Office 365 and Azure Data Governance
About Ben Curry
- Principal Architect, Summit 7 Systems
- Lead Architect
- Ten-time Microsoft MVP
- CISSP, MCP, MCT
- Author of several SharePoint books by Microsoft Press
- Master SCUBA Diver Trainer
- Q&A: #O365Security
Agenda
- Overview of governance features
- Is there label equality?
- Legacy SPSite-centric controls
- DLP
- RMS
- AIP
- ODB
Overview
- Office 365 Data Governance is multi-layered
- It is built from multiple products and features
- Understand what your requirements are
- Don't waste $$ on unneeded licensing
Data Security
- Office 365 Data Loss Prevention (DLP) provides real-time protection of sensitive content.
- Office 365 Labels provide a way to tag documents within Office 365 for the purpose of retention, identification, search, and eDiscovery.
- Azure Information Protection (AIP) adds security to documents in addition to the container they are already secured within.
- Azure Intune controls how information is consumed, copied, saved, and forwarded on mobile devices and laptops.
Where do I start?!?
- Know what you are governing
- Differentiate between mandatory and optional requirements
- Assess your current state
- Create a security communication plan that's clear and simple
- Find and protect sensitive data
- Protect high-value assets
Do you want a label, label, or label?
Office 365 Labels
- Retention policy for retaining files based on business requirements
- Deletion policy for automatically deleting files after a determined amount of time since last created or modified
- Search and eDiscovery based on the tag
- Data Loss Prevention information type based on the label; for example, a DLP policy could prohibit … documents that are labeled PII
- This should not be confused with classification labeling within Azure Information Protection
- These are on the roadmap to be merged into a single solution
Office 365 Labels
Labels:
- Are independent, reusable building blocks
- Are included in a label policy
- May be published to different locations
- Can be used across many policies
Label policies:
- Primary purpose: group together sets of labels
- Determine where those labels will be available
O365 Labels & Retention
- Only pushed to mailboxes 10 MB or greater
- Select where to push them to
- Need screens for this section
- Takes up to 24 hours for them to publish
- All about retention
O365 Content Classification
Labels are used to associate specific retention policies with documents and locations within SharePoint Online, Exchange Online and OneDrive for Business. With labels you can create data classifications based on Microsoft-supported "Sensitive Information Types". These information types are based on 82 common compliance regulations from around the world.
Shortest deletion period wins
The approach to classification should not be limited to a single layer and must be well planned.
- Shortest deletion period wins
- Explicit inclusion trumps implicit inclusion
- Longest retention period is king
- Retention wins over deletion
Example Office 365 label Configuration

| Label | Policy type | Focus (locations) | Scope | Period | Action |
|---|---|---|---|---|---|
| General Data | Deletion policy | SharePoint, OneDrive, Groups | All users | 5 years | Content deletion |
| | Deletion policy | Exchange Online | | 3 years | Content deletion |
| Contract/Finance Data | Retention policy | SharePoint, Exchange, OneDrive, Groups | | 7 years | Content deletion |
| Business Development Data | Retention policy | | | 15 years | Content deletion |
| Customer/Legal Data | Retention policy | | | 10 years | Content deletion |

Copyright ©2016 Summit 7 Systems, Inc. All rights reserved.
…VS Example AIP label Configuration
AIP classification label: configuration options
- CUI/CDI
  - Protect access to files, employees only, by default
  - Discoverable by eDiscovery
  - Watermark Office documents with CUI/CDI
- FOUO
  - Protect access to employees only, by default
- Proprietary
  - Restricted to employees only
  - DLP policy will block outgoing … with this label
  - Footer/header or watermark will be enabled
- Protected
  - Limited access, default setting
  - Items cannot be …
- Public
  - Unprotected documents, NOT the default setting
  - Discoverable in eDiscovery
Apply to Libraries
- Applied to document libraries
- May be able to be done via a list template
Apply to All OneDrive for Business Accounts
- Applied to document libraries
- Requires manual intervention (for now)
- Temporary change to the classic user interface to expose the setting
- Must be done on each account; add to the onboarding procedure
- Until Microsoft adds a central interface
Advanced auto-applying labels
- Apply a label to content that contains sensitive information
- Select the type of information you want to detect
- Filter by industry vertical in the left-hand column, then select the specific sensitive information type in the middle column
- As you click on information types, an overview of the information detected appears in the far right-hand column of the page
Advanced auto-applying labels
- Auto-apply labels based on a keyword search
- Select "Apply label to content that contains specific words or phrases"
- Choose your conditions
- Enter your keywords or search phrase
- You can use AND, OR, and NOT
- Support for searchable properties (Subject:) is coming
Outlook on the web and Outlook 2010+
In the Outlook 2010 client (and up) you assign policies from the ribbon (probably by right-clicking as well; I can't verify yet). In Outlook 2010 and later you can create rules to apply a label or retention policy.
SharePoint, OneDrive, and Office 365 Groups
Behavior in SharePoint Online, OneDrive, and O365 Groups is pretty much identical.
- OneDrive: note the "Apply label" option in the file details.
- SharePoint Online: note the "Apply label" option in the file details.
Data Loss Prevention
- Near real-time protection of sensitive content
- Can prevent accidental sharing of specified content
- Provides for reporting
- Helps identify where protected information is located
- DLP can span many locations such as OneDrive for Business, SharePoint Online, and Exchange
Data Loss Prevention
- Includes Office 365 MDM (free stack)
- Policy driven
- It has merged with ExO and is NOT the same UI as on-premises SharePoint 2016
- It is now an active service: it can block files on upload
- Options on how to handle violations
- Apply policies in "read only" mode first!
- You WILL get false positives; there's no way around it
- Minimize with good testing; get executive buy-in and support
Data Loss Prevention (DLP)
DLP allows us to control access to content based on many configurable options using policies. Policies can be created 4 ways:
1. With the built-in sensitive information types found in Azure
2. Programmed via XML and uploaded to the tenant
3. Based on managed search properties and document tagging
4. Based on Office 365 labels
Day 1 vs Day 180 planning
O365 Sensitive Information Types *
- ABA Routing Number
- Canada Bank Account Number
- Canada Driver's License Number
- Canada Health Service Number
- Canada Passport Number
- Canada Personal Health Identification Number (PHIN)
- Canada Social Insurance Number
- Credit Card Number
- U.K. Driver's License Number
- U.K. Electoral Roll Number
- U.K. National Health Service Number
- U.K. National Insurance Number (NINO)
- U.S. / U.K. Passport Number
- U.S. Bank Account Number
- U.S. Driver's License Number
- U.S. Individual Taxpayer Identification Number (ITIN)
- U.S. Social Security Number (SSN)
DLP in Action
PowerShell 101 for Security Admins

```powershell
$UserCredential = Get-Credential

# The slide left the -ConnectionUri value out. For the DLP cmdlets used on the following
# slides, the documented endpoint is the Security & Compliance Center one below.
# (Basic-auth remote PowerShell has since been retired in favour of Connect-IPPSSession
# from the ExchangeOnlineManagement module; the DLP cmdlets themselves are the same.)
$ConnectionUri = "https://ps.compliance.protection.outlook.com/powershell-liveid/"

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $ConnectionUri `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
```
Custom Policy based on Metadata

First, create the Managed Property in Search that the rules below match on.

```powershell
# The Data Loss Prevention slide above advises applying policies in read-only mode first:
# -Mode TestWithoutNotifications (or TestWithNotifications) does that, and
# Set-DlpCompliancePolicy -Mode Enable switches enforcement on after review.
New-DlpCompliancePolicy -Name BENTEST_PII_policy -ExchangeLocation All `
    -SharePointLocation All -OneDriveLocation All -Mode Enable

# High/Moderate confidence: block access from outside the organization.
# (The slide's rules referenced FCI_PII_policy; they must name the policy created above.)
New-DlpComplianceRule -Name "BENTEST_PII_content-High,Moderate" -Policy BENTEST_PII_policy `
    -AccessScope NotInOrganization -BlockAccess $true -Disabled $false `
    -ContentPropertyContainsWords "Personally Identifiable Information:High,Moderate"

# Low confidence: do not block, just notify the document owner.
New-DlpComplianceRule -Name BENTEST_PII_content-Low -Policy BENTEST_PII_policy `
    -AccessScope NotInOrganization -BlockAccess $false -Disabled $false -NotifyUser Owner `
    -ContentPropertyContainsWords "Personally Identifiable Information:Low"
```
Custom Sensitive Information Type
- Reference: …information-type-82c382a5-b6db-44fd-995d-b333b3c7fc30?ui=en-US&rs=en-US&ad=US
- If policies hang, use PowerShell to force-remove them
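An added illustration, not from the deck and not Microsoft's published definition of any built-in type: a constructed model of how a sensitive information type is evaluated (primary pattern, checksum, supporting keywords within a proximity window) and how the resulting confidence level feeds a rule split like the one on the "Custom Policy based on Metadata" slide (block on High/Moderate, notify only on Low). The keyword list, the 300-character window and the Low/Medium distinction are assumptions of this example.

```python
import re

# Illustrative model (constructed for this example, not Microsoft's definition) of how a
# sensitive information type is evaluated: a primary pattern, a checksum the candidate must
# pass, and supporting keywords whose proximity raises the confidence of the match.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits with optional separators
SUPPORT_KEYWORDS = ("card number", "credit card", "cc#", "visa", "mastercard", "expires")
PROXIMITY = 300   # characters around the candidate searched for supporting keywords

def luhn_ok(digits):
    """Luhn checksum; weeds out most typos and random 16-digit numbers such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def detect(text):
    """Return (digits, confidence) for every candidate that passes the checksum."""
    findings = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue                                   # checksum failed: not a match at all
        window = text[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY].lower()
        if any(k in window for k in SUPPORT_KEYWORDS):
            level = "High"                             # pattern + checksum + corroborating keyword
        elif m.group() != digits:
            level = "Medium"                           # grouped like a card number, no keyword
        else:
            level = "Low"                              # bare digit run: often just an identifier
        findings.append((digits, level))
    return findings

def policy_action(findings, block_levels=("High", "Medium")):
    """Mirror the slide's rule split: block on High/Moderate, notify the owner on Low only."""
    if not findings:
        return "allow"
    return "block" if any(level in block_levels for _, level in findings) else "notify"

SAMPLES = {  # constructed test strings, not real data
    "email": "Please charge my credit card 4111 1111 1111 1111, expires 12/27.",
    "order": "Order confirmation, ref 4111111111111112, ships Monday.",
    "sheet": "Ref 4111111111111111 pending review.",
    "note":  "Payment method on file: 5500 0000 0000 0004.",
}

def evaluate_samples(samples=SAMPLES):
    """Map each sample to the action the illustrative policy would take."""
    return {name: policy_action(detect(text)) for name, text in samples.items()}
```

The "order" sample shows why the checksum matters for false positives: a 16-digit number that fails Luhn is never a finding, while a bare run that passes is only Low confidence and reaches the notify-only rule.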
Legacy Azure Rights Management
- Configure from Settings -> Services and Add-ins, and SharePoint Online tenant settings!!
- Library and document scoped
- It's now "Azure Information Protection"; this is a bit confusing
- Other features still branded "Azure Information Protection"
- Demo: library
- Demo: app in Windows
Azure Information Protection
- Adds additional security to documents in addition to the container they are already secured within
- AIP allows us to classify documents, such as Public, Proprietary, CDI/CUI and PII
- Classify for the purpose of adding technical security and to ensure the visibility of the secure nature of the file
- For example, a CUI/CDI file could have controlled access and also, automatically, carry a watermark noting its file type
- This helps to adhere to compliance regulations and keep the content within the need-to-know circle it was intended for
Have Security, Will Travel…
- When a file is moved between systems, the ability to read the file will vary based on location
- Protected files moving between SPO/ODB and ExchO will lose any related permissions
- Protected files moving between a file share, external drive or external cloud resource and SPO/ODB or ExchO will only retain the AIP and RMS policies associated with that object
- A superuser account must be created so that it is always added to the item's security; this is what allows DLP, search, eDiscovery, and more to keep working
AIP Global Configuration
- AIP is primarily used to protect access to files on the client
- The following options can be configured on any label:
  - Restricted actions
  - Encryption
  - Group-scoped policies (security-trimmed labels)
- Labels apply metadata that can be seen by other systems, e.g. DLP, eDiscovery, Search
- Force justification when classifying down, such as with the CUI/CDI changes seen in the accompanying graphic
- A full version of the AIP client must be installed to author and classify documents
- Office Online allows read-only access to AIP-protected files; co-authoring is not allowed
- Only a Windows machine with the full AIP client will be able to edit AIP documents
OneDrive for Business Governance
I'm just going to demo this… are you tired of PPTx yet?
Mobile "data" Management Governance
Azure Intune data security
- Azure Intune adds enhanced protection of files on mobile devices
- Office 365 data can only be consumed in managed-device applications and not by unapproved (unmanaged) applications
- Office 365 content cannot be moved from managed apps to unmanaged applications; only unmanaged content can be moved into managed apps
- Any user can use unmanaged applications all they want, but they cannot use those unmanaged applications to access corporate content
Group Membership (Azure AD)
- Assigned vs. Dynamic
  - Assigned is old-school groups
  - Dynamic is new in AAD
- Set rules based on user attributes (dept, location, etc.)
- Members are automagically added to or removed from security group(s)
- Dynamic groups are much more powerful than assigned groups
- Basic business logic:
  (user.department -eq "Sales") -or (user.department -eq "Marketing")
  (user.department -eq "Sales") -and -not (user.jobTitle -contains "Engineer")
  (user.location -eq "NA") -and -not (user.region -contains "NE")
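As an added example (not from the slide deck), a small evaluator for the membership-rule syntax shown above, run over constructed users: it implements -eq as an exact match and -contains as a substring (partial) match, treats an absent attribute as a non-match, and assumes case-insensitive comparison. The sample users and the `tokenize`/`is_member`/`members` names are this example's own.

```python
import re

# Token grammar for the rule subset used on the slide: parentheses, user.<attribute>,
# "string" literals, the comparison operators -eq / -contains, and -and / -or / -not.
_TOKEN_RE = r'\(|\)|-(?:and|or|not|eq|contains)\b|user\.\w+|"[^"]*"'

def tokenize(rule):
    if not re.fullmatch(rf"(?:\s*(?:{_TOKEN_RE}))*\s*", rule, re.I):
        raise ValueError(f"rule contains unsupported syntax: {rule!r}")
    return re.findall(_TOKEN_RE, rule, re.I)

def is_member(rule, user):
    """Evaluate a rule against user attributes. Precedence here: -not, -and, -or (the slide's rules are fully parenthesised)."""
    toks = tokenize(rule)
    peek = lambda: toks[0].lower() if toks else None
    def comparison():                      # user.attr (-eq | -contains) "literal"
        attr, op, lit = toks.pop(0), toks.pop(0).lower(), toks.pop(0).strip('"')
        actual = user.get(attr[len("user."):])          # absent/null attribute never matches
        a, b = str(actual).lower(), lit.lower()           # assumption: case-insensitive matching
        return actual is not None and (a == b if op == "-eq" else b in a)  # -contains: substring
    def factor():                          # -not factor | ( expr ) | comparison
        if peek() == "-not":
            toks.pop(0); return not factor()
        if peek() != "(":
            return comparison()
        toks.pop(0); v = expr()
        if toks.pop(0) != ")": raise ValueError("missing ')'")
        return v
    def chain(op, sub, combine):           # sub (op sub)*, evaluated left to right
        v = sub()
        while peek() == op:
            toks.pop(0); v = combine(v, sub())
        return v
    term = lambda: chain("-and", factor, lambda x, y: x and y)
    expr = lambda: chain("-or", term, lambda x, y: x or y)
    result = expr()
    if toks: raise ValueError(f"unexpected token {toks[0]!r}")
    return result

USERS = {  # constructed sample users, not directory data (alice has no region attribute)
    "alice": {"department": "Sales", "jobTitle": "Account Executive", "location": "NA"},
    "bob": {"department": "Sales", "jobTitle": "Sales Engineer", "location": "NA", "region": "NE"},
}
RULES = [  # the three rules from the slide
    '(user.department -eq "Sales") -or (user.department -eq "Marketing")',
    '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Engineer")',
    '(user.location -eq "NA") -and -not (user.region -contains "NE")',
]

def members(rule, users=USERS):
    return sorted(name for name, attrs in users.items() if is_member(rule, attrs))
```

Bob drops out of the second rule because -contains matches "Engineer" inside "Sales Engineer"; a partial match is exactly what makes such exclusions work, and exactly what to test before relying on a dynamic group for access control.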
Managed Apps Policies – Limit Data Relocation / Exfiltration
- Prevent backup to cloud (iCloud, etc.)
- Allow data transfer (all, none, managed apps)
- Receive data from other apps (all, none, managed apps)
- Prevent "Save As": select None, or a combination of ODB, SharePoint Online, and Local
- Copy/Paste (blocked, any app, managed apps)
- Encrypt app data
- Disable contacts sync
- Disable printing
Summation
- Have a roadmap and be realistic
- Know what you are protecting
- Buy the correct licenses
- Apply a layered approach
- Borrow our learning curve
- Find a partner that will transfer knowledge