6. Chapter 1: General Provisions
Chapter 2: Principles
Chapter 3: Rights of the Data Subject
Chapter 4: Controller and Processor
Chapter 5: Transfer of personal data to third countries or international organizations
Chapter 6: Independent Supervisory Authorities
Chapter 7: Co-operation and Consistency
Chapter 8: Remedies, Liability, and Sanctions
Chapter 9: Provisions relating to specific data processing situations
Chapter 10: Delegated Acts and Implementing Acts
Chapter 11: Final provisions
https://www.eugdpr.org/article-summaries.html
Download the Whitepaper and further information: http://www.sharepointtalk.net/search/label/GDPR
12. Capabilities: Identity & Access Management; Mobile Device & Application Management; Data Loss Prevention; User & Entity Behavioral Analytics; Cloud Access Security Broker; Information Rights Management
Goals: Protect at the front door; Detect & remediate attacks; Protect your data anywhere
13. Pillars: Identity and access management; Mobile device & app management; Information protection; Threat protection
Goals: Protect at the front door; Detect & remediate attacks; Protect your data anywhere
23. IF (risk signals): Privileged user? Credentials found in public? Accessing sensitive app? Unmanaged device? Malware detected? IP detected in botnet? Impossible travel? Anonymous client?
User risk: High / Medium / Low
Session risk: High / Medium / Low
THEN (controls): Require MFA; Allow access; Deny access; Force password reset; Limit access
24. Scenario: Travel Expense app
User: Role Sales Account Rep; Group London Users; Client Mobile; Config Corp Proxy; Location London, UK; Last sign-in 5 hrs ago
Sign-in context: Health fully patched; Config managed; Last seen London, UK
Conditional access risk: Low
Decision: Allow access
25. Scenario: Confidential Sales app
User: Role VP Marketing; Group Executive Users; Client Mobile; Config Corp Proxy; Location London, UK; Last sign-in 5 hrs ago
Sign-in context: Health fully patched; Config managed; Last seen London, UK
Conditional access risk: Low
Conditional access policy: user is a member of a sensitive group; application is classified High Business Impact
Decision: Require MFA
26. Scenario: Sales app
User: Role Sales Account Representative; Group London Users; Client Mobile; Config Corp Proxy; Location London, UK; Last sign-in 5 hrs ago
Sign-in context: Health unknown; Client browser; Config anonymous; Last seen Asia
Risk detections: Anonymous IP; Unfamiliar sign-in location for this user
Conditional access risk: High
Decision: Block access; Force password reset
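The IF/THEN matrix of slide 23 and the three scenarios of slides 24 to 26 can be written down as a decision function. The following is an added example, not Microsoft's code: the detection names, the tier assigned to each, the escalation rule (two medium detections on the same user or session count as high) and the sample sign-ins are constructed so that the three slide scenarios come out as the slides show them; Azure AD Identity Protection derives risk from far more signals and from learned models.

```python
"""Risk-based conditional access: the IF / THEN matrix on the slides as a
decision function.

Added example, not Microsoft's code. Detection names, the tier each one
carries, the escalation rule and the sample sign-ins are constructed to
reproduce the three slide scenarios (travel expense app, confidential sales
app, anonymous sign-in from Asia).
"""
from dataclasses import dataclass, field

# Risk detections and the tier each carries on its own (constructed).
DETECTION_TIER = {
    "credentials_found_in_public": "high",
    "ip_in_botnet": "high",
    "malware_detected": "high",
    "impossible_travel": "high",
    "anonymous_client": "medium",    # Tor exit or anonymizing proxy
    "unfamiliar_location": "medium",
}


def aggregate(detections):
    """Collapse a set of detections into low / medium / high.

    Two medium detections on the same object count as high: each alone has
    an innocent explanation, the pair rarely does. An unknown detection name
    raises, so a typo in a policy fails closed instead of lowering the risk.
    """
    tiers = []
    for name in detections:
        if name not in DETECTION_TIER:
            raise ValueError(f"unknown risk detection: {name}")
        tiers.append(DETECTION_TIER[name])
    if "high" in tiers or tiers.count("medium") >= 2:
        return "high"
    if "medium" in tiers:
        return "medium"
    return "low"


@dataclass
class SignIn:
    user: str
    app_hbi: bool                  # target app classified High Business Impact
    device_managed: bool           # enrolled and compliant
    sensitive_group: bool = False  # e.g. Executive Users
    privileged: bool = False
    session_detections: set = field(default_factory=set)    # this sign-in
    open_user_detections: set = field(default_factory=set)  # earlier, unremediated


def decide(s):
    """Return (controls, user_risk, session_risk) for one sign-in."""
    session_risk = aggregate(s.session_detections)
    # User risk is the account's outstanding detections including the ones
    # this sign-in just produced: a risky session leaves behind a risky user.
    user_risk = aggregate(s.open_user_detections | s.session_detections)

    controls = []
    if session_risk == "high":
        controls.append("deny access")           # this session is not let in
    if user_risk == "high":
        controls.append("force password reset")  # the credential itself is suspect
    if controls:
        return controls, user_risk, session_risk

    if user_risk == "medium" or session_risk == "medium":
        controls.append("require MFA")
    elif s.app_hbi and (s.sensitive_group or s.privileged):
        controls.append("require MFA")           # slide 25: sensitive group + HBI app
    if s.app_hbi and not s.device_managed:
        controls.append("limit access")          # e.g. browser only, no download
    if not controls:
        controls.append("allow access")
    return controls, user_risk, session_risk


# Constructed sign-ins mirroring slides 24, 25 and 26, plus one for "limit access".
TRAVEL_EXPENSE = SignIn("sales.rep@contoso.example", app_hbi=False, device_managed=True)
CONFIDENTIAL_SALES = SignIn("vp.marketing@contoso.example", app_hbi=True,
                            device_managed=True, sensitive_group=True)
ANONYMOUS_ASIA = SignIn("sales.rep@contoso.example", app_hbi=True, device_managed=False,
                        session_detections={"anonymous_client", "unfamiliar_location"})
UNMANAGED_HBI = SignIn("sales.rep@contoso.example", app_hbi=True, device_managed=False)

if __name__ == "__main__":
    for label, s in [("travel expense app", TRAVEL_EXPENSE),
                     ("confidential sales app", CONFIDENTIAL_SALES),
                     ("anonymous client, Asia", ANONYMOUS_ASIA),
                     ("HBI app, unmanaged device", UNMANAGED_HBI)]:
        controls, ur, sr = decide(s)
        print(f"{label:26} user={ur:6} session={sr:6} -> {', '.join(controls)}")
```

The point worth keeping from the model is the split between session risk (this sign-in) and user risk (everything outstanding on the account): the anonymous sign-in from Asia is denied because the session is risky, and the password is reset because that same detection now sits on the user until it is remediated.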
27. Enforce on-demand, just-in-time administrative access when needed
Use alerts, audit reports and access reviews
Discover, restrict, and monitor privileged identities
Diagram: a Domain User is elevated to Global Administrator on demand; administrator privileges expire after a specified interval
35. Classification levels: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED
IT admin can set policies, templates, and rules.
Classifications, labels and encryption can be applied automatically based on file source, context, and content.
EMS extends Office 365 manual protection of files with automatic protection to ensure policy compliance.
Encryption stays with the file wherever it goes, internally and externally.
Files can be tracked by sender and access revoked if needed.
Classification and labeling: classify data based on sensitivity and add labels, manually or automatically.
Protection: encrypt sensitive data and define usage rights; add visual markings when needed.
Monitoring: detailed tracking and reporting to maintain control over shared data.
36. Comprehensive policies to protect and govern your most important data, throughout its lifecycle. Data is growing at an exponential rate.
Discover: sensitive data discovery; data at risk; policy violations; policy recommendations; proactive alerts.
Classify and label: sensitivity labels and retention labels, through a unified approach to discover, classify and label.
Apply label, sensitivity actions: encryption; restrict access; watermark; header/footer.
Apply label, retention actions: retention; deletion; records management; archiving.
Monitor: proactive monitoring to identify risks.
Automatically apply policy-based actions; broad coverage across locations.
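Slides 35 and 36 describe the pipeline: content (and source) decides the label, the label decides the protection and retention actions, and automatic classification only ever raises a label. The following is an added example of that pipeline, not the Azure Information Protection engine: the four label names are the tiers on slide 35, while the detectors (a payment card number validated with the Luhn check, a constructed "Project Falcon" code name), the per-source floors, the per-label action sets and the sample text are all constructed for illustration.

```python
"""Automatic classification: content and source decide the sensitivity label,
the label decides the protection and retention actions.

Added example, not the Azure Information Protection engine. Label names are
the slide's four tiers; detectors, source floors, actions and sample text
are constructed.
"""
import re

LABELS = ["NOT RESTRICTED", "INTERNAL", "CONFIDENTIAL", "SECRET"]  # low to high

# Actions a label carries (slide 36's protection and retention actions).
ACTIONS = {
    "NOT RESTRICTED": set(),
    "INTERNAL": {"header/footer"},
    "CONFIDENTIAL": {"header/footer", "watermark", "encrypt", "retain 7 years"},
    "SECRET": {"header/footer", "watermark", "encrypt",
               "restrict access to owner group", "retain 10 years"},
}

# Minimum label by where the file came from (constructed source names).
SOURCE_FLOOR = {"hr-share": "CONFIDENTIAL", "intranet": "INTERNAL"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CODENAME_RE = re.compile(r"\bProject Falcon\b")  # constructed internal code name


def luhn_ok(digits):
    """Luhn check digit: filters order numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs of card length that also pass Luhn, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def rank(label):
    return LABELS.index(label)


def classify(text, source, current_label="NOT RESTRICTED"):
    """Return (label, sorted actions, findings).

    Automatic classification only raises a label; lowering one is left to a
    person who can justify it, so the existing label acts as a floor too.
    """
    findings = []
    proposed = "NOT RESTRICTED"
    cards = find_card_numbers(text)
    if cards:
        findings.append(f"{len(cards)} payment card number(s)")
        proposed = "CONFIDENTIAL"
    if CODENAME_RE.search(text):
        findings.append("internal project code name")
        proposed = "SECRET"
    floor = SOURCE_FLOOR.get(source, "NOT RESTRICTED")
    if rank(floor) > rank(proposed):
        findings.append(f"source '{source}' requires at least {floor}")
        proposed = floor
    label = max(proposed, current_label, key=rank)
    return label, sorted(ACTIONS[label]), findings


# Constructed sample documents.
EXPENSE_NOTE = ("Reimbursement to card 4111 1111 1111 1111, order ref 1234 5678 9012 3456. "
                "Ask the Project Falcon team for the vendor contract.")
LUNCH_MENU = "Friday lunch menu: soup, salad, pasta."

if __name__ == "__main__":
    for text, src in [(EXPENSE_NOTE, "finance"), (LUNCH_MENU, "intranet"),
                      (LUNCH_MENU, "hr-share")]:
        label, actions, findings = classify(text, src)
        print(f"{src:9} -> {label:14} {actions}  {findings}")
```

The Luhn check is what keeps the order reference in the sample out of the findings: a length-only pattern would label every sixteen-digit number as a card and drown the policy violations of slide 36 in false positives.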
37. What is a sensitivity label? (example: CONFIDENTIAL)
A tag that is customizable, in cleartext, and persistent. It becomes the basis for applying and enforcing data protection policies.
In files and emails, the label is persisted as document metadata.
In SharePoint Online, the label is persisted as container metadata.
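"In cleartext, and persistent" has a concrete meaning for Office files: the label lives as custom document properties in the docProps/custom.xml part of the OOXML zip, where any tool can read it without Office. The following is an added example, not Microsoft's code: the MSIP_Label_<GUID>_* property names follow the scheme the Azure Information Protection client writes, while the label GUID, label name, set date and document body are constructed, and the zip is a minimal stand-in for a .docx (Word would also expect [Content_Types].xml and relationship parts). The last function shows the caveat a practitioner should keep in mind: on an unencrypted file the cleartext label can be stripped by whoever holds the file, so the label classifies and the encryption protects.

```python
"""A sensitivity label stored as cleartext document metadata, written and read
back without Office.

Added example, not Microsoft's code. Property names follow the AIP client's
MSIP_Label_<GUID>_* scheme; GUID, values and document body are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FMTID_USER_DEFINED = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
LABEL_ID = "8f2d5a61-1c3e-4b7a-9d2f-0a1b2c3d4e5f"  # constructed label GUID
LABEL_PROP = re.compile(r"^MSIP_Label_(?P<id>[0-9a-fA-F-]{36})_(?P<field>\w+)$")

ET.register_namespace("", NS_CUSTOM)
ET.register_namespace("vt", NS_VT)


def build_labelled_docx(label_name, label_id=LABEL_ID, body="Q3 pipeline figures."):
    """Return bytes of a minimal docx-style zip whose custom.xml carries a label."""
    props = ET.Element(f"{{{NS_CUSTOM}}}Properties")
    fields = {"Enabled": "true", "Name": label_name, "Method": "Standard",
              "SetDate": "2018-05-25T09:00:00Z"}  # constructed values
    for pid, (field, value) in enumerate(fields.items(), start=2):  # pids start at 2
        prop = ET.SubElement(props, f"{{{NS_CUSTOM}}}property",
                             fmtid=FMTID_USER_DEFINED, pid=str(pid),
                             name=f"MSIP_Label_{label_id}_{field}")
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    custom_xml = ET.tostring(props, encoding="UTF-8", xml_declaration=True)
    document_xml = (f'<w:document xmlns:w="{NS_W}"><w:body><w:p><w:r>'
                    f"<w:t>{body}</w:t></w:r></w:p></w:body></w:document>")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/custom.xml", custom_xml)
        z.writestr("word/document.xml", document_xml)
    return out.getvalue()


def read_labels(docx_bytes):
    """Parse docProps/custom.xml and return {label_id: {field: value}}."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return labels
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{NS_CUSTOM}}}property"):
        m = LABEL_PROP.match(prop.get("name", ""))
        if m is None:
            continue
        value = prop[0].text if len(prop) else None  # the vt:* value element
        labels.setdefault(m["id"].lower(), {})[m["field"]] = value
    return labels


def effective_label(docx_bytes):
    """Name of the enabled label, or None when the file carries none."""
    for fields in read_labels(docx_bytes).values():
        if (fields.get("Enabled") or "").lower() == "true":
            return fields.get("Name")
    return None


def strip_label(docx_bytes):
    """Rewrite the zip without custom.xml. Nothing stops the holder of an
    unencrypted file from doing this, which is why the label is a
    classification and the encryption is the control."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != "docProps/custom.xml":
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


if __name__ == "__main__":
    doc = build_labelled_docx("CONFIDENTIAL")
    print(read_labels(doc))
    print("label:", effective_label(doc), "| after stripping:", effective_label(strip_label(doc)))
```

read_labels is the kind of check a CASB or DLP scan runs against files at rest: because the label is cleartext metadata, a scanner can tell that an INTERNAL-tagged document sits on a public share without having rights to decrypt it.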
46. Advanced device management
Device security configuration: enforce device encryption, password/PIN requirements, jailbreak/root detection, etc.
Restrict apps and URLs: restrict access to specific applications or URL addresses on mobile devices and PCs.
Data control / separation: control company data after it has been accessed, and separate it from personal data. Managed apps hold corporate data, personal apps hold personal data (multi-identity policy). MDM (3rd party or Intune) is optional.
52. OneDrive for Business flow (app protection policy):
1. User adds business account to OneDrive app.
2. Intune configures app protection policy: Copy/Paste/Save As controls; PIN required; encrypt storage.
3. User is prompted to create a PIN.
4. Access allowed; user edits document stored in OneDrive for Business.
5. User saves document to…
53. Corporate email flow (device enrollment):
1. User adds business account to email app.
2. User is prompted to enroll device.
3. Intune enrolls device and applies policies: PIN required; encrypt storage; image is not jailbroken.
4. Device checked for compliance.
5. Access allowed; business email account is added.
57. Threat detection: on-premises abnormal behavior and advanced threat detection; identity-based attack and threat detection; anomaly detection for cloud apps.
58. Time-of-click protection against malicious URLs
URL reputation checks along with detonation of
attachments at destination URLs.
Zero-day protection against malicious attachments
Attachments with unknown virus signatures are assessed
using behavioral analysis.
Critical insights into external threats
Rich reporting and tracking features provide critical insights
into the targets and categories of attacks.
Integrated across apps & services
Protection across Exchange Online, SharePoint Online,
OneDrive for Business, and Office apps.
Intelligence sharing with devices
Integration with Windows Advanced Threat Protection to
correlate data across users and devices.
59. Advanced investigation: gain useful insights from user, file, activity, and location logs.
Behavioral analytics: assess risk in each transaction and identify anomalies in your cloud environment that may indicate a breach.
Threat intelligence: enhance behavioral analytics with insights from the Microsoft Intelligent Security Graph to identify anomalies and attacks.
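One of the anomalies behavioral analytics derives from location logs, and one of the signals in the slide 23 matrix, is impossible travel: two sign-ins by the same user whose locations are too far apart for the time between them. The following is an added example of that detector run over a constructed sign-in log, not Microsoft Cloud App Security's implementation: the records (timestamp, user, city, latitude, longitude, source IP), the 900 km/h ceiling (roughly airline cruising speed) and the one-minute floor on the time gap are this example's choices, and records without coordinates (anonymizing proxies) are left to a separate detector.

```python
"""Impossible travel: consecutive sign-ins by one user whose locations are too
far apart for the time elapsed.

Added example, not Microsoft Cloud App Security's detector. Sign-in records,
speed ceiling and time floor are constructed choices.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sign-in log: ts,user,city,lat,lon,ip (blank lat/lon = no geolocation).
SAMPLE_LOG = """\
2017-07-11T08:02:00Z,alice@contoso.example,London,51.5074,-0.1278,203.0.113.5
2017-07-11T09:40:00Z,alice@contoso.example,Singapore,1.3521,103.8198,198.51.100.7
2017-07-12T22:00:00Z,alice@contoso.example,New York,40.7128,-74.0060,192.0.2.44
2017-07-11T08:00:00Z,bob@contoso.example,London,51.5074,-0.1278,203.0.113.9
2017-07-11T12:30:00Z,bob@contoso.example,Paris,48.8566,2.3522,198.51.100.12
2017-07-11T10:00:00Z,dave@contoso.example,Berlin,52.5200,13.4050,203.0.113.77
2017-07-11T10:00:30Z,dave@contoso.example,Tokyo,35.6762,139.6503,198.51.100.201
2017-07-11T11:00:00Z,eve@contoso.example,unknown,,,192.0.2.250
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    city: str
    lat: Optional[float]
    lon: Optional[float]
    ip: str


@dataclass
class Alert:
    user: str
    from_city: str
    to_city: str
    km: int
    kmh: int


def parse_log(text):
    """Parse the constructed CSV into SignIn records; blank coordinates become None."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon, ip = line.split(",")
        events.append(SignIn(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user, city, float(lat) if lat else None, float(lon) if lon else None, ip))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each sign-in with the same user's previous geolocated sign-in."""
    by_user = {}
    for e in events:
        if e.lat is None or e.lon is None:
            continue  # anonymous client: a different detector's job
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user in sorted(by_user):
        chain = sorted(by_user[user], key=lambda e: e.ts)
        for prev, cur in zip(chain, chain[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Floor the gap at one minute: sign-ins seconds apart from two
            # continents must alert, not divide by (almost) zero.
            hours = max((cur.ts - prev.ts).total_seconds() / 3600.0, 1 / 60.0)
            if km / hours > max_kmh:
                alerts.append(Alert(user, prev.city, cur.city, round(km), round(km / hours)))
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"{a.user}: {a.from_city} -> {a.to_city}, {a.km} km at ~{a.kmh} km/h")
```

In the sample, alice's London to Singapore hop in under two hours and dave's Berlin to Tokyo pair thirty seconds apart alert; alice's later New York sign-in does not, because thirty-six hours is enough to fly there, and bob's London to Paris afternoon is ordinary travel. A production detector would additionally discount known VPN egress points and corporate proxies, which otherwise generate exactly this pattern.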
61. Cloud App Security scenario: a user (Role Finance; Group Contoso Finance; Office London, UK) uploads a document tagged INTERNAL by Azure Information Protection to a public share. Cloud App Security identifies the INTERNAL-tagged document being shared publicly, moves it to quarantine, restricts it to the owner, and notifies the admin about the problem in the Cloud App Security portal.
65. Visibility: understand the security state and risks across resources. Control: define consistent security policies and enable controls. Guidance: elevate security through built-in intelligence and recommendations.
Enhanced security through simplified and intelligent security management across identity, devices, apps / data and infrastructure, powered by the Intelligent Security Graph, with Microsoft Azure Active Directory, Windows Defender Security Center, Office 365 Security & Compliance Center, Microsoft Cloud Application Security and Azure Security Center.
70. Holistic and innovative solutions for protection across users, devices, apps and data:
Identity and access management: Azure Active Directory Premium
Mobile device & app management: Microsoft Intune
Information protection: Azure Information Protection
Threat protection: Microsoft Cloud App Security; Microsoft Advanced Threat Analytics
71. EMS E3 vs E5 (technology: benefit; plans that include it)
Azure Active Directory Premium P1: secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting. E3, E5
Azure Active Directory Premium P2: identity and access management with advanced protection for users and privileged identities. E5
Microsoft Intune: mobile device and app management to protect corporate apps and data on any device. E3, E5
Azure Information Protection P1: encryption for all files and storage locations; cloud-based file tracking. E3, E5
Azure Information Protection P2: intelligent classification and encryption for files shared inside and outside your organization. E5
Microsoft Cloud App Security: enterprise-grade visibility, control, and protection for your cloud applications. E5
Microsoft Advanced Threat Analytics: protection from advanced targeted attacks leveraging user and entity behavioral analytics. E3, E5
Categories: identity and access management; managed mobile productivity; information protection; threat protection.
72. Overall Cybersecurity Reference Architecture (diagram; last updated July 2017, latest at http://aka.ms/MCRA)
Nearly all customer breaches that Microsoft's Incident Response team investigates involve credential theft. 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBIR). 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013).
Diagram components (grouping approximate):
Identity & access: Azure AD Identity Protection; Azure AD PIM; MIM PAM; Multi-Factor Authentication; Conditional Access; Hello for Business; Certification Authority (PKI); ESAE admin forest; Privileged Access Workstations (PAWs); domain controllers.
Clients: Windows 10 managed clients with Windows 10 Security (Secure Boot, Device Guard, Exploit Guard, Application Guard, Credential Guard, Windows Hello, Remote Credential Guard, Device Health Attestation); Windows Information Protection; EPP (Windows Defender AV); EDR (Windows ATP); Endpoint DLP; System Center Configuration Manager + Intune; Intune MDM/MAM; legacy Windows; Mac OS; unmanaged & mobile clients; Internet of Things.
Information protection: Azure Information Protection (AIP: classify, label, protect, report); Office 365 Information Protection; classification labels; Hold Your Own Key (HYOK); Office 365 DLP; Edge DLP.
Software as a Service / Office 365: Office 365 ATP (email gateway, anti-malware, threat protection, threat detection); Office 365 Security & Compliance; Office 365 Threat Intelligence; Cloud App Security; ASM; Lockbox.
On-premises datacenter(s), extranet and colocation: NGFW; IPS; SSL proxy; security appliances; VPN; enterprise servers and VMs; ATA; Windows Server 2016 Security (Shielded VMs, Device Guard, Credential Guard, Just Enough Admin, Hyper-V Containers, Nano Server, Defender AV, Defender ATP (roadmap), and more); sensitive workloads.
Microsoft Azure: Azure Key Vault; Network Security Groups; Azure App Gateway; Azure Antimalware; Azure SQL Threat Detection; SQL encryption & data masking; SQL firewall; disk & storage encryption; DDoS attack mitigation; Backup & Site Recovery; Azure Security Center (ASC); Shielded VMs.
Security Operations Center (SOC): SIEM integration; WEF; analytics / UEBA; MSSP; Windows Security Center; Azure Security Center; vulnerability management; Cybersecurity Operations Service (COS); Incident Response and Recovery Services; Security Development Lifecycle (SDL).
73. Workshop approach (https://www.xpertsatwork.com/workshops):
1. Set up your solution for some test users
2. Testing
3. Evaluate | v2 of your solution
4. Rollout