Data protection and privacy
General Information
The use of Microsoft 365 is established in close coordination with the Chief IT Security Officer. Note that the requirements regarding information security and data protection remain valid when using cloud services.
=> Confidential data may be edited or stored in the Microsoft cloud in OneDrive, SharePoint and Teams (exception granted by the CISO).
According to the directive "Information security at ETH Zurich", the information owners are responsible for the correct classification. All users of Microsoft 365 / Teams must confirm that they have read these terms of use when subscribing.
Encryption
All data processed by users in the Microsoft cloud is encrypted both in transit and at rest. The following tables give an overview of the encryption used per service.

Application | Encryption in transit |
Teams | Server-to-server MTLS |
SharePoint Online | Client-to-server TLS |
OneDrive for Business | Client-to-server TLS |
Exchange Online | Not applicable: currently stored on-premises at ETH Zurich |

Application | Encryption of stored data (data at rest) |
Teams | AES-256 (SharePoint Online) |
SharePoint Online | AES-256. Azure Storage itself cannot decrypt the files, since the key is readable only by the SharePoint Online service. All encryption and decryption takes place in the same security context as tenant isolation, which also separates Azure AD and SharePoint Online from other customer environments. |
OneDrive for Business | AES-256 (SharePoint Online) |
Exchange Online | Not applicable: currently stored on-premises at ETH Zurich |
End-to-end encryption for calls in Microsoft Teams
As mentioned above, Microsoft Teams encrypts communication by default (TLS, Transport Layer Security, and SRTP, Secure Real-time Transport Protocol).
However, if you want to take extra precautions for particularly sensitive conversations, Teams offers end-to-end encryption (E2EE) for one-to-one calls. With E2EE, call information is encrypted at its origin and decrypted only at its intended destination, so it cannot be decrypted at any point in between.
During a one-to-one call with this additional encryption, audio, video and screen sharing are available. Note that the following features are not available during an E2EE call:
recording, live captions and transcription, call transfer, call companion and transfer to another device, and adding a participant.
Enabling E2EE
Before calling, both people must do the following:
Next to your profile picture, select Teams, then select Settings.
Select Privacy on the left, then select the toggle next to End-to-end encrypted calls to turn it on.
To verify that end-to-end encryption is enabled, look for the lock icon in the top-left corner of the call window. This indicates that E2EE is enabled for both parties. Note that both participants must have the E2EE option enabled in order to benefit from an active
Data storage
All data used in the Microsoft cloud is encrypted both in transit and at rest. The data is stored in Microsoft data centers in Switzerland or at locations in the European Union (EU). All applications in which Microsoft stores data outside Switzerland or the EU have been deactivated by the ID. Exceptions require approval by the school management.
Microsoft ensures that, in the event of loss, data can be restored for the affected users within a period of up to 90 days. All users of Microsoft 365 are created in the Microsoft cloud with their identities from the Active Directory (AD). A procedure called ADFS is used to sign in; it synchronizes the identities in the Microsoft cloud. The ETH username and the ETH password are used to sign in. Office 365 does not use a separate password and does not store it in the cloud.
Use of logging data in Microsoft 365
Microsoft 365 collects the various log data that arise when using Microsoft 365 cloud services in a central container called the Unified Audit Log (UAL). This log data is stored by Microsoft in the cloud and made temporarily accessible to ETH Zurich. The IT services have drawn up a logging policy in cooperation with the Chief Information Security Officer. It describes the framework as well as the accompanying technical and organizational protective measures that are prerequisites for operating the Unified Audit Log of MS 365.
=> Link to the Logging Policy (in German)
Multi-factor authentication for guest access to MS Teams
When using cloud services, additional security measures must be taken to prevent unauthorized access to the data stored in the cloud. For this reason, multi-factor authentication is activated for all guests. This means that all guests must register a second factor when logging in for the first time, e.g. a mobile phone or an authenticator app.
In addition to the mandatory password, the guest must then authenticate, depending on the method selected, using an SMS code sent to a smartphone or using a specific authentication app. Combining several authentication factors increases the certainty that the user who is currently trying to authenticate is actually who they claim to be.
Set-up of the multi-factor authentication
Step 1: Click on the link in the invitation email "Open Microsoft Teams". If the email address to which the invitation was sent is not yet linked to a Microsoft account, you must first create an account.
Step 2: The "More information required" screen is displayed. Click "Next".
Step 3: Choose the method you want to use to authenticate yourself.
The following options are available:
- Authentication phone / mobile phone (SMS or call back)
- Office phone
- Mobile app
Option 1: You can have an SMS code sent to your mobile phone.
Option 2: If you select the office phone option, you can answer the call on your landline.
Option 3: If you wish to use the Microsoft Authenticator app, select "Mobile App".
When using the Authenticator app from Microsoft (download link https://www.microsoft.com/de-de/account/authenticator), it must not be deleted after registration. The Authenticator app must also be reconfigured after a device change.
An explanatory video how to set up the Microsoft Authenticator app is available under the following link: https://www.microsoft.com/de-de/videoplayer/embed/RE2Pbu3?pid=ocpVideo0-innerdiv-oneplayer&postJsllMsg=true&maskLevel=20&market=de-de
The multi-factor authentication must be confirmed regularly. Whenever you log in again, or after a long period of inactivity on a device with your Microsoft 365 account, you have to confirm the login with the second factor. This procedure is reliable protection against phishing or unauthorized login with your Microsoft 365 account and password.
Each user can also check or manage the MFA settings directly via the following link: https://mysignins.microsoft.com/
Here you can switch to a different method, store additional sign-in methods and set the default sign-in method. It is recommended to store at least one additional method in case the preferred one is not available, for example if your mobile phone is defective or replaced.
Information architecture
Microsoft Teams is the central element of the Microsoft 365 landscape, but it has no data storage of its own. Teams distributes the data generated in a team across different applications:
- Group conversations and the group calendar are stored in Exchange
- Meetings are stored in Exchange as well
- Team chats are also stored in Exchange
- Meeting recordings end up in Stream
- All other documents, the OneNote notebook and the SharePoint Wiki end up in the site collection in SharePoint
- File attachments in a chat and attachments to tasks from Planner are stored in SharePoint
Because of the Exchange Hybrid mode currently used within ETH, certain deviations from the above may arise. Voice mail is deactivated, and chats are not recorded in Exchange due to the hybrid Exchange mode.