Simplifying Security & Compliance in O365

Max Fritz
Solutions Architect, SADA Systems
MCSA Office 365, MCSE Productivity
Founder/Leader of Minnesota Office 365 User Group
Working with Office 365 for over 8 years
Focus in EM+S, Exchange, and SharePoint Online
Contact Details
Email: max.fritz@sadasystems.com
Twitter: @TheCloudSherpa
Blog: maxafritz.com
LinkedIn: in/maxafritz

A Glance at SADA
About us: Founded in 2000. HQ in Los Angeles, Washington D.C. One of Microsoft’s 1st Partners for Office 365. One of Microsoft’s 1st Cloud Accelerate Partners worldwide. Microsoft National Solutions Provider. One of Microsoft’s 1st Cloud Solutions Providers (BETA).
25M+ Users Migrated, 10K+ Workloads Migrated, 3000+ Clients Served, 3300+ Projects Completed
Products: Microsoft 365, Office 365, Azure, Skype for Business + Teams, Dynamics 365, EMS, SharePoint Online, Power BI
Our solutions & expertise: Business Applications, Apps & Infrastructure, Modern Workplace, Data & AI

SADA Services
Technical Consulting, Business Consulting
Full service consultancy applying expertise and experience through your organization
MODERNIZATION DATA ASSESSMENT BUSINESS ALIGNMENT INFRASTRUCTURE DATA MANAGEMENT & ANALYTICS PORTALS PRODUCTIVITY INTELLIGENT COMMUNICATIONS CHANGE MANAGEMENT DELIVERY LEADERSHIP MANAGED SERVICES VALUE ENVISIONING
As a full service consultancy, we apply experience and expertise throughout the organization, incorporating technical and business consulting.

Compliance is challenging
200+ updates per day from 750 regulatory bodies
Cost of non compliance 3x cost of compliance
Cost of compliance continues to increase year over year
Data is your biggest risk
12/31/2018 6:08 PM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Challenges on the Customer Journey
Digital Transformation
Compliance in the Cloud
Discover Tools & Capabilities

Challenges on the Customer Journey: Digital Transformation
Concerns & blockers to Digital Transformation initiatives!
What is the role of IT Admins?
How does InfoSec’s role change?

Challenges on the Customer Journey: Compliance in the Cloud
How is Regulatory Compliance managed in Cloud environments?
What are my responsibilities?
What are shared responsibilities?
How do you demonstrate Compliance in the Cloud?

Challenges on the Customer Journey: Discover Tools & Capabilities
Which Information Protection tools are available to me?
How do I approach these tools and in what order?
Where do I start?
What is the threat landscape in the cloud, and how do I stay informed?

Microsoft products for Security & Compliance
Data + apps + email: Office Security & Compliance Center
Devices: Windows Defender ATP
Devices + network + apps: Azure Security Center
Devices + apps: Microsoft Intune
Data + apps: Office Secure Score
Users: Azure Identity Protection
Devices + users + apps + data: Microsoft OMS
Apps: Cloud app security

Shared responsibility model
Customer management of risk: Data classification and data accountability
Shared management of risk: Identity & access management | End Point Devices
Provider management of risk: Physical | Networking
Responsibilities compared across On-Prem, IaaS, PaaS, and SaaS: Data classification and accountability; Application level controls; Network controls; Host Infrastructure; Physical Security; Client & end-point protection; Identity & access management
Legend: Cloud Customer, Cloud Provider

Shared Responsibility Model – Examples (NIST 800-53)
Access to production environment
Microsoft’s responsibility: Implement access controls that prevent standing access to production environment or customer data
Organization’s responsibility: Set up access control policy and SOP, leverage Customer Lockbox and identity management
Protect data
Microsoft’s responsibility: Encrypt data at rest and in transit using industry standard cryptography (BitLocker, Service Encryption, TLS, etc.)
Organization’s responsibility: Encrypt data based on compliance obligations
Personnel control
Microsoft’s responsibility: Strict screening for employees, vendors, and contractors, and security and privacy training throughout onboarding process
Organization’s responsibility: Allocate enough resources to implement an organization-wide privacy program

Microsoft 365 Action Plans for Regulatory Compliance
General Data Protection Regulation (GDPR), key principles: Protect personal data; New rights for the data subject; Data breach reporting rules; Data privacy officer; Global mandate
ISO/IEC 27001:2013, key principles: Information Security Management System (ISMS); Examine information security risks; Implement comprehensive suite of controls to mitigate risks; Adopt overarching management process
NIST 800-53, key principles: Security controls for all U.S. federal information systems (except national security); Protect the confidentiality, integrity, and availability of systems and their information; Access control, incident response, business continuity, disaster recovery

Approach to Microsoft 365 Action Plans
30 Days: Powerful Quick Wins
90 Days: Enhanced Protections
Beyond 90 Days: Ongoing Security, Data Governance, and Reporting
GDPR: Outcomes/Objectives, Actions
ISO/IEC 27001:2013: Outcomes/Objectives, Actions
NIST 800-53: Outcomes/Objectives, Actions

Demonstrations
30 Days: Powerful Quick Wins
90 Days: Enhanced Protections
Beyond 90 Days: Ongoing Security, Data Governance, and Reporting
Demos: Compliance Manager, Secure Score, Data Subject Requests (DSR) Search and Tagging, Microsoft Information Protection, Label Analytics, Compliance Boundaries

Compliance Manager
Manage your compliance in one place
View your compliance posture against evolving regulations.
Take recommended actions to improve your data protection capabilities.
Conduct pre-audits to prepare for external audits.
Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature and recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate its effectiveness in your regulatory environment prior to implementation. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance.


Information Protection & Governance
Data growing at exponential rate
Comprehensive policies to protect and govern your most important data – throughout its lifecycle
Unified approach to discover, classify & label
Automatically apply policy-based actions
Proactive monitoring to identify risks
Broad coverage across locations
Classify, Label, Discover
Apply policy
Protection: Encryption, Restrict Access, Watermark, Header/Footer
Governance: Retention, Deletion, Records Declaration, Archiving
Monitor: Sensitive data discovery, Data at risk, Policy violations, Policy recommendations, Proactive alerts
Locations: Devices, Apps, Cloud services, On-premises, ISVs, 3rd-party

Labels to classify and protect emails, documents, Sites, Groups for Encryption, Content marking & DLP
Labels to classify and preserve emails & documents in O365 only – Exchange, SPOD & Groups

GDPR Data Set
This data set contains GDPR personal details relevant to report back to authorities. This is an auto-apply label.

GDPR100

DPR Content Policy
Data matching GDPR sensitive types will be auto-populated.

Microsoft Secure Score
Visibility into your Microsoft security position and how to improve it
Insights into your security position
Guidance to increase your security level

Manage data subject requests
Find data associated with an individual with Office 365 Content Search
Search across Exchange Online, SharePoint Online, OneDrive for Business (including Teams and Groups) and public folders
Search for 80+ supported sensitive data types or create custom types
Download results for further review prior to providing reports to requestors

DSR

GDPR Data Set GDPR PII Data Protection

Compliance Boundary
Manageability: Regulatory requirements; Boundaries with retention labels
Automation: Automated retention schedule; Dynamic updates as users change roles
Analytics and Intelligence: Audit report & Alerts

Configuring Compliance Boundaries
Create a new Compliance Boundary (Ex: Department = Finance)
Retention policy
Labels
Attach, Link

Compliance Boundary definition
Create a new Compliance Boundary (Ex: Department = Finance)
Retention policy
Labels
Attach, Link

User outside Compliance Boundary

User within Compliance Boundary

Existing Microsoft products for Security & Compliance
Data + apps + email: Office Security & Compliance Center
Devices: Windows Defender ATP
Devices + network + apps: Azure Security Center
Devices + apps: Microsoft Intune
Data + apps: Office Secure Score
Users: Azure Identity Protection
Devices + users + apps + data: Microsoft OMS
Apps: Cloud app security

What’s available today
Initial unified Microsoft 365 Security & Compliance Center: protection.microsoft.com
Persona widgets: Four new persona widgets with links to existing experiences

Personas: Security operator, Security administrator, Compliance officer, Data administrator

New Microsoft 365 Specialized Workspaces
Microsoft 365 Security Center: security.microsoft.com
Microsoft 365 Compliance Center: compliance.microsoft.com

Microsoft 365 Security & Compliance Experience
Scenario driven based upon targeted personas
Experiences are coherent and seamlessly connected
Microsoft 365 experience is the complete solution
Proactive assistance in solutions is infused throughout