-->
≡
Home
Woman
Sport
Business
Health
Privacy Policy
Contact Us
Contact Us
Preparing for GDPR: Compliance management and information protection capabilities in Microsoft 365
:
:
2018-02-22T17:35:31Z
Thursday, 22 Feb 2018 - 05:35 PM
- Coming up we'll highlight a number of improvements to
information protection capabilities in Microsoft 365.
To help you go from assessing
your compliance posture against GDPR,
to determining and implementing
the latest information protection capabilities
to help you with compliance.
Including what Microsoft delivers as a
Cloud Service Provider and the specific controls
that you need to implement.
Identifying and protecting personal and sensitive data
wherever it resides either on premises,
in the Microsoft Cloud, or other SaaS applications,
classifying and protecting file types,
even non-Microsoft file types across location,
services, device platforms, and more.
(slow electronic music)
So I'm joined today by Gagan Gulati from the
information production engineering team, welcome.
- Thank you, great to be here.
- So, we recently did a show explaining GDPR which
really affects organizations in the European Union,
or any organization that really deals with
customers or employees in the EU.
- That's right, it's really a requirement for
organizations to make sure that they're
fully accountable for the personal information
that they hold for their employees
and customers in the European Union.
Now, if your organization collects personal data
on EU residents, this regulation applies to you,
and it's broader than private information
such as age, race, government ID numbers,
or Social Security numbers.
It could also be IP addresses or mailing addresses.
- Right and one important thing to point out
is that the deadline is May 25, 2018.
Now last time we walked through all the available
tools and guidance, but what has the team
been focused on lately to help?
- So we've delivered several new features in Microsoft 365
to help with compliance and
European Unions GDPR specifically,
and while Microsoft 365 is a cloud service,
it can help IT get a handle on hybrid environments, too.
That can include a wide range of
services, apps, and devices types as well.
A key area for focus for us is how we make it
easier for you to assess your compliance brochure with GDPR,
and build an implementation plan
to protect your information.
So the first thing I want to show you is
the compliance manager, which you can start using today,
and it will include assessments
across other Microsoft services as well.
As you can see here, the compliance manager applies to
a number of standards and regulations.
We see GDPR and ISO 2701.
The compliance manager is a powerful way to track
and manage your data protection and compliance
with the risk base score based on the actions you've taken.
So here I would click into GDPR.
Here you can see a list of all the services covered.
We will be adding more services over time.
As you see here, your assessment
is based on two perspectives.
The first is Microsoft Managed Controls in relation to GDPR.
These are the controls that Microsoft
leverages as a service provider.
We provide you in-depth details on how Microsoft
has implemented these controls,
and how third-party auditors have tested the controls.
We even give you an update
on the status of specific controls,
that we are in the process of implementing.
- So, that's really great,
you're able to quickly see what Microsoft delivers
as a Cloud Service Provider, in this case.
- Yes, and the second view that we give you,
is of the specific controls that you need to implement.
What we call Customer Manage Controls,
which you are responsible for managing.
In this model, there are a number of controls
that we have mapped with GDPR articles,
for you to implement.
Here, I'm gonna walk you through these controls,
you will see the actions that you need to take
to implement the controls,
as well as the space to document implementation details,
and test plans.
Remember, these are editable feeds.
You can even upload supporting documents
that provide evidence for
control implementation and effectiveness.
Your compliance team can review and update
test starters for each article.
As you implement these controls,
we help you track your progress,
and once your team has tested
all the articles you're responsible for,
you can export a report to Excel
that provides all the details for controls you're managing,
and what Microsoft manages.
At the end of the day, the course stipulation
is the protection of personal information.
So now, let me get back to the article,
and now, as a compliance officer,
I can assign this article to my IT Admin,
in this case, you Jeremy.
I'm gonna ask you to look into it.
So I will click assign, and assign this to you.
- So now, here is the IT Admin,
I see than an email's arrived, and I click view action,
and it's gonna take me directly to
what's been assigned to me then.
When I click on that I go right to the customer actions,
and the compliance manager.
Now, when I click read more, in this section
it actually drolls down to specific capabilities
with links to all these great resources
in order to enable this article.
So here, the overall guidance around
getting me to a state where sensitive docs
are basically protected, and discovered, and classified,
that's all right here.
- Yes, and as you can see,
we have a comprehensive set of solutions
as part of Microsoft 365.
We highlight the specific tools and links to guidance,
that'll help you with this article, all from one place.
One of the key technologies that you use,
in this case, is as information protection,
within Microsoft 365 which is the technology
that my team at Microsoft works on.
- So, this is gonna be really good then,
so let me check that out.
In this case, I'm gonna see a link here
for Azure Information Protection.
When I click that, it's actually taking me
straight into docs, I can see all the guidance here
to get that set up, read about it and get it implemented.
- That's right, ultimately we wanna go from having
documents where we are not aware of the sensitivity
of the content, like the document we have here.
In this document, you can see it's regular document,
with no sensitivity applied to this document.
To where we have identified, classified, labeled,
and applied protection to the files
we really need to protect.
So, in this case, it's the same document.
You can see that it has a sensitivity of confidential,
you can see a water mark
has been applied across the same document.
Now, as information protection does all of this
in a consistent, automated way.
So here, I'm in the Security and Compliance center,
in the Admin Portal.
This gives a consistent configuration experience
for the classification of the content,
and can be applied across all of your workloads.
So, we'll start by creating a set of standard labels,
we need the labels in place
before we can start classifying our files.
So, as you can see here, I've already created
a bunch of these labels.
I'm going to set up a new one,
we will call it Confidential GDPR.
So, I will click on create a label.
I will type in the name,
we will skip the description in this case,
and add the tooltip as well.
So, I'm gonna click next.
Here, I can apply two types of policies,
for protection and for retention.
I will turn on protection, in this case.
You would see that I have
quite a few options available to me.
One of them is block users
from sending emails outside the organization.
There's another option called send incident reports
in emails in case somebody sends these confidential emails
outside the organization.
But, in our case,
we're going to click on advised protection,
which basically includes encryption.
- So, you basically have the options here then,
to kind of monitor what's going on,
or take and start enforcing these policies.
- Correct,
and here we get to apply advanced options.
I'm going to click on,
and you can see that I have
quiet a few of advanced options available to me.
Adding water marks, add a header, add a footer,
and apply label to subject.
I'm gonna choose applying a water mark.
I will click on customize the text,
I added Confidential GDPR,
and this water mark is now going to apply diagonally
across all the pages of the document,
for which this label is applied.
- Just like we saw earlier?
- That is right, so I'll click save,
and then I'll click next.
This is where it gets really interesting.
To enable automated classification of documents,
we give you the ability to apply labels automatically
to new documents, as they're created,
or to existing documents.
Here, is an example of a rule that I will now set.
So, I will click on next,
and I would click on adding a new condition.
Now remember, in this case,
we will try trigger classification,
when we detect passport, or personal ID numbers.
We support up to 80 sensitive information types,
to help you protect data for EU residents,
or you can customize and create your own
sensitive information type.
So, now I'll click on create,
and here, I'm going to add the PII information
for all French nationals.
As you can see, I got four sensitive information types
for French nationals, including driving license numbers,
national ID cards, passport numbers,
and Social Security numbers.
So, I'm going to click on add, and done.
- This is really powerful here
because this is gonna actually allow you to scan
all the files that are already preexisting
in your entire suite of files and data.
Now, another thing to note here,
is that we're gonna be building out a GDPR template
for sensitive information types.
But, you don't need to wait to get started.
- Absolutely.
Now, I will publish this label by clicking next,
and clicking create,
and once I have published this label,
it's enabled across all Microsoft
and non-Microsoft services that support
our Information Protection Platform.
- Right, and so I know a lot of people
are probably watching this are thinking,
I've been collecting lots of data and files
over the years, and sitting in file shares, or share point.
Can I help find those types of files,
and protect those using your tools?
- We have just a new capability called AIP Scanner,
which helps you to protect your data at rest,
on your file servers, or share-point on premises.
So here, I have a file in front of me,
it contains sensitive data in the form of passport numbers,
and we want to absolutely protect it.
So, the first thing I'm gonna do is,
I'm gonna close the file,
and now, we will run the AIP Scanner.
You can see that I have already typed the command
Start Service AIP Scanner.
- Pay attention to those PDF files,
cause I think the icons are gonna change
once you run the scanner.
- Definitely, so I'm gonna click enter,
and as you said, behind the scenes,
the AIP Scanner is running,
and it's going to protect all of these files
that contain the sensitive data.
As you rightly pointed out,
the PDF file icon has now changed,
and you'll see a lock on these files.
So basically, what's happening behind the scenes,
is that the documents are
getting automatically classified, and protected.
So now, I'm gonna open this file,
and as I open this file, you will see
that this file has now been classified
as Confidential GDPR data, and it has also been protected.
So, I'll click on view permissions,
and you will see that this file is now protected
to all the people in my organization.
- So that's pretty amazing here, and in this case,
it's picked up the policy that you said earlier,
and it's retrospectively applying and automatically
applying all the protection as it scans
the content in your files, server in this case.
- Notice that too, that the scanner will also
detect many different file types.
There are around 38 to 45 types supported by AIP,
and also, after you run the scanner,
you also get a full report of the sensitive content
discovered, as you can see, in this Excel report.
We have protected a bunch of files in that folder,
a lot of different labels have been applied,
specifically for the resume that we saw,
the confidential label of Confidential GDPR got applied,
and the condition name was French PII Data.
- Now, so that was on premises,
and kind of scanning the files
that you already collected over the years.
But now, as your seeing file-sharing
getting more and more ubiquitous,
a lot of people are storing their content in the Cloud,
across multiple services.
Can AIP protect those files that extend beyond things like
Microsoft services, Microsoft 365?
- Yes, Microsoft has it's own casby
called the Microsoft Cloud App Security.
This will help you to discover
all the Cloud apps that you users may be using,
and it's intigrated with information protection,
to help the protection of your sensitive data.
So here, I have a file,
that we don't know what the sensitivity of the file is.
I am now going to upload this file to Box.
Now, as soon as I do that,
notice that the file version has changed.
That's because, behind the scenes,
Microsoft Cloud App Security acts as an intermediary.
It first scans a copy of the file,
then classifies it, labels it, and protects it
based on the rule that we set up earlier.
It then uploads a new version of this same file to Box.
So, Jeremy, why don't you try to download this file.
- Alright, so I'm gonna open this here on my Mac,
and you can see that I've got the file here as Version 2,
it's just been updated by Gagan.
I'm gonna click on the more options here,
and Box download the file,
and we can see it's downloaded.
Now, if I go ahead and look at the Word document downloads,
there it is, so I'm gonna go ahead and open that.
Here, we can already see that
it's been marked Confidential GDPR.
I can read this straight from my Mac,
the encryption's been enabled,
and I can see all the protections,
if I click on View Protections.
All the stuff that we just saw in your Windows PC,
has been applied on my Mac.
So, that means only employees of my company, in this case,
can actually open it.
- Yes, so now if the Box library
is unintentionally shared externally,
those external users will not be able to access this file.
- Very cool, so we've seen how then, information protection
on local file servers works.
Also, in the Cloud, even non-Microsoft Cloud services,
and even across different device platforms.
- That's not all.
All the of functionality is now available through
our information protection SDK,
which allows you to take advantage
of our consistent labeling, and protection capabilities
across all your apps.
For example, we're working with Adobe now
to have the same consistent labeling and protection
of PDFs in Adobe Reader as well.
So now, I'm gonna go back to my screen,
and you will see that I have, I am in Abode Reader.
I have a confidential PDF file available to me,
I'm going to double click on this,
and as I click on this file, and I click the lock icon,
you will see that this file in Abode
is actually protected with
Microsoft Azure Information Protection.
- Now, these are just a few examples of how can go
from assessing compliance posture against GDPR requirements,
to determining and implementing the latest
information and protection capabilities
to help you with compliance.
Now, do you have any other guidance
for people that are watching at home today,
about working through their GDPR requirements?
- Yes, don't wait, get started today.
We have a lot of tools, framework, and guidance to help you.
You'll see us continuously adding more capabilities
over the coming months.
In addition to what I've shown you today,
we recommend that you also
take a quick GDPR assessment at the link shown.
Then as I showed you, by implementing
the recommendations from Compliance Manager,
you can take your compliance exposure to the next level,
which you can assess here.
- Right, and of course this is a topic
that we're gonna be following very closely
on Microsoft Mechanics to help get you ready
for GDPR, and it's deadline, and beyond.
So subscribe to Microsoft Mechanics on YouTube
to keep up with the latest shows.
That's about all the time we have for today's show,
we'll see you next time.
(slow electronic music)
Understanding GDPR and the tools in Office 365 and beyond to help meet its requirements Clutch, How does it work ? Understanding the General Data Protection Regulation and your options with Microsoft 365 Microsoft 365 security – Everything you need to know in 8-minutes The World's Future MEGAPROJECTS (2017-2040's) GDPR and Office 365 - BRK2129 What is DevOps? - In Simple English Microsoft Teams and what you need to know in IT Virtual machine migration to Azure: Step-by-step guide for migrating from VMware to Azure The Top 5 Tips for Information Protection
Facebook
Twitter
Google Plus
Microsoft Mechanics
Latest Posts
