Supporting your GDPR compliance journey with Microsoft

Tomas Kibirkštis

Date post: 11-Apr-2018

Corporate · Public · Private cloud · Vendors · SaaS · Remote team · Personal

Data is shared more often and more widely than ever.

How do I get started?

1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications

Discover

In-scope: any data that helps you identify a person

• Name
• Email address
• Social media posts
• Physical, physiological, or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies
• Cultural identity

Inventory: any container where personal data is collected and stored

• Emails
• Documents
• Databases
• Removable media
• Metadata
• Log files
• Backups

Identify what personal data you have and where it resides

Gain deep visibility and granular controls into cloud app usage with Microsoft Cloud App Security

• Cloud discovery: Discover cloud apps used in your organization, get a risk assessment and alerts on risky usage.
• Data visibility: Gain deep visibility into where data travels by investigating all activities, files and accounts for managed apps.
• Data control: Monitor and protect personal and sensitive data stored in cloud apps using granular policies.

• On-going analytics: Get anomalous usage alerts, new app and trending apps alerts.
• Discovery of cloud apps and data: Discover 13K+ cloud apps in use across your networks and the sensitive data they store.
• Cloud app risk assessment: Assess the risk of cloud apps based on ~60 security and compliance risk factors.
• Log anonymization: Protect your employees’ privacy while discovering cloud apps in your environment.
• Granular data loss prevention (DLP) policies: Set granular policies to control data in the cloud—either automated or based on file label—using out-of-the-box policies or ones you customize yourself.
• Revoke access for 3rd party apps: Detect and manage 3rd party app access.
• Policy enforcement: Identify policy violations and enforce actions such as quarantine and permissions removal.

• Increased visibility: Cloud App Security reads labels set by AIP to give admins visibility into sharing of sensitive files.
• Improved control: Admins can set policies for controlling sharing of sensitive files and also get alerted if the policies are violated.

Manage

Govern how personal data is used and accessed

Data governance: defining policies, roles and responsibilities for the management and use of personal data

• At rest · In process · In transit
• Storing · Recovery · Archiving · Retaining · Disposal

Data classification: organizing and labeling data to ensure proper handling

• Types · Sensitivity · Context / use
• Ownership: Custodians · Administrators · Users

Protect data on-premises and in the cloud with Azure Information Protection

• Classification and labeling: Classify data based on sensitivity and add labels—manually or automatically.
• Protection: Encrypt your sensitive data and define usage rights or add visual markings when needed.
• Monitoring: Use detailed tracking and reporting to see what’s happening with your shared data and maintain control over it.

Labels: PERSONAL · HIGHLY CONFIDENTIAL · CONFIDENTIAL · GENERAL · PUBLIC

• Manual reclassification: You can override a classification and optionally be required to provide a justification.
• Automatic classification: Policies can be set by IT Admins for automatically applying classification and protection to data.
• Recommended classification: Based on the content you’re working on, you can be prompted with a suggested classification.
• User-specified classification: Users can choose to apply a sensitivity label to the email or file they are working on with a single click.

Discover personal data and apply persistent labels

• Sensitive data is automatically detected
• Labels are metadata written to data
• Labels are persistent and readable by other systems, e.g. a DLP engine

Discover personal data with auto-classification

• Sensitive data is automatically detected
• Data is auto-classified based on content

Secure sharing: Safely share data with people inside and outside of your organization. Define explicit permissions for recipients, e.g., allow people to view and edit, but not print or forward.

Monitor distribution · Log access · Revoke access

(diagram: access log by recipient, showing Jane, Bob, Sue and Competitors)
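The labelling and sharing flow from the last three slides as an added example (not Microsoft's or Azure Information Protection's code): personal data is auto-detected in content, the resulting label is written as metadata beside the content, an override needs a justification, and a DLP check reads only the persisted label to decide per-recipient rights such as view and edit but not print or forward. The detector patterns, the label applied to detected personal data (CONFIDENTIAL) and the sharing rights are assumptions.

```python
import re
from dataclasses import dataclass, field

# Label taxonomy as listed on the slide; which label auto-classification applies is an assumed policy choice
LABELS = ("PERSONAL", "HIGHLY CONFIDENTIAL", "CONFIDENTIAL", "GENERAL", "PUBLIC")
BLOCK_EXTERNAL = ("PERSONAL", "HIGHLY CONFIDENTIAL")
RESTRICTED = BLOCK_EXTERNAL + ("CONFIDENTIAL",)

# Constructed detectors for three in-scope data types from the Discover slide (assumed patterns)
DETECTORS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "bank details": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),  # IBAN-like
}

@dataclass
class Document:
    name: str
    body: str
    metadata: dict = field(default_factory=dict)  # the persistent label lives here, beside the content

def auto_classify(doc: Document) -> str:
    """Automatic classification: detect personal data in the content and write a label as metadata."""
    found = [kind for kind, rx in DETECTORS.items() if rx.search(doc.body)]
    doc.metadata["detected"] = found
    doc.metadata["label"] = "CONFIDENTIAL" if found else "GENERAL"
    return doc.metadata["label"]

def reclassify(doc: Document, label: str, justification: str = "") -> str:
    """Manual reclassification: overriding an existing label requires a justification."""
    if label not in LABELS:
        raise ValueError(f"unknown label {label!r}")
    if "label" in doc.metadata and not justification:
        raise ValueError("justification required to override the existing label")
    doc.metadata["label"] = label
    doc.metadata["justification"] = justification
    return label

def dlp_share(doc: Document, recipient: str, org_domain: str) -> dict:
    """DLP check that reads only the persisted label, never the body, to decide sharing rights."""
    label = doc.metadata.get("label", "GENERAL")
    external = not recipient.lower().endswith("@" + org_domain.lower())
    if label in BLOCK_EXTERNAL and external:
        return {"action": "block", "label": label}
    # Explicit rights per recipient: e.g. view and edit, but not print or forward
    rights = {"view": True, "edit": True,
              "print": label not in RESTRICTED,
              "forward": not external}
    return {"action": "allow", "label": label, "rights": rights}
```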

Office 365 Advanced eDiscovery

• Identify relevant documents: Predictive coding enables you to train the system to automatically distinguish between likely relevant and non-relevant documents.
• Identify data relationships: Use clustering technology to look at documents in context and identify relationships between them.
• Organize and reduce the data prior to review: Use near duplicate detection to organize the data and reconstruct email threads from unstructured data to reduce what’s sent to review.

Office 365 Advanced Data Governance: Leverage intelligence to automate data retention and deletion

Protect

Establish controls to prevent, detect, and respond to vulnerabilities and breaches

Preventing data attacks: protecting your data

• Physical datacenter protection
• Network security
• Storage security
• Compute security
• Identity management
• Access control
• Encryption
• Risk mitigation

Detecting & responding to breaches: monitoring for and detecting system intrusions

• System monitoring
• Breach identification
• Calculating impact
• Planned response
• Disaster recovery
• Notifying DPA & customers

(diagram: Bing, Xbox Live, OneDrive, Microsoft Digital Crimes Unit, Microsoft Cyber Defense Operations Center, Azure, Microsoft Accounts, Skype, Enterprise Mobility + Security, Azure Active Directory)

IF

• Privileged user?
• Credentials found in public?
• Accessing sensitive app?
• Unmanaged device?
• Malware detected?
• IP detected in Botnet?
• Impossible travel?
• Anonymous client?

User risk: High / Medium / Low

10TB per day

THEN

• Require MFA
• Allow access
• Deny access
• Force password reset
• Limit access

Session risk: High / Medium / Low

(diagram: Azure, Bing, OneDrive, Microsoft Cyber Defense Operations Center, Microsoft Cybercrime Center, Xbox Live, Microsoft Accounts, Skype)
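The IF/THEN slide above as an added example, not Azure AD Identity Protection's own logic: the eight sign-in signals listed on the slide are reduced to a user risk level and a session risk level, which are then mapped to one of the five THEN controls. The split of signals into user versus session risk, the weighting and the decision table are assumptions made for this example.

```python
from dataclasses import dataclass, fields
from enum import IntEnum

class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class SignInSignals:
    # The eight IF conditions from the slide, as observed for one sign-in
    privileged_user: bool = False
    credentials_found_in_public: bool = False
    accessing_sensitive_app: bool = False
    unmanaged_device: bool = False
    malware_detected: bool = False
    ip_in_botnet: bool = False
    impossible_travel: bool = False
    anonymous_client: bool = False

def user_risk(s: SignInSignals) -> Risk:
    # Account-level signals (assumed split): leaked credentials taint the account itself
    if s.credentials_found_in_public:
        return Risk.HIGH
    return Risk.MEDIUM if s.privileged_user else Risk.LOW

def session_risk(s: SignInSignals) -> Risk:
    # Sign-in-level signals (assumed weighting): strong indicators of compromise rank HIGH
    if s.malware_detected or s.ip_in_botnet or s.impossible_travel:
        return Risk.HIGH
    if s.anonymous_client or s.unmanaged_device:
        return Risk.MEDIUM
    return Risk.LOW

def decide(s: SignInSignals) -> str:
    """Map (user risk, session risk, target app) to one of the slide's THEN controls (assumed table)."""
    u, sess = user_risk(s), session_risk(s)
    if u == Risk.HIGH and sess == Risk.HIGH:
        return "Deny access"                       # compromised account on a risky session
    if u == Risk.HIGH:
        return "Force password reset"              # account-level problem: rotate the credential
    if sess == Risk.HIGH:
        return "Deny access" if s.accessing_sensitive_app else "Limit access"
    if u == Risk.MEDIUM or sess == Risk.MEDIUM or s.accessing_sensitive_app:
        return "Require MFA"                       # step-up rather than block
    return "Allow access"

def triggered(s: SignInSignals) -> list:
    """Names of the signals that fired, for the audit log and access reports."""
    return [f.name for f in fields(s) if getattr(s, f.name)]
```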

Discover, restrict, and monitor privileged identities

• Enforce on-demand, just-in-time administrative access when needed
• Use Alert, Audit Reports and Access Review
• Administrator privileges expire after a specified interval

(diagram: Domain User → Global Administrator → Domain User)

Managed apps · Personal apps

Advanced device management

• Remote actions
• Device security configuration: Enforce device security policies such as encryption, password/PIN requirements, jailbreak/root detection and more.
• Restrict apps and URLs: Restrict access to specific applications or URL addresses on mobile devices and PCs.

Managed apps · Personal apps · Corporate data · Personal data

Multi-identity policy

• Data separation: Multi-identity allows you to separate company data from personal data within an app.
• Data control: Control what happens to docs and data after they’ve been accessed with app protection policies.
  • App encryption at rest
  • App access control—PIN or credentials
  • Save as/copy/paste restrictions
  • App-level selective wipe
  • Apply policies for Windows 10 Information Protection for even greater control

On-premises abnormal behavior and advanced threat detection: Advanced Threat Analytics

Identity-based attack and threat detection: Azure Active Directory

Anomaly detection for cloud apps: Cloud App Security

1. Analyze: ATA analyzes all Active Directory-related traffic and collects relevant events from SIEM.
2. Learn: ATA observes and learns all entities’ behaviors automatically.
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks, and weaknesses.
4. Alert: ATA uses context to prevent false positives and presents alerts as an attack timeline.

• Advanced investigation: Gain useful insights from user, file, activity, and location logs.
• Behavioral analytics: Assess risk in each transaction and identify anomalies in your cloud environment that may indicate a breach.
• Threat intelligence: Enhance behavioral analytics with insights from the Microsoft Intelligent Security Graph to identify anomalies and attacks.

Multiple filters + 3 antivirus engines with Exchange Online Protection

(diagram labels: Sender, Safe Links, Safe Attachment, Recipient, Unsafe)

Attachment checks:
• Supported file type
• Clean by AV/AS filters
• Not in Reputation list

Detonation chamber (sandbox):
• Executable?
• Registry call?
• Elevation?
• ……?

Keep detailed records about how personal data is handled

Record-keeping

Enterprises will need

to record the:

Purposes of processing

Classifications of

personal data

Third-parties with

access to the data

Organizational and

technical security

measures

Data retention times

Reporting tools

Implement reporting

capabilities

Cloud services

(processor)

documentation

Audit logs

Breach notifications

Handling Data Subject

Requests

Governance reporting

Compliance reviews

Displays all sign-in events to applications that

contain personal and sensitive data.

Access and usage reporting

• Security reports. Displays risky users and sign-ins e.g., sign-ins from anonymous IPs, impossible travel, unfamiliar locations and infected devices.

• User-specific reports. Displays device/sign-in activity data for a specific user.

• Activity logs. Displays all audited events e.g., group activity changes, password resets and registration activity.

Azure Management Portal

• Rights management

• Access management

• User/device management

• Security policies

• Threat management

• Data search and discovery

• Compliance management

• Logs and reporting

