Author Archives: Rutgers Connect Support Team

Rutgers Connect Security and Trust Part Three: Mobile Device Management 

This is the third in a series of articles covering data security and privacy in Rutgers Connect, addressing both the standards and capabilities of the Office 365 platform and the Rutgers-specific customizations and policies related to these topics.

The first entry in the series, Rutgers Connect Security and Trust Part One: The Office 365 Platform Security, introduced users to security and data resiliency features native to the Office 365 platform.

It was followed by Rutgers Connect Security and Trust Part Two: Rutgers-Specific Implementation and Policies, which covered the customizations made and policies enacted to protect users’ privacy in Rutgers Connect.

In this third and final article, we will discuss Mobile Device Management.


Reasons to Use MDM

Mobile Device Management is a suite of software and policies designed to ensure that end-user and University data stored on mobile devices is secured from unauthorized access. Modern mobile devices are far more advanced than old-style mobile telephones; they are full-powered computers that go with us everywhere. Unfortunately, these devices are often unsecured from casual access by unauthorized parties, and they are easily lost or stolen. MDM enrollment helps reduce the security risk these factors pose.

While MDM enrollment is not mandatory, users who chose to not enroll their devices in the Rutgers Connect MDM system may only access Rutgers Connect services via the mobile web interface. For many, this is sufficient. However, users desiring more advanced integration, including the ability to edit and share Office files, full calendar integration, device caching of email and other data, access to OneDrive-hosted files, etc. must enroll their devices.


MDM Requirements & Capabilities

There is a considerable amount of confusion and misinformation about what Rutgers can and cannot do to a enrolled mobile device. While other products offered by Microsoft may be able to enforce more advanced policies and controls (as reflected by warnings presented during the enrollment process), the version purchased by and available to Rutgers University cannot track users’ movements or access any data on the device, including any data about usage, installed software, personal data, photographs, etc. The MDM product’s capabilities are limited to enforcing certain basic security settings and providing remote wipes of the device when requested by the user.

As configured and supported by the University, the only requirements most users will have to comply with for MDM enrollment are securing the phone with a simple lock screen PIN and accepting the remote wipe access. Users who are subject to HIPAA regulations must also ensure that all data on the device is encrypted and use a more complicated PIN. In all cases, more modern devices which support fingerprint authentication can use that method as a substitute for the PIN when unlocking the device, but the PIN will still be required at device startups and reboots.

Rutgers University will never initiate a remote device wipe without the express permission and request of the device owner. This option is available to the owner of a device, the delegated Connect administrators for their department, and select OIT Connect administrators. The use of this feature is limited to cases where a device has been lost or stolen and the device owner requests that all data on the device be wiped to secure it from any chance of unauthorized access.

More information about MDM and configuration of mobile devices can be found here.


Authors: Vladimir Gabrielescu, Elizabeth McMillion, Rae Clarke

This concludes our three-part series of articles on Security and Trust in Rutgers Connect, but stay tuned for other topics to be covered in future articles.

If you have any questions, comments or suggestions regarding the Rutgers Connect article series, please write to help@oit.rutgers.edu.


As described in this series, Office 365 and the Rutgers Connect implementation are designed with security as a top priority, offering a wide array of rigorous protective features at multiple levels which provide users with a great deal of privacy and safety. However, as with every existing platform, NPPI (Non-Public Personal Information, such as Social Security numbers) should still not be transmitted via email.

Rutgers Connect Security and Trust Part Two: Rutgers-Specific Implementation and Policies

This is the second in a series of articles covering data security and privacy in Rutgers Connect, addressing both the standards and capabilities of the Office 365 platform and the Rutgers-specific customizations and policies related to these topics.

The first entry in the series, Rutgers Connect Security and Trust Part One: The Office 365 Platform Security, introduced users to security and data resiliency features native to the Office 365 platform.

In this article, we focus on Rutgers-specific security considerations as well as additional protective features included in the Rutgers Connect implementation of Office 365.


HIPAA Compliance

While Microsoft Office 365 is a HIPAA-compliant product and Microsoft has signed a Business Associate Agreement (BAA) with the University, Rutgers Connect is currently undergoing a rigorous in-house analysis to evaluate and document all aspects of the product, both as offered by Microsoft and as configured by the University, with regard to HIPAA compliance. When this effort is complete, the University should be able to provide better guidance about which specific HIPAA data types, communications, and activities can be used, stored, and conducted via Rutgers Connect. In the meantime, please contact the Office of Enterprise Risk Management, Ethics, and Compliance if you have any questions.

Along with the provisions set forth in the University’s BAA with Microsoft for Office 365 and the security features built into the platform, Rutgers Connect automatically enforces a number of additional security features for University members who are part of units designated as HIPAA-covered entities.

Email originating from users belonging to such units and addressed to external users is automatically routed through a product named Zix. Zix scans outgoing messages for HIPAA-covered data, such as private patient information, and ensures that the message is delivered securely to the recipient by ensuring end-to-end encryption of the communication channel via a number of different technologies.

The end user needs to ensure that any communications involving HIPAA data are sent only to those parties who have the correct authorization to handle the data they receive. Proper training for all users handling and communicating HIPAA data is essential.

Current, already-existing procedures which cover the handling of HIPAA and NPPI data (like using a patient portal for doctors to securely communicate with patients) should NOT be changed simply because Rutgers Connect is now available. All standard procedures for handling HIPAA data and communications should continue unchanged. Proposals for new procedures or changes to existing procedures involving HIPAA data should be submitted for evaluation and authorization to the appropriate organizations tasked with those responsibilities.

More information about Office 365 and HIPAA is available from Microsoft. Interested users may wish to visit the Office 365 & Microsoft Dynamics CRM Online HIPAA/HITECH frequently asked questions page on the Microsoft website.


Additional Implemented Security and Privacy Features

After consulting with IPS (Information Protection and Security) and ERM (the Office of Enterprise Risk Management, Ethics, and Compliance), OIT has made a number of security-related choices when configuring Rutgers Connect which protect users from intentional or accidental exposure of private or internal data.

Anonymous external sharing of all data is restricted. While users may certainly share Calendars, OneDrive stored files, etc with colleagues external to Rutgers Connect and the University at large, the sharing cannot be anonymous. The intended recipient of the share must create their own set of unique login credentials when they receive the first share notification and use these credentials whenever accessing the shared data. Calendars may be externally shared anonymously, but with limitations on what information is exposed; recipients can view the times and names of events, but no event details, notes, or attachments will be visible.

At this time, users cannot access the plugin store or grant third-party applications permission to interact directly with the data stored in their accounts. Third-party applications may request access to your mailbox, OneDrive data, and more; to avoid accidental or malicious exposure of your data, user authorization of such third-party application access is not enabled. That does not mean we cannot integrate Rutgers Connect with third-party services – in fact, we have already done so for a number of Rutgers-supported services such as Blackboard – but such configurations and associations must be made by OIT systems administrators after appropriate review.

To protect users from both accidental deletions of email or files and malicious data removal in the case of an account breach, OIT has configured Rutgers Connect to retain and potentially recover data for 30 to 60 days after deletion. The length of time for which an item is retained varies. Newly-created or received items can be recovered for up to 60 days from the day of creation or receipt regardless of when they were deleted, while older items can be recovered for 30 days after deletion. This is not an effortless operation; users should always be careful to preserve data they still need and only delete unnecessary items.

Access to Rutgers Connect services via mobile devices is limited to only web access unless the device is enrolled in the Rutgers Connect Mobile Device Management system. Mobile Device Management (MDM) will be covered in more depth in the third article in this series.

Additional security features such as two-factor authentication, data loss protection algorithms and policies, and Advanced Threat Protection are being currently evaluated and will be deployed when appropriate.


Delegated Administration

Rutgers Connect is centrally configured, managed and supported by OIT, primarily by the Enterprise Messaging group and the OIT Help Desk. When picking the product, a fundamental feature the selection committee considered was the ability to delegate certain administrative tasks and functions to local and departmental IT support structures.

Whenever possible, OIT delegates control over departmental domain management, resource creation and maintenance, various user support functions, etc. to the IT staff directly supporting various academic and administrative units. This delegation leverages the Role-Based Access Control capabilities of Office 365 to ensure that no departmental IT staff has access to the resources and data owned by other departments. Additionally, tools and APIs are in place to ensure that all business practices are enforced across all departments and IT staff.

Delegated administrators are bound to the same requirements and rules regarding user information and privacy as the central OIT staff managing Rutgers Connect. These rules are formulated and maintained by the University, including the Office of General Counsel and other parties.


Rutgers Access to User Data

User privacy is of utmost importance, and OIT is cognizant of the trust placed in our hands. To ensure that this privacy is always respected, OIT has implemented the following guidelines and tools.

  1. No OIT staff member or delegated departmental administrator will access user data without first obtaining the explicit permission of the user except under a very narrow set of cases such as:
    1. Performing a legal eDiscovery or OPRA search at the written request of the Office of General Counsel. In these cases, OIT staff do not access the data directly, but retrieve it for use by OGC without examining it.
    2. Combating or investigating an active and emergent security threat where we believe an account is being used maliciously or by unauthorized actors.
  2. In the unusual case that an OIT staff member needs access to a user’s account in the course of providing support or performing maintenance functions, OIT staff will first obtain permission from the user to access the data, either directly from the user or via local support acting as intermediaries for the user. Such access will always be limited to the minimum required to solve the issue at hand, and permission to access the account is considered withdrawn when the issue is resolved.
  3. All actions taken by OIT staff or delegated departmental administrators are immutably logged. No one in Rutgers University can alter these logs in any way; these logs are not under the control of the University, but rather they are immutably maintained by Microsoft. Logging of administrator actions cannot be turned off or bypassed.
  4. All eDiscovery and OPRA searches are immutably logged. In addition, records are kept of the official requests received from the Office of General Counsel directing the searches in question.

Additional standards and policies are being developed by the Office of General Counsel in consultation with other relevant parties. Any new standards and procedures will be posted in the appropriate locations.


Authors: Vladimir Gabrielescu, Elizabeth McMillion, Rae Clarke

This concludes Part Two of the Rutgers Connect Security and Trust series. Stay tuned for the third and final article in the series, which will cover Mobile Device Management.

If you have any questions, comments or suggestions regarding the Rutgers Connect article series, please write to help@oit.rutgers.edu.


As described in this series, Office 365 and the Rutgers Connect implementation are designed with security as a top priority, offering a wide array of rigorous protective features at multiple levels which provide users with a great deal of privacy and safety. However, as with every existing platform, NPPI (Non-Public Personal Information, such as Social Security numbers) should still not be transmitted via email.

Rutgers Connect Security and Trust Part One: The Office 365 Platform Security

When selecting Microsoft Office 365 as the platform for Rutgers Connect – the new central email, calendaring, and collaboration solution for the University – the members of the committee tasked with this selection process were keenly aware that data security and privacy ranked among the most important considerations. This series of articles will introduce both University IT staff and interested members of the community to the standards and capabilities of the Office 365 platform designed to ensure data security and privacy. It will also provide an overview of the Rutgers-specific customizations and policies which further this high-priority endeavor.

The first articles in the series will cover the Office 365 platform’s security capabilities and compliance offerings.

Microsoft publishes a vast amount of information detailing their techniques, policies, methodology, and implementations relating to the security of Office 365. Interested users should browse the Office 365 Trust Center for additional information, as these articles will cover only a small portion of what Microsoft has made available.

https://www.microsoft.com/en-us/trustcenter/cloudservices/office365 .


Data Location, Privacy, and Access by Third Parties

Contractually, Microsoft guarantees that all Rutgers University data is stored exclusively in US-based datacenters. Within these facilities, data which belongs to Rutgers is logically segregated from the data of all other Office 365 tenants owned by other clients. Furthermore, all data is encrypted both at rest and in transit and between the user and all components of Office 365.

Microsoft does not provide any government agency with direct, unfettered access to either customer data or the encryption keys securing the data. Their privacy statement regarding government access to data reads, in part:

If a government entity approaches Microsoft directly with a request related to a Microsoft Online Services customer, Microsoft will first try to redirect the entity to the customer to respond. If Microsoft is required to respond to the demand, Microsoft will promptly notify the customer and provide a copy of the demand (unless legally prohibited).

Microsoft publishes its law enforcement requests report to identify the number and types of requests it receives and its compliance with those requests. Microsoft recently received permission from the U.S government to publish information about Foreign Intelligence Surveillance Act orders and National Security Letters.

The government access reports are available here: https://www.microsoft.com/en-us/about/corporate-responsibility/reports-hub

For more on data privacy, see Privacy in Office 365.


Data Security in Office 365 and Azure

All data in Office 365 and its Rutgers University implementation (Rutgers Connect) can only be accessed over encrypted network protocols, ensuring that no third-party actor can intercept or read any communications between the end user and Office 365.

Once data of any sort is stored in Office 365, it remains at least doubly encrypted while at rest. First, all data is encrypted at the disk storage layers using BitLocker protocols. Second, each file residing in the Office 365 platform is individually encrypted, independently of the underlying storage encryption. As a rule, encryption keys are kept in different datacenters than the data they encrypt.

For more on data encryption, see Content Encryption in Microsoft Office 365.


Data Resiliency

To ensure that no customer data is ever lost, Microsoft ensures that for each user file stored within Office 365 there must exist at least 4 copies, which must reside in 4 separate datacenters within the United States. The architecture of Office 365 and the underlying Azure infrastructure is based on an understanding that failures can (and will) happen due to hardware, software, networking, and human errors. All efforts are made to ensure that none of these failures will ever result in customer data loss. So far, after one year of the platform’s active deployment at the University, we can confirm that we are not aware of any data loss for any Rutgers Connect user.

In addition to the data resiliency standards listed above, Office 365 offers many additional protections. For example, all data is scanned for known malware and viruses whenever entering or leaving Office 365, and data at rest is scanned weekly. Another of the platform’s offerings is the availability of a thorough version history for each document uploaded to OneDrive that keeps track of every change. This feature could be used to recover data that has been corrupted or even sabotaged by ransomware infections; a user could simply restore to a previous copy from before the known infection date.

As an additional level of protection, no file can be executed directly (and certain executable file extensions cannot even be stored) in the Office 365 environment.

For more on data resiliency, see Data Resiliency in Office 365.


Monitoring of Irregular Sign-ins and Intrusions:

Adding to the layers of protection mentioned thus far, all user and administrator access to data is logged and monitored for suspicious behavior. System administrators cannot access or modify user data without immutable logs of such activity. User login activity is monitored for access from suspicious locations or IP addresses; when such irregular access is detected, system administrators are notified to ensure a timely response and help prevent any possible compromise of user data.

For more on auditing and reporting, see Auditing and Reporting in Office 365.


Office 365 Compliance with Various Legal and Security Frameworks:

Microsoft Office 365 has been certified as compliant with many legal and security standards spanning a multitude of national and international legal systems. Standards with which Office 365 is compliant include HIPAA, FISMA, FedRAMP, FERPA, and many more.

Of particular interest to the Rutgers community is the Business Associate Agreement Microsoft has signed with regards to HIPAA compliance, as this has enabled Rutgers to proceed with the evaluation and certification of Rutgers Connect for use by RBHS and other departments that handle HIPAA-covered data.

For more on compliance offerings and other security topics see, About Microsoft Cloud Security.


Authors: Vladimir Gabrielescu, Elizabeth McMillion, Rae Clarke

Stay tuned for additional articles in this series, which will cover Rutgers-specific security considerations and features.

If you have any questions, comments or suggestions regarding the Rutgers Connect article series, please write to help@oit.rutgers.edu.


As described in this series, Office 365 and the Rutgers Connect implementation are designed with security as a top priority, offering a wide array of rigorous protective features at multiple levels which provide users with a great deal of privacy and safety. However, as with every existing platform, NPPI (Non-Public Personal Information, such as Social Security numbers) should still not be transmitted via email.