Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data
•
0 likes•415 views
Security is one of the top priorities for each company, secure external collaboration is a big part of this. How can we, as a company, work together with customers, partners, and vendors without having the risk of sharing confidential documents? How can we share sensitive information through email within my organization? In order to implement an information protection solution, you first need to understand what kind of information you need to protect; identifying your most critical assets is the first step in the data protection journey. Learn how you can leverage Azure Information Protection to enable secure sharing of information with employees, customers and partners in an easy and frictionless way.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data
Similar to Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data (20)
More from Bram de Jager
More from Bram de Jager (8)
Recently uploaded
Recently uploaded (20)
Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data
- 1. Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data Bram de Jager Lead Architect - delaware
- 3. Challenges with the complex environment Employees Business partners Customers Apps Devices Data Users Data leaks Lost device Compromised identity Stolen credentials
- 4. The problem is ubiquitous Intellectual Property theft has increased 56% rise data theft Accidental or malicious breaches due to lack of internal controls 88% of organizations are Losing control of data 80% of employees admit to use non-approved SaaS app 91% of breaches could have been avoided Organizations no longer confident in their ability to detect and prevent threats Saving files to non-approved cloud storage apps is common
- 5. Unregulated, unknown Managed mobile environment How much control do you have? On-premises Perimeter protection Identity, device management protection Hybrid data = new normal It is harder to protect
- 6. The evolution of Azure RMS DOCUMENT TRACKING DOCUMENT REVOCATION Monitor & respond LABELINGCLASSIFICATION Classification & labeling ENCRYPTION Protect ACCESS CONTROL POLICY ENFORCEMENT
- 7. Azure Information Protection DOCUMENT TRACKING DOCUMENT REVOCATION Monitor & respond LABELINGCLASSIFICATION Classification & labeling ENCRYPTION Protect ACCESS CONTROL POLICY ENFORCEMENT Full Data Lifecycle
- 8. Classify Data – Begin the Journey SECRET CONFIDENTIAL INTERNAL PUBLIC IT admin sets policies, templates, and rules PERSONAL Classify data based on sensitivity Start with the data that is most sensitive IT can set automatic rules; users can complement it Associate actions such as visual markings and protection
- 9. How Classification Works Reclassification You can override a classification and optionally be required to provide a justification Automatic Policies can be set by IT Admins for automatically applying classification and protection to data Recommended Based on the content you’re working on, you can be prompted with suggested classification User set Users can choose to apply a sensitivity label to the email or file they are working on with a single click
- 10. Apply labels based on classification %##&$^#*!~@& FINANCE CONFIDENTIAL %$^#*@& Persistent labels that travel with the document Labels are metadata written to documents Labels are in clear text so that other systems such as a DLP engine can read it and a hash of policies, rules, and user information
- 11. Protect data against unauthorized use VIEW EDIT COPY PASTE Email attachment FILE Protect data needing protection by: Encrypting data Including authentication requirement and a definition of use rights (permissions) to the data Providing protection that is persistent and travels with the data Personal apps Corporate apps
- 12. Demo Set an information protection platform for your business - in minutes
- 13. Using variables in visual markings • ${Item.Label} for the selected label. For example: Internal • ${Item.Name} for the file name or email subject. For example: JulySales.docx • ${Item.Location} for the path and file name for documents, and the email subject for emails. For example: Sales2016Q3JulyReport.docx • ${User.Name} for the owner of the document or email, by the Windows signed in user name. For example: rsimone • ${User.PrincipalName} for the owner of the document or email, by the Azure Information Protection client signed in email address (UPN). For example: rsimone@vanarsdelltd.com • ${Event.DateTime} for the date and time when the selected label was set. For example: 8/16/2016 1:30 PM
- 14. Azure Information Protection and SharePoint SharePoint supports Information Rights Management, based on Azure RMS Not “integrated” with Azure Information Protection (yet?) Automation based on AIP SDK would be a option to auto apply labels based on context Align Data Loss Prevention (DLP) with Azure Information Protection
- 15. Wrap-up
- 16. Azure Information Protection Premium P1/P2 Feature Azure Information Protection Premium P1 (EMS E3) Azure Information Protection Premium P2 (EMS E5) Manual labeling (user driven) Yes Yes View labels and watermarks in Office Yes Yes Apply content marking and RMS protection in Office Yes Yes Automatic and recommended labeling (conditions) Yes Classification, labeling and protection with MCAS Yes HYOK (Hold your own key – multi RMS server support) Yes
- 17. Key takeaways Azure Information Protection is about Classify, Label, Protect, and Monitor & Respond Helps your organization to understand and really use business information protection based on data classification Think about compliancy for the General Data Protection Regulation (GDPR), which is active as off May 25th 2018
Editor's Notes
- You have these entities – users, devices, apps and data Data is being shared with employees, customers and business partners You have to manage the complexity of protecting your users’ identities, and data stored on their devices and apps You need to prepare to mitigate the risks of providing freedom and space to your employees. You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats — all the while giving workers a better and more productive experience The cloud is here to stay The ‘cloud accepting’ population is growing… VERY rapidly Your managers (CxO) are changing their minds… or soon will… or are being replaced Microsoft is meeting organizations ‘in the middle’: abilities like lockbox, ‘going local’, etc. Your competition will use the cloud to their advantage You can’t compete with cloud vendors on substrate services (time, cost, innovation) You can’t lay the substrate and do value-add at the same rate as your cloud peers There will be breaches… both in the cloud and on-premises Cloud vendors, with billions invested and far better ‘signals’, will act/evolve far quicker
- We heard from you… and you are not alone
- You had control over your data when it resided within your boundaries Now that boundary has expanded with managed devices and cloud assets. MDM solutions help but not when data moves outside of your controlled environment Once shared outside your environment, you lose control over your data.
- 1.For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement 2.We added tracking and revocation capabilities for greater control over shared data 3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection Timelines Active Directory RMS - 2003 Azure RMS – 2013/2014 Announcement: Microsoft acquisition of Secure Islands – June 2016 Azure Information Protection (AIP) preview – July 2016 Azure Information Protection (AIP) general available – October 2016
- 1.For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement 2.We added tracking and revocation capabilities for greater control over shared data 3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection
- At data creation Using known data classification, well known company terminology Start small, learn based on experience Question: who is working at a business who has information protection language? Like private, restricted,… Now lower your hand whose business is not using this very well?
- Best case – IT sets up policy But IT can’t catch all so... Recommendations is the next best Flexibility for users to reclassify because policies won’t get it right all the time. But everything is logged so IT can audit in case of violation Users also have the option to label if they deem necessary, even when not automatically classified
- Labels stay with the data to enforce the policies and classification Persistent tag User awareness through visual labels Leverage AIP through SDK, third party integration or automation
- Extra protection is available for sensitive data Not just encryption, but rights of who can access it and what they can do with the data Audit trails to track data (via portal)
- Placeholders in header/footer
- https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-markings
- https://www.microsoft.com/en-us/cloud-platform/azure-information-protection-features HYOK vs BYOK >> HYOK on-premises for very highly confidential cases, other online with BYOK BYOK (Bring Your Own Key) is supported by Azure
- https://docs.microsoft.com/en-us/information-protection/get-started/faqs-infoprotect#how-can-dlp-solutions-and-other-applications-integrate-with-azure-information-protection