Many steps have to be taken on the road to GDPR compliance. For a number of those steps, technology can lend a hand. Microsoft was the first global cloud provider to make contractual commitments available to customers that offer important GDPR-related guarantees for its cloud services. In this session we show you our Microsoft 365 based solution from the perspective of your employee, because security does not always have to be difficult and intrusive.
A practical approach to GDPR with Microsoft 365
6. How do I get started?
1. Discover: identify what personal data you have and where it resides.
2. Manage: govern how personal data is used and accessed.
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Report: keep required documentation, manage data requests and breach notifications.
8. Protect at the front door with Azure AD Conditional Access
Conditions: Users, Devices, Location, Apps
Signals: Machine learning, Session risk, Real-time evaluation engine
Policies are combined into one effective policy
Controls: Require MFA, Allow access, Deny access, Force password reset, Limit access
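The slide above lists conditions, policies, an evaluation engine and controls without showing how they combine into an effective policy. The following is an added example, not code from the deck or from Azure AD: a constructed, simplified evaluation engine in which every matching policy contributes its controls, all of them must be satisfied, and a deny control overrides every grant control. The policy names, group and app names are sample values.

```python
from dataclasses import dataclass, field
# Constructed, simplified model of a conditional access evaluation engine (not Azure AD's own code):
# every policy whose conditions match contributes its controls; "deny" overrides every grant control.
RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    device_compliant: bool
    trusted_location: bool
    risk: str = "none"

@dataclass
class Policy:
    name: str
    controls: set                               # subset of {"require_mfa", "force_password_reset", "limit_access", "deny"}
    groups: set = field(default_factory=set)    # empty means every user
    apps: set = field(default_factory=set)      # empty means every app
    untrusted_location_only: bool = False
    noncompliant_device_only: bool = False
    min_risk: str = "none"

    def matches(self, s: SignIn) -> bool:
        if self.groups and not self.groups & s.groups:
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.untrusted_location_only and s.trusted_location:
            return False
        if self.noncompliant_device_only and s.device_compliant:
            return False
        return RISK[s.risk] >= RISK[self.min_risk]

SAMPLE_POLICIES = [  # constructed sample policies
    Policy("Admins always MFA", {"require_mfa"}, groups={"admins"}),
    Policy("Block unmanaged devices on Exchange", {"deny"}, apps={"Exchange Online"}, noncompliant_device_only=True),
    Policy("Medium risk needs MFA", {"require_mfa"}, min_risk="medium"),
    Policy("High risk resets password", {"require_mfa", "force_password_reset"}, min_risk="high"),
    Policy("Untrusted location gets limited access", {"limit_access"}, untrusted_location_only=True),
]

def effective_policy(policies, s: SignIn):
    """Return the decision, the grant controls the session must satisfy, and the matching policy names."""
    matched = [p for p in policies if p.matches(s)]
    controls = set().union(*(p.controls for p in matched))
    if "deny" in controls:
        return "deny", set(), [p.name for p in matched]
    return "allow", controls, [p.name for p in matched]
```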
9. The lifecycle of a sensitive file
• Data is created, imported and modified across various locations.
• Data is detected across devices, cloud services and on-prem environments.
• Sensitive data is classified and labeled based on sensitivity; the label is used for either protection policies or retention policies.
• Data is protected based on policy. Protection may take the form of encryption, permissions, visual markings, retention, deletion, or a DLP action such as blocking sharing.
• Data travels across various locations and is shared. Protection is persistent and travels with the data.
• Data is monitored: reporting on data sharing, usage and potential abuse; take action and remediate.
• Data is retained, expired or deleted via data governance policies.
10. How to detect threats before they cause damage
Supporting your GDPR compliance journey with Microsoft Advanced Threat Analytics

Sample alert: Suspicion of Identity Theft, 11:46 PM, Thursday, July 20, 2017
Wayne Hatton exhibited abnormal behavior based on the following:
• Performed interactive login from 4 abnormal workstations
• Requested access to 6 abnormal resources
• Exceeded normal amount of working hours
Recommendations:
• Disconnect or isolate the relevant computers from the network
• Contact Wayne Hatton and investigate user activity

Detect anomalies fast with built-in intelligence. Reduce noise and focus on relevant information. Stay ahead with adaptive behavioral analytics.

How ATA works:
• Analyze: monitor network traffic and events on the domain controller with non-intrusive port mirroring while remaining invisible to attackers.
• Learn: identify entities while automatically and continuously learning and profiling behaviors.
• Detect: leverage world-class security research to discover abnormal behavior and suspicious activities.
• Alert: receive reports on an actionable attack timeline, plus recommendations for investigation and remediation.

What it covers:
• Identify privilege escalation: recognize attackers attempting to gain admin permissions and control of your network.
• Compromised credentials: track abnormal behavior and identify continued credential exploitation to hinder network accessibility, lateral movement and resource requests.
• Monitor security vulnerabilities: use a single dashboard to observe and control user and admin permissions.
• Detect intrusions and anomalies: advanced intruders can lay low in your network for months undetected; use ATA to reveal threats.
• Enhance detection and response.
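The sample alert above is built from three deviations from a learned baseline: unfamiliar workstations, unfamiliar resources and activity outside normal hours. The following is an added example, not code from the deck or from ATA, of that learn-then-compare logic over constructed sign-in events; the user name comes from the slide, all workstation and resource names are invented sample values, and alerting only when several deviations co-occur is the noise-reduction rule the slide describes.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (user, ISO timestamp, workstation, resource), not real telemetry:
# BASELINE is the user's learned normal activity, RECENT is the window being evaluated.
BASELINE = [
    ("wayne.hatton", "2017-07-03T09:12", "WS-101", "FS-HR"),
    ("wayne.hatton", "2017-07-06T17:40", "WS-102", "SP-INTRANET"),
]
RECENT = [
    ("wayne.hatton", "2017-07-20T23:46", "WS-301", "FS-FINANCE"),
    ("wayne.hatton", "2017-07-20T23:48", "WS-302", "SQL-PAYROLL"),
    ("wayne.hatton", "2017-07-20T23:51", "WS-303", "DC01"),
    ("wayne.hatton", "2017-07-20T23:55", "WS-304", "FS-LEGAL"),
    ("wayne.hatton", "2017-07-21T00:02", "WS-301", "FS-RND"),
    ("wayne.hatton", "2017-07-21T00:09", "WS-302", "ADMIN-SHARE"),
]

def build_profiles(events):
    """Learn, per user, the workstations, resources and working-hour range seen in the baseline."""
    profiles = {}
    for user, ts, ws, res in events:
        p = profiles.setdefault(user, {"workstations": set(), "resources": set(), "hours": []})
        p["workstations"].add(ws)
        p["resources"].add(res)
        p["hours"].append(datetime.fromisoformat(ts).hour)
    return profiles

def detect_identity_theft(profiles, events, min_findings=2):
    """Compare recent events with each user's profile; alert only when several deviations co-occur."""
    obs = defaultdict(lambda: {"workstations": set(), "resources": set(), "out_of_hours": 0})
    for user, ts, ws, res in events:
        if user not in profiles:      # no baseline yet: nothing to compare against
            continue
        p, o = profiles[user], obs[user]
        o["workstations"] |= {ws} - p["workstations"]   # workstation never seen in the baseline
        o["resources"] |= {res} - p["resources"]        # resource never requested in the baseline
        if not min(p["hours"]) <= datetime.fromisoformat(ts).hour <= max(p["hours"]):
            o["out_of_hours"] += 1
    alerts = {}
    for user, o in obs.items():
        counts = {"abnormal_workstations": len(o["workstations"]),
                  "abnormal_resources": len(o["resources"]),
                  "out_of_hours_logins": o["out_of_hours"]}
        if sum(1 for v in counts.values() if v) >= min_findings:   # a single deviation is noise
            alerts[user] = {"title": "Suspicion of identity theft", **counts,
                            "recommendations": ["isolate the abnormal workstations from the network",
                                                f"contact {user} and investigate the activity"]}
    return alerts
```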
11. Shared responsibilities between Microsoft and you

Access to production environment
Microsoft's responsibility: set up access controls that strictly restrict standing access to the customer's data or production environment.
Organization's responsibility: set up an access control policy and SOP, leveraging Customer Lockbox and identity management solutions.

Protect data
Microsoft's responsibility: encrypt data at rest and in transit based on industry standards (BitLocker, TLS, etc.).
Organization's responsibility: encrypt data based on the organization's compliance obligations, e.g. encrypt PII in transit between users, use its own encryption key, etc.

Personnel control
Microsoft's responsibility: strict screening of employees, vendors and contractors, and training during the onboarding process.
Organization's responsibility: allocate and staff sufficient resources to implement and operate an organization-wide privacy program, including awareness-raising and training.
12. Compliance Manager
Manage your compliance from one place
Diagram: cloud users, Microsoft, requirements, evidence, regulatory body (GDPR)
13. Ongoing risk assessment
An intelligent score reflects your compliance posture against evolving regulations or standards
• Score your compliance: get a risk-based score that reflects your data protection and compliance posture.
• Stay up-to-date: ensure that you are up-to-date with regulatory changes relevant to Microsoft cloud services.
• Customize the dashboard: customize based on your organizational needs, grouping assessments by years or regions.
14. Actionable insights
Recommended actions to improve your data protection capabilities
• Gain rich insights: understand Microsoft's and your responsibilities to meet compliance obligations.
• Assess Microsoft-managed controls: get implementation details, test plan details, and test results of Microsoft-managed controls from one dashboard.
• Get recommended actions: receive clear guidance on actions you can take to improve your data protection capabilities.
17. Agenda
The next step: your journey to Security & Compliance
1. Check your Office 365 Secure Score: https://securescore.office.com
2. Start with Compliance Manager: https://servicetrust.microsoft.com
3. Take the GDPR benchmark: https://assessment.microsoft.com/gdpr-compliance
4. Discover more GDPR resources: https://www.microsoft.com/TrustCenter/Privacy/gdpr