Hello, my name is Sam. I'm Director of Consulting at Tech Impact. We're a nonprofit technology provider. And I'm here to talk with you today about security using the Microsoft Cloud.

When we talk about nonprofit security, it's really important that we take a multi-layered approach. Today we're going to be talking about provider security, which is the security of the underlying tools; device security, which is the security of the devices that are storing your data, your laptops, and your desktops; the security of the accounts themselves that you're using to log in; and then also security of the underlying data, what are you storing in your cloud environment. We're going to talk about how Microsoft tools can help you address all of these different layers of security.

A layered security approach is really important because otherwise you end up with what we call M&M security, crunchy on the outside and soft and gooey on the inside. In order to keep your organization safe, it's not enough to just have it be hard to get into your environment. You also have to make sure that if someone does get in, they can't get access to all of your data. In this day and age, you should assume that some aspect of your information technology has been compromised, and make sure to limit exposure for your organization if that does happen. Let's talk about how the Microsoft Cloud can help you with all this.

First up I want to talk about provider security. This is security of the underlying tools. Microsoft provides something called the Microsoft Trust Center, which is a website that you can go to, and you can get information about all the different security standards that Microsoft adheres to. Microsoft is HIPAA compliant. It has audited compliance with SSAE 16 and a dozen other acronyms that you really don't care about. So just go ahead and take a look at this website. One important thing to know about Microsoft Cloud is that all of your data is encrypted in transit and at rest.
So you really only need to worry about your data on local computers, and data that's being shared through the tools with people outside of your network. The underlying storage and the transfer of data between your computers and Microsoft's cloud is already encrypted and secure.

Microsoft is handling the security of the tools themselves, but let's move on to what you can do to keep your organization safe, and let's start by talking about device security. The best thing you can do to keep your devices safe and secure is to encrypt them. What this means is that even if someone steals or finds a computer or a mobile device or a thumb drive, they can't actually access the data because the data itself is encrypted. On Windows, this can be accomplished using BitLocker encryption. This is built into Windows 7 and 8 Enterprise, or you can accomplish this with Windows 10 Pro or Windows 10 Enterprise. And enabling it is as simple as just clicking on "Turn on BitLocker" in the BitLocker section of your control panel. The one downside of this approach is that you do need a specialized piece of hardware called a TPM or a trusted platform module. This does not really add any cost to your computer, and most modern business computers already have this built-in, but you do want to make sure that when you purchase new computers, they come with a TPM.

Let's move on and talk about Azure Active Directory. Azure Active Directory is a way in which you can keep your accounts secure. And we'll talk a little bit later about how it can also help you enforce your devices being secure. Azure Active Directory, despite its name, is not the same thing as On-Premise Active Directory. But it is a way for you to provide centralized authentication and device management using the cloud. Azure Active Directory can be synchronized with your On-Premise Active Directory, or in many cases, it can replace it. One of the neatest things about Azure Active Directory is that you can cloud join Windows 10 computers.
You'll see here, there's a button in the control panel called Join Azure AD. You can click on this button to join the computer to Azure AD, very similar to how you might join a computer to an On-Premise domain. When you do that, your users will be able to log into the machine using their Office 365 or their Azure Active Directory username and password. From there, they'll get single sign-on directly to Office 365 and all the apps you've integrated with Azure Active Directory. This requires Windows 10 Pro or Enterprise.

Azure Active Directory is a cloud-based identity provider that actually comes with Office 365. So if you're using Office 365, you're actually already logging into Azure Active Directory. Azure Active Directory can extend your On-Premise Active Directory. You can synchronize your local usernames and passwords to the cloud if you have an Active Directory server, or for many organizations, it can actually replace On-Premise Active Directory entirely.

You can do a lot more with Azure Active Directory than just protect your local computers. You can also use it to provide single sign-on and centralized access to hundreds of other third-party pieces of software. So we have here a screenshot. We're taking a look at Expensify, which is just an expense management app that we use at Tech Impact. And I'm logging into this using my Office 365 username and password. As an administrator, I've added Expensify to my Azure Active Directory environment. And now my users are logging in using their Azure Active Directory or Office 365 username and password. This is a really important and easy way to keep your organization secure. Rather than trying to manage 10 or 20 usernames and passwords for every single user, you're just managing one central username and password. Any application that supports the SAML standard can be used with Azure Active Directory in this way.
We can take this single sign-on to all of our applications and make it even more secure using two-factor authentication. Two-factor authentication is not one of those things that consultants tell you that you should do, but you as a nonprofit know you'll never actually do. This is actually something that all nonprofits should be seriously considering implementing. When you have two-factor authentication enabled, someone cannot get into your account just using your username and password. Instead, they also need access to your mobile phone or to another device that's being used for the two-factor authentication. When I log in to Office 365, it asks me for my username and password. And then it will ask me to type in a code, or it will call me and ask me to answer that call and press a button on the dial pad, or it will ask me to approve it through a mobile application. When I approve that request, it will then let me into Office 365. That means that if someone else has guessed or gotten my username and password and they try to log in, my personal cell phone will ring or get a text message. And if I don't respond, then that individual is not able to get access to the account. If I've tied in third-party applications to Azure Active Directory, those applications will also be secured with two-factor authentication. So in this way, I can protect just one account, but protect all of my organization's data.

So we've talked about how Microsoft keeps your data secure on their platform. We've talked about data security through encryption. We've talked about account security through Azure Active Directory and two-factor authentication. Now I want to talk about data security. Data security is really, really difficult. And it's difficult because your users tend to want to get their jobs done. And so they are going to be inclined to keep information wherever is most convenient for them.
Office 365 provides some functionality for you to keep an eye on where your users are keeping critical information and how they are sharing that information. The easiest way to do this is using E3 licenses in Office 365 and configuring data loss prevention policies, or DLP. Data loss prevention policies allow you to look for certain kinds of information and then notify an administrator or prevent the action from occurring if someone tries to share that outside of your organization. Office 365 provides out-of-the-box templates for this for HIPAA, PCI, state breach disclosure laws, and a number of other circumstances. So it's very easy to create policies that protect your organization's specific data. When I set up a data loss prevention policy, I'm going to say the kind of information I'm looking for, where I'm looking for it, if that's Exchange for email, SharePoint and OneDrive for files. And then I'm going to tell Office 365 what to do if that information is being shared improperly. I can either prevent the sharing or I can just notify an administrator that it's happening so I can pay attention and follow up on it. Setting up a data loss prevention policy in Office 365, if you have an E3 license, is really only five or six clicks, and it's definitely something you should consider.

If your organization is very security conscious and the built-in functionality that I've discussed so far isn't sufficient, there is more you can do with Office 365. So let's take a moment to talk about the Enterprise Mobility and Security features that are available. The Enterprise Mobility and Security licenses start at $1.65 per month and the higher level license is $2.80 per user per month. And this is in addition to a standard E1 or E3 or E5 license. One of the best things I can do with Enterprise Mobility and Security is I can allow my users to manually specify sensitivity levels for my files and my emails. You'll see here a screenshot of Outlook and of Microsoft Word.
And on the top there's a bar where I can specify the level of sensitivity of this particular file. I can specify if the file is public or sensitive, if it's internal only or even confidential. And then on the back end I can automatically take certain administrative steps. This can be combined with encryption technology in Office 365 so I can actually apply file level encryption to individual files or individual emails. That means that even if someone gets the individual file, they won't be able to access the data within it. It also allows me to prevent these emails or these files from being sent outside of the organization.

The other advanced thing I can do with Office 365 if I have one of these licenses is control access to my data. This is something called conditional access. I can prevent computers that aren't encrypted or that don't have Windows updates running from accessing Office 365. For organizations that are dealing with sensitive information and maybe have Social Security numbers or credit card numbers in OneDrive or in case notes or in SharePoint, this can be a really important way to prevent users from accidentally or intentionally synchronizing sensitive files to unprotected computers.

That's all I have for you today. So we've talked about the basics of Office 365 security and we've talked about what you can do with more expensive higher level licenses. And I hope this will help your organization remain secure.