• Microsoft MVP | CISSP | CISM |
CCISO | MCSE | PMP………….
• EC-Council CCISO Advisory Board
• CISO100 and CISO50 Award
Winner
• Speaker (ITCamp, MS Ignite Tour,
CISO Africa, SharePoint Saturday,
CSCAMP…….)
• Blogger @ https://itcalls.net
• /AhmedNabilMahmoud
• @ITCalls_anabil

Data is
exploding
It’s created, stored, and
shared everywhere
Platforms
SaaS
Remote
Corporate
Structured
Private cloud
SMS
Vendors
Unstructured
Public
Emails
Documents
Records

Discovering and managing data is challenging
88%
of organizations no
longer have confidence
to detect and prevent
loss of sensitive data¹
>80%
of corporate data is
“dark” – it’s not classified,
protected or governed²
#1
Protecting and
governing sensitive
data is biggest
concern in complying
with regulations
1. Forrester. Security Concerns, Approaches and Technology Adoption. December 2018
2. IBM. Future of Cognitive Computing. November 2015
3. Microsoft GDPR research, 2017

Data regulations
are increasing
around the world
Protection of Personal
Information Act 2013
(POPI)
Australia Privacy Principles
2014
General Data Privacy Law
Data Protection in Act
(pending)
Federal Data Protection
Law 2000
California Consumer
Privacy Act (CCPA) 2018
Personal Information
Protection and Electronic
Documents Act (PIPEDA)
Act on Protection of
Personal Information
(APPI) 2017
Personal Information
Protection Act (PIPA) 2011
Personal Information
Security Specification 2018
Personal Data Protection
Act (PDPA 2012)
Personal Data Protection
Bill 2018
The Privacy Protection
Act (PPA) 2017
General Data Protection
Regulation (GDPR 2016)

What’s your strategy for protecting and
governing sensitive and business critical data?
Do you know where your business critical and
sensitive data resides and what is being done
with it?
Do you have control of this data as it travels
inside and outside of your organization?
Are you using multiple solutions to classify,
label, and protect this data?

Information
Protection &
Governance
Protect and govern data
—wherever it lives 88%
Understand your data landscape and identify
important data across your hybrid environment
Automatically retain,
delete, and store
data and records in
compliant manner
Apply flexible
protection actions
including encryption,
access restrictions
and visual markings
Powered by an intelligent platform
KNOW
YOUR DATA
88%
GOVERN
YOUR DATA
PROTECT
YOUR DATA
Unified approach to automatic data classification, policy
management, analytics and APIs

Information
Protection &
Governance
Protect and govern data
—anywhere it lives 88%
KNOW
YOUR DATA
88%
GOVERN
YOUR DATA
PROTECT
YOUR DATA

Customer lifecycle for Classification, Labeling and
Protection of sensitive files
DEFINE CLASSIFICATION
SCHEME
DEFINE ALL
CLASSIFICATION POLICY
CONDITIONS
CREATE/TEST AND
DEPLOY
CLASSIFICATION POLICY
ONGOING USAGE,
MONITORING AND
REMEDIATION

Office 365
Information Protection
Windows
Information Protection
Azure
Information Protection
What
Where
How
Microsoft information protection—the way it was

What
Where
How
Office 365
Information Protection
Windows
Information Protection
Azure
Information Protection
Microsoft information protection—now

Demo
How Client Look like ?

Know Your Data

How can I see what happens to my data over its lifecycle?
Where can I classify my data?
What methods can I use to classify my data?
Know your Data

Know your data – Top of mind questions
Where is my sensitive data
located?
What are the risky activities
happening in my organization
– files shared externally, across
1st and 3rd party apps?
I need to comply with a new
regulation? Where is my PII
data located & where is it
being generated?
How do I control data
sprawl and build a strategy
for dark data disposal
before I bring data to the
cloud from on-premise?
How do I see activity around
classification and labeling across
retention and sensitivity labels once
they have been used across
governance and retention outcomes?
?? ?
??
How do I monitor
ongoing risk around
label activity?
?

Flexible options to know your data
Scanner: Spanning on-premises to cloud Content explorer
Activity explorer
Use built-in classification methods
Auto-classification
using trainable
classifiers
Understand what’s sensitive, what’s business critical & across your environment

Discover and classify on-premises files
Helps you manage sensitive data prior to
migrating to Office 365 or other cloud services
Use discover mode to identify and report on
files containing sensitive data
Use enforce mode to automatically classify,
label and protect files with sensitive data
Can be configured to scan:
• CIFS file shares
• SharePoint Server 2016
• SharePoint Server 2013

Discover and classify cloud services using Microsoft cloud
app security
Detect content in cloud storage services
Inspect files for sensitive information – based
on policy
Apply sensitivity labels
Automatically apply labels to sensitive files
identified in cloud apps
Enforce protection policies
Use sensitivity labels to apply policy, such as
restricting access to sensitive information,
blocking uploads, blocking downloads

Multiple classification methods
Built-in
90+ information types provided out of
the box to get started
Flexible
Use regex, keywords, and exact data
match for data identification
Organized
Mapped to different industry
regulations

Trainable classifiers
Leverage machine learning to automatically classify unique data
Built-in
Resume, source code, offensive
language provided out-of-box
Build-your-own
Train the system to look for specific
types of data
Integrated
Attach to sensitivity and retention
labels with associated policies

Demo
Built-in Classification

Protect Your Data

How can I balance data security and productivity?
Where can I protect my sensitive data?
How can I protect my sensitive data?
Protect your Data

Customizable
Persists as container
metadata or file metadata
Readable by other systems
Determines DLP policy
based on labels
Extensible to partner solutions
Protect your data using sensitivity labels
Manual or Automated Labels
Apply to content or
containers
Label data at rest, data in use,
or data in transit
Enable protection actions
based on labels
Seamless end user experience
across productivity applications
CONFIDENTIAL

Balance data security and productivity
Enforce conditional access to sensitive data
DLP actions to block sharing
Encrypt files and emails based on sensitivity label
Prevent data leakage through DLP policies based on
sensitivity label
Business data separation on devices
Secure email with encryption & permissions
Manually apply sensitivity label consistently across apps
applications and endpoints
Show recommendations and tooltips for sensitivity labels with
auto-labeling and DLP
Visual markings to indicate sensitive documents across apps and
services (e.g. watermark, lock icons, sensitivity column in SPO)
Co-author and collaborate with sensitive documents
Enable searching of encrypted files in SharePoint
Allow users to open and share encrypted pdf files in Edge in
addition to Adobe Acrobat Reader

Protect your data across environments
Classify and label
data in on-prem
repositories,
including file servers
and SharePoint
Label and protect
Office files natively
across Windows,
Mac, iOS, Android
and Web Clients
Label and protect
sensitive data
manually and
automatically across
content and
container
Automatically label
and protect sensitive
emails in Exchange
Online
Unified Label Management in Microsoft 365 Compliance center
On-prem Exchange
Online
SharePoint,
Teams, Groups,
PowerBI
Office Apps
Across
Platforms
Extend protection
through Microsoft
Cloud App Security
to third party clouds
and SaaS apps
Non-Microsoft
Clouds and
SaaS apps

Unified policy configuration & management
Centralized
Single destination to configure
policies for data protection and
data governance,
across locations
Customized
Customize conditions, rules and
exceptions to granularly define
policy actions
Consistent
Consistent enforcement using
common policy engine

 Native Manual labeling in Office apps across all platforms
 Automated labeling in Office ProPlus and Office on the Web
 Label SharePoint sites, Teams sites, Office 365 Groups, and PowerBI
artifacts at a container level
 Coauthor and collaborate on encrypted files in SharePoint Online
 Enable protected pdf workflows in Outlook and Edge
 Label and protect CAD artifacts with Microsoft Information Protection
Available and Preview since November

Deployment guidelines
for new and existing
Azure information
protection users

New customer: experience

Existing Azure information protection customers:
migration path

Why should I activate unified labeling?

Demo: migrate your AIP
labels to Unified Labels

CONFIDENTIAL
Clients
Android, iOS, Mac, Windows, Web
Windows Explorer
Right-click scenario
PowerShell
End user automation
Power BI
During export from a Power BI report
MCAS
Data at rest and in transit
SDK/3rd party
Adobe, Symantec, etc.
O365 DLP
Preview
PowerShell
Automation
MIP Scanner
Based on policy or All sensitivity
types
Exchange Transport Rules

Begin your data
classification journey
Proactively protect
information against
common threats
Monitor, report and protect
against complex security &
compliance challenges
CONFIDENTIAL CONFIDENTIAL
CONFIDENTIAL

CONFIDENTIAL
Discovery
Deploy MIP Scanner in discovery mode
Design your First Labels
Start with top 3-4 most broadly applicable
labels (General, Internal, Confidential)
Manual Labeling
Start with manual labeling/classification
Set Default Label
Set a default label (General)
User Awareness
No Protection
Go for Unified Labels
Classification is a journey. Start simple.

Begin your data
classification journey
Proactively protect
information against
common threats
Monitor, report and protect
against complex security &
compliance challenges
CONFIDENTIAL CONFIDENTIAL
CONFIDENTIAL

CONFIDENTIAL
Introduce Encryption
Apply encryption on your most sensitive label
Configure Recommendations
Configure recommendations for some labels
Labeling with Scanner
Start labeling with the MIP Scanner
Labeling via MCAS
Configure policy to apply labels in cloud locations
• Apply label based on conditions
Classification is a journey. Start simple.

Begin your data
classification journey
Proactively protect
information against
common threats
Monitor, report and protect
against complex security &
compliance challenges
CONFIDENTIAL CONFIDENTIAL
CONFIDENTIAL

CONFIDENTIAL
Automation/Encryption
Configure automatic labeling via:
• Clients
• Scanner
• O365 DLP (preview at Ignite)
Design Key Management Option
• Microsoft managed
• BYOK
Classification is a journey. Start simple.

References
http://aka.ms/Azure Information protection dag
https://myignite.techcommunity.microsoft.com/
https://aka.ms/UL-Explained
https://aka.ms/aipulvsclassic

@ITCalls_ANabil
/in/ahmednabilmahmoud/
https://itcalls.net/