Protecting Sensitive Cloud Data
•Download as PPTX, PDF•
0 likes•297 views
This session is all about Azure Information Protection, including the new Office 365 sensitivity labels.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Protecting Sensitive Cloud Data
Similar to Protecting Sensitive Cloud Data (20)
More from Albert Hoitingh
More from Albert Hoitingh (20)
Recently uploaded
Recently uploaded (20)
Protecting Sensitive Cloud Data
- 2. Protecting your sensitive information in the cloud • Azure Information Protection • Cloud App Security • Office 365 Sensitivity labels
- 3. Albert Hoitingh • Solution Architect • Motion10 • The Hague • Working for over 25 years in IT (sigh…..) • Microsoft MVP for Enterprise Mobility
- 4. © 20184 Our four goals for this session • Have an understanding of AzureIP from a functional and IT management perspective • Know about Office 365 message encryption • Know the AzureIP roadmap • Use best practices to implement classification and labeling
- 5. © 20185 Data lives and travels everywhere beyond the firewall On-premises
- 6. Three reasons for information protection • Regulatory compliance (GDPR anyone?) • Information/knowledge workers need to be aware of data classification within the enterprise • Secure internal and external sharing without data losses © 20186
- 7. Microsoft Information Protection © 20187
- 8. Discover • Manually by the user • Automatic classification based on criteria • Azure Information Protection Scanner © 20189
- 9. Classify • Microsoft Office, Adobe • Windows Explorer, Mac Finder, Scanner and Cloud App Security • Label stays with content • Visual markings applied • Label dashboard © 201810
- 10. Protect • Standard permissions or custom • Based on label or “do it yourself” • User, group or domain based • Super-user role • Owner stays in control • Protection stays with content © 201811
- 11. Monitor • Track, trace, revoke rights • Label insights • Azure Information Protection Scanner dashboard © 201812
- 12. © 2018 Scenario - document classification and protection Confidential Limited access Selected users have reader access Full access Selected users have co- owner access No access Most users do not have access Document labeled and protected in Office or Windows/Mac Open | Confidential | Closed (secret) Document labeled and protected in Office or Windows/Mac
- 13. © 201814 Some technical details • Document encryption: AES (128 and 256 bits) • Key protection: RSA (2048 bits) • Certificate signing: SHA-256 • Client required, can be protected using conditional access
- 14. © 201815 (Active) Directory is key Azure Active Directory Trustedsocial providers
- 15. Demo Azure Information Protection for the user and admin
- 16. © 201817 Azure Information Protection Scanner • Detect, label and protect content on file-shares and on- premises SharePoint farm • Exchange on-premises is not covered by the scanner • New scanner dashboard is now available
- 17. © 201818 Microsoft Cloud App Security • Label and protect content in SaaS applications • Can scan for sensitive content across SaaS applications • Applications included are Office 365, DropBox, OneDrive, Salesforce and more • Can apply policies when a label is detected
- 19. © 201820 Office 365 message encryption • Part of Office 365 licensing • Allows for “Do-not-forward” and “Encrypt only” • Works for any e-mail recipient • Can make use of Exchange routing rules • Encryption includes the attachments (heads up!)
- 20. © 2018 Scenario – e-mail protection Do not forward Internal or external party Cannot be forwarded E-mail labeled and protected in Outlook or web Encrypt onlyE-mail labeled and protected in Outlook or web Any e-mail address
- 22. © 201823 Office 365 sensitivity labels • Aims to bring AzureIP and Office 365 together • Offers both labels and settings for SharePoint sites • Managed using the Security & Compliance Center • Requires a new sensitivity client (not the AzureIP client) • Note the distinction between sensitivity and retention labels!
- 23. © 201824 Labels extend to SharePoint sites and groups
- 25. © 201826 How to start? • Start with the default labels • Start small and work outwards • Define labels, define one use case, grow from there. • Example: e-mail “do not forward” or a specific department • Work with workspace team to package and deploy • Use recognizable labels and sub-labels • Use scope policies
- 26. • Unified Labeling in Office SCC (Now) • Unified Labeling in new M365 SCC (EOY18) • Labeling in Office apps on Mac and mobile (Preview now) • Labeling in Office apps on Windows (Preview EOY18) • Labeling in Outlook mobile (Preview EOY18) • Adobe PDF Preview and GA with MIP • Windows GA with MIP labels • MCAS + MIP GA • MIP SDK GA • AIP customers starting migration on pre-prod tenants • Partner ISVs going GA with MIP Now – 3 Months • Auto-classification for sensitivity outcomes • AIP customers migrate to using M365 SCC for admin experiences 3 – 6 Months © 201827 Microsoft roadmap
- 27. © 201828 Five take aways • There’s a lot happening with Microsoft Information Protection • Sensitivity labels vs. Azure Information Protection • Windows 10 Data Loss Prevention • (Azure) Information Protection is a piece of the puzzle • Protect identities (MFA, AAD identity protection) • Protect the end-point • Automate Azure Information Protection for the important stuff (PII, highly confidential, etc) • Content is everywhere, use Cloud App Security/PowerShell/AIP scanner to identify and protect • Look at the new sensitive labels and Office 365 integration
- 28. Thank you!
Editor's Notes
- Eventview van werkplek logt acties. MS overweegt hiervoor een dashboard te maken FIPS: The Federal Information Processing Standard (FIPS) SHA: Secure Hash Algorithm 2 AES: Advanced Encryption Standard (AES) - Allow HTTPS traffic on TCP 443 to api.informationprotection.azure.com. - Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS. - If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user's Active Directory logon credentials.
- Toegang goed uitleggen! https://docs.microsoft.com/en-us/azure/information-protection/secure-collaboration-documents#example-configuration-for-a-label-to-apply-protection-to-support-internal-and-external-collaboration Azure AD (eigen, gesynced of via RMS account microsoft) Federated social (Google, Yahoo, Microsoft) Office account (heb je Office2016 click to run voor nodig) Iedereen (werkt alleen met Office 365 message encryption) – werkt met one time passcode
- Eventview van werkplek logt acties. MS overweegt hiervoor een dashboard te maken FIPS: The Federal Information Processing Standard (FIPS) SHA: Secure Hash Algorithm 2 AES: Advanced Encryption Standard (AES) - Allow HTTPS traffic on TCP 443 to api.informationprotection.azure.com. - Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS. - If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user's Active Directory logon credentials.
- Eventview van werkplek logt acties. MS overweegt hiervoor een dashboard te maken FIPS: The Federal Information Processing Standard (FIPS) SHA: Secure Hash Algorithm 2 AES: Advanced Encryption Standard (AES) - Allow HTTPS traffic on TCP 443 to api.informationprotection.azure.com. - Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS. - If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user's Active Directory logon credentials.