Accelerate Azure Information Protection Deployment and Adoption 5/16/2018 12:12 AM BRK3017 Accelerate Azure Information Protection Deployment and Adoption Tom Moser - Sr. Program Manager Anthony Roman - Information Security Engineer (Quicken Loans) Chris Hall – Sr. Systems Engineer (Quicken Loans) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Session Objectives and Takeaways At the end of this session you should be better able to: Use best practices to implement classification and labeling Describe and deploy advanced CLP capabilities Determine where AIP fits in to data compliance efforts
Agenda Get started! Data Centric Protection Strategy (Is AIP DLP?) 5/16/2018 12:12 AM Agenda Get started! Data Centric Protection Strategy (Is AIP DLP?) Develop Success Criteria Regulation and Compliance © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/16/2018 12:12 AM Get Started! © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
What Can I Do Today? Start with the default labels Start small. 5/16/2018 12:12 AM What Can I Do Today? Start with the default labels Start small. Define labels, define one use case, grow from there. Solving everything on day one will result in solving nothing. Use labels to define permissions, define rights by groups Work with desktop/mobile teams to package and deploy. Deployment is a pretty standard MSI with few options © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Use Standard, Approachable Labels 5/16/2018 12:12 AM Use Standard, Approachable Labels Labels should resonate with user thought patterns Label names should not use jargon, standards, or other acronyms PII, PCI, HIPAA, LBI, MBI, HBI, BBQ, WTH These may be classes of Confidential or Highly Confidential Information Internal is not a classification. It’s a scope* *What if it’s Internal – External Approved? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Create Sub-Labels for Key Departments 5/16/2018 12:12 AM Create Sub-Labels for Key Departments Define boundaries by risk of internal consumption Engineering drawing vs. Salary information Define boundaries by need for external consumption Rights policies permit domain based external sharing External PR, Legal, HR firms may need to securely collaborate Question each new ask for a different sub-label What’s the risk of an internal user seeing this data? Does it enable an approval external organization to collaborate? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Used Scoped Policies Help to keep interface uncluttered 5/16/2018 12:12 AM Used Scoped Policies Help to keep interface uncluttered Avoid crossover. CEO shouldn’t have label for every team in the company. Too many choices = wrong choice Too many choices = no choice © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Encourage the Correct Behavior 5/16/2018 12:12 AM Encourage the Correct Behavior Automation is great, but overuse or misclassification will frustrate users and generate helpdesk calls Recommend first. Evaluate success. Use automatic later. Mandatory labeling might be frustrating, but required © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Automate the Really Important Stuff 5/16/2018 12:12 AM Automate the Really Important Stuff Build AIP automation policies Built in rules detect easy items Regex can tackle more complex information © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Enhance Existing DLP Capabilities 5/16/2018 12:12 AM Enhance Existing DLP Capabilities Labeled data helps reduce false negatives We assume Confidential or Highly Confidential data is properly labeled DLP engines can take action to restrict flow, provide notification, etc. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Monitor MCAS has native AIP support 5/16/2018 12:12 AM Monitor MCAS has native AIP support Any service that can read metadata can find the labels Learn where classified data is flowing and act if desired © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Customer Profile: Quicken Loans
5/16/2018 12:12 AM I’m Not Buying It © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Back in My Day We had DLP and we liked it! 5/16/2018 12:12 AM Back in My Day We had DLP and we liked it! “Why do I need AIP with my product installed?” –DLP Vendor* Users will find some way around DLP, accidentally or intentionally *Actual Quote © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Today – Data Centric Protection 5/16/2018 12:12 AM Today – Data Centric Protection Classify, Label, and Protect at creation Protected data, even if it avoids DLP, is protected External data, outside DLP control, is still protected Audit what, who, when, where, how after egress © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Microsoft’s approach to information protection 5/16/2018 12:12 AM Microsoft’s approach to information protection Comprehensive protection of sensitive data throughout the lifecycle – across devices, apps, cloud services and on-premises Detect Classify Protect Monitor Devices cloud On premises © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Enterprise Grade Partner and Support 5/16/2018 12:12 AM Enterprise Grade Partner and Support Do you trust that your security partner will still exist in 6/12/24 months? What happens if they’re acquired and completely change strategy? Microsoft has a long history of well-defined support policies and software/service lifecycles © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Your Requirements are a Priority 5/16/2018 12:12 AM Your Requirements are a Priority Hosting Requirements What are encryption/log requirements? Public, private, or hybrid cloud? Compliance More certifications and compliance coverage than any other cloud provider. Detailed information at the Microsoft Azure Trust Center © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Demo
Regulation and Compliance 5/16/2018 12:12 AM Regulation and Compliance © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Compliance Framework Inventory: What’s important and where’s it live? Secure: What action can we take to protect the identified information? Audit: How can we investigate, or prevent, misuse? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Identify In-Scope Data 5/16/2018 12:12 AM Identify In-Scope Data Unstructured* data resides in many places File Shares, SharePoint, Exchange, OneDrive, etc. Leverage scanner/scripting to discover existing data and to classify and label Start with user-driven protection today! The problem doesn’t get any better by waiting. Users applying labels now reduces future scanning work. Label data drives security and monitoring efforts. *Structured data is out of scope © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/16/2018 12:12 AM Secure In-Scope Data Apply AIP protection at creation for authorized users only Apply AIP protection to discovered items Leverage CASB and DLP rules to block unauthorized actions in addition to AIP protection © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/16/2018 12:12 AM Monitor In-Scope Data Two facets of monitoring: Compliance reporting and breach reporting/remediation Labels make reporting on breach much easier What type of data was stolen? Was protection in place on stolen information? Labels make compliance reporting easier What type of data lives where? How is access to this information restricted and controlled? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
AIP is Just a Piece of the Puzzle 5/16/2018 12:12 AM AIP is Just a Piece of the Puzzle First and third-party services still required DLP and CASB integration, SharePoint, Exchange, etc. Identity-bound protection requires strong identity MFA, Azure AD Identity Protection Workstation Protections WIP, Credential Guard, application whitelisting, etc. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
In review: session objectives and takeaways Tech Ready 15 5/16/2018 In review: session objectives and takeaways Leverage best practices to implement classification and labeling Describe and deploy advanced CLP capabilities Determine exactly where AIP fits in to data compliance efforts Get started! Talk your customer off the “solve it all” ledge and start simple. Identify one or two easy use cases and begin POC. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Information Protection related sessions Date / Time Keep what you need and don’t horde everything with intelligent data governance in Office 365 Tues, 9:00am-10:15am Protecting complete data lifecycle using Microsoft information protection capabilities Tues, 10:45am-12:00pm Elevating your security with Office 365 clients Tues, 4:30pm-5:45pm Discover what’s new in Azure Information Protection and learn about the roadmap and strategy Weds, 9am-10:15am Protect sensitive information with Office 365 DLP Weds, 10:20am-10:40am Accelerate Azure information protection deployment and adoption Weds, 12:30pm-1:45pm Understanding best practices in classifying sensitive data as part of your information protection strategy Weds, 2:00pm-2:45pm Deploying and managing Windows Information Protection Weds, 4:00pm-5:15pm Extending classification, labeling and protection to third-parties with Azure Information Protection Weds, 5:05pm-5:25pm Encryption key management strategies for compliance Thu, 10:15am-11am Protect your sensitive emails through encryption and rights management capabilities in Office 365 Thurs, 2:00pm-2:45pm Understanding advanced concepts in getting the most out of Office 365 Data Loss Prevention Fri, 9:00am-10:15am
Session resources Blog 1 Blog 2 Blog 3 Blog 4 5/16/2018 12:12 AM Session resources Blog 1 Blog 2 Blog 3 Blog 4 Microsoft Ready content can be found at https://digital.microsoftready.com/ © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Please evaluate this session Tech Ready 15 5/16/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5/16/2018 12:12 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.