This document contains slides from a presentation on securing Office 365 with Secure Score. The presentation discusses current cybersecurity trends, GDPR responsibilities, evaluating Secure Score assessments, and Office 365 threat intelligence. It provides an overview of Microsoft's Secure Score, which analyzes an organization's security posture and provides recommendations to improve security and compliance. Secure Score helps prioritize actions, understand risks, and monitor security improvements over time. The presentation includes demonstrations of the Security & Compliance Center and performing a risk assessment using Secure Score.
20. Slide
Providing clarity and consistency for the protection of personal data
• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance
The EU General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
21. Slide
What are the key changes with the GDPR?
Personal privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications
• Strict security requirements
• Breach notification obligation
• Appropriate consents for data processing
• Confidentiality
• Recordkeeping
Transparent policies
Transparent and easily accessible policies regarding:
• Notice of data collection
• Notice of processing
• Processing details
• Data retention/deletion
IT and training
Need to invest in:
• Privacy personnel and employee training
• Data policies
• Data Protection Officer (larger organizations)
• Processor/Vendor contract
22. Slide
What’s the Impact of GDPR?
Potential Global Impact
The regulation applies to companies that trade products or services with European customers or in the European market.¹
Operational Complexity
GDPR policies require privacy-by-design and by-default. Partners can become privacy consultants or implementers to support the customer GDPR journey.
Significant Fines
Fines for non-compliance can be up to 4% of your global revenues or €20 million, whichever is greater. A fine of this magnitude could put many companies out of business.¹
Need for Privacy Professionals
There will be a serious resource shortfall of Privacy Professionals. Professional Services vendors will pick up the slack.²
Sources:
1 http://blogs.forrester.com/enza_iannopollo/16-04-20-the_eu_general_data_protection_regulation_gdpr_is_here, Enza Iannopollo, April 20, 2016
2 Forrester’s Predictions 2017: Six Ways Privacy Will Rock Global Business, by Fatemeh Khatibloo with Christopher McClean, Heidi Shey, Enza Iannopollo, Laura Koetzle, Srividya Sridharan, Alexander Spiliotes, Christian Austin, Nov 1, 2016
23. Slide
How you can Prepare for GDPR
1. Discover: identify what personal data you have and where it resides.
2. Control: manage how personal data is used and accessed.
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Report: action data requests and keep the required documentation.
5. Review: analyze data and systems, stay compliant and reduce risk.
24. Slide
Black Belting Office 365 Security with Secure Score | Andy Malone | 21st June 2017 | 10.45am – 12.00pm
Follow us: #O365ENGAGE17
GDPR in a Nutshell
1. This is a regulation, not a directive, i.e. it’s LAW!
2. Data processors will be held responsible for data protection
3. The regulation has global ramifications
4. Users will be able to make compensation claims
5. There are tighter rules on transferring data on EU citizens outside the EU
6. Harmonized user request rights
7. New erasure rights
8. It is the controller’s responsibility to inform users of their rights
9. Tougher sanctions and streamlined incident reporting
10. Encryption and tokenisation can come to your rescue
30. Slide
The Traditional Data Governance Model
Many organizations transfer data to a third-party hosted archiving service, which has challenges. (Diagram: Exchange Data → Outsourced Data Journaling → Third-party outsourced journaling)
Challenges
• Point-in-time data: captures data at a point in time, which misses any edits made in place or by transport agents in flight
• Increased risks: content may be compromised moving from one environment to another
• Increased time: waiting for indexing increases the time required to find relevant data
• Increased costs: storing a separate copy of the data significantly increases costs
• No service-wide insights: unable to leverage service-wide machine learning to draw correlations between the data
31. Slide
In-Place Office 365 Data Governance
Data stays in place and does not need to be continually transferred out of Office 365, providing benefits.
Office 365 In-Place Data Governance: In-Place Compliance over Traditional Journaling
• Location, query or policy based: apply preservation to a mailbox or SharePoint site, apply a query to hold less content, or use preservation policies
• Higher fidelity and lower costs: content stays in Exchange and SharePoint, which results in lower storage costs and higher-fidelity data
• No impact to users: seamlessly create, edit, and delete without knowing data is being preserved
• Reduce risk: data is not duplicated to another provider or compliance boundary; all actions taken on the data are recorded
• Insights: insights to enable you to keep what’s important, delete what’s not, and share according to policy
32. Slide
Office 365 In-place Compliance Solutions
Ensuring data compliance
Organization needs: preserve vital data, find relevant data, monitor activity
• Data Governance: import, store, preserve and expire data
• eDiscovery: quickly identify the most relevant data
• Auditing: monitor and investigate actions taken on data
• Security & Compliance Center: manage compliance for all your data across Office 365
36. Slide
Getting Started with Office 365 Secure Score
All cloud security controls in one place, with a score-based framework to determine what the highest-impact actions are, and an easy way to do them.
42. Slide
The Risk Triad: Assets, Vulnerabilities and Threats
• Assets are the valuable resources you are trying to protect: people, buildings, property, intellectual property etc.
• The value or criticality of the asset dictates the safeguards you deploy.
• A threat is a potentially harmful occurrence, such as:
  • Natural threats: earthquake, flood, fire
  • Technical threats: power outage, or a network-based worm like WanaCrypt0r
  • Human threats: malicious activity by a disgruntled ex-employee
43. Slide
The Risk Triad: Assets, Vulnerabilities and Threats
• A vulnerability is a weakness that allows a threat to cause harm.
• Examples of vulnerabilities are:
  • Buildings that are not built to withstand earthquakes
  • A data centre without proper backup power
  • A Microsoft Windows system that has not been patched in a few years, or that automatically runs software on a USB token when it is inserted
• A Linux system that has no vulnerability to a virus therefore runs no risk from it.
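The risk triad on these two slides, as an added example that is not part of the presentation: a small Python model in which each asset carries a criticality, each threat carries a likelihood and the vulnerability it needs, and risk is only produced where that vulnerability is actually present on the asset. The asset and threat names, criticality values, likelihoods and vulnerability labels are all constructed for illustration.

```python
# Added example, not from the slides: a small quantitative model of the risk
# triad (assets, threats, vulnerabilities). Asset criticality, threat
# likelihood and the vulnerability labels are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                      # 1 (low value) .. 5 (business critical)
    vulnerabilities: set = field(default_factory=set)   # weaknesses present on this asset


@dataclass
class Threat:
    name: str
    likelihood: float                     # 0.0 .. 1.0, estimated chance of occurring
    needs: str                            # vulnerability the threat needs to cause harm


def risk_score(asset: Asset, threat: Threat) -> float:
    """Risk = asset criticality x threat likelihood, but only when the asset
    actually has the weakness the threat relies on. A threat with no matching
    vulnerability yields zero risk (the slide's Linux-and-virus point)."""
    if threat.needs not in asset.vulnerabilities:
        return 0.0
    return asset.criticality * threat.likelihood


def assess(assets, threats):
    """Return (asset name, threat name, risk) triples, highest risk first,
    dropping pairs that carry no risk. The ordering is the safeguard priority:
    the most critical assets facing a live threat get attention first."""
    ranked = []
    for asset in assets:
        for threat in threats:
            score = risk_score(asset, threat)
            if score > 0:
                ranked.append((asset.name, threat.name, score))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed inventory mirroring the slide's examples
ASSETS = [
    Asset("file-server (unpatched Windows)", 5, {"unpatched-os", "autorun-removable-media"}),
    Asset("data centre A", 4, {"no-backup-power"}),
    Asset("web frontend (Linux)", 3, set()),   # no listed weaknesses
]
THREATS = [
    Threat("network worm", 0.6, "unpatched-os"),
    Threat("power outage", 0.2, "no-backup-power"),
    Threat("disgruntled ex-employee with USB token", 0.3, "autorun-removable-media"),
]

if __name__ == "__main__":
    for asset, threat, score in assess(ASSETS, THREATS):
        print(f"{score:4.2f}  {asset:32s}  {threat}")
```

The Linux frontend never appears in the ranked output because none of the listed threats has a matching vulnerability on it; the unpatched file server, being the most critical asset with two live threats, lands at the top and so dictates where safeguards go first.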
46. Slide
Office 365 Compliance Data Lifecycle
• Ingestion of data outside Office 365
• In-Place data creation, retention and archiving
• In-Place eDiscovery
• Auditing
• Export
47. Slide
Secure Score
Insights into your security position: one place to understand your security position and what features you have enabled.
Guidance to increase your security level: learn what security features are available to reduce risk while helping you balance productivity and security.
53. Slide
Key Recommendations
Quick Wins: 0-3 Months
• Low user impact
• Low implementation cost
3-6 Months
• Low user impact
• Moderate implementation cost
6 Months and beyond
• Moderate user impact
• Low and moderate implementation cost
Recommended actions:
• Enable MFA for all global admins
• Set strong outbound spam policy
• Review the sign-ins after multiple failures report weekly
• Enable audit data recording
• Review the sign-ins from multiple geographies report weekly
• Enable Information Rights Management (IRM) services
• Enable Advanced Security Management Console
• Enable MFA for all users
• Enable Advanced Threat Protection safe attachments policy
• Enable Advanced Threat Protection safe links policy
• Do not allow anonymous calendar sharing
• Require passwords to be reset at least every 60 days
• Enable mobile device management services
• Enable Data Loss Prevention policies
• SharePoint Online (SPO) sites have classification policies
• IRM protections applied to documents
• IRM protections applied to email
54. Slide
How Secure Score can help
Timeline columns: 0-3 Months | 3-6 Months | 6 Months and beyond
Rows: Protect, Detect, Respond
Legend: user impact (Low / Moderate); implementation cost (Low / Moderate)
Actions placed on the timeline:
• Enable MFA for all global admins
• Enable audit data recording
• Enable Advanced Threat Protection safe links policy
• Enable Advanced Security Management Console
• Enable mobile device management services
• Enable Data Loss Prevention policies
• IRM protections applied to documents
• Enable MFA for all users
• Enable Advanced Threat Protection safe attachments policy
• IRM protections applied to email
• Set strong outbound spam policy
Ongoing services and programmes:
• Managed security service: threat detection
• Managed security service: incident response
• Managed security service: reporting
• Managed security service: monitoring, account and credential abuse
• Establish education program for IT staff and end-users
• On-going service: security assessment
58. Slide
Office 365 Secure Score API
• Monitor and report on customers’ secure score in downstream reporting tools
• Examine your customers’ security configuration baseline
• Integrate the data into compliance or cybersecurity applications
• Integrate Secure Score data into a SIEM or CASB to drive a hybrid or multi-cloud framework for security analytics
Resources:
• Using the Office 365 Secure Score API: http://aka.ms/SecureScoreAPI
59. Slide
From a Developer’s Perspective: Why use the Secure Score API?
1. Monitor and report on your secure score in downstream reporting tools.
2. Track your security configuration baseline.
3. Integrate the data into compliance or cybersecurity insurance applications.
4. Integrate Secure Score data into your SIEM or CASB to drive a hybrid or multi-cloud framework for security analytics.
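The four developer use cases on this slide and the quick-win ordering on the Key Recommendations slide, as an added example that is not part of the presentation and not Microsoft's own API client: a Python consumer that parses two Secure Score snapshots, ranks the outstanding controls by user impact, then implementation cost, then score gain, reports the score change between snapshots (tracking the baseline over time), and flattens a snapshot into key=value events for a SIEM. The JSON layout (`currentScore`, `maxScore`, `controls`, `scoreImpact`, `userImpact`, `implementationCost`) and both snapshots are constructed for this example and are not the real API schema; a real integration would fetch the payload from the API linked on the slide and map its actual fields.

```python
# Added example, not from the presentation or Microsoft's API: a consumer for
# Secure Score snapshots that ranks outstanding controls as quick wins, tracks
# the score over time and flattens a snapshot into SIEM-friendly events.
# The JSON layout (currentScore, maxScore, controls[...]) and the two snapshots
# are constructed for this example and are not the real API schema.
import json

RANK = {"Low": 0, "Moderate": 1, "High": 2}     # ordering for impact and cost labels

SNAPSHOT_WEEK1 = json.dumps({
    "tenantId": "TENANT-ID-PLACEHOLDER",
    "createdDateTime": "2017-06-14T00:00:00Z",
    "currentScore": 65,
    "maxScore": 400,
    "controls": [
        {"name": "Enable MFA for all global admins", "scoreImpact": 50,
         "implemented": True, "userImpact": "Low", "implementationCost": "Low"},
        {"name": "Set strong outbound spam policy", "scoreImpact": 15,
         "implemented": True, "userImpact": "Low", "implementationCost": "Low"},
        {"name": "Enable audit data recording", "scoreImpact": 15,
         "implemented": False, "userImpact": "Low", "implementationCost": "Low"},
        {"name": "Enable MFA for all users", "scoreImpact": 30,
         "implemented": False, "userImpact": "Moderate", "implementationCost": "Low"},
        {"name": "Enable Data Loss Prevention policies", "scoreImpact": 20,
         "implemented": False, "userImpact": "Low", "implementationCost": "Moderate"},
    ],
})

# Second constructed snapshot: a week later, audit recording has been enabled.
_week2 = json.loads(SNAPSHOT_WEEK1)
_week2["createdDateTime"] = "2017-06-21T00:00:00Z"
_week2["currentScore"] = 80
for _c in _week2["controls"]:
    if _c["name"] == "Enable audit data recording":
        _c["implemented"] = True
SNAPSHOT_WEEK2 = json.dumps(_week2)


def parse_snapshot(raw: str) -> dict:
    """Parse a snapshot and fail loudly if a field we rely on is missing."""
    data = json.loads(raw)
    for key in ("createdDateTime", "currentScore", "maxScore", "controls"):
        if key not in data:
            raise ValueError(f"snapshot missing field: {key}")
    return data


def coverage(snapshot: dict) -> float:
    """Fraction of the achievable score the tenant currently has."""
    return snapshot["currentScore"] / snapshot["maxScore"]


def quick_wins(snapshot: dict) -> list:
    """Unimplemented controls ordered the way the Key Recommendations slide
    does: lowest user impact first, then lowest implementation cost, then
    the largest score gain."""
    pending = [c for c in snapshot["controls"] if not c["implemented"]]
    pending.sort(key=lambda c: (RANK[c["userImpact"]],
                                RANK[c["implementationCost"]],
                                -c["scoreImpact"]))
    return [c["name"] for c in pending]


def score_delta(before: dict, after: dict):
    """Score change between two snapshots plus the controls newly implemented."""
    done_before = {c["name"] for c in before["controls"] if c["implemented"]}
    done_after = {c["name"] for c in after["controls"] if c["implemented"]}
    return after["currentScore"] - before["currentScore"], sorted(done_after - done_before)


def siem_events(snapshot: dict) -> list:
    """Flatten one snapshot into key=value lines: one event for the overall
    score and one per control, ready to forward to a SIEM."""
    ts = snapshot["createdDateTime"]
    events = [f"ts={ts} event=secure_score score={snapshot['currentScore']} "
              f"max={snapshot['maxScore']}"]
    for c in snapshot["controls"]:
        events.append(f"ts={ts} event=secure_score_control name=\"{c['name']}\" "
                      f"implemented={str(c['implemented']).lower()} "
                      f"impact={c['scoreImpact']}")
    return events


if __name__ == "__main__":
    w1, w2 = parse_snapshot(SNAPSHOT_WEEK1), parse_snapshot(SNAPSHOT_WEEK2)
    print(f"coverage: {coverage(w1):.1%} -> {coverage(w2):.1%}")
    print("next quick wins:", quick_wins(w2))
    print("delta:", score_delta(w1, w2))
    for line in siem_events(w2):
        print(line)
```

Emitting one event per control rather than a single summary is what makes the SIEM side useful: a rule can alert when a control that was `implemented=true` last week flips back to `false`, which is a configuration regression a pure score number would hide if another control was enabled at the same time.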