2. Configuring & deploying
Microsoft Information Protection
solutions to help protect your
sensitive data
Andrew Bettany MVP
IT Masterclasses Ltd
andrew@itmasterclasses.com
3. IN THE PAST, THE FIREWALL
WAS THE SECURITY PERIMETER
devices, data, users, apps
On-premises /
Private cloud
7. MICROSOFT CLOUD APP SECURITY
Visibility into 15k+ cloud apps, data access & usage,
potential abuse
AZURE SECURITY CENTER INFORMATION PROTECTION
Classify & label sensitive structured data in Azure SQL, SQL
Server and other Azure repositories
OFFICE APPS
Protect sensitive information while working in Excel, Word,
PowerPoint, Outlook
AZURE ADVANCED THREAT PROTECTION
Identify advanced data related attacks and insider threats
OFFICE 365 DATA LOSS PREVENTION
Prevent data loss across Exchange Online, SharePoint Online,
OneDrive for Business
SHAREPOINT & GROUPS
Protect files in libraries and lists
OFFICE 365 ADVANCED DATA GOVERNANCE
Apply retention and deletion policies to sensitive and
important data in Office 365
ADOBE PDFs
Natively view labeled and protected PDFs on Adobe Acrobat
Reader
WINDOWS INFORMATION PROTECTION
Separate personal vs. work data on Windows 10 devices,
prevent work data from traveling to non-work locations
OFFICE 365 MESSAGE ENCRYPTION
Send encrypted emails in Office 365 to anyone
inside or outside of the company
CONDITIONAL ACCESS
Control access to files based on policy, such as identity, machine
configuration, geo location
Discover | Classify | Protect | Monitor
SDK FOR PARTNER ECOSYSTEM & ISVs
Enable ISVs to consume labels, apply protection
8. Personal data
Any information related to an identified or identifiable
natural person including direct and indirect identification.
Examples include:
• Name
• Identification number (e.g., SSN)
• Location data (e.g., home address)
• Online identifier (e.g., e-mail address, screen names,
IP addresses, device IDs)
Sensitive personal data
Personal data afforded enhanced protections:
• Genetic data (e.g., an individual’s gene sequence)
• Biometric Data (e.g., fingerprints, facial recognition,
retinal scans)
• Sub categories of personal data including:
• Racial or ethnic origin
• Political opinions, religious or philosophical beliefs
• Trade union membership
• Data concerning health
• Data concerning a person’s sex life or sexual
orientation
GDPR challenges
Personal privacy rights
Must protect data
Mandatory data breach reporting
Big penalties for non-compliance
9. Scan & detect sensitive
data based on policy
Classify and label data
based on sensitivity
Apply protection actions,
including encryption,
access restrictions
11. Data Classification Service (DCS): service integration and client apps
Microsoft Cloud App Security
• Consistent Auto Classification across Microsoft services
• Native integration
• Deep Content Scanning with 90+ built-in sensitive types
• Fully extensible scanning with custom type support
NEW GDPR template with EU sensitive types
NEW Custom sensitive type authoring and fine tuning
NEW Exact Data Match based classification
NEW Image classification with OCR
Uniform Content Discovery & Classification
AIP Scanner
On Premises
Discover & Classify across Microsoft Services
Azure Service
13. Centralised management
Configure and manage labels across apps
and services in Office, Azure and Windows –
all from the S&C Center
Unified classification
Uniform content classification to protect and
preserve data across Office, Azure, Windows
Consistent across Microsoft 365
Consistent integration and experience across
Microsoft 365 apps & services – extensible to
3rd party apps & solutions
55. • Security & Compliance Center enhancements
• Native labeling experience in Word, PowerPoint &
Excel, Outlook on Windows, Mac, iOS, Android
and web apps (general availability)
• Automatically classify, label and protect in Office apps
• Additional automatic DLP integrations with labels
• DLP in Microsoft Teams chat messages
• Information Protection analytics (GA)
• Advanced detection and classification methods
(OCR, exact data match, ML)
• Ability to reason over (view, search, index) labeled
& protected Office documents in SharePoint
Online and OneDrive for Business
On the horizon
• Unified label management in Security & Compliance
Center
• Native labeling in Office apps on Mac, iOS, Android
(preview)
• Information Protection SDK
• View protected PDFs on Adobe Acrobat Reader
(preview)
• Apply Windows Information Protection based on
sensitivity labels
• GDPR sensitive information types (Office 365 & Azure
Information Protection)
• Create custom sensitive information types
• Message encryption enhancements
• Information protection analytics (preview)
Recent
57. Azure Information Protection technical documentation
Microsoft Cloud App Security technical documentation
Overview of Office 365 Data Loss Prevention (DLP)
Protect your enterprise data using Windows Information Protection
Microsoft IT showcase: Automate data protection with Azure Information Protection scanner
Microsoft IT showcase: Using Azure Information Protection to classify and label corporate data
Video: Configuring and deploying Azure Information Protection (September 2018)
Editor's Notes
The accelerating digital transformation has broad implications. The way we work and the tools we use are changing rapidly: including the rise of employees bringing their own devices to the work environment and pervasive use of SaaS applications. Because of this, the way organizations manage and secure their data must also evolve. Companies no longer operate solely within their own walls, protected by a moat that surrounds their border. Data travels to more locations than ever before – across both on-premises and cloud environments. While this has helped increase users’ productivity and their ability to collaborate with others, it has also made protecting sensitive data more challenging.
So, we know that with the shift to the mobile-first cloud-first world, the perimeter is only a single component of protecting information.
It’s important that customers balance their goals of security and productivity:
Customers want to enable and foster collaboration to create new business value, and this requires data sharing and data mobility
At the same time, they want to prevent unauthorized disclosure, modification, or destruction of data and important information
Customers also want to reduce and manage the risk of user errors – such as unintentional sharing or inappropriate usage of important information
Ultimately, data must be protected at all times, both inside and outside of the network.
Do you have a strategy for protecting and managing sensitive information?
Do you know where your sensitive data resides?
Sounds simple, but it is a complex issue for most organisations of any size
2. Do you have control of your data as it travels both inside and outside of your organization?
Shared with customers
Onto a mobile device
3. Are you using multiple solutions to classify, label, and protect sensitive data?
We find many customers are, and the solutions are disjointed and don’t work together
Remember, this is about protecting information wherever it goes. And so, the question for our customers is, do you have a strategy for protecting and managing sensitive information? Do you know where your sensitive data resides? This seems like a very simple question, but trust me it is a complex issue for most organizations of any size. Trying to understand: “where is all of our sensitive information?” can be a huge project of its own.
The second question is, do you have control of your data as it travels both inside and outside of your organization? When it gets shared with customers and partners via email or SharePoint sites or other online services, when it goes out on someone's mobile device?
And lastly, are you using multiple solutions to classify, label, and protect sensitive data? We find that many of our customers are, and that it's a disjointed set of solutions that don't work together for a common solution.
No matter how much data your organization owns, losing it is costly. Every organization is a target and threats are increasing. To protect what you own, you first need to know what you have, and classify each piece of data automatically according to its impact on your organization. It sounds scary, but it doesn’t have to be! With Microsoft Information Protection you can help customers discover, classify, and protect all their data, no matter where it is stored or who it is shared with.
So, our approach at Microsoft is to detect and classify sensitive information. This is really about understanding where that sensitive information is and which parts of it are sensitive.
Is it all sensitive? Is there just a portion of it? This is really applying those ideas of something that's confidential, highly classified and confidential, not so classified, public information, etc.
That can be a subject of intense debate inside of any large organization, involving the legal team and the risk management team and the IT organization and the business organizations.
The second piece is applying intelligent protection based on that policy. Knowing that the information is sensitive, what type of information protection am I going to apply to it? What is the policy that governs that?
And then lastly, monitoring and remediating. So, understanding where is information going? Who's accessing it? How much control do we actually have over it? And then remediating, understanding how we can make it better in the next cycle. And we want to make sure that we do this across a pretty broad surface area, from devices to applications, to cloud services and to on-premises systems. Across all of those surfaces we really need to make sure that we're understanding how we apply that protection policy.
This gives a more comprehensive view of the different information protection technologies that customers might evaluate as part of their overall strategy. Many of these capabilities already work closely together, and we will continue to build in the right connections so that sensitive information is protected – throughout its journey.
Purpose of slide: Explain how the GDPR defines personal data and sensitive personal data.
Key takeaways
The GDPR considers personal data to be any information related to an identified or identifiable natural person.
Direct identification (e.g., your legal name)
Indirect identification (i.e., specific information that makes it clear it is you the data references).
Online identifiers (e.g., IP addresses, mobile device IDs) and location data (this was previously unclear in the EU Data Protection Directive).
Sensitive personal data is afforded enhanced protections and generally requires an individual’s explicit consent where these data are to be processed.
The GDPR introduces specific definitions for genetic data (e.g., an individual’s gene sequence) and biometric data (e.g., fingerprints, facial recognition, retinal scans).
Other sensitive personal data include:
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
Data concerning health
Data concerning a person’s sex life or sexual orientation.
First, let’s look at the Detect phase of information protection. This involves scanning and detecting sensitive data – all based on the policy defined and configured by your organization.
Key considerations:
Is there an automated way to discover important data?
Which regulations and compliance factors matter?
Is my data spread out across devices, cloud & on prem?
Is my data spread out geographically?
Are certain employees or groups more relevant for discovery?
Do I know the characteristics of sensitive or important data?
In order to achieve comprehensive protection across your organization, it’s important that you are able to discover sensitive information no matter where it is created or lives. That means having sensitive data discovery capabilities across your on premises file shares or datacenters, on individual devices as well as across cloud services and SaaS applications.
Classification: you first have to find the data before you can determine whether it is sensitive or not.
We’re excited to show you that controls like GDPR are built into the service: you don’t have to go figure out whether a Luxembourg passport ID is sensitive or not, VS a UK passport ID.
As part of the cloud intelligence work that we do, we’re building notions such as GDPR sensitive types right into DCS – these get you bootstrapped with discovering GDPR sensitive data very quickly.
We have built in 90+ sensitive data types but you can also create custom sensitive types as per your org requirements.
Exact data match: where you have a payroll or personal-data database, we classify your content by intersecting it in real time with the company secrets held in that database, across all of these locations. If you have a payroll system, it can be part of the process of figuring out which emails contain that sensitive data.
Last but not least, for emails or PDFs containing images, perhaps stored in SharePoint Online, we can use ML (OCR) to identify the text embedded in the images and determine whether it includes secrets.
Powerful: apply to file shares, sharepoint servers, cloud apps and any other service where data is moving. This starts to define our platform. Consistent, ubiquitous cloud-powered classification of your content.
Now you’ve defined policies, and you don’t want to do this 3, 4, 5 times across all of these locations.
What we announced at Ignite at the end of last year is that we’ve unified the admin console in which IT professionals and/or decision makers administer the solution, and where we get insights into what is going on with what we deploy.
Labelling
You have content, it’s been classified, you’ve gone through our platform, and you start indicating which of it is your sensitive content.
The dashboard will start showing you how many labels you have, how many hits you get, content types.
If we look at a label, let’s have a look at the actions I can take with it: encryption, content marking, DLP (which you usually have to attach or bolt on somewhere else), and you can even do auto-labelling.
Encryption: you turn these boxes on and data will start getting encrypted. If you send it to consumers, it will transparently work with them as well.
Content marking: super useful lightweight visual marking
DLP: think about making sure that data doesn’t exit mailboxes or doesn’t get shared to SPO sites
Auto labelling
A lot of us have had experience with data classification where we ask our users to classify content.
We’re also showing you today that the auto-classification technology that has been available with AIP is coming together in the MIP service as auto-labelling: you determine how many instances of the same content need to appear before the label is triggered, and you can set this per group (finance but not marketing).
You go through and publish these labels.
This isn’t a 1 size fits all for the org: you can pick different departments that this policy goes to and define different hierarchies.
We’re only unpacking a little bit today but I encourage you to go ahead and try it.
A typical question we get is: “I’m an AIP customer, we’ve deployed the client, you’ve shown me this nice portal, what does that mean for me?”
The labels are 100% interoperable. We’re using the same label schema in the S&C Center and this portal, so if you have AIP labels and have deployed the client you don’t have to do anything: it will work.
You don’t have to re-create any labels; when your tenant is ready, your S&C Center and this portal will show the same labels.
What happens to your onprem data?
In the last couple of years we’ve been working on the AIP scanner which runs across your file servers and SharePoint (2010, 2013 and 2016) and gives you the same level of classification, labelling and protection of data that you see in O365.
The scanner has a discovery mode and an enforce mode, which applies the label.
It has been generally available for some time now and it’s the way to get full coverage across cloud and on-premises. Some customers use it to discover on-premises data before moving it to the cloud – especially for GDPR compliance.
When you run the scanner in discovery mode (drop the MSI on one or more file server nodes to discover the data across your whole on-premises estate), you now get visibility of the scanner running on all your nodes.
For people that have used the scanner in the past, it was all presented in an Excel sheet. One of the improvements we’ve introduced is that all of it will be available in a UX. You can click on each node and understand the data that is being discovered in each.
Here’s an example of that: the scanner running against a file repository called \\sislands\plubic in “enforce mode”.
The scanner ran against the file server, started discovering data, labelling it and protecting it.
Then you click on each file server and get this view where we actually show you each file: the file it ran against, whether it was classified or not, labelled or not, protected or not.
The user creates the email and tags it as “Confidential”
So this kind of shows you the investments we are making in this area, which provides you with a much better, cleaner experience.
Our goal has been to show you how we discover, classify, label, protect and monitor sensitive data across your entire estate.
And we have a pretty big roadmap coming up to continue to improve MIP.
Some key elements that have come up or which are coming up include
Unified label management – we talked about
Native labelling in Office apps in Mac, iOS and Android
Apply WIP policies based on sensitivity labels
We’ll keep working on the new portals
Add labelling for web apps
DLP for Teams chat messages
Microsoft Field: Please view associated material at https://microsoft.sharepoint.com/sites/Infopedia_G01/Pages/AIP.aspx and Office 365 OnRamp at https://microsoft.sharepoint.com/sites/Infopedia_G03/officeonramp/SitePages/Office365Security.aspx#Security