everybody is in the right place today to learn about how nonprofits can be compliant with the cloud. And with that, I'm going to turn it over to Sam, our expert from Tech Impact. Sam, take it away.

Thanks so much, Susan. Okay, so today we're going to talk about how nonprofits can be compliant with the Microsoft cloud. This is something I talk about a lot. My name is Sam, and I am Director of Consulting Services at Tech Impact. So I oversee a team that provides high intensity interventions in nonprofits. So we help organizations take databases, complete security audits, do strategic technology planning, et cetera. So I've had the fortune to see a lot of what works and what doesn't work in nonprofit organizations and talk with organizations of all different sizes. 
So today I'm hopeful that most of the content will be useful to organizations of any size. And we're going to start by talking about the easier things to do, the things that are most accessible, and then go from there. We'll pause periodically to take questions. If you have a question, please type it into the chat. And I'll pause periodically and ask Susan to just read off some of the questions that we should answer for the group as a whole. So with that, let's go ahead and get started. I want to start by just demystifying a little bit about security and compliance. And before I do that, I need to issue a routine disclaimer, which is that I'm not a lawyer, TechSoup, on the call here. We don't have lawyers. My advice is not legal advice. It is best practice experience based on what I understand to be the case. So this is in writing here. So let's just acknowledge that and let's move on. The most important thing when we talk about compliance is that it's not about the technology for the most part. It's about how you use the technology. So really almost anything, almost any technology can be compliant as long as it's being used that way. So when we really talk about compliance technologies and what I talk about in this presentation when I talk about how nonprofits can be compliant with the cloud, we're going to talk about how technology can force your users, maybe force them to follow their best instincts, be their best selves when it comes to security rather than the underlying tools themselves. The fact of the matter is I haven't really met more than a few nonprofits that are actually, say, HIPAA or PCI compliant. There are a number of things that it takes to really adhere to any of these standards. And it's a lot, and it's just not an option for many nonprofits. So unless you're really paying a lot of active attention, you're not compliant right now; some of these tools in the Microsoft Cloud can help you get there. 
I think we're actually at the point, the first point really, where nonprofits have a reasonable chance of truly being compliant just because they have access to some of these tools. So let's start to talk a little bit about what compliance is. Most nonprofits are following one of a few different basic standards, HITECH or HIPAA for patient data, PCI, FERPA, COPA, they all have really wonderful fun to say acronyms. You as a nonprofit need to understand which of these standards you are specifically required to adhere to. And it's important that you read those standards and not stick your head in the sand. So I just want to stress, being compliant is a requirement of you, of your organization, it's something you have to do. It's not something that a tool is going to handle for you. And in order to make sure that you're actually doing it, you're going to have to read the standards and understand them. So as we read those standards, they're usually encompassing a couple of key items. They're encompassing physical data to the security, access to the data, logging and monitoring, retention, notification, all these different things. And you need to be paying attention to your specific requirements and how that applies. Okay, so I've covered the sort of very basics of compliance. I want to get into talking a little bit about how you as a nonprofit can actually attain compliance. So I'm going to share with you a model that we use when we talk to nonprofits about their security, and that's this one. So in this model, security is a layered approach. So we need to make sure that our organization is secured at all of these different layers. And what that makes sure is that even if one layer is compromised, our data itself, our constituents are safe. So today we're going to be talking about provider security, which is the security of the actual tools you're using, the cloud tool. 
We're going to talk about device security, the security of the devices that you're using to access those tools. We'll talk about account security, which is the actual logins, right? Whether or not someone can log in as you or as another user and access things they're not supposed to. And then the underlying data security itself. So good information protection for your organization means that we have to keep track of all these different things. And we're going to talk about tools available in the Microsoft Cloud to help at each of these different levels. So just to start with, the provider security piece, that's a check box. So provider security is something that you are just going to make sure that your cloud provider has the right standards in place to keep your data secure at that level. And if they do, it means that you don't have to worry about someone sort of hacking in or breaking in in a back end way. So they can still steal your credentials. They can still get access to things on your computer. But Microsoft is maintaining the security of its platform. So that one's a check box. Everything else is really up to you. It's up to how you use the tool and how you implement the tool. So let's go ahead and let's start and let's talk about how the Microsoft Cloud can help with it. So if we start by talking about platform security, I mentioned that that's the top layer that we need to think about. Office 365 and most of Microsoft's cloud products are HIPAA, PCI, FERPA, COPA, etc. compliant. They can be used in a way that's compliant with these standards. They're also independently audited with a number of different standards and this is really, really boring stuff, as I'm sure you've already noticed. This is whether or not the organization has good backups in place, whether or not they can recover from a disaster, the level of redundancy, the internal controls about change management. 
So if someone makes a software change, is that documented and do people know what's happening? So Office 365 and other Microsoft Cloud solutions have passed all of these standards. So again, what this means is that to get your data, someone would have to compromise your accounts or take the data when it's sitting somewhere less secure, like your computer, or because someone sent it by email. So this level of security is a solved problem for you if you use Office 365. Microsoft can help you address these other levels, device security, account security, and data security, but it's not going to do it for you. So you need to take advantage of this. And it can do this by helping make sure that only authorized devices are accessing your data, that you know what's going on in the system, and that the data itself is secure even if it does get lost. So what we're going to do is we're going to go through sort of easy, medium, and hard steps to take around security and compliance in your organization. So let's start with our low hanging fruit. So low hanging fruit for any kind of security organization, any organization that is looking to pursue security, includes enabling two-factor authentication, making sure we have logging turned on in the system, encryption, and training your users. So these are things that every nonprofit should be doing. And I don't mean this in the traditional consultant's sense of saying that every nonprofit should be doing each of these things. I actually mean that every organization on this call should be using at least some of these technologies if not all of them. So we're really at a point now where nonprofits are targets of hackers. And we see this a lot. The thing we see most commonly is organizations being targeted for financial gain. So we see organizations where someone is breaking into their CFO or their executive director's email accounts. And then they're initiating bank transfers. Or they're asking the HR manager for a copy of everyone's W2s. 
These are real attacks. I actually have clients who have experienced these issues. Most of them have caught them, which is great, but sometimes it's a close call. And these organizations are targeted. So these aren't blanket attacks. These are criminals who know that nonprofits are soft targets. They're targets that maybe don't have a lot of information security, don't have really good training for end users. And as a result, they are going out to their website and they're figuring out who the office manager is or who the HR director is. And they're trying to get that person's credentials by sending them emails that trick them into logging into fake sites. That's something called phishing. And then they're launching these attacks. So I want to stress this isn't theoretical. This is real. And the steps here, this low-hanging fruit, are important to help protect your organization. And they're all achievable goals. For a lot of the items in this presentation we are also putting together detailed videos on how to actually accomplish this within Office 365. So look for that as well from TechSoup. Let's start with two-factor authentication. Two-factor authentication is the easiest and most important thing you can do to keep your organization safe. Normally, all you need in order to access your executive director's or your CFO's email is their username and password. And honestly, that's usually not that hard to get. There's two ways to get that information. The most common one is something called credential stuffing. And that's where a criminal will download a large database of usernames and passwords from the Internet. And these are things that have been hacked, the millions of usernames from Yahoo. There's been breaches of hundreds of different websites over time. And a lot of them are tiny websites. They're things that maybe you don't even think of as being security risks. 
But it's entirely possible that your CFO or your executive director use the same password for those sites that they use for Office 365. So they end up with this list of usernames and passwords, and then they go and try to log in with those usernames and passwords. So they haven't compromised Office 365, but they still have the username and password from another site. That's very common. The other common attack is something called phishing. And that's with a pH. And phishing attacks happen when you send an email to someone that looks legitimate. Often it's something like, please open this shared document or this very important invoice. And when you open that particular link or that document, you get redirected to a webpage which will look like an Office 365 login page. It's got your organization's logo and a place for your username and password. It looks just like Office 365. And people type in their credentials, but it turns out they weren't actually logging in to Office 365. They were logging into a fake website, and now those attackers have their credentials. And once you have someone's username and password, you can get in and you can read their email. And in Office 365, you can access files, et cetera. There's a lot you can do with someone's username and password. It's kind of the top risk. Two-factor authentication is more or less a silver bullet against that kind of attack. Because with two-factor authentication, having a username and a password is inadequate. It's not enough to get access to the account. With two-factor authentication, you need the username, you need the password, and you need access to the device that's being used to verify your identity. This is something that John Podesta really wished that he had. And the way it works in Office 365 is you log in with your username and password, and it will then give you an option for how you want to verify your identity. You have a few different choices. 
The most common one is that it will send you a text message. So it will send you a code that you then type into the website. You can also type in a code from your mobile app so that you don't need a text message plan. You don't need a data plan. It sort of works offline. Or you can actually have it prompt you on your phone to allow or deny the login. And you have to allow it in order to let you in. So when you do this, having the username and password isn't enough to get access to the account. In Office 365, this is free. You enable it user by user, and we have instructions that we're putting together for how to do that. You can pay additional money and get some additional functionality which comes in the form of a tool called conditional access. And with conditional access you can add more parameters around this. So for my organization, we pay $1.65 per user per month for this Enterprise Mobility and Security E3 license. And when we have that, we can enable conditional access so we can say only allow a user to log into Office 365 if they have two-factor turned on. So I don't have to enable it user by user. I'm doing it for the entire organization. And I can also whitelist my primary office's IP addresses. I'm not that worried about someone physically accessing my office or logging into a computer remotely and then logging into Office 365 with my stolen credentials. Mostly I'm worried about someone from China or France or the UK, a criminal, or the different parts of the US logging in. So in that case I can bypass that for my end users and just make it easier. So this is definitely something you should turn on. The next thing you should turn on, and this again is free, is administrative action logging. And this can be turned on directly through the Office 365 portal. If you go to the admin centers, there's a section called Security and Compliance. And in there under Search and Investigation, you'll find Audit Log Search. 
And if you haven't already turned it on, there's a little link that says start auditing. And if you do that, Office 365 will record all the administrative actions taken within your Office 365 instance. So that means things like creating users. It also means changing users' passwords. It means changing permissions on mailboxes. It means deleting files from SharePoint or creating new SharePoint sites or changing permissions in SharePoint sites. It means creating groups or modifying memberships of groups, etc. So for 90 days I can go back and I can see every action that's been taken within Office 365 at a high level, every administrative action. So this is a really important tool if you want to know, for instance, maybe you have a suspicion that someone accessed your Executive Director's email account because they're an administrator and they can change permissions. You can go back and you can check to see whether or not that actually happened. They changed the permissions on the mailbox. And these logs can't be changed. So even as an Office 365 administrator, there's no way for me to go in and delete entries. They're immutable. So it's very secure in that way. And again, this is just a single click. It's just something you've got to turn on. The next thing that you want to think about is encrypting your devices. So encryption is a technology that works at the disk or the storage device level. So basically everything on the device is encrypted. And that means that if my computer is off, if I'm not logged into my computer and someone steals it or someone takes out the hard drive, they can't actually access the data. It's not possible to read the data. So the benefit of encryption is that even with full physical access to my machine, no one can grab the data off of it. That's really important for me because I do a lot of work with large data sets that I get from nonprofits as part of our data practice. 
And I'm storing those on my local computer some of the time because I need to be doing complex analytics work on them. And so if my computer were to be lost or stolen and my device wasn't encrypted, someone could theoretically get access to that data. But because my device is encrypted that data is safe. And this really is very secure. And in many cases this is secure from governmental access. Turning on encryption is built into most mobile devices. So you can go ahead and just go in and turn this on right now. You can also turn it on on your local Windows computers, something called BitLocker. On Windows machines you do need a piece of hardware called a TPM or a Trusted Platform Module. And that's what actually stores the encryption key. That doesn't really add any cost to the machine, but you do need to make sure that you're purchasing machines with them for a number of complicated legal reasons. It's not included with every machine. This technology is not really an Office 365 or a Microsoft Cloud technology. We are going to talk a little bit later about some tools you can use to enforce encryption being turned on and know whether or not encryption is turned on. But it felt a little important for me to make sure that you're aware that this is a key aspect of information security. So if you are dealing with sensitive data that people may or may not be downloading to their personal machines, particularly if those machines are laptops and leaving the office, encryption is something you want to consider. Finally, you want to train your users. This is the other low hanging fruit option. Most security breaches happen because users either did something silly, often emailing spreadsheets or personal information outside the organization, or because someone clicked on something they weren't supposed to click on. And they either logged in and gave someone their credentials or they infected their computers with something that they did not want to install. 
So training your users is often the highest impact thing you can do. There's a service that's been recommended to me by some of my clients called KnowBe4. And that's both a testing service. So you can put in all your users and it will send them an email that basically looks like a phishing email and ask them to log in with their credentials. And if they do it, it then tells you that they did it and you can require that they attend training which is also provided through the platform. So KnowBe4 is sort of a comprehensive security management platform. So training, which is not a Microsoft Cloud issue, is definitely something you should think of as a really important part of any information security strategy. So we're going to talk about some of the more complex features that are available to you as part of the Microsoft Cloud. Before we do that, Susan, are there any questions we should cover?

Thanks, Sam. Yes, we did have a follow-up question about Azure. And I figured you will touch on that a little bit anyway, but some folks have questions about how Microsoft compliance works with that.

Yeah, so most Azure services are covered by their HIPAA and PCI agreements. With HIPAA they'll sign a business associate agreement with you for most of their services. So what you want to check out is the Microsoft Trust Center. It's trust.microsoft.com. And there they'll list all the different standards that they adhere to and specifically which products adhere to those. But certainly if you have a virtual server in Azure or Azure Active Directory or any of the common Azure services, those would all be covered under that.

Great. We just got another question. Someone asks, I thought that if we used an encrypted email it was secure, but perhaps not.

Yes, Roger, that's a great question. And that's actually just about my next topic here. So we're going to go right into that. Okay, so advanced security tools aren't free. 
I want to just acknowledge that even with Office 365, even with the Microsoft E1 donation, that doesn't cover a lot of the tools that we need in order to be compliant. Okay, so you will probably have to spend some money. Most organizations that are working with healthcare data or working with financial data really are going to have to pay for E3 licenses at $4.50 per user per month in order to check the boxes around a lot of security stuff. So the content that I'm talking about here requires an E3 license in order to achieve. So let's start with email encryption. So as I said before, email is not secure. And I stand by that statement. So if I open up my Outlook and I type a message to someone and I put anything in that message, I should assume that that email can be read. It can be read by anyone sitting in the middle, which basically means the government. And then also when it's sitting in that destination system, it's also not secure. And that's because email, although it can be encrypted, is not a fundamentally secure protocol. It wasn't built that way. And so it's very, very difficult to make safe. It's also a little bit complicated because the government can get access to email that's been sitting on a server for more than a certain number of days. So if you email to someone, the government can get access to that pretty easily. Email encryption, and in this case I'm referring to a technology called end-to-end encryption, allows you to use email in a way that is secure and is compliant. So if you are talking about privileged medical information, if you're communicating about someone's social security number, if you're asking people for passwords or bank account information, you really need to be using end-to-end email encryption in order to communicate about that through email. When you use end-to-end email encryption, you write a new message in Outlook the same way you always do. 
And then in some way you tell Outlook or Exchange that that message should be encrypted. So in our environment, we put "encrypt" in the subject line. We just type encrypt in there. You can also automatically look for patterns like social security numbers, etc. in the email and encrypt if that's the case. When I send that message, it shows up in my sent email just as a message. I can just view it normally because data in Office 365 is secure. But when it actually gets received by the recipient, what they get is basically a notification that they've received an encrypted message. And they open up an attachment and that brings them to a web portal. And then from there they have to confirm their identity either by receiving a very short time use code which is emailed to them, or by logging in with some kind of Microsoft account for you or otherwise. And within that portal it basically looks like Outlook Web Access and they can respond to that email. And then when it comes to me, in my Office 365 instance, it just looks like a normal email. So as a user in my organization, I can't really tell that the email is encrypted, but as a recipient I have to go to the secure web portal in order to actually interact with the email. So email encryption again is included with that E3 license. If you have an E3 license you have to create a transport rule in order to turn this on. And again this is a legal necessity if you're communicating about any kind of privileged information using email. Let's continue. And let's talk about data loss prevention which is one of the, I think, most impressive features of Office 365. Not because it necessarily does anything so new, but mostly because of just how easy it is to set up. So data loss prevention or DLP is a technology in Office 365 that looks for sensitive information in emails and files. So we're looking for social security numbers or bank routing numbers or bank account numbers. 
We can look for even more complex information like date of birth, etc. And it's pretty smart. So if I just have the right number of characters for a social security number, if that's not near a name, it won't flag it as a social security number. So it's using machine learning. It's using some best practices to understand whether or not a piece of information is really sensitive or not sensitive. When I create these policies I tell Office 365 where to apply these policies. So am I applying it in everything within Office 365? Or am I applying it just to particular sections, things like a particular SharePoint site or just these users' mailboxes? And then I'm specifying actions. What should happen if that data is found? So some important considerations. Let's say I track, I have constituent information with social security numbers for whatever reason. And I have one document library in SharePoint where that data should live. Because that document library has the appropriate permissions only the minimum number of people necessary have access to it. Using data loss prevention I can detect whether or not a social security number is saved to a different place in SharePoint. And then I can lock that file down so that only the creator of the file can read it. And I can notify their manager that the file was saved there with a link to the file. I can also look for information that's been shared externally. And I can get a little bit more complex too. I can say look for information that's shared externally that doesn't require a password. So if someone created a public view or a public edit link to an Excel spreadsheet that has sensitive information in it, I can automatically lock that file down so that no one can get access to that file. If someone tries to send an email that has a social security number in it or a bank account number in it, I can encrypt that email or I can just prevent that email from being sent. Or I can allow the email to be sent but notify the manager. 
And data loss prevention is really pretty customizable. If I want I can even warn the user, require that they provide a document and justification for sending it, and then allow the message to be sent. So it really can get pretty sophisticated here. The benefit is that these are all based on very, very easy templates. So you can see here in this screenshot we have templates for medical and health data, financial data, and general privacy information. We can also create custom templates if we want. So I can actually go in and I can find a HIPAA template. So this is a template just for HIPAA. I select the HIPAA template. I apply it everywhere and that's going to really go a long way towards keeping my information secure. Again this is part of the paid-for E3 license, that $4.50 per user per month which also includes the encrypted email. Okay, the last thing I really want to talk about here is part of this E3 license, this enterprise mobility, sorry this Office 365 E3 license at $4.50 per user per month, is retention policies. This is really important for most organizations that are dealing with various compliance regulations. There are rules about how long you have to keep data for. You have to keep data for 7 years or 5 years and in some cases you have to destroy data after a certain amount of time so it's not just hanging around. That E3 license gives you access to something called retention policies in Office 365. These retention policies can apply to email but they can also apply to SharePoint files and OneDrive files. And I can set it up so that any file even if it's deleted gets maintained sort of in the back end in a way I can get access to for X number of years. There's even a way for me to turn on a retention rule that's permanent. There's literally no way to turn it off. If I want to turn it off I have to create a whole new Office 365 tenant and decommission my entire account which is quite difficult to do. 
So that's a way to deal with certain kinds of regulations that require that even administrators not be able to delete certain kinds of records ever. So these retention policies you set up in the same place in that security and compliance portal. You can specify where you want that to apply and the number of years you want it to apply for or the number of months and then what action to take after the retention period has been reached. Getting data out of these retention policies isn't really particularly easy. You basically do a search so you can search for all documents or you can search for documents with certain names or between different periods. It was built originally as a way to deal with lawsuits so that if you get sued and they ask you to produce documents or materials that maybe match certain search phrases etc. you can do that. But it is an important tool and it is a way that you can get any data back that gets deleted. So if you have a retention policy set up and someone deletes that really critical spreadsheet but it's been six months longer than the built-in SharePoint retention period, I can get that back if I have a retention policy set up ahead of time. Okay, that's it for the retention policies and for the key features in Office 365 E3 licenses. It doesn't look like we have any unanswered questions here so we are going to continue and let's talk about some of the particularly advanced features that are available as part of Office 365 and Azure. And if you do have questions please type them into the chat window so that you get information that is useful to you.

Okay, we do have a question here. Steven asks, is the E3 license for the whole tenant or is it per user?

It's $4.50 per user per month. So just as a refresher, Microsoft offers three different levels of nonprofit enterprise licensing, which is what these security features require. There is the E1 license which is free. And you can have as many of those as you want. 
There is the E3 license, which I just talked about, that's $4.50 per user per month. In addition to the security functionality, it also includes a subscription to Microsoft Office that I can install on my local computers or my mobile devices. And then there is also the E5 license, which is $10 per user per month, which includes some additional security and also some stuff around Skype for Business. And we do have some other materials to help you navigate that if you need help understanding licensing. But if you want to use that advanced security functionality, you need to license all of the users that are going to be sort of monitored with that E3 license. So please keep the questions coming, and let's talk about some of the more advanced functionality available. Sam, we did have one more question come in. It's about the E3 licensing. Does it need to apply to all users for the data loss prevention to work? Yes. So you have to license every user that is being monitored by that data loss prevention with an E3 license. Thank you. So let's talk about single sign-on with Office 365. Now we are starting to get a little bit more complicated, a little more technical, but not necessarily more expensive. So this we can actually do for free for up to 10 applications with even that free Office 365 license. Single sign-on allows me to tie multiple services together under one login umbrella. So let's say your organization uses Dropbox and Salesforce and Expensify and a couple of other services. And right now you are maintaining a separate username and password for each of those different services. First of all, people might be sharing their username and password. It's a little hard to know who is using what. But more worryingly, if someone leaves the organization, then you have to disable all these different accounts, and you may very well need to know their username and password in order to do that.
With Office 365, with the Microsoft Cloud, this is technically part of Azure Active Directory, you can actually connect all those different systems back to one place. So when I go to log in to my Expensify account, I'm putting in my email address there, and then I'm signing in using something called SAML, the open protocol. Lots of different services support SAML. And when I do that, it's going to actually redirect me to the Office 365 or Azure AD login page. Those two things are the same. If I'm using Office 365, I'm also using Azure Active Directory; that's how authentication works. So I log in with my Office 365 credentials, and then I'm into Expensify. So I didn't have to keep a separate username and password for Expensify. We do the same thing with Salesforce and with any number of other applications. So again, one username and password for all these different services. If my account were to be disabled in Office 365, I would lose access to all those other services. So it's just one account to disable. Because I have two-factor authentication set up for my Office 365 account, I can't log in to my email unless I'm putting in that code from my phone. And because I've also connected all these other tools to Office 365, I can't access Salesforce without using two-factor authentication. So this also gives me two-factor authentication for all these different applications I'm using. So one username and password to remember, easy to apply two-factor authentication to all these different services. So really, it's a little bit difficult to set up. It's different for every single application. Microsoft does provide some guidance for how to do it for several thousand different tools. But once you have it set up, it really will simplify your end user experience and allow you to have much better security. It's actually possible to combine this with something called Cloud Join in order to get single sign-on to all your applications.
So big organizations may very well be using a tool called Azure AD Connect, or Directory Synchronization, to connect their on-premises servers to Office 365. So my password on-premises is the same as my password in the cloud. And maybe even when I log in to my computer, I'm automatically logged into Office 365. That's called single sign-on. I sign in once to my computer, and then I'm signed into everything else. That's really pretty complex to do. And it's not something we recommend for organizations under around 200 users. So for everyone else, how do we get single sign-on? Well, there's this functionality called Cloud Join, where I can join my local machine to Office 365, or Azure Active Directory, instead of to a local domain controller. So for some organizations, this can replace a local domain controller. And when I do that, I'm logging in with my Office 365 credentials. So you can see there, I'm putting in my email address and my password, and when I log in, I'm then logged into my computer. If I then launch Outlook or Word or Excel, I'm automatically signed into those applications. And if I'm using Internet Explorer and I go to Expensify or Salesforce, I'm automatically logged into those as well, because I'm logged into Office 365 and therefore I'm logged into those applications. So this is a very easy way to get single sign-on and to replace an on-premises Active Directory server, which is a really important consideration for some organizations. Let's say you're 20 or 30 people. You've still got a server. You've already moved your email to Office 365. Really, all that server is doing is allowing you to have the same username and password at multiple computers. You can potentially replace this for free with Cloud Join. This is free if you pay for the Enterprise Mobility and Security E3 license. That's $1.65 per user per month on top of either your free Office 365 license or your not-free E3 Office 365 license. You can enforce some additional control.
So one of the things you can do is you can specify additional administrators on local machines. So by default, whoever joined the machine to Azure Active Directory is a local admin. If you pay for that, you can say also your IT person or your Office Manager is a local admin and can log into any machine that's Cloud Joined with their credentials. That same license gives you what is one of the most powerful features of Office 365. And again, this isn't really where I would suggest you start, but it's something that you should know about. And that's something called conditional access. And conditional access can be used to prevent you from logging into different tools unless you're meeting certain conditions. There are some common scenarios for this. One really important one is that you don't want people to use their personal devices to access company resources. That was kind of easy to do before the cloud, because you just didn't allow them to bring their laptops into the office. If you saw them, you wrote them up. Not so much an option anymore when people are accessing these cloud resources. So I can say unless your machine is Cloud Joined, unless your machine is joined to Azure Active Directory, which I only allow an admin to do on your behalf, you're not able to access Office 365. So if I go to the website, it won't let me in. Or I can make it so that I can go to the website and log in, because I still want to be able to update that Word document at my sister-in-law's house, but I'm not able to use the OneDrive Sync client or the Exchange client. So I can't download a copy of all that data to my machine. And here you can see in that screenshot what it looks like if you have this turned on and your computer isn't compliant for whatever reason: it will prevent you from connecting. This can also be used to allow you to have BYOD policies, bring-your-own-device policies. So I can make it so that anyone can enroll their device in Azure Active Directory.
It's in a service called Intune. So you go to a web portal, and then you can put in your username and password and you can enroll your device, and it connects your computer to Office 365. And when I enroll my device, it's still my device. So I'm not logging in with my Office 365 credentials. I'm logging in with my personal credentials, but I'm still enforcing certain basic security policies on that machine. So I'm still saying, in order to have your device enrolled, you need to have Windows updates turned on, you need to have antivirus running. If I want, I could say you need to have your machine be encrypted. So in this way we can check to see whether or not devices are compliant, and if they're not, not allow access to Office 365. So even if people are bringing their own machines, even if we're letting them do that, we're still requiring that certain basic security measures be met before they're able to do that. So this is, I think, the future. This is going to be a replacement for Group Policy in Active Directory. It's pretty new. I wouldn't say it's quite there yet, but it's definitely coming, and I think it's a thing worth playing around with. And it's relatively inexpensive at that $1.65 per user per month fee for that Enterprise Mobility and Security license. Okay, we've got a couple more items, and then I'm happy to take any more questions and we'll close out. So let's talk a little bit about file classification. I used to have some slides in here about file-based encryption. So there's a thing you can do: you can encrypt an individual file using something called Azure Information Rights Management, IRM. So I can encrypt the file so that even if I have access to the file, I can't read it if I'm not allowed to do so. So when I save the file, it's encrypted. When I open the file, Office opens it, but Office can't read the content. It's not technically possible for Microsoft Office to view the contents of that document.
And what Microsoft Office does is it says, I can't read this. I better see whether or not the currently logged-in user has permission to access the document. So it goes out to Office 365 and it says, hey Office 365, I'm trying to open this document. Here's my username and password. Can I have the decryption key to unlock this document? And Office 365 says, yeah, this user is privileged. Here's the decryption key. And then Microsoft Office can open that document. But without having received that decryption key from Office 365, or from Azure Information Rights Management, it's literally not possible for Microsoft Office to open that document. So this is very secure. It's much more secure than, say, setting a password on a Word document or an Excel file. Much more secure than that. The problem is that users really don't understand what that means, or why they should use it, or how to use it, et cetera. This encrypting of individual files is quite complex. So what Microsoft has done is they've made this easier through the use of file and email classification. So if I have this turned on, I have a little plug-in installed on my machine which allows me to set a sensitivity level. And that's in that screenshot down there. So in every Office application, and in my email as well, I can say, well, this particular item is public, or it's internal, or it's sensitive, or it's restricted, it's confidential. And then in the back end, I can set different kinds of policies based on that. So all I'm expecting my users to do is generally understand a plain-text description of how sensitive this information is. Is it very sensitive? Is it not sensitive at all? Is it something we should know where it is, but we don't really care that much? And then based on that, I can take actions in the back end.
And then those actions might be don't allow it to be emailed, don't allow it to be shared as a public link, or it might be encrypt this file so that even if someone downloads the file to their thumb drive and leaves it in the supermarket parking lot, someone who picks up that thumb drive can't open it, because the file itself is encrypted. So using this classification policy, this is something called information rights protection, and it's part of that Enterprise Mobility and Security E3 license. If you have a higher-level license, you can also detect whether or not there's sensitive information in the document. There's a little bit of overlap here with the data loss prevention stuff that we talked about. This is more customizable and also more effective. And the last thing I want to talk about is a tool called Cloud App Security. This is included with an Office 365 E5 license, which is $10 per user per month. And it basically gives me even more granular access to what's going on in Office 365. So the most obvious thing it does is it gives me really detailed logging. So I can go back six months and see every single file that a user has opened. And whether or not they've edited that file, or if they've downloaded it, I can view all of that. I can view that they shared the document externally with these users at this time. I can look at one document and I can see the full history of edits and views of that particular document over time. So really, really granular reporting. The next thing I can do is I can set up security alerts. And these security alerts can be basic, from this person has failed to log in too many times, to very advanced, like this user has downloaded 30 files in the last two minutes. Maybe they're actually trying to download a full copy of our SharePoint instance. Maybe that means they're going to quit. They're trying to take our data with them. Maybe it means someone's compromised their credentials.
Or I can say this person is logging in from a new location. It's a very sensitive user who doesn't travel very much. Let's let the administrator know that maybe they should look into that. And you can see here my organization is the subject of some attacks. We have two-factor authentication turned on, which is very important. But I'm also getting alerts here that I've had too many failed logins on a couple of accounts. So that's something that I do monitor to know what's going on. Cloud App Security can be used for a lot more than just Office 365. You can connect several hundred other applications to this as well. We have it connected to our Salesforce instance. You could also connect it to Box or Dropbox. And so you can get the same kind of logging capabilities all from one place. So let's say I've connected Salesforce and Dropbox to Office 365 through single sign-on and I'm using Cloud App Security. I can click on a user and I can basically see everything they've done over the course of a day. They've opened these files in Dropbox. They've shared them out externally. They accessed this shared mailbox. They logged in at this time and they logged out at this time. I can see all of that from one place, from one console. And I can also look to see whether or not they or anyone else saved a file to SharePoint or to Salesforce or to Dropbox that had a Social Security number in it or a credit card number, and take action accordingly. So there's a lot you can do with Cloud App Security. It is pretty expensive. It's not a place I would recommend a nonprofit start, but it's a nice tool to be aware of. Okay, and that's all I have for the presentation. I'll maybe take a few questions, and then Susan, you can keep going. Great, thanks. We do have quite a few questions to round out the hour. The first is from Ravon: can you lock out USB drives? And the answer is sort of. Depending on the version of Windows that you're running, that can be done with Intune.
And that is a common security request. So that platform is also being expanded quite a bit. So I would expect to see that more widely available in the near future. Thank you. Jason has a question about what minimum version of Microsoft Office is required for document classification. Is there a backup for users working online, like when they're on a flight on Wi-Fi? Yeah, that's a great question. So the document classification piece that you saw with those sensitivity labels relies on a plug-in that's installed on their machine. Basically, that is supported in Windows, and you have to install the plug-in. I think Office 2013 is the oldest version supported by that. The technology is a little bit more complicated, so you can use data loss prevention instead of that. And data loss prevention actually operates on the back end. It doesn't require anything in the files themselves to look for things like Social Security numbers and credit cards, etc. So the file classification really is mostly just for the Office client. And the DLP is a little bit more of a back-end safety net for administrators, in case users aren't using those tools properly. And honestly, it gets a little more complicated than that. There are ways you can classify files even if you don't have the plug-in installed. But I don't want to get too bogged down in that at the moment. If you want to talk more, let me know. Thank you. Yersi has a question: all this information is very helpful. Is there something similar available to organizations that use Google Cloud? Great. So I'm not going to claim to be an expert in Google Cloud. I will say that most of this, a lot of this, you can do with Google Cloud, the end-to-end email encryption, the data loss prevention, that stuff you can do, although you might need to subscribe to some third-party services in order to do it.
The conditional access and the information rights management, that piece, is not so doable just within the Google Cloud, although there are some third-party apps that might help you. So the benefit of doing it with Office 365 is it's an all-in-one integrated platform. There should be ways to accomplish all this outside of the Microsoft Cloud as well. Great. Thank you. Those are the questions we have right now. So I'll just put it out to everyone before I start my wrap-up. If you do have any last-minute questions, we have about six minutes to go. I am going to talk a little bit about some of the other things we offer here at TechSoup. While I'm doing that, if you would please chat in one thing that you learned from Sam today, or one thing that you are going to share with a colleague or a coworker. I know Sam brought us a lot of information today and covered some really important stuff, and we would like to know how you are going to share that. So you know we do have webinars. You are on one today. We also have online training. This is training that you can take on your own independently, which is asynchronous. That means you can take it anytime, anywhere, any place, on mobile, tablet, or your laptop. And you can find courses on anything from tech training, how to train your staff, to tech planning. We have a whole series on tech planning that includes things like doing an assessment of your current IT and then identifying the gaps and the needs in your current organization, your nonprofit, or your library. We also have tons of design courses that are free. We also have a webinar series, our TS30. Those are 30-minute webinars. We've just started these; they are very specific how-to's and tips on things like Adobe design products like Illustrator, InDesign, Photoshop, and other things. Some upcoming webinars next week: our Tuesday Tech 30 is on Adobe Illustrator. Our West Holding here at TechSoup is going to be leading you through some steps to build something in Illustrator.
Also next week we have a very interesting storytelling webinar that's geared for libraries. It's called Lights, Camera, Advocacy to Action: Digital Storytelling for Libraries. So I am going to chat out the link to the online courses in a moment. And I'm also going to, I want to make sure no one has asked any additional questions. Okay, great. Then I want to take the opportunity to thank Sam and Tech Impact for their partnership. Sam has worked with us on some additional content that we will be coming out with. There will be an article in a few weeks that comes out with some video clips that Sam recorded with us that will show you some of the things like the DLP, how to set some of these things up on your computer if you're an administrator or you're in IT. So we look forward to sharing those with you in a couple of weeks. I am going to chat out the link to our courses. It is TechSoup courses. Please do check it out. Sam, you've been amazing. You've been a wonderful partner. We really appreciate Tech Impact and all the work you do with nonprofits. And I want to thank Allie Vestikian on the back end for helping out with all of the tech challenges. And most importantly, I do want to thank you for coming to our event. We know that your most valuable asset is your time. So thank you very much for this hour you've given to us. And I want to thank ReadyTalk as well for providing this platform for us to deliver these free webinars. I don't see any last-minute questions, so I am going to give you back two minutes of your time. So thank you so much, Sam. You've been awesome. Thanks so much. All right. Bye, everyone. Have a great day. This does conclude today's conference call. Thank you for your participation. You may now disconnect.