[IGNITE2018] [BRK2495] What’s new in Microsoft Information Protection solutions to help you protect your sensitive data

Description

Breakout Session with Bruno Lopes (MVP Exchange) on Microsoft Ignite | The Tour 2018

Transcript

  1. BRK2495
  2. Identity & access management; Security management; Threat protection
  3. 88% of organizations no longer have confidence to detect and prevent loss of sensitive data
     80% of employees use non-approved SaaS apps at work
     85% of enterprise organizations keep sensitive information in the cloud
     58% have accidentally sent sensitive information to the wrong person
  4. “I can’t apply unified policies across various data sources or to a specific repository”
     “My data is scattered across sources and the data continues to grow”
     “When enforcing compliance our business users’ productivity is disrupted”
     “I need complete coverage of all my devices and applications”
     “How do I protect sensitive information such as sensitive PII data across my enterprise?”
     “How do I find only relevant data when I need it?”
  5. Discover, Classify, Label, Apply label, Monitor
     Unified approach to discover, classify & label
     Automatically apply policy-based actions. Sensitivity: Encryption, Restrict Access, Watermark, Header/Footer. Retention: Retention, Deletion, Records Management, Archiving
     Proactive monitoring to identify risks: Sensitive data discovery, Data at risk, Policy violations, Policy recommendations, Proactive alerts
     Broad coverage across locations
  6. What / Where / How: Office 365 Information Protection, Windows Information Protection, Azure Information Protection
  7. What / Where / How: Office 365 Information Protection, Windows Information Protection, Azure Information Protection
  8. Scan & detect sensitive data based on policy
     Classify and label data based on sensitivity
     Apply protection actions, including encryption, access restrictions
  9. CLOUD & SaaS APPS
  10. CONFIDENTIAL: a tag that is customizable, readable by other systems, and persistent. It becomes the basis for applying and enforcing data protection policies.
      In files and emails, the label is persisted as document metadata
      In SharePoint Online, the label is persisted as container metadata
  11. Consistent and easy for users: apply and update labels while working in Office apps – Word, PowerPoint, Excel and Outlook
      Built-in: integrated natively into Office apps; no plug-ins or add-ons required for the latest Office 365 apps
      Broad platform support. Starting next week: Mac, iOS and Android public preview via Office Insider. Office on Windows and Outlook mobile public preview by EOY. Azure Information Protection add-in available today
  12. Leverage ad-hoc end-user controls or automatic policies
      Protect: mitigates the risk of unintended disclosure through encryption and rights protection
      Control: leverage automatic policies or ad-hoc end-user controls for emails shared inside or outside the organization
      Compliance: meet compliance obligations that require encrypting data or encryption key control
      Recipients can read protected messages using consumer identities; easily read protected emails on any device
  13. Windows protects files based on the sensitivity label
      Prevent data from being accidentally copied to unmanaged apps and sites
      Available starting with Windows 10 version 1809
      Understand labels, apply policy
  14. Helps you manage sensitive data prior to migrating to Office 365 or other cloud services
      Use discover mode to identify and report on files containing sensitive data
      Use enforce mode to automatically classify, label and protect files with sensitive data
      Can be configured to scan: CIFS file shares, SharePoint Server 2016, SharePoint Server 2013
  15. Discovery mode! Constantly monitoring!
  16. Adobe Acrobat will be able to understand and honor labels and protection
      View protected files natively in Adobe Acrobat on Windows
      Labeling experience will be built natively into Acrobat
      Integration enabled by the Microsoft Information Protection SDK
      Public Preview: October 2018. GA: January 2019
  17. Scan & detect sensitive data based on policy
      Classify and label data based on sensitivity
      Apply protection actions, including encryption, access restrictions
      View reports and assess classified, labeled and protected data
  18. Better visibility into classified, labeled and protected files – across workloads
      Help identify information protection anomalies and risks
      View by label type, service/app and label method (e.g. manual, automatic)
      Recommendations to tune policy settings
  19. DEVICES (PCs, tablets, mobile): Windows Information Protection; Intune App Protection Policies
      OFFICE 365 (Exchange Online, SharePoint Online & OneDrive for Business): Office 365 DLP & Message Encryption; Office 365 Advanced Data Governance
      CLOUD SERVICES, SAAS APPS & ON-PREMISES (Azure, SaaS & ISVs, datacenters, file shares): Azure Information Protection; Microsoft Cloud App Security; Highly regulated
  20. Getting started
  21. Demo
  22. Discover compliance-related sensitive data across locations, including on-premises
      GDPR-specific sensitive information types help protect personal data in EU countries
      Assess whether or not your cloud apps are GDPR compliant
      Gain visibility into classification, labeling and protection of personal data (including endpoints, locations, users)
      Guide end-users when working with personal data – with policy tips and recommendations
  23. Capabilities by plan: O365 E3, O365 E5, EMS E3, EMS E5 (● marks per plan as shown on the slide)
      Classification & labeling of sensitive data
      Create and manage sensitivity labels in Security & Compliance Center unified labeling experience: ● ● ● ●
      Manual labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): ● ●
      Manual labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling: ● ● ● ●
      Manual labeling in Office apps on Windows using AIP client: ●
      Automated classification and labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): ● ●
      Discover sensitive data in on-premises file servers, apply label to entire repository or folder (1): ● ●
      Automated classification and labeling of files in on-premises file servers (AIP scanner): ●
      Automated classification and labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling: ● ●
      Automated classification and labeling in Office apps on Windows using AIP client: ●
      Information Protection SDK to apply labels to files: ● ●
      Encryption & rights-based restrictions
      Add ad-hoc protection to Office documents: ● ●
      Encrypt emails to internal or external recipients: ● ●
      Data Loss Prevention (DLP)
      Block sharing of sensitive files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): ● ●
      Cloud App Security
      Classify and label data in 3rd-party SaaS apps and cloud services: ●
      Windows Information Protection
      Prevent copying and sharing of data from a business location to a non-business location on Windows 10 devices: ● ●
      Apply Windows Information Protection policy based on sensitivity label in document: ●
      (1) Running AIP scanner in “Discover all” mode
  24. © Copyright Microsoft Corporation. All rights reserved.
      BRK2006 - Use Microsoft Information Protection (MIP) to help protect your sensitive data everywhere, throughout its lifecycle
      BRK3002 - Understanding how Microsoft Information Protection capabilities work together to protect sensitive information across devices, apps, and services
      THR2005 - The latest and greatest Microsoft information protection capabilities you should be using now
  25. © Copyright Microsoft Corporation. All rights reserved. Thank you
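Slide 10 says the label is persisted as document metadata in files. Concretely, Office and the AIP client store it as custom document properties named MSIP_Label_<label GUID>_<field> in the docProps/custom.xml part of the Office Open XML package, which is what lets other systems read and honor it. The following added example (not Microsoft code) reads those properties from a .docx/.xlsx/.pptx package and reports the active label; the label GUID, tenant id, date and the package-builder are constructed sample data, and the meaning given for the Method values is an assumption.

```python
"""Read Microsoft Information Protection sensitivity-label metadata from an OOXML file."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # user-defined property set
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})_(\w+)$")
SAMPLE_GUID = "c4d5b2a1-1111-2222-3333-444455556666"  # constructed, not a real label id


def read_custom_properties(package_bytes):
    """Return {name: value} from docProps/custom.xml; {} if absent or not an OOXML zip."""
    props = {}
    try:
        with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
            if "docProps/custom.xml" not in zf.namelist():
                return props
            root = ET.fromstring(zf.read("docProps/custom.xml"))
    except zipfile.BadZipFile:
        return props  # legacy .doc, PDF, plain text: label (if any) is not stored this way
    for prop in root.findall(f"{{{CP_NS}}}property"):
        name = prop.get("name")
        child = next(iter(prop), None)  # single vt:* child carries the value
        if name and child is not None:
            props[name] = (child.text or "").strip()
    return props


def extract_labels(package_bytes):
    """Group MSIP_Label_* properties by label GUID -> {field: value}."""
    labels = {}
    for name, value in read_custom_properties(package_bytes).items():
        m = LABEL_RE.match(name)
        if m:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels


def active_label(package_bytes):
    """Return (guid, fields) for the label whose Enabled field is true, else None."""
    for guid, fields in extract_labels(package_bytes).items():
        if fields.get("Enabled", "").lower() == "true":
            return guid, fields
    return None


def label_properties(guid, name, method="Privileged", site_id="00000000-0000-0000-0000-000000000000"):
    """Property set in the shape Office/AIP write (constructed sample values).
    Assumption: Method is 'Privileged' when a user picked the label, 'Standard' when policy did."""
    prefix = f"MSIP_Label_{guid}_"
    return {
        prefix + "Enabled": "true",
        prefix + "Name": name,
        prefix + "Method": method,
        prefix + "SiteId": site_id,  # tenant id of the labeling tenant
        prefix + "SetDate": "2018-10-01T12:00:00Z",
    }


def build_sample_package(custom_props):
    """Build a minimal OOXML zip; an empty dict yields a package with no custom.xml part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        if custom_props:
            rows = "".join(
                f'<property fmtid="{FMTID}" pid="{pid}" name={quoteattr(n)}>'
                f"<vt:lpwstr>{escape(v)}</vt:lpwstr></property>"
                for pid, (n, v) in enumerate(custom_props.items(), start=2)
            )
            zf.writestr(
                "docProps/custom.xml",
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">{rows}</Properties>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    labelled = build_sample_package(label_properties(SAMPLE_GUID, "Confidential"))
    print(active_label(labelled))
    print(active_label(build_sample_package({})))  # None: unlabeled file
```

Reading the label this way only tells you what the metadata claims; a file whose content was rights-protected (encrypted) additionally carries that protection in the package itself, and a label value alone should not be trusted as proof that protection was applied.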

Editor's Notes

  • BRK2495: What's new in Microsoft Information Protection solutions to help you protect your sensitive data - wherever it lives or travels
    SEC20: Configuring and deploying Microsoft Information Protection solutions to help protect your sensitive data
  • So now, let's talk about the second piece of our platform story, and that's around information protection.
  • Sensitive data is at risk more than ever before. We have all seen and heard about the inadvertent or inappropriate sharing of sensitive information – either in the news or perhaps in your own organization. This data shows that the concern is real, but of course it becomes even more real when it happens to you and your company and you have to deal with potentially severe consequences.

    11% source: https://www.otalliance.org/system/files/files/initiative/documents/ota_cyber_incident_trends_report_jan2018.pdf
    58% source: http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf

  • So, we know that with the shift to the mobile-first cloud-first world, the perimeter is only a single component of protecting information. 
    It’s important that customers balance their goals of security and productivity:
    Customers want to enable and foster collaboration to create new business value, and this requires data sharing and data mobility
    At the same time, they want to prevent unauthorized disclosure, modification, or destruction of data and important information
    Customers also want to reduce and manage the risk of user errors – such as unintentional sharing or inappropriate usage of important information

    Ultimately, data must be protected at all times, both inside and outside of the network.
  • Adding to the complexity are the increasing compliance demands that many companies must navigate. This is driving the need to implement robust data protection and data governance policies. With the explosion of data – at an exponential rate – customers are looking for a unified approach and streamlined process to target the most relevant sensitive data, and apply the right controls. All while ensuring that end user productivity is not negatively impacted. For many customers, GDPR is the most important compliance matter facing them over the next year or so. There are certain steps that customers can take to protect their sensitive information and accelerate their compliance with their internal requirements as well as regulatory bodies or GDPR.

    OLD DATA-POINTS:
    80% of enterprises allow BYOD
    730 cloud apps are being used, on average
    85% of enterprises keep sensitive data in the cloud. https://www.vormetric.com/company/newsroom/press-releases/85-of-enterprises-keeping-sensitive-data-in-the-cloud-70-very-or-extremely-concerned-about-it-2016-vormetric-data-threat-report-cloud-big-data-and-iot-edition

    Employees work on nearly 2x the number of teams than they did five years ago
    Information overload wastes 25% of employee time, costing U.S. business $997B each year
  • Clearly, there are several reasons why a comprehensive information protection approach is so important. People are working in new ways. Data is being created and shared across boundaries – across a variety of devices, apps and cloud services. Compliance concerns add a layer of scrutiny to how data is being used and shared. Now let’s take a closer look at a framework for how customers can define and implement their own information protection strategy.

    We see four primary elements of the information protection lifecycle: Discover, classify, protect and monitor. Each step has its own set of requirements and unique considerations.

    First, let’s talk about the Discover phase: Discovering sensitive data is the first step. As data travels to various locations – often outside of the organization’s environment – you want to know what sensitive data you have and where it’s located. Data may have different levels of sensitivity, and not all data needs the same level of protection.

    Classify: After sensitive data has been discovered, it’s important to classify the data into distinct categories so that custom controls, such as policies and actions, can be applied. Once the classification scheme is set by the organization, policies can be configured and customized so that sensitive data such as intellectual property, customer info, health records, etc., are protected, stored and shared in a manner that adheres to the organization’s unique requirements. Classification and labeling persists with the file and can be understood and honored by other services, avoiding the need to reclassify and re-label throughout the file’s journey.

    Protect: Classifying and labeling data often results in a policy rule that applies some level of protection to sensitive data.

    Monitor: Gaining visibility into how users are using or distributing sensitive information is an important component of your information protection strategy. In the case of unexpected activity or events involving sensitive information, organizations also need to be able to respond quickly and accurately.  

  • - Comment Exchange MRM Policies
  • First, let’s look at the Detect phase of information protection. This involves scanning and detecting sensitive data – all based on the policy defined and configured by your organization.

    Key considerations:
    Is there an automated way to discover important data?
    Which regulations and compliance factors matter?
    Is my data spread out across devices, cloud & on prem?
    Is my data spread out geographically?
    Are certain employees or groups more relevant for discovery?
    Do I know the characteristics of sensitive or important data?
  • In order to achieve comprehensive protection across your organization, it’s important that you are able to discover sensitive information no matter where it is created or lives. That means having sensitive data discovery capabilities across your on premises file shares or datacenters, on individual devices as well as across cloud services and SaaS applications.
  • We are also investing in building labeling capabilities natively into Office applications, across all platforms (Mac, iOS, Android, Windows). Along with the unified labeling schema, this will provide a consistent and better end-user experience. Customers won’t need to download and install any separate plug-ins, since the labeling experience will be built right into Office.

    The native labeling experience for Office for Mac is currently in public preview in the Office Insider program (with iOS and Android Office coming shortly thereafter) and we are targeting general availability for most platforms by the end of CY18.
  • Talking point: OME is enabled for ~100M Office 365 users.

    Context: Email is also a main channel for sharing information, and is therefore prone to unintended disclosure. Encryption is typically also too difficult to use. For many organizations, one of the biggest hurdles is making it easy enough that users adopt the technology and collaborate securely.

    At Ignite we announced new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability for your users to be productive and to easily collaborate with those inside or outside of your organization.

    PROTECT: Mitigate the risk of unintended disclosure of emails to anyone inside or outside your organization, so that only the intended recipient with the right identity can read the encrypted message. Recipients outside of the organization can use their own email provider. OME provides an added layer of encryption at the content level. OME also enables organizations to rights-protect the email so that only people with the right identity can read the message, and Office attachments inherit the protection applied to the email.
    Ex. Greg from Big Bank needs to send a sensitive message to his client with his recommended stock picks but does not want him to forward it.
    CONTROL: Admins can apply automatic policies and end users can be empowered to apply ad hoc policies that encrypt and rights-protect messages sent inside and outside the organization. Additionally, recipients can easily read protected messages using their consumer identities such as Google, Yahoo or Microsoft Accounts – or use a one-time passcode.
    Ex. Secret acquisition: the company wishes to encrypt all messages exchanged with the external company. The admin applies a mail flow rule.
    Ex. A doctor wants to communicate with patients who use Gmail. The patient can authenticate using their Google identity to read and reply to the protected message.
    COMPLIANCE: We’re also providing more enterprise grade capabilities - for regulated customers, Office 365 Message Encryption will enable you to provide and manage your own tenant encryption keys with BYOK with Azure Information Protection for Exchange Online.
  • The recently released AIP scanner can help you discover, classify, label and protect sensitive information in your on-premises file servers. We know that customers still hold a lot of data on-premises, even if they are moving to the cloud. The AIP scanner can help in providing greater visibility into the presence of sensitive data on-premises, or you can apply the desired labeling and protection before migrating your files to Office 365, for example.
  • This summarizes the primary solutions that can be implemented to protect sensitive information on devices, within your Office 365 environment, and then beyond your Office 365 environment to Azure, 3rd party cloud services and apps and on-premises environments.

    At the device level: Windows Information Protection and BitLocker help protect sensitive information on Windows 10 devices. Beyond Windows devices, Intune mobile device management and mobile application management provides similar protection capabilities.

    Many customers use Office 365 as their main productivity solution. We protect information whether it resides in email in Exchange Online, SharePoint Online or OneDrive for Business.
    Office 365 Advanced Data Governance enables you to classify and label documents for the purpose of applying retention, expiration and deletion policies to important information
    This is complemented with Office 365 Data Loss Prevention (DLP), which enables you to prevent sensitive information in Office 365 from getting into the wrong hands or being accidentally shared

    Beyond Office 365, customers are increasingly using Azure and/or a combination of cloud services and cloud apps, often in conjunction with legacy on premises data centers and file shares.
    Azure Information Protection helps protect sensitive information across cloud services and on premise environments
    Microsoft Cloud App Security provides visibility and control across cloud app usage

    Each of these components works together with the others to provide end-to-end protection of sensitive data across your environment. Let’s take a closer look at each and how it can help you.
  • Meeting compliance requirements is a top priority for many companies. GDPR is obviously a concern, and similar regulations are either in place or will soon be in place in most parts of the world. We have several capabilities that can help you in your compliance journey.

    You can configure your policies to discover, classify and protect compliance-related sensitive data across a variety of locations. This includes Office 365, cloud services, and even on-premises file servers (using the AIP scanner).

    We just recently released several new GDPR-related sensitive information types in Office 365 that you can use to detect personal data in EU countries. We are targeting making this available in Azure Information Protection later in CY18, as well as expanding the list of sensitive information types.

    Microsoft Cloud App Security recently made enhancements to be able to assess which of your cloud apps are GDPR compliant.
  • Microsoft Field: Please view associated material at https://microsoft.sharepoint.com/sites/Infopedia_G01/Pages/AIP.aspx and Office 365 OnRamp at https://microsoft.sharepoint.com/sites/Infopedia_G03/officeonramp/SitePages/Office365Security.aspx#Security
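The discover mode described for the AIP scanner (slide 14) and the sensitive information types mentioned in the notes rest on the same structure: a primary pattern (with a checksum where the data has one), supporting keywords that must occur within a proximity window, and a confidence level derived from what matched, applied in report-only fashion before any enforce step. The following added example (not Microsoft's classification engine, and only a simplified stand-in for the built-in "Credit Card Number" type) implements that structure over constructed sample file contents; the keyword list and the 300-character window are assumptions.

```python
"""Discover-mode scan modelled on sensitive information types (report only, nothing modified)."""
import re
from dataclasses import dataclass

# 13-16 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
# Supporting evidence, matched on word boundaries so "exp" does not fire inside "expected"
KEYWORDS = re.compile(r"\b(?:credit card|card number|visa|mastercard|amex|cvv|expiry|exp)\b", re.I)
PROXIMITY = 300  # characters on either side of the primary match (assumed window)
CONFIDENCE_RANK = {"medium": 1, "high": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs such as order or ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    sit: str          # sensitive information type name
    masked: str       # last four digits only: the report must not become a second copy of the data
    confidence: str   # "high" (checksum + supporting keyword) or "medium" (checksum only)
    offset: int


def scan_text(text: str):
    """Return Findings for every Luhn-valid candidate, graded by nearby supporting evidence."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # the pattern alone is not evidence
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        confidence = "high" if KEYWORDS.search(window) else "medium"
        masked = "*" * (len(digits) - 4) + digits[-4:]
        findings.append(Finding("Credit Card Number", masked, confidence, m.start()))
    return findings


def discover(files, min_confidence="medium"):
    """Discover-mode report {filename: [Finding]} for files with hits at or above min_confidence."""
    threshold = CONFIDENCE_RANK[min_confidence]
    report = {}
    for name, text in files.items():
        hits = [f for f in scan_text(text) if CONFIDENCE_RANK[f.confidence] >= threshold]
        if hits:
            report[name] = hits
    return report


# Constructed sample "file share" contents; the card number is the public Visa test PAN
SAMPLE_FILES = {
    "expenses.txt": "Paid with the corporate credit card 4111 1111 1111 1111, exp 09/21.",
    "notes.txt": "Reference 4111111111111111 was quoted on the call; follow up next week.",
    "tickets.txt": "Ticket 4111111111111112 opened by the helpdesk.",  # fails the Luhn check
    "readme.txt": "Nothing sensitive in here.",
}

if __name__ == "__main__":
    for fname, hits in discover(SAMPLE_FILES).items():
        for h in hits:
            print(f"{fname}: {h.sit} {h.masked} ({h.confidence}) at offset {h.offset}")
```

Running with min_confidence="high" first and reviewing the medium-confidence hits before switching the scanner to enforce mode is the practical way to keep automatic labeling from tagging order numbers and other near-misses.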

  • Description

    Breakout Session with Bruno Lopes (MVP Exchange) on Microsoft Ignite | The Tour 2018

    Transcript

    1. 1. BRK2495
    2. 2. Identity & access management Security management Threat protection
    3. 3. 88 % of organizations no longer have confidence to detect and prevent loss of sensitive data of employees use non-approved SaaS apps at work80% 85 % of enterprise organizations keep sensitive information in the cloud 58 % Have accidentally sent sensitive information to the wrong person
    4. 4. “I can’t apply unified policies across various data sources or to a specific repository” “My data is scattered across sources and the data continues to grow” “When enforcing compliance our business users’ productivity is disrupted” “I need complete coverage of all my devices and applications” “How do I protect sensitive information such as sensitive PII data across my enterprise?” “How do I find only relevant data when I need it?”
    5. 5. LabelDiscover Classify Sensitivity Retention  Encryption  Restrict Access  Watermark  Header/Footer  Retention  Deletion  Records Management  Archiving  Sensitive data discovery  Data at risk  Policy violations  Policy recommendations  Proactive alerts Unified approach to discover, classify & label Automatically apply policy-based actions Proactive monitoring to identify risks Broad coverage across locations Apply label Unified approach Monitor
    6. 6. Office 365 Information Protection Windows Information Protection Azure Information Protection What Where How
    7. 7. What Where How Office 365 Information Protection Windows Information Protection Azure Information Protection
    8. 8. Scan & detect sensitive data based on policy Classify and label data based on sensitivity Apply protection actions, including encryption, access restrictions
    9. 9. a CLOUD & SaaS APPS
    10. 10. CONFIDENTIAL Tag that is customizable, readable by other systems, and persistent. It becomes the basis for applying and enforcing data protection policies. In files and emails, the label is persisted as document metadata In SharePoint Online, the label is persisted as container metadata
    11. 11. Consistent and easy for users Apply and update labels while working in Office apps – Word, PowerPoint, Excel and Outlook Built-in Integrated natively into Office apps; no plug-ins or add-ons required for latest Office 365 apps. Broad platform support Starting next week: Mac, iOS and Android public preview via Office Insider Office on Windows and Outlook mobile public preview by EOY Azure Information Protection add-in available today
    12. 12. Leverage ad-hoc end user controls or automatic policies Protect Mitigates risk of unintended disclosure through encryption and rights protection Control Leverage automatic policies or ad hoc end-user controls, for emails shared inside or outside the organization Compliance Meet compliance obligations that require encrypting data or encryption key control Recipients can read protected messages using consumer identities Easily read protected emails on any device
    13. 13. Windows protects file based on sensitivity label Prevent data from being accidentally copied to unmanaged apps and sites Available starting with Windows 10 version 1809 Understand labels, apply policy
    14. 14. Helps you manage sensitive data prior to migrating to Office 365 or other cloud services Use discover mode to identify and report on files containing sensitive data Use enforce mode to automatically classify, label and protect files with sensitive data Can be configured to scan: • CIFS file shares • SharePoint Server 2016 • SharePoint Server 2013
    15. 15. Discovery mode! Constantly monitoring!
    16. 16. Adobe Acrobat will be able to understand and honor labels and protection View protected files natively on Adobe Acrobat on Windows Labeling experience will be built natively into Acrobat Integration enabled by the Microsoft Information Protection SDK Public Preview: October 2018 GA: January 2019
    17. 17. Scan & detect sensitive data based on policy Classify and label data based on sensitivity Apply protection actions, including encryption, access restrictions View reports and assess classified, labeled and protected data
    18. 18. Better visibility into classified, labeled and protected files – across workloads Help identify information protection anomalies and risks View by label type, service/app and label method (e.g. manual, automatic) Recommendations to tune policy settings
    19. 19. PCs, tablets, mobile Office 365 DLP & Message EncryptionWindows Information Protection Azure Information Protection Exchange Online, SharePoint Online & OneDrive for Business Highly regulated Microsoft Cloud App Security Office 365 Advanced Data Governance Datacenters, file shares Azure SaaS & ISVs O F F I C E 3 6 5D E V I C E S C L O U D S E R V I C E S , S A A S A P P S & O N - P R E M I S E S Intune App Protection Policies
    20. 20. Getting started
    21. 21. Demo
    22. 22. Discover compliance-related sensitive data across locations, including on-premises GDPR-specific sensitive information types helps protect personal data in EU countries Assess whether or not your cloud apps are GDPR compliant Gain visibility into classification, labeling and protection of personal data (including endpoints, locations, users) Guide end-users when working with personal data – with policy tips and recommendations
    23. 23. Capabilities O365 E3 O365 E5 EMS E3 EMS E5 Classification & labeling of sensitive data Create and manage sensitivity labels in Security & Compliance Center unified labeling experience ● ● ● ● Manual labeling of files in Office 365 services (Exchange Online, SharePoint Online,OneDrive for Business) ● ● Manual labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling ● ● ● ● Manual labeling in Office apps on Windows using AIP client ● Automated classification and labeling of files in Office 365 services (Exchange Online,SharePoint Online, OneDrive for Business) ● ● Discover sensitive data in on-premises file servers, apply label to entire repository or folder 1 ● ● Automated classification and labeling of files in on-premises file servers (AIP scanner) ● Automated classification and labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling ● ● Automated classification and labeling inf Office apps on Windows using AIP client ● Information Protection SDK to apply labels to files ● ● Encryption & rights-based restrictions Add ad-hoc protection to Office documents ● ● Encrypt emails to internal or external recipients ● ● Data Loss Prevention (DLP) Block sharing of sensitive files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business) ● ● Cloud App Security Classify and label data in 3rd-party SaaS apps and cloud services ● Windows Information Protection Prevent copying and sharing of data from a business location to a non-business location on Windows 10 devices ● ● Apply Windows Information Protection policy based on sensitivity label in document ● 1 Running AIP scanner in “Discover all” mode
    24. 24. © Copyright Microsoft Corporation. All rights reserved. BRK2006 - Use Microsoft Information Protection (MIP) to help protect your sensitive data everywhere, throughout its lifecycle BRK3002 - Understanding how Microsoft Information Protection capabilities work together to protect sensitive information across devices, apps, and services THR2005 - The latest and greatest Microsoft information protection capabilities you should be using now
    25. 25. © Copyright Microsoft Corporation. All rights reserved. Thank you

    Editor's Notes

  • BRK2495: What's new in Microsoft Information Protection solutions to help you protect your sensitive data - wherever it lives or travels
    SEC20: Configuring and deploying Microsoft Information Protection solutions to help protect your sensitive data
  • So now, let's talk about the second piece of our platform story, and that's around information protection.
  • Sensitive data is at risk more than ever before. We have all seen and heard about the inadvertent or inappropriate sharing of sensitive information – either in the news or perhaps in your own organization. This data shows that the concern is real, but of course it becomes even more real when it happens to you and your company, and have to deal with potentially severe consequences.

    11% source: https://www.otalliance.org/system/files/files/initiative/documents/ota_cyber_incident_trends_report_jan2018.pdf
    58% source: http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf

  • So, we know that with the shift to the mobile-first cloud-first world, the perimeter is only a single component of protecting information. 
    It’s important that customers balance their goals of security and productivity:
    Customers want to enable and foster collaboration to create new business value, and this requires data sharing and data mobility
    At the same time, they want to prevent unauthorized disclosure, modification, or destruction of data and important information
    Customers also want to reduce and manage the risk of user errors – such as unintentional sharing or inappropriate usage of important information

    Ultimately, data must be protected at all time, both inside and outside of the network.
  • Adding to the complexity are the increasing compliance demands that many companies must navigate. This is driving the need to implement robust data protection and data governance policies. With the explosion of data – at an exponential rate – customers are looking for a unified approach and streamlined process to target the most relevant sensitive data, and apply the right controls. All while ensuring that end user productivity is not negatively impacted. For many customers, GDPR is the most important compliance matter facing them over the next year or so. There are certain steps that customers can take to protect their sensitive information and accelerate their compliance with their internal requirements as well as regulatory bodies or GDPR.

    OLD DATA-POINTS:
    80% of enterprises allow BYOD
    730 cloud apps are being used, on average
    85% of enterprises keep sensitive data in the cloud. https://www.vormetric.com/company/newsroom/press-releases/85-of-enterprises-keeping-sensitive-data-in-the-cloud-70-very-or-extremely-concerned-about-it-2016-vormetric-data-threat-report-cloud-big-data-and-iot-edition

    Employees work on nearly 2x the number of teams than they did five years ago
    Information overload wastes 25% of employee time, costing U.S. business $997B each year
  • Clearly, there are several reasons why a comprehensive information protection approach is so important. People are working in new ways. Data is being created and shared across boundaries – across a variety of devices, apps and cloud services. Compliance concerns add a layer of scrutiny to how data is being used and shared. Now let’s take a closer look at a framework for how customers can define and implement their own information protection strategy.

    We see four primary elements of the information protection lifecycle: Discover, classify, protect and monitor. Each step has its own set of requirements and unique considerations.

    First, let’s talk about the Discover phase: Discovering sensitive data is the first step. As data travels to various locations, often outside of the organization’s environment, you want to know what sensitive data you have and where it’s located. Data may have different levels of sensitivity, and not all data needs the same level of protection.

    Classify: After sensitive data has been discovered, it’s important to classify the data into distinct categories so that custom controls, such as policies and actions, can be applied. Once the classification scheme is set by the organization, policies can be configured and customized so that sensitive data such as intellectual property, customer info, health records, etc., are protected, stored and shared in a manner that adheres to the organization’s unique requirements. Classification and labeling persists with the file and can be understood and honored by other services, avoiding the need to reclassify and re-label throughout the file’s journey.

    Protect: Classifying and labeling data often results in a policy rule to apply some level of protection to sensitive data.

    Monitor: Gaining visibility into how users are using or distributing sensitive information is an important component of your information protection strategy. In the case of unexpected activity or events involving sensitive information, organizations also need to be able to respond quickly and accurately.

  • - Comment Exchange MRM Policies
  • First, let’s look at the Detect phase of information protection. This involves scanning and detecting sensitive data – all based on the policy defined and configured by your organization.

    Key considerations:
    Is there an automated way to discover important data?
    Which regulations and compliance factors matter?
    Is my data spread out across devices, cloud & on prem?
    Is my data spread out geographically?
    Are certain employees or groups more relevant for discovery?
    Do I know the characteristics of sensitive or important data?
  • In order to achieve comprehensive protection across your organization, it’s important that you are able to discover sensitive information no matter where it is created or lives. That means having sensitive data discovery capabilities across your on premises file shares or datacenters, on individual devices as well as across cloud services and SaaS applications.
  • We are also investing in building labeling capabilities natively into Office applications, across all platforms (Mac, iOS, Android, Windows). Along with the unified labeling schema, this will provide a consistent and better end-user experience. Customers won’t need to download and install any separate plug-ins, since the labeling experience will be built right into Office.

    The native labeling experience for Office for Mac is currently in public preview in the Office Insider program (with iOS and Android Office coming shortly thereafter) and we are targeting general availability for most platforms by the end of CY18.
  • Talking point: OME is enabled for ~100M Office 365 users.

    Context: Email is also a main channel for sharing information, and is therefore prone to unintended disclosure. Encryption is typically also too difficult to use. For a lot of organizations one of their biggest hurdles is making it easy enough that users can adopt the technology and collaborate securely.

    At Ignite we announced new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability of your users to be productive and to easily collaborate with those inside or outside of your organization.

    PROTECT: Mitigate the risk of unintended disclosure of emails to anyone inside or outside your organization, so that only the intended recipient with the right identity can read the encrypted message. Recipients outside of the organization can use their own email provider. OME provides an added layer of encryption at the content level. OME also enables organizations to rights-protect the email so that only the people with the right identity can read the message, and Office documents attached to the email inherit the protection applied to it.
    Ex. Greg from Big Bank needs to send a sensitive message to his client with his recommended stock picks, but does not want the client to forward it.
    CONTROL: Admins can apply automatic policies, and end users can be empowered to apply ad hoc policies that encrypt and rights-protect messages sent inside and outside the organization. Additionally, recipients can easily read protected messages using their consumer identities such as Google, Yahoo or Microsoft accounts, or by using a one-time passcode.
    Ex. Secret acquisition: the company wishes to encrypt all messages exchanged with the external company. The admin applies a mail flow rule.
    Ex. A doctor wants to communicate with patients who use Gmail. The patient can authenticate using their Google identity to read and reply to the protected message.
    COMPLIANCE: We’re also providing more enterprise-grade capabilities. For regulated customers, Office 365 Message Encryption will enable you to provide and manage your own tenant encryption keys (BYOK) with Azure Information Protection for Exchange Online.
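    The two admin-driven scenarios above (encrypt everything exchanged with an external company; rights-protect a sender group's mail so recipients cannot forward it) are both implemented as Exchange Online mail flow rules. The following is an added example written for this transcript, not code from the session or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the account used can manage transport rules, and that the domain, group and rule names are placeholders to be replaced with your own.

```powershell
# Added example (not from the session): Exchange Online mail flow rules that apply
# Office 365 Message Encryption (OME) templates for the scenarios in the notes.
# Assumptions: ExchangeOnlineManagement module present; "partner.example" and
# "advisors@contoso.example" are placeholders.

Connect-ExchangeOnline

# Scenario 1 (acquisition): encrypt every message sent to the partner's domain.
# "Encrypt" is the built-in OME template; recipients on any mail provider open the
# message after signing in with their own identity or a one-time passcode.
New-TransportRule -Name "OME - encrypt mail to partner (placeholder)" `
    -RecipientDomainIs "partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Scenario 2 (stock picks): rights-protect mail from a sender group so the
# recipient cannot forward, print or copy it. Office attachments inherit it.
New-TransportRule -Name "OME - Do Not Forward for advisors (placeholder)" `
    -FromMemberOf "advisors@contoso.example" `
    -SubjectOrBodyContainsWords "confidential" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Verification: list every rule that applies a protection template, with its
# state and priority, so you can confirm the policy is enabled and ordered
# ahead of any rule that might stop processing before it.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, State, Priority, ApplyRightsProtectionTemplate
```

    The final query is the check worth repeating after any rule change: a protection rule that is disabled, or that sits below a higher-priority rule ending rule processing, silently leaves mail unprotected.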
  • The recently released AIP scanner can help you discover, classify, label and protect sensitive information on your on-premises file servers. We know that customers still hold a lot of data on-premises, even if they are moving to the cloud. The AIP scanner can help by providing greater visibility into the presence of sensitive data on-premises, or you can apply the desired labeling and protection before migrating your files to Office 365, for example.
  • This summarizes the primary solutions that can be implemented to protect sensitive information on devices, within your Office 365 environment, and then beyond your Office 365 environment to Azure, 3rd party cloud services and apps and on-premises environments.

    At the device level: Windows Information Protection and BitLocker help protect sensitive information on Windows 10 devices. Beyond Windows devices, Intune mobile device management and mobile application management provide similar protection capabilities.

    Many customers use Office 365 as their main productivity solution. We protect information whether it resides in email in Exchange Online, SharePoint Online or OneDrive for Business.
    Office 365 Advanced Data Governance enables you to classify and label documents for the purpose of applying retention, expiration and deletion policies to important information.
    This is complemented by Office 365 Data Loss Prevention (DLP), which enables you to prevent sensitive information in Office 365 from getting into the wrong hands or being accidentally shared.

    Beyond Office 365, customers are increasingly using Azure and/or a combination of cloud services and cloud apps, often in conjunction with legacy on-premises data centers and file shares.
    Azure Information Protection helps protect sensitive information across cloud services and on-premises environments.
    Microsoft Cloud App Security provides visibility and control across cloud app usage.

    Each of these components works together with the others to provide end-to-end protection of sensitive data across your environment. Let’s take a closer look at each and how it can help you.
  • Meeting compliance requirements is a top priority for many companies. GDPR is obviously a concern, and similar regulations are either in place or will soon be in place in most parts of the world. We have several capabilities that can help you in your compliance journey.

    You can configure your policies to discover, classify and protect compliance-related sensitive data across a variety of locations. This includes Office 365, cloud services, and even on-premises file servers (using the AIP scanner).

    We just recently released several new GDPR-related sensitive information types in Office 365 that you can use to detect personal data in EU countries. We are targeting making these available in Azure Information Protection later in CY18, as well as expanding the list of sensitive information types.

    Microsoft Cloud App Security recently made enhancements to be able to assess which of your cloud apps are GDPR compliant.
  • Microsoft Field: Please view associated material at https://microsoft.sharepoint.com/sites/Infopedia_G01/Pages/AIP.aspx and Office 365 OnRamp at https://microsoft.sharepoint.com/sites/Infopedia_G03/officeonramp/SitePages/Office365Security.aspx#Security