TRANSCRIPT
Information Protection: Protect and manage your sensitive data throughout its lifecycle
NEW WORLD OF WORK IS DRIVING CHANGE
88% of organizations no longer have confidence to detect and prevent loss of sensitive data
41% of employees say mobile business apps change how they work
85% of enterprise organizations keep sensitive information in the cloud
58% have accidentally sent sensitive information to the wrong person
IN THE PAST, THE FIREWALL WAS THE SECURITY PERIMETER
(diagram: devices, users, apps and data on-premises / in a private cloud)
COMPLIANCE IS TOP-OF-MIND
45% of organizations state lack of governance opens them to security and compliance risks
50% year-over-year growth rate in electronic data
41% of organizations state enforcing of governance is their biggest issue
“I can’t apply unified policies across various data sources or to a specific repository”
“My data is scattered across sources and the data continues to grow”
“When enforcing compliance our business users’ productivity is disrupted”
“How do I find only relevant data when I need it?”
“How do I protect sensitive information such as sensitive PII data across my enterprise?”
“I want data governance to be automatic - not something I have to think about”
HOW DO I PROTECT SENSITIVE INFORMATION?
Detect
Scan & detect sensitive data based on policy
Classify
Classify data and apply labels based on sensitivity
Protect
Apply protection actions, including encryption, access
restrictions
Monitor
Reporting, alerts, remediation
INFORMATION PROTECTION LIFECYCLE
THE LIFECYCLE OF A SENSITIVE FILE
Data is created, imported & modified across various locations.
Data is detected: across devices, cloud services and on-prem environments.
Sensitive data is classified & labeled: based on sensitivity; used for either protection policies or retention policies.
Data is protected based on policy: protection may take the form of encryption, permissions, visual markings, retention, deletion, or a DLP action such as blocking sharing.
Data travels across various locations and is shared: protection is persistent and travels with the data.
Data is monitored: reporting on data sharing, usage and potential abuse; take action & remediate.
Data is retained, expired or deleted: via data governance policies.
MICROSOFT’S APPROACH TO INFORMATION PROTECTION
Detect · Classify · Protect · Monitor, across devices, cloud and on-premises
Comprehensive protection of sensitive data throughout the lifecycle – inside and outside the organization
Detect: Scan & detect sensitive data based on policy
Classify: Classify data and apply labels based on sensitivity
Protect: Apply protection actions, including encryption, access restrictions
Monitor: Reporting, alerts, remediation
DETECT SENSITIVE INFORMATION
(diagram: cloud & SaaS apps)
DETECT SENSITIVE INFORMATION ON DEVICES
Across Windows 10 devices and non-Windows devices
(diagram: business data, non-business data, and sensitive data in Office apps)
Detect on: Windows 10 devices; other platforms (iOS & Android); corporate-issued devices; employee-owned devices
Use built-in information types to detect financial, healthcare, PII, and other sensitive information
Create custom sensitive information types, unique dictionaries and document fingerprinting
Detect cloud apps usage, get a risk assessment and analyze by users, files, activities, locations and managed apps for detailed investigation
Customize content searches and queries for data governance
DETECT SENSITIVE INFORMATION ACROSS CLOUD SERVICES & ON-PREMISES
Label set: HIGHLY CONFIDENTIAL, CONFIDENTIAL, GENERAL, PUBLIC, PERSONAL
Business-led policies & rules; configured by IT
Automatic classification: Policies can be set by IT admins for automatically applying classification and protection to data
Recommended classification: Based on the content you’re working on, you can be prompted with a suggested classification
Manual reclassification: You can override a classification and optionally be required to provide a justification
User-specified classification: Users can choose to apply a sensitivity label to the email or file they are working on with a single click
CLASSIFY INFORMATION BASED ON SENSITIVITY
(example document marked with the FINANCE / CONFIDENTIAL label)
SENSITIVITY LABELS PERSIST WITH THE DOCUMENT
Document labeling – what is it? Metadata written into document files
Travels with the document as it moves
In clear text so that other systems, such as a DLP engine, can read it
Used for the purpose of applying a protection action or data governance action – determined by policy
Can be customized per the organization’s needs
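Because the label is clear-text metadata inside the file, any system that can open the package can read it. The following is an added example (not code from this deck or from Azure Information Protection) that reads label properties from the custom-properties part of an Office Open XML document; the MSIP_Label_<GUID>_<Attribute> naming scheme, the label GUID and the attribute values are assumptions constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by OOXML custom document properties (docProps/custom.xml).
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Assumption: the labeling client stores one property per label attribute,
# named MSIP_Label_<label-GUID>_<Attribute> (e.g. _Name, _Enabled, _Method).
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$")

def read_sensitivity_labels(docx_bytes: bytes) -> dict:
    """Return {label_guid: {attribute: value}} for every label property
    found in the document's clear-text custom properties."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels  # no custom properties at all: document is unlabeled
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CP}}}property"):
        m = LABEL_RE.match(prop.get("name", ""))
        if not m:
            continue  # some other custom property (author, department, ...)
        guid, attr = m.group(1).lower(), m.group(2)
        value_el = prop.find(f"{{{NS_VT}}}lpwstr")
        labels.setdefault(guid, {})[attr] = value_el.text if value_el is not None else ""
    return labels

def make_sample_docx(label_guid: str, name: str) -> bytes:
    """Build a constructed, minimal docx-like package carrying one label
    plus an unrelated custom property that the reader must ignore."""
    entries = [(f"MSIP_Label_{label_guid}_Enabled", "true"),
               (f"MSIP_Label_{label_guid}_Name", name),
               (f"MSIP_Label_{label_guid}_Method", "Privileged"),
               ("Department", "Finance")]
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="{n}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (n, v) in enumerate(entries, start=2))
    custom_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{NS_CP}" '
                  f'xmlns:vt="{NS_VT}">{props}</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not a full package
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()

SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed label id
```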
CLASSIFICATION & LABELING ENABLES POLICY-DRIVEN ACTIONS
Protection actions across locations: Classification and labeling is used to apply protection policies – encryption, permissions, DLP actions, end-user notifications and IT alerts
Data governance actions for Office 365 files: Classification and labeling is used to apply data governance policies in Office 365, including data retention, expiration and deletion
(Office 365 locations: Exchange Online, SharePoint Online, OneDrive for Business)
Policies for specific groups or departments: Can be viewed and applied only by members of that group
Policies targeting specific locations: Determine which locations are subject to policy, such as Exchange Online and SharePoint Online
Configure label schema and settings: Customize labels, sub-labels and settings like mandatory labeling, default label and justifications
DEFINE AND CUSTOMIZE POLICIES
System automatically detects certain data types in documents and recommends policies
Easy starting point for further customizations
POLICY RECOMMENDATIONS HELP YOU GET STARTED
Labels are persistent and readable by other systems, e.g. a DLP engine
Label is metadata written to data
Sensitive data is automatically detected
CLASSIFICATION & LABELING EXAMPLE – SENSITIVE DATA
Discover personal data and apply persistent labels
Labeling can be end-user driven or automatically applied
CLASSIFICATION & LABELING EXAMPLE – DATA GOVERNANCE
PROTECT SENSITIVE DATA ACROSS YOUR ENVIRONMENT
Devices: drive encryption; remote wipe; business data separation
Cloud & on-premises: file encryption; permissions and rights-based restrictions; DLP actions to prevent sharing; policy tips & notifications for end-users; visual markings in documents; control and protect data in cloud apps with granular policies and anomaly detection; data retention, expiration, deletion
Device encryption: Drives in devices are easily encrypted and cannot be accessed by unauthorized users when a device is lost or stolen
Removable storage encryption: Encrypt information on removable storage devices, such as a USB drive
Remote wipe: Delete data on devices – on demand
PROTECT INFORMATION ON LOST OR STOLEN DEVICES
Separation and containment of business information: Prevents accidental leaks by automatically separating and containing business information
Business-led policies & IT stays in control: Policies enable IT to define which apps and users are authorized to access business information as well as the rights users have when using it (e.g. copy and paste)
Easy for end users: Built directly into Windows and works behind the scenes – only notifying users when they’re attempting to take unauthorized actions
PROTECT BUSINESS INFORMATION ON WINDOWS 10 DEVICES
Device security configuration: Enforce device security policies such as encryption, password/PIN requirements, jailbreak/root detection and more
Remote actions: Enforce device security policies such as encryption, password/PIN requirements, jailbreak/root detection and more
Restrict apps and URLs: Restrict access to specific applications or URL addresses on mobile devices and PCs
SECURE DEVICES WITH MOBILE DEVICE MANAGEMENT CAPABILITIES
Data control: Control what happens to docs and data after they’ve been accessed with app protection policies
▪ App encryption at rest
▪ App access control—PIN or credentials
▪ Save as/copy/paste restrictions
▪ App-level selective wipe
▪ Apply policies for Windows 10 Information Protection for even greater control
Data separation: Multi-identity allows you to separate company data from personal data within an app
PROTECT DATA ON DEVICES AT THE APP LEVEL WITH MOBILE APP PROTECTION POLICIES
(diagram: managed apps restrict features, sharing and downloads; MDM (3rd party or Intune) is optional, app-level protection is available with or without enrollment; a multi-identity policy separates corporate data from personal data)
PROTECT SENSITIVE INFORMATION ACROSS CLOUD SERVICES & ON-PREMISES
Data encryption built into Azure & Office 365
Revoke app access
File-level encryption and permissions
Policy tips to notify and educate end users
DLP actions to block sharing
Visual markings to indicate sensitive documents
Control cloud app access & usage
Retain, expire or delete documents
PROTECTION EXAMPLE: DLP POLICY TO LIMIT DOCUMENT SHARING
Policy tips to warn end users
Restrict or block sharing – internally or externally
Across Office client applications – mobile, desktop & tablets
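The detect slide earlier lists built-in and custom sensitive information types, and this slide shows a DLP policy turning the resulting classification into a sharing decision. The following is an added example (not code from this deck or from Office 365 DLP) that chains the two: a built-in-style detector (card number with Luhn check), a custom keyword dictionary, a recommended label, and the policy tip or block that follows. The label names, dictionary terms, thresholds and tip texts are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed label set, ordered from least to most sensitive.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]
# Constructed custom dictionary (the "unique dictionaries" sensitive info type).
CUSTOM_DICTIONARY = {"project falcon": "Confidential", "merger memo": "Confidential"}
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

@dataclass
class Finding:
    info_type: str   # which sensitive information type fired
    match: str       # the matched text
    label: str       # label the policy recommends for this type

def luhn_ok(digits: str) -> bool:
    """Checksum used to cut false positives on card-number-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> list[Finding]:
    """Run the built-in-style card detector and the custom dictionary."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("Credit Card Number", m.group(), "Highly Confidential"))
    lowered = text.lower()
    for term, label in CUSTOM_DICTIONARY.items():
        if term in lowered:
            findings.append(Finding("Custom dictionary", term, label))
    return findings

def recommend_label(findings: list[Finding]) -> str:
    """Most sensitive label among the findings; General when nothing fired."""
    if not findings:
        return "General"
    return max((f.label for f in findings), key=LABEL_ORDER.index)

def sharing_decision(label: str, external: bool) -> tuple[str, str]:
    """Map the label to a DLP action: ('block' | 'warn' | 'allow', policy tip)."""
    if label == "Highly Confidential":
        return "block", "Sharing blocked: this document contains highly confidential content."
    if label == "Confidential" and external:
        return "block", "External sharing blocked: this document is labeled Confidential."
    if label == "Confidential":
        return "warn", "Policy tip: this document is Confidential; share only with those who need it."
    return "allow", ""
```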
PROTECT DATA IN CLOUD APPS WITH CLOUD APP SECURITY
Granular data loss prevention (DLP) policies: Set granular policies to control data in the cloud—either automated or based on file label—using out-of-the-box policies or you can customize your own
Policy enforcement: Identify policy violations, enforce actions such as quarantine and permissions removal
Understands classification & labeling: Reads classification and labeling in the document – so you can gain visibility into sharing of sensitive files and create policies
Revoke access for 3rd party apps: Detect and manage 3rd party app access
Retention: Retain content in sites, mailboxes, and public folders indefinitely or for a specific duration
In-place: Data remains in its original location in Office 365 and users can continue to work with their documents or mail, but a copy of the content as it existed when you initiated the policy is preserved
Delete data: A retention policy can both retain and then delete data, or simply delete old data without retaining it
AUTOMATICALLY RETAIN AND DELETE DOCUMENTS IN OFFICE 365 WITH DATA GOVERNANCE
MONITOR INFORMATION PROTECTION EVENTS FOR GREATER CONTROL
Visibility: policy violations; document access & sharing; app usage; anomalous activity; end-user overrides; false positives
Take action: tune & revise policies; revoke access; quarantine file; quarantine user; integrate into workflows & SIEM
Know when policy is violated: Incident report emails alert you in real time when content violates policy
See the effectiveness of your policies: Built-in reports help you see historical information and tune policies
Integrates with other systems: Leverage the Activity Management API to pull information into SIEM and workflow tools
MONITOR DLP AND DATA GOVERNANCE EVENTS
Distribution visibility: Analyze the flow of personal and sensitive data and detect risky behaviors
Access logging: Track who is accessing documents and from where
Access revocation: Prevent data leakage or misuse by changing or revoking document access remotely
MONITOR DOCUMENT SHARING & ACCESS
Advanced incident investigation tools: Investigate users, files, activities, locations and managed apps; quantify exposure and risk
Cloud data visibility: Identify how data – both classified and not classified – is shared across cloud apps and identify risk
Cloud app risk assessment: Assess the risk of cloud apps based on ~60 security and compliance risk factors
Ongoing analytics & anomaly detection: Get anomalous usage alerts, new app and trending app alerts
MONITOR CLOUD APP USAGE
MICROSOFT’S INFORMATION PROTECTION SOLUTIONS
Detect · Classify · Protect · Monitor, across devices, cloud and on-premises
Comprehensive protection of sensitive data throughout the lifecycle – inside and outside the organization
Devices (PCs, tablets, mobile): Windows Information Protection & BitLocker for Windows 10; Intune MDM & MAM for iOS & Android
Office 365 (Exchange Online, SharePoint Online & OneDrive for Business): Office 365 DLP; Office 365 Advanced Data Governance
Cloud services, SaaS apps & on-premises (Azure, 3rd-party SaaS, datacenters, file shares): Azure Information Protection; Microsoft Cloud App Security
Highly regulated
MICROSOFT’S INFORMATION PROTECTION SOLUTIONS
Comprehensive protection of sensitive data across devices, cloud services and on-premises environments
Devices · Office 365 · Cloud services, SaaS apps & on-premises
Use Windows Information Protection for your Windows 10 devices and Intune Mobile Device Management & Mobile App Management policies for iOS and Android devices
Use Office 365 DLP to protect your Office 365 email and documents
Use Office 365 Advanced Data Governance for data governance, retention & expiration
Use Azure Information Protection to protect beyond Office 365 – on the supported versions of Office, Windows and mobile devices
GETTING STARTED:
Azure Information Protection
Learn more about Azure Information Protection
Blog – Announcing Azure Information Protection
Intro to Microsoft Cloud App Security (video)
Office 365 Information Protection
Overview of Office 365 Data Loss Prevention (DLP)
Blog – Announcing the release of Office 365 Advanced Data Governance
File Protection Solutions in Office 365
Windows Information Protection
Blog – Introducing Windows Information Protection
Protect your enterprise data using Windows Information Protection
RESOURCES
Thank You