3. 88 %
of organizations no longer have
confidence to detect and prevent loss
of sensitive data
of employees use non-approved SaaS
apps at work80%
85 %
of enterprise organizations keep
sensitive information in the cloud
58 %
Have accidentally sent sensitive
information to the wrong person
4.
5. “I can’t apply unified
policies across
various data sources
or to a specific
repository”
“My data is scattered
across sources and
the data continues to
grow”
“When enforcing
compliance our
business users’
productivity is
disrupted”
“I need complete
coverage of all my
devices and
applications”
“How do I protect
sensitive information
such as sensitive PII
data across my
enterprise?”
“How do I find only
relevant data when I
need it?”
6.
7.
8. LabelDiscover Classify
Sensitivity Retention
Encryption
Restrict Access
Watermark
Header/Footer
Retention
Deletion
Records Management
Archiving
Sensitive data discovery
Data at risk
Policy violations
Policy recommendations
Proactive alerts
Unified approach to discover, classify & label
Automatically apply policy-based actions
Proactive monitoring to identify risks
Broad coverage across locations
Apply label
Unified approach
Monitor
11. Scan & detect sensitive
data based on policy
Classify and label data
based on sensitivity
Apply protection actions,
including encryption,
access restrictions
13. CONFIDENTIAL
Tag that is customizable,
readable by other systems,
and persistent.
It becomes the basis for applying and enforcing data
protection policies.
In files and emails, the label is persisted
as document metadata
In SharePoint Online, the label is
persisted as container metadata
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27. Consistent and easy for users
Apply and update labels while working in
Office apps – Word, PowerPoint, Excel and
Outlook
Built-in
Integrated natively into Office apps; no
plug-ins or add-ons required for latest
Office 365 apps.
Broad platform support
Starting next week: Mac, iOS and Android
public preview via Office Insider
Office on Windows and Outlook mobile
public preview by EOY
Azure Information Protection add-in
available today
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46. Leverage ad-hoc end user controls or
automatic policies
Protect
Mitigates risk of unintended
disclosure through encryption and
rights protection
Control
Leverage automatic policies or ad
hoc end-user controls, for emails
shared inside or outside the
organization
Compliance
Meet compliance obligations that
require encrypting data or
encryption key control
Recipients can read
protected messages using
consumer identities
Easily read protected
emails on any device
47.
48.
49.
50.
51. Windows protects file
based on sensitivity label
Prevent data from being
accidentally copied to
unmanaged apps and sites
Available starting with
Windows 10 version 1809
Understand labels, apply policy
52.
53.
54.
55.
56. Helps you manage sensitive data prior to
migrating to Office 365 or other cloud services
Use discover mode to identify and report on
files containing sensitive data
Use enforce mode to automatically classify,
label and protect files with sensitive data
Can be configured to scan:
• CIFS file shares
• SharePoint Server 2016
• SharePoint Server 2013
61. Adobe Acrobat will be able to
understand and honor labels and
protection
View protected files natively on Adobe
Acrobat on Windows
Labeling experience will be built
natively into Acrobat
Integration enabled by the Microsoft
Information Protection SDK
Public Preview: October 2018
GA: January 2019
62. Scan & detect sensitive
data based on policy
Classify and label data
based on sensitivity
Apply protection actions,
including encryption,
access restrictions
View reports and assess
classified, labeled and
protected data
63.
64. Better visibility into classified, labeled
and protected files – across workloads
Help identify information protection
anomalies and risks
View by label type, service/app and
label method (e.g. manual, automatic)
Recommendations to tune policy
settings
65.
66.
67.
68.
69. PCs, tablets, mobile
Office 365 DLP & Message EncryptionWindows Information Protection
Azure Information Protection
Exchange Online, SharePoint
Online & OneDrive for Business
Highly regulated
Microsoft Cloud App Security
Office 365 Advanced Data Governance
Datacenters, file
shares
Azure SaaS & ISVs
O F F I C E 3 6 5D E V I C E S C L O U D S E R V I C E S , S A A S
A P P S & O N - P R E M I S E S
Intune App Protection Policies
72. Discover compliance-related sensitive data
across locations, including on-premises
GDPR-specific sensitive information types
helps protect personal data in EU countries
Assess whether or not your cloud apps are
GDPR compliant
Gain visibility into classification, labeling and
protection of personal data (including
endpoints, locations, users)
Guide end-users when working with
personal data – with policy tips and
recommendations
73. Capabilities
O365
E3
O365
E5
EMS
E3
EMS
E5
Classification & labeling of
sensitive data
Create and manage sensitivity labels in Security & Compliance Center unified labeling experience ● ● ● ●
Manual labeling of files in Office 365 services (Exchange Online, SharePoint Online,OneDrive for Business) ● ●
Manual labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling ● ● ● ●
Manual labeling in Office apps on Windows using AIP client ●
Automated classification and labeling of files in Office 365 services (Exchange Online,SharePoint Online,
OneDrive for Business)
● ●
Discover sensitive data in on-premises file servers, apply label to entire repository or folder 1 ● ●
Automated classification and labeling of files in on-premises file servers (AIP scanner) ●
Automated classification and labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling ● ●
Automated classification and labeling inf Office apps on Windows using AIP client ●
Information Protection SDK to apply labels to files ● ●
Encryption & rights-based
restrictions
Add ad-hoc protection to Office documents ● ●
Encrypt emails to internal or external recipients ● ●
Data Loss Prevention (DLP)
Block sharing of sensitive files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for
Business)
● ●
Cloud App Security Classify and label data in 3rd-party SaaS apps and cloud services ●
Windows Information
Protection
Prevent copying and sharing of data from a business location to a non-business location on Windows 10
devices
● ●
Apply Windows Information Protection policy based on sensitivity label in document ●
1 Running AIP scanner in “Discover all” mode
BRK2495: What's new in Microsoft Information Protection solutions to help you protect your sensitive data - wherever it lives or travels
SEC20: Configuring and deploying Microsoft Information Protection solutions to help protect your sensitive data
So now, let's talk about the second piece of our platform story, and that's around information protection.
Sensitive data is at risk more than ever before. We have all seen and heard about the inadvertent or inappropriate sharing of sensitive information – either in the news or perhaps in your own organization. This data shows that the concern is real, but of course it becomes even more real when it happens to you and your company, and have to deal with potentially severe consequences.
11% source: https://www.otalliance.org/system/files/files/initiative/documents/ota_cyber_incident_trends_report_jan2018.pdf
58% source: http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf
So, we know that with the shift to the mobile-first cloud-first world, the perimeter is only a single component of protecting information.
It’s important that customers balance their goals of security and productivity:
Customers want to enable and foster collaboration to create new business value, and this requires data sharing and data mobility
At the same time, they want to prevent unauthorized disclosure, modification, or destruction of data and important information
Customers also want to reduce and manage the risk of user errors – such as unintentional sharing or inappropriate usage of important information
Ultimately, data must be protected at all time, both inside and outside of the network.
Adding to the complexity are the increasing compliance demands that many companies must navigate. This is driving the need to implement robust data protection and data governance policies. With the explosion of data – at an exponential rate – customers are looking for a unified approach and streamlined process to target the most relevant sensitive data, and apply the right controls. All while ensuring that end user productivity is not negatively impacted. For many customers, GDPR is the most important compliance matter facing them over the next year or so. There are certain steps that customers can take to protect their sensitive information and accelerate their compliance with their internal requirements as well as regulatory bodies or GDPR.
OLD DATA-POINTS:
80% of enterprises allow BYOD
730 cloud apps are being used, on average
85% of enterprises keep sensitive data in the cloud. https://www.vormetric.com/company/newsroom/press-releases/85-of-enterprises-keeping-sensitive-data-in-the-cloud-70-very-or-extremely-concerned-about-it-2016-vormetric-data-threat-report-cloud-big-data-and-iot-edition
Employees work on nearly 2x the number of teams than they did five years ago
Information overload wastes 25% of employee time, costing U.S. business $997B each year
Clearly, there are several reasons why a comprehensive information protection approach is so important. People are working in new ways. Data is being created and shared across boundaries – across a variety of devices, apps and cloud services. Compliance concerns add a layer of scrutiny to how data is being used and shared. Now let’s take a closer look at a framework for how customers can define and implement their own information protection strategy.
We see four primary elements of the information protection lifecycle: Discover, classify, protect and monitor. Each step has its own set of requirements and unique considerations.
First, let’s talk about the Discover phase: Discovering sensitive data is the first step. As data travels to various location – often outside of the organization’s environment, you want to know what sensitive data you have and where it’s located. Data may have different levels of sensitivity, and not all data needs the same level of protection.
Classify: After sensitive data has been discovered, it’s important to classify the data into distinct categories so that custom controls, such as policies and actions, can be applied. Once the classification scheme is set by the organization, policies can be configured and customized so that sensitive data such as intellectual property, customer info, health records, etc., are protected, stored and shared in a manner that adheres to the organization’s unique requirements. Classification and labeling persists with the file and can be understood and honored by other services, avoiding the need to reclassify and re-label throughout the file’s journey.
Protect: Classifying and labeling data often results a policy rule to apply some level of protection to sensitive data.
Monitor: Gaining visibility into how users are using or distributing sensitive information is an important component of your information protection strategy. In the case of unexpected activity or events involving sensitive information, organizations also need to be able to respond quickly and accurately.
- Comment Exchange MRM Policies
First, let’s look at the Detect phase of information protection. This involves scanning and detecting sensitive data – all based on the policy defined and configured by your organization.
Key considerations:
Is there an automated way to discover important data?
Which regulations and compliance factors matter?
Is my data spread out across devices, cloud & on prem?
Is my data spread out geographically?
Are certain employees or groups more relevant for discovery?
Do I know the characteristics of sensitive or important data?
In order to achieve comprehensive protection across your organization, it’s important that you are able to discover sensitive information no matter where it is created or lives. That means having sensitive data discovery capabilities across your on premises file shares or datacenters, on individual devices as well as across cloud services and SaaS applications.
We are also investing in building labeling capabilities natively into Office applications, across all platforms (Mac, iOS, Android, Windows). Along with the unified labeling schema, this will provide a consistent and better end-user experience. Customers won’t need to download and install any separate plug-ins, since the labeling experience will be built right into Office.
The native labeling experience for Office for Mac is currently in public preview in the Office Insider program (with iOS and Android Office coming shortly thereafter) and we are targeting general availability for most platforms by the end of CY18.
Talking point: OME is enabled for ~100M Office 365 users.
Context: Email is also main source of sharing information therefore Email prone to unintended disclosure. Encryption typically is also too difficult to use. For a lot of organizations one of their biggest hurdles is making it easy enough so users can adopt the technology and collaborate securely.
At Ignite we announced new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability for your users to be productive and to easily collaborate with those inside or outside of your organization.
PROTECT: Mitigate the risk of unintended disclosure of emails to anyone inside or outside your organization, so that only the indented recipient with the right identity can read the encrypted message. Recipients outside of the organization can use their email provider. OME provides added layer of encryption at the content level. OME also enables organizations to rights protect the email so only the people with the right identity can read the message and the Office application that’s attached also inherit the protections applied to the email.
Ex. Greg from Big Bank needs to send a sensitive message to his client on his recommended stock picks but does not want him to forward.
CONTROL: Admins can apply automatic policies and end users can be empowered to apply ad hoc policies that encrypt and rights protect messages sent inside and outside the organization. Additionally, recipients can easily read protected messages using their consumer identities such as Google, Yahoo or Microsoft Accounts – or use a one time passcode.
Ex. secret acquisition, company wishes to encrypt all messages between the external company. Admin applies mail flow rule.
Ex. Doctor wants to communicate with his/her patients who uses gmail. Patient can authenticate using their Google identity to read and reply to the protected message
COMPLIANCE: We’re also providing more enterprise grade capabilities - for regulated customers, Office 365 Message Encryption will enable you to provide and manage your own tenant encryption keys with BYOK with Azure Information Protection for Exchange Online.
The recently released AIP scanner can you help discover, classify, label and protect sensitivity information in your on-premises file servers. We know that customers still hold a lot of data on-premises, even if they are moving to the cloud. The AIP scanner can help in providing greater visibility into the presence of sensitive data on-premises, or you can apply the desired labeling and protection before migrating your files to Office 365, for example.
First, let’s look at the Detect phase of information protection. This involves scanning and detecting sensitive data – all based on the policy defined and configured by your organization.
Key considerations:
Is there an automated way to discover important data?
Which regulations and compliance factors matter?
Is my data spread out across devices, cloud & on prem?
Is my data spread out geographically?
Are certain employees or groups more relevant for discovery?
Do I know the characteristics of sensitive or important data?
63
This summarizes the primary solutions that can be implemented to protect sensitive information on devices, within your Office 365 environment, and then beyond your Office 365 environment to Azure, 3rd party cloud services and apps and on-premises environments.
At the device level: Windows Information Protection and BitLocker help protect sensitive information on Windows 10 devices. Beyond Windows devices, Intune mobile device management and mobile application management provides similar protection capabilities.
Many customers use Office 365 as their main productivity solution. We protect information whether it resides in email in Exchange Online, SharePoint Online or OneDrive for Business.
Office 365 Advanced Data Governance enables you to classify and label documents for the purpose of applying retention, expiration and deletion policies to important information
This is complemented with Office 365 Data Loss Prevention (DLP), which enables you to prevent sensitive information in Office 365 from getting into the wrong hands or being accidentally shared
Beyond Office 365, customers are increasingly using Azure and/or a combination of cloud services and cloud apps, often in conjunction with legacy on premises data centers and file shares.
Azure Information Protection helps protect sensitive information across cloud services and on premise environments
Microsoft Cloud App Security provides visibility and control across cloud app usage
Each of these components work together to provide end-to-end protection of sensitive data across your environment. Let’s take a closer look at each and how it can help you.
Meeting compliance requirements is a top priority for many companies. GDPR is obviously a concern, and similar regulations are either in place or will soon be in place in most parts of the world. We have several capabilities that can help your in your compliance journey.
You can configuring your policies to discover, classify and protect compliance-related sensitive data across a variety of locations. This includes Office 365, cloud services, and even on-premises file serves (using the AIP scanner).
We just recently released several new GDPR related sensitive information types in Office 365 that you can use to detect personal data in EU countries. We are targeting at making this available in Azure Information Protection later in CY18, as well as expanding the list of sensitive information types.
Microsoft Cloud App Security recently made enhancements to be able to assess which of your cloud apps are GDPR compliant.
Microsoft Field: Please view associated material at https://microsoft.sharepoint.com/sites/Infopedia_G01/Pages/AIP.aspx and Office 365 OnRamp at https://microsoft.sharepoint.com/sites/Infopedia_G03/officeonramp/SitePages/Office365Security.aspx#Security
