C01 office 365, DLP data loss preventions, privacy, compliance, regulations
Presentation for SharePoint Paris 2015 on DLP Data loss prevention, privacy and compliance.
1. C01: Office 365: Data leakage protection, privacy, compliance and regulations
   • #SPSParis C01
   • Edge Pereira
   • May 30th, 2015
2. Thanks to our sponsors! Platinum, Gold, Silver, Organizers. Raffle.
3. 10% discount with the code SPSPa15 at www.sharepointeurope.com
4. Records Compromised in 2014: 1 Billion. “By far, the most common record type exposed in 2014 were passwords, followed by usernames, email addresses, and PII (name, address, SSN, DOB, phone number, etc.)…” Criminals are starting to favour PII over financial information, because it's easier to sell and leverage. Source: http://www.cio.com/article/2848593/data-breach/nearly-a-billion-records-were-compromised-in-2014.html
5. Losses Due to Data Breaches: $400 Million. “It was often said that people were the weakest link in any security chain—and that was true when attacks were less sophisticated. But today, no amount of education will stop hackers from getting into your network.” There were 2,122 confirmed data breaches in 2014. Source: http://www.forbes.com/sites/gilpress/2015/05/22/stopping-data-breaches-whose-job-is-it-anyway/
6. Individual Losses Due to Scammers: $80 Million. “SCAMS strip Australians of at least $80 million a year and gathering a vault of personal information that can be used in fraud sprees.” Criminals are buying and selling names, addresses, birth dates, bank account and other personal details on the black market to commit identity fraud or find scam victims, a report warns. Source: http://www.heraldsun.com.au/news/law-order/scammers-steal-80-million-a-year-and-personal-information-from-australians/story-fni0fee2-1227358157405
7. Data Breaches. Source: Liam Clearly BRK2142 Microsoft Ignite
8. “Faced with never-ending and expanding regulatory and industry mandates, organizations invest tremendous amounts of energy on audit, compliance, controls, and (in some cases) risk management. At the same time, they seek to free staff resources from mundane tasks such as evidence gathering and simple reporting.” Source: Gartner Report: IT Governance, Risk, and Compliance Management Solutions, http://www.gartner.com/resId=1884814
9. Our Agenda for Today
   • Introduction
   • Importance of Regulatory and Compliance Controls
   • Controls in Office 365
   • Demos
   • Data Loss Prevention
   • eDiscovery
   • Auditing
   • Document Fingerprinting
   • Encrypted Email Communications
10. Why are we here?
11. Source: http://www.forbes.com/sites/gilpress/2015/05/22/stopping-data-breaches-whose-job-is-it-anyway/
12. Compliance – What is it?
13. Why do we need to take compliance seriously?
14. Let’s look at Office 365 customer controls: Identify, Monitor, Protect, Educate
15. So what is Microsoft doing? eDiscovery, Auditing, Encryption, Information Management Policies, Records Management
16. Two faces of compliance in Office 365
   Built-in Office 365 capabilities (global compliance):
   • Access Control
   • Auditing and Logging
   • Continuity Planning
   • Incident Response
   • Risk Assessment
   • Communications Protection
   • Identification and Authorisation
   • Information Integrity
   • Awareness and Training
   Customer controls for compliance/internal policies:
   • Data Loss Prevention
   • Archiving
   • eDiscovery
   • Encryption
   • S/MIME
   • Legal Hold
   • Rights Management
17. In practice, it looks like this
18. What does your organisation get?
   • Independent verification
   • Regulatory compliance
   • Peace of mind
   • Improved governance
   • Better risk management
   • Avoiding prosecution
19. Our Demo Participants: Sara (Sales), Aziz (Finance), Janet (Sales Manager), Denis (Legal)
20. Data Loss Prevention
21. DEMO: Data Loss Prevention
22. Data Leakage Protection. By 2018, 50% of IT organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management to enhance their security postures. Source: http://www.gartner.com/newsroom/id/2828722
23. What is meant by Data Loss Prevention? Data in-use (endpoint actions), in-motion (network traffic) and at-rest (data storage). [1] http://en.wikipedia.org/wiki/Data_loss_prevention_software. Good definition: http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
24. eDiscovery
25. DEMO: eDiscovery
26. In-use controls (end-point)
   • Operating System and Apps fully patched and up to date
   • End-point security tools installed and correctly configured
   • Firewall enabled and correctly configured
   • Access to required applications only
   • Access to “need to know” data
   • Compliance Adherence Monitoring
27. At-rest controls
28. Built-in DLP content areas (by country: PII / Financial / Health)
   • USA: PII – US State Security Breach Laws, US State Social Security Laws, COPPA; Financial – GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code)
   • Germany: PII – EU data protection, Drivers License, Passport, National Id; Financial – EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code
   • UK: PII – Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport; Financial – EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
   • Canada: PII – PIPED Act, Social Insurance, Drivers License; Financial – Credit Card, Swift Code
   • France: PII – EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport; Financial – EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code
   • Japan: PII – PIPA, Resident Registration, Social Insurance, Passport, Driving License; Financial – Credit Card, Bank Account, Swift Code
   • Health (all countries): limited investment – US HIPAA, UK Health Service, Canada Health Insurance card; rely on partners and ISVs
29. Establishing DLP
   Design and implement:
   • Determine sensitive information types and related policies or regulations
   • Establish policies to protect sensitive data
   • Implement Office 365 DLP features
   Operate:
   • Detect sensitive data in email
   • Detect sensitive data with document fingerprinting
   • User awareness with Outlook Policy tips
30. What do we mean by eDiscovery? Source: Wikipedia (http://en.wikipedia.org/wiki/Electronic_discovery)
31. eDiscovery Process
   • Discovery: find relevant content (documents, emails, Lync conversations)
   • Preservation: place content on legal hold to prevent content modification and/or removal
   • Collection: collect and send relevant content for processing
   • Processing: prepare files for review
   • Review: lawyers determine which content will be supplied to opposition
   • Production: provide relevant content to opposition
32. Office 365 eDiscovery Centre
33. In-place Hold
34. Auditing
35. Reporting and Auditing
36. SharePoint – Auditing Features
37. SharePoint Audit Reports
38. Find what you need
39. Export for action
40. eDiscovery Considerations
   • Recoverable Items quotas are separate from mailbox quotas and need to be monitored
   • In-Place Hold vs. Single Item Recovery vs. Retention Hold
   • Hybrid data sources
41. DEMO: Document Fingerprinting
42. eDiscovery Reports
43. Important Benefits
   Risk mitigation:
   • Centrally managed proactive enforcement
   • Reduced collection touch points
   • Consistent and repeatable
   Minimised business impact:
   • Transparent to users
   • Minimises the need for offline copies, until they are needed
   • Instantly searchable/exportable
   Lower cost!
44. DEMO: Encrypted Email Communications
45. Q & A
46. Wrap Up
   • Introduction
   • Importance of Regulatory and Compliance Controls
   • Controls in Office 365
   • Demos
   • Data Loss Prevention
   • eDiscovery
   • Auditing
   • Document Fingerprinting
   • Encrypted Email Communications
47. Learn More / Useful Links
   • TechEd 2014 Office 365 Security and Compliance: https://channel9.msdn.com/Events/TechEd/Australia/2014/OSS304
   • Office 365 Trust Centre: http://office.microsoft.com/en-au/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx
   • Office Blogs: http://blogs.office.com/2013/10/23/cloud-services-you-can-trust-security-compliance-and-privacy-in-office-365/
   • Governance, risk management, and compliance: http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
   • Office 365 Service Descriptions: http://technet.microsoft.com/en-us/library/jj819284%28v=technet.10%29
48. Thank you! Online evaluation form: http://tinyurl.com/SPSParis2015
49. DLP extensibility points
50. Content Analysis Process
   • Get Content: Joseph F. Foster, Visa: 4485 3647 3952 7352, Expires: 2/2012
   • RegEx Analysis: 4485 3647 3952 7352 -> a 16-digit number is detected
   • Function Analysis: 1. 4485 3647 3952 7352 -> matches checksum; 2. 1234 1234 1234 1234 -> does NOT match
   • Additional Evidence: 1. Keyword "Visa" is near the number; 2. A regular expression for a date (2/2012) is near the number
   • Verdict: 1. There is a regular expression that matches a checksum; 2. Additional evidence increases confidence
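The content analysis pipeline described on this slide, written out as an added Python example (not code from the presentation and not the Office 365 DLP engine itself): a regular expression proposes 16-digit candidates, a checksum function (Luhn, as used for payment cards) discards look-alikes such as 1234 1234 1234 1234, and nearby corroborating evidence raises the confidence of the verdict. The sample record is the slide's own example; the keyword list and the 300-character proximity window are assumptions.

```python
import re

# Constructed sample content, reusing the example record shown on the slide.
SAMPLE = "Joseph F. Foster\nVisa: 4485 3647 3952 7352\nExpires: 2/2012"

# RegEx analysis: a 16-digit number in groups of four (spaces or dashes optional).
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Additional evidence: an expiry-style date such as 2/2012 near the number.
DATE_RE = re.compile(r"\b\d{1,2}/\d{4}\b")
# Assumed keyword list; the slide itself only names "Visa".
KEYWORDS = ("visa", "mastercard", "credit card", "card number")


def luhn_ok(digits: str) -> bool:
    """Function analysis: the checksum that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str, window: int = 300) -> list:
    """Return one finding per candidate that survives every stage, with a
    confidence that rises as corroborating evidence is found nearby."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue            # e.g. 1234 1234 1234 1234 is dropped here
        lo, hi = max(0, m.start() - window), m.end() + window
        nearby = text[lo:hi].lower()
        evidence = []
        if any(k in nearby for k in KEYWORDS):
            evidence.append("keyword")
        if DATE_RE.search(nearby):
            evidence.append("expiry date")
        confidence = ("low", "medium", "high")[len(evidence)]
        findings.append({"match": m.group(), "evidence": evidence,
                         "confidence": confidence})
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```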
51. Encryption Solutions in Office 365
   • Office 365 Message Encryption – Encrypt messages to any SMTP address
   • Information Rights Management – Encrypt content and restrict usage; usually within own organization or trusted partners
   • S/MIME – Sign and encrypt messages to users using certificates
52. Registry Key Outlook Client