Downloaded 148 times
Uploaded byAndrew Bettany
2 Modern Security - Microsoft Information Protection
The document provides an overview of Microsoft 365 training focused on security and compliance, particularly the configuration and deployment of Microsoft Information Protection solutions. It addresses the challenges posed by fewer security boundaries and increased data complexity, including GDPR requirements and specific strategies for data classification, encryption, and protection across various Microsoft services. Key features discussed include data loss prevention, advanced threat protection, and integration of compliance tools for managing sensitive information across platforms.
More Related Content
Similar to 2 Modern Security - Microsoft Information Protection
![[IGNITE2018] [BRK2495] What’s new in Microsoft Information Protection solutio...](https://cdn.slidesharecdn.com/ss_thumbnails/10h50mignite2018brk2495-181215035055-thumbnail.jpg?width=640&height=640&fit=bounds)
2 Modern Security - Microsoft Information Protection
- 1. Microsoft 365 Training Series: Securityand Compliance
- 2. Configuring & deploying MicrosoftInformation Protection solutions to help protect your sensitive data Andrew Bettany MVP IT Masterclasses Ltd andrew@itmasterclasses.com
- 3. IN THE PAST,THE FIREWALL WAS THE SECURITY PERIMETER devices datausers apps On-premises / Private cloud
- 4. On-premises NOW THERE’S FEWERBOUNDARIES, MORE DATA, MORE COMPLEXITY
- 6. MICROSOFT INFORMATION PROTECTIONSOLUTIONS
- 7. MICROSOFT CLOUD APPSECURITY Visibility into 15k+ cloud apps, data access & usage, potential abuse AZURE SECURITY CENTER INFORMATION PROTECTION Classify & label sensitive structured data in Azure SQL, SQL Server and other Azure repositories OFFICE APPS Protect sensitive information while working in Excel, Word, PowerPoint, Outlook AZURE ADVANCED THREAT PROTECTION Identify advanced data related attacks and insider threats OFFICE 365 DATA LOSS PREVENTION Prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business SHAREPOINT & GROUPS Protect files in libraries and lists OFFICE 365 ADVANCED DATA GOVERNANCE Apply retention and deletion policies to sensitive and important data in Office 365 ADOBE PDFs Natively view labeled and protected PDFs on Adobe Acrobat Reader WINDOWS INFORMATION PROTECTION Separate personal vs. work data on Windows 10 devices, prevent work data from traveling to non-work locations OFFICE 365 MESSAGE ENCRYPTION Send encrypted emails in Office 365 to anyone inside or outside of the company CONDITIONAL ACCESS Control access to files based on policy, such as identity, machine configuration, geo location Discover | Classify | Protect | Monitor SDK FOR PARTNER ECOSYSTEM & ISVs Enable ISVs to consume labels, apply protection
- 8. Personal data Any informationrelated to an identified or identifiable natural person including direct and indirect identification. Examples include: • Name • Identification number (e.g., SSN) • Location data (e.g., home address) • Online identifier (e.g., e-mail address, screen names, IP addresses, device IDs) Sensitive personal data Personal data afforded enhanced protections: • Genetic data (e.g., an individual’s gene sequence) • Biometric Data (e.g., fingerprints, facial recognition, retinal scans) • Sub categories of personal data including: • Racial or ethnic origin • Political opinions, religious or philosophical beliefs • Trade union membership • Data concerning health • Data concerning a person’s sex life or sexual orientation GDPR challenges Personal privacy rights Must protect data Mandatory data breach reporting Big penalties for non-compliance
- 9. Scan & detectsensitive data based on policy Classify and label data based on sensitivity Apply protection actions, including encryption, access restrictions
- 10. a CLOUD & SaaSAPPS
- 11. Data Classification Service(DCS)Service Integration Client apps Microsoft Cloud App Security • Consistent Auto Classification across Microsoft services • Native integration • Deep Content Scanning with 90+ built-in sensitive types • Fully extensible scanning with custom type support NEW GDPR template with EU sensitive types NEW Custom sensitive type authoring and fine tuning NEW Exact Data Match based classification NEW Image classification with OCR Uniform Content Discovery & Classification AIP Scanner On Premises Discover & Classify across Microsoft Services Azure Service
- 12.
- 13. Centralised management Configure andmanage labels across apps and services in Office, Azure and Windows – all from the S&C Center Unified classification Uniform content classification to protect and preserve data across Office, Azure, Windows Consistent across Microsoft 365 Consistent integration and experience across Microsoft 365 apps & services – extensible to 3rd party apps & solutions
- 25.
- 27. Scenario I wantto find out what’s on my on premises storage
- 36.
- 37. Scenario I wantto protect Business to Business email
- 47. Scenario I wantto protect my crown jewels
- 54. MICROSOFT INFORMATION PROTECTIONSOLUTIONS
- 55. • Security &Compliance Center enhancements • Native labeling experience in Word, PowerPoint & Excel, Outlook on Windows, Mac, iOS, Android and web apps (general availability) • Automatically classify, label and protection in Office apps • Additional automatic DLP integrations with labels • DLP in Microsoft Teams chat messages • Information Protection analytics (GA) • Advanced detection and classification methods (OCR, exact data match, ML) • Ability to reason over (view, search, index) labeled & protected Office documents in SharePoint Online and OneDrive for Business On the horizon • Unified label management in Security & Compliance Center • Native labeling in Office apps on Mac, iOS, Android (preview) • Information Protection SDK • View protected PDFs on Adobe Acrobat Reader (preview) • Apply Windows Information Protection based on sensitivity labels • GDPR sensitive information types (Office 365 & Azure Information Protection) • Create custom sensitive information types • Message encryption enhancements • Information protection analytics (preview) Recent
- 56.
- 57. Azure Information Protectiontechnical documentation Microsoft Cloud App Security technical documentation Overview of Office 365 Data Loss Prevention (DLP) Protect your enterprise data using Windows Information Protection Microsoft IT showcase: Automate data protection with Azure Information Protection scanner Microsoft IT showcase: Using Azure Information Protection to classify and label corporate data Video: Configuring and deploying Azure Information Protection (September 2018)
Editor's Notes
- #4 The accelerating digital transformation has broad implications. The way we work and the tools we use are changing rapidly: including the rise of employees bringing their own devices to the work environment and pervasive use of SaaS applications. Because of this, the way organizations manage and secure their data must also evolve. Companies no longer operate solely within their own walls, protected by a moat that surrounds their border. Data travels to more locations than ever before – across both on-premises and cloud environments. While this has helped increase users’ productivity and their ability to collaborate with others, it has also made protecting sensitive data more challenging.
- #5 So, we know that with the shift to the mobile-first cloud-first world, the perimeter is only a single component of protecting information. It’s important that customers balance their goals of security and productivity: Customers want to enable and foster collaboration to create new business value, and this requires data sharing and data mobility At the same time, they want to prevent unauthorized disclosure, modification, or destruction of data and important information Customers also want to to reduce and manage the risk of user errors – such as unintentional sharing or inappropriate usage of important information Ultimately, data must be protected at all time, both inside and outside of the network.
- #6 Do you have a strategy for protecting and managing sensitive information? Do you know where your sensitive data resides? Sounds simple but complex issue for most orgs of any size 2. Do you have control of your data as it travels both inside and outside of your organization? Shared with customers Onto a mobile device 3. Are you using multiple solutions to classify, label, and protect sensitive data? We find many customers are = disjointed, don’t work together Remember, this is about protecting information wherever it goes. And so, the question for our customers is, do you have a strategy for protecting and managing sensitive information? Do you know where your sensitive data resides? This seems like a very simple question, but trust me it is a complex issue for most organizations of any size. Trying to understand: “where is all of our sensitive information?” can be a huge project of its own. The second question is, do you have control of your data as it travels both inside and outside of your organization? When it gets shared with customers and partners via email or SharePoint sites or other online services, when it goes out on someone's mobile device? And lastly, are you using multiple solutions to classify, label, and protect sensitive data? We find that many of our customers are, and that it's a disjointed set of solutions that don't work together for a common solution.
- #7 No matter how much data your organization owns, losing it is costly. Every organization is a target and threats are increasing. To protect what you own, you first need to know what you have, and classify each piece of data automatically according to its impact to your organization. It sounds scary, but it doesn’t have to be! With Microsoft Information protection you can help customers discover, classify, and protect all their data, no matter where it is stored or who it is shared with. ----------------- So, our approach at Microsoft is to detect and classify sensitive information. This is really about understanding where is that sensitive information and what of it is sensitive? Is it all sensitive? Is there just a portion of it? This is really applying those ideas of something that's confidential, highly classified and confidential, not so classified, public information, etc. That can be a subject of intense debate inside of any large organization, involving the legal team and the risk management team and the IT organization and the business organizations. The second piece is applying intelligent protection based on that policy. Knowing that the information is sensitive, what type of information protection am I going to apply to it? What is the policy that governs that? And then lastly, monitoring and remediating. So, understanding where is information going? Who's accessing it? How much control do we actually have over it? And then remediating, understanding how we can make it better in the next cycle. And we want to make sure that we do this across a pretty broad surface area, from devices to applications, to cloud services and to on-premises systems. Across all of those surfaces we really need to make sure that we're understanding how we apply that protection policy.
- #8 This gives a more comprehensive view of the different information protection technologies that customers might evaluate as part of their overall strategy. Many of these capabilities already work closely together, and we will continue to build in the right connections so that sensitive information is protected – throughout its journey.
- #9 Purpose of slide: Explain how the GDPR defines personal data and sensitive personal data. Key takeaways The GDPR considers personal data to be any information related to an identified or identifiable natural person. Direct identification (e.g., your legal name) Indirect identification (i.e., specific information that makes it clear it is you the data references). Online identifiers (e.g., IP addresses, mobile device IDs) and location data (this was previously unclear in the EU Data Protection Directive). Sensitive personal data is afforded enhanced protections and generally requires an individual’s explicit consent where these data are to be processed. The GDPR introduces specific definitions for genetic data (e.g., an individual’s gene sequence) and biometric data (e.g., fingerprints, facial recognition, retinal scans). Other sensitive personal data include: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership Data concerning health Data concerning a person’s sex life or sexual orientation.
- #10 First, let’s look at the Detect phase of information protection. This involves scanning and detecting sensitive data – all based on the policy defined and configured by your organization. Key considerations: Is there an automated way to discover important data? Which regulations and compliance factors matter? Is my data spread out across devices, cloud & on prem? Is my data spread out geographically? Are certain employees or groups more relevant for discovery? Do I know the characteristics of sensitive or important data?
- #11 In order to achieve comprehensive protection across your organization, it’s important that you are able to discover sensitive information no matter where it is created or lives. That means having sensitive data discovery capabilities across your on premises file shares or datacenters, on individual devices as well as across cloud services and SaaS applications.
- #12 Classification: you find the data before you can determine whether it’s sensitive or not We’re excited to show you that controls like GDPR are built into the service: you don’t have to go figure out whether a Luxembourg passport ID is sensitive or not, VS a UK passport ID. As part of the cloud intelligence work that we do we’re building right into these DCS notions such as what is GDPR sensitive types – these gets you bootstrapped with discovering GDPR sensitive data very quickly. We have built in 90+ sensitive data types but you can also create custom sensitive types as per your org requirements. Exact data match: where you may have a payroll or personal DB: we will do classification of your content, intersecting in real time what is your company secrets held in a DB across all of these locations. If you have a payroll system, it can be part of the process of figuring out what emails contain that sensitive data. Las but not least, emails or PDFs with images, maybe stored in SPO, we can use ML to identify the text embedded in images as pictures and determine whether this includes secrets. Powerful: apply to file shares, sharepoint servers, cloud apps and any other service where data is moving. This starts to define our platform. Consistent, ubiquitous cloud-powered classification of your content.
- #13 12
- #14 Now you’ve defined policies and you don’t want to do this 3, 4, 5 times across all of these locations. What we recently announced at the end of last year in Ignite is that we’ve unified the admin and console in which we as IT professionals and/or decision makers administer the solution as well as where we get insights as to what is going on with the insights we deploy.
- #15 Labelling You have content, it’s been classified, you’ve gone through our platform, you start indicating what’s your sensitive content. The dashboard will start showing you how many labels you have, how many hits you get, content types.
- #16 If we look at a security label, let’s have a look at the actions I can take with them: encryption, content marking, DLP (which you usually have to attach or bolt on somewhere else), you can even do auto-label.
- #17 Encryption: you turn these boxes on and data will start getting encrypted. If you send it to consumers, it will transparently work with them as well.
- #18 Content marking: super useful lightweight visual marking
- #19 DLP: think about making sure that data doesn’t exit mailboxes or doesn’t get shared to SPO sites
- #20 Auto labelling A lot of us have had experience with data classification where we ask our users to classify content. We’re also showing you today that MIP includes some of the tech that has been available with AIP where you auto-classify content is coming together also in the MIP service with auto-labelling: determine how many instances with the same content need to appear before you trigger the label and set it per groups (finance but not marketing)
- #23 You go through and publish these labels. This isn’t a 1 size fits all for the org: you can pick different departments that this policy goes to and define different hierarchies. We’re only unpacking a little bit today but I encourage you to go ahead and try it.
- #26 A typical question we get is: “I’m an AIP customer, we’ve deployed the client, you’ve showed me this nice portal, what does that mean for me? The labels are 100% interoperable, we’re using the same label schema in the S&C center and this portal - if you have AIP labels and deployed the client you don’t have to do anything: it will work You don’t have to re-create any labels, when your tenant is ready at that point your S&C center and this portal will show the same labels
- #30 What happens to your onprem data? In the last couple of years we’ve been working on the AIP scanner which runs across your file servers and SharePoint (2010, 2013 and 2016) and gives you the same level of classification, labelling and protection of data that you see in O365. The scanner has a scanner or discovery and an enforce mode which will apply the label. It’s been fully GA available for some time now and it’s the way to get full coverage across cloud and onprem. Some customers use it to discover onprem data before moving it to the cloud – especially for GDPR compliance.
- #32 When you run the scanner in discovery mode (drop the MSI in one node or more file server nodes to discover the data across all your onprem estate), you now get visibility that the scanner is running in all your nodes. For people that have used the scanner in the past, it was all presented in an Excel sheet. One of the improvements we’ve introduced is that all of it will be available in a UX. You can click on each node and understand the data that is being discovered in each.
- #34 Here’s an example of that, the scanner running a file repository called \\sislands\plubic in “enforce mode” The scanner ran against the file server, started discovering data, labelling it and protecting it
- #35 Then you click on each file server and get this view where we actually show you each file: the file it ran against, whether it was classified or not, labelled or not, protected or not
- #42 The user creates the email and tags it as “Condidential”
- #56 So this kind of shows you the investments we are making in this area, which provides you with a much better, cleaner experience. Our goal has been to show you how we discover, classify, label, protect and monitor sensitive data across your entire estate.
- #57 And we have a pretty big roadmap coming up to continue to improve MIP. Some key elements that have come up or which are coming up include Unified label management – we talked about Native labelling in Office apps in Mac, iOS and Android Apply WIP policies based on sensitivity labels We’ll keep workign on the new portals Add labelling for web apps DLP for Teams chat messages
- #59 Microsoft Field: Please view associated material at https://microsoft.sharepoint.com/sites/Infopedia_G01/Pages/AIP.aspx and Office 365 OnRamp at https://microsoft.sharepoint.com/sites/Infopedia_G03/officeonramp/SitePages/Office365Security.aspx#Security