Applies to: Office 365
Topic Last Modified: 2015-03-25
Note: The content of this description applies only to existing Office 365 Dedicated customers with established private networking services. Prospective customers will use the forthcoming Office 365 Dedicated vNext release and its networking implementation. Contact your Microsoft account team for more details.
Because the Microsoft Office 365 Dedicated network is designed to manage multiple customer environments from a single management environment, compartmentalized network infrastructure controls are implemented specifically to help ensure the confidentiality and integrity of your organization's data. Under no circumstances is access permitted from one Office 365 Dedicated subscriber's environment to another subscriber's environment. The Microsoft network also provides reliable data availability through equipment redundancy, resiliency, and industry-standard high-availability design practices.
Microsoft Internet connections are used to transport email on your organization's behalf and to provide access for mobile and Internet-connected employees. Working with your organization, Microsoft applies a rich set of security controls and optimizes routing to deliver the desired level of performance. In particular, the following three levels of security are implemented to prevent unwanted traffic from entering the Office 365 network or your dedicated virtual local area network (VLAN):
As traffic heads toward the VLAN, two sets of network filters allow only authorized source networks, on specified ports and protocols, to reach the servers of a specific Office 365 Dedicated service.
At the router, route separation limits what is reachable and allows only authorized traffic to pass through. Because virtualization is used at the router level, only the routes your organization needs are present in its routing table; routes belonging to other customers or to the management environment are not visible from it. Note that this route hiding is a confinement measure, not a filter in itself; the explicit allow and drop decisions are made by the network filters and the enforcement point described here.
All unrecognized traffic is routed to a network security enforcement point (NSEP), where a stateful rule list governs which traffic is allowed to pass through. Any traffic that does not match an NSEP rule is dropped, so the default is deny.
In addition to this three-tiered security, there is a final checkpoint in the data centers. This checkpoint allows only servers that are managed by Microsoft and configured for Internet access to receive Internet traffic. Reverse access, that is, connections initiated from the Internet toward the Customer Network, is blocked entirely.
One key strategy that Microsoft uses to maintain the confidentiality and integrity of your Office 365 Dedicated data is compartmentalization. The following techniques are used to control information flow between the Management Network, the Managed Network, and the Customer Network:
Logical separation. VLAN technology is used to further separate communications between Customer Network and Managed Network segments.
Firewalls. Firewalls and other network security enforcement point equipment are used to limit data exchanges with systems that are exposed to the Internet and to isolate these systems from back-end systems managed by Microsoft.
One-way trusts. Active Directory one-way trusts are used to prevent systems or users in the Managed Network from authenticating to resources on the Management Network: the Management Network does not trust the Managed Network, so authentication flows only from the management side into the managed side and never the reverse. A similar one-way trust prevents Managed Network systems and users from authenticating to resources in the Customer Network.
Protocol restrictions. Only Terminal Services (Remote Desktop Protocol) can be used to access systems on a Managed Network from the Management Network.
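The following PowerShell function is an added example, not code from the original page or from Microsoft. It checks, from your organization's own forest, that a trust toward the Managed Network forest has the direction the design above implies: inbound only from your side, so that your principals can be authenticated to Managed Network resources while Managed Network principals cannot authenticate to yours. The function name, the partner forest name and the assumption that exactly such a trust object exists in your forest are assumptions made here; confirm the expected direction with your service delivery manager before treating a finding as a defect. It requires the ActiveDirectory RSAT module and only reads trust objects.

```powershell
# Added example (not part of the original page). Run in your organization's
# (Customer Network) forest with the ActiveDirectory RSAT module available and an
# account that can read trust objects. The partner forest name is a placeholder.
Import-Module ActiveDirectory

function Test-ManagedNetworkTrust {
    param(
        # Placeholder for the Microsoft-operated Managed Network forest name;
        # use the value your service delivery manager (SDM) provides.
        [Parameter(Mandatory)][string] $PartnerForest
    )

    # Direction semantics of the trustDirection attribute (MS-ADTS), as seen
    # from the forest you query:
    #   Inbound       - the partner forest trusts this forest: your principals
    #                   can be authenticated to partner resources, not the reverse
    #   Outbound      - this forest trusts the partner: partner principals can be
    #                   authenticated to resources here
    #   BiDirectional - both
    # The design on this page (Managed Network principals cannot authenticate
    # to the Customer Network) therefore implies Inbound only on your side.
    $trusts = Get-ADTrust -Filter "Target -eq '$PartnerForest'" `
        -Properties Direction, TrustType, ForestTransitive, SelectiveAuthentication,
                    SIDFilteringForestAware, SIDFilteringQuarantined

    if (-not $trusts) {
        return [pscustomobject]@{
            Target   = $PartnerForest
            Found    = $false
            Findings = @('No trust object found for this partner forest')
        }
    }

    foreach ($t in $trusts) {
        $findings = @()

        if ($t.Direction -ne 'Inbound') {
            $findings += "Direction is '$($t.Direction)'; expected Inbound only " +
                         '(this forest must not trust the partner forest)'
        }

        # General Active Directory hardening worth reviewing on any trust, not a
        # statement about how Microsoft configures its side: SID filtering stops
        # SID-history injection across the trust, and selective authentication
        # limits which hosts partner principals may authenticate to.
        if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
            $findings += 'Forest trust without forest-aware SID filtering'
        }
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'External trust without SID filtering (quarantine)'
        }
        if (-not $t.SelectiveAuthentication) {
            $findings += 'Selective authentication is not enabled (review whether it should be)'
        }

        [pscustomobject]@{
            Target                  = $t.Target
            Found                   = $true
            Direction               = [string]$t.Direction
            TrustType               = [string]$t.TrustType
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            Findings                = $findings
        }
    }
}

# Usage (placeholder forest name):
# Test-ManagedNetworkTrust -PartnerForest 'managed.example.com' | Format-List
```

An empty Findings list means the trust is inbound-only from your forest and carries the usual trust hardening. A Direction of Outbound or BiDirectional is the condition to raise with your SDM, because it would let principals from the partner forest be authenticated to resources in your forest, which the design above says does not happen.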
The following figure illustrates the network information flows and associated restrictions for Office 365 Dedicated plans.
Coordinate with Microsoft about any changes to your network environment that impact network security.
If specific protocols must be blocked at the network level, contact your service delivery manager (SDM) to initiate the Configuration Request process.
Microsoft provides and implements all required controls to maintain network security and separation for each Office 365 Dedicated customer.