Accelerate GDPR compliance with the Microsoft Cloud
Samuel Marín, Sr. Sales Solutions Specialist


1 This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

2 What are the key changes to address the GDPR?

Personal privacy. Individuals have the right to:
    Access their personal data
    Correct errors in their personal data
    Erase their personal data
    Object to processing of their personal data
    Export personal data

Controls and notifications. Organizations will need to:
    Protect personal data using appropriate security
    Notify authorities of personal data breaches
    Obtain appropriate consents for processing data
    Keep records detailing data processing

Transparent policies. Organizations are required to:
    Provide clear notice of data collection
    Outline processing purposes and use cases
    Define data retention and deletion policies

IT and training. Organizations will need to:
    Train privacy personnel & employees
    Audit and update data policies
    Employ a Data Protection Officer (if required)
    Create & manage compliant vendor contracts

3 Protecting customer privacy with GDPR

4 Our commitment to you

To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018. We will share our experience in complying with complex regulations such as the GDPR. Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.

5 GDPR Compliance
    Simplify your privacy journey
    Uncover risk & take action
    Leverage guidance from experts

6 Centralize, Protect, Comply with the Cloud

Process all in one place: Centralize processing in a single system, simplifying data management, governance, classification, and oversight.

Maximize your protections: Protect data with industry-leading encryption and security technology that's always up to date and assessed by experts.

Streamline your compliance: Utilize services that already comply with complex, internationally recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.

7 The Trusted Cloud

Microsoft has the deepest and most comprehensive compliance coverage in the industry.

GLOBAL: ISO, ISO, ISO, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation
US GOV: Moderate JAB P-ATO, High JAB P-ATO, DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, FIPS, Section 508 VPAT, SP, ITAR, CJIS, IRS 1075
INDUSTRY: PCI DSS Level 1, CDSA, MPAA, FACT UK, Shared Assessments, FISC Japan, HIPAA / HITECH Act, HITRUST, GxP 21 CFR Part 11, MARS-E, IG Toolkit UK, FERPA, GLBA, FFIEC
REGIONAL: Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook

8 Shared responsibility

Legend: Customer management of risk / Shared management of risk / Provider management of risk (Cloud Customer vs. Cloud Provider)

Deployment models (columns): On-Prem, IaaS, PaaS, SaaS

Responsibility areas (rows):
    Data classification and accountability
    Client & end-point protection (End Point Devices)
    Identity & access management
    Application level controls
    Network controls
    Host Infrastructure
    Physical Security (Physical Networking)

9 How do I get started?

    1 Discover: Identify what personal data you have and where it resides
    2 Manage: Govern how personal data is used and accessed
    3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
    4 Report: Keep required documentation, manage data requests and breach notifications


11 1 Discover: Example solutions (In-scope / Inventory)

    Microsoft Azure: Azure Data Catalog
    Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
    Dynamics 365: Audit Data & User Activity; Reporting & Analytics
    Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
    SQL Server and Azure SQL Database: SQL Query Language
    Windows & Windows Server: Windows Search

12 2 Manage: Example solutions (Data governance / Data classification)

    Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
    Enterprise Mobility + Security (EMS): Azure Information Protection
    Dynamics 365: Security Concepts
    Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
    Windows & Windows Server: Microsoft Data Classification Toolkit

13 3 Protect: Example solutions (Preventing data attacks / Detecting & responding to breaches)

    Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
    Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
    Office & Office 365: Advanced Threat Protection; Threat Intelligence
    SQL Server and Azure SQL Database: Transparent Data Encryption; Always Encrypted
    Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard

14 4 Report: Example solutions (Record-keeping / Reporting tools)

    Microsoft Trust Center; Service Trust Portal
    Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
    Enterprise Mobility + Security (EMS): Azure Information Protection
    Dynamics 365: Reporting & Analytics
    Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
    Windows & Windows Server: Windows Defender Advanced Threat Protection


16 MICROSOFT INTUNE: Make sure your devices are compliant and secure, while protecting data at the application level
    MICROSOFT CLOUD APP SECURITY: Gain deep visibility, strong controls and enhanced threat protection for data stored in cloud apps
    CONDITIONAL ACCESS: Signals (Location, Apps, Risk, Device) determine whether access is granted to data
    AZURE INFORMATION PROTECTION: Classify, label, protect and audit data for persistent security throughout the complete data lifecycle (Classify, Label, Protect, Audit)
    AZURE ACTIVE DIRECTORY: Ensure only authorized users are granted access to personal data using risk-based conditional access
    MICROSOFT ADVANCED THREAT ANALYTICS: Detect breaches before they cause damage by identifying abnormal behavior, known malicious attacks and security issues

17 Office 365 In-place Compliance Solutions: Meeting organizational data compliance needs

Organization needs: Preserve vital data; Find relevant data; Monitor activity

    Data Governance: Import, store, preserve and expire data
    eDiscovery: Quickly identify the most relevant data
    Auditing: Monitor and investigate actions taken on data
    Security & Compliance Center: Manage compliance for all your data across Office 365

18 Security and Compliance Center: Powerful for experts, and easier for generalists to adopt

    Scenario-oriented workflows with cross-cutting policies spanning features
    Powerful content discovery across Office 365 workloads
    Proactive suggestions leveraging Microsoft Security Intelligence Graph

19 Advanced data governance enables organizational compliance by intelligently leveraging machine-assisted insights to find, import, classify, set policy and take action on the data most important to you.

Personas of Office 365 Data Governance: IT Administrator; Compliance Officer; Records Manager; Information Worker

20 Building Blocks of Office 365 Data Governance:
    Import: Intelligent import of on-premises Microsoft and 3rd-party data
    Classification, Policy & Sensitive Types: Manual and auto-classification of content to apply the right governance policies
    Retention, Archival & Disposition: System-enforced lifecycle, disposition workflows and defensible deletion process
    Dashboard, Insights & Reporting: Monitoring, reports and intelligent trend identification and suggestions
    Audit, Supervision & Defensibility: Data investigations, forensics, automated audit alerts and notifications

21 Advanced Data Governance in Office 365: Leverage intelligence to automate data retention and deletion

    Automatic Classification: Classify data based on automatic analysis (age, user, type, sensitive data and user-provided fingerprints)
    Intelligent Policies: Policy recommendations based on machine learning and cloud intelligence
    Take Action: Apply actions to preserve high-value data in place and purge what's redundant, trivial or obsolete

22 Beyond litigation: Investigations

    Wide range of scenarios: Regulatory compliance, employment law, HR, financial, internal business requirements
    Secure access: Provide access based on role, delegated access and enable security filters to scope access
    Self-service case management tools: Investigators can create & manage cases, put data on hold, perform searches and export
    Identify subjects, witnesses, custodians: Search for relevant subjects or witnesses or custodians
    Identify relevant data: Search for data relevant to the investigation across Office 365 and imported data
    Enable collaboration: Between investigators & attorneys overseeing the case

23 Office 365 eDiscovery: Quickly find what's relevant and reduce risk with intelligent eDiscovery in Office 365

    Simplified eDiscovery: Streamlined data preservation and legal hold management for each case
    Actionable Intelligence: Organize unstructured data with machine learning to reduce the volume of data for review and reduce cost
    Efficient Collaboration: Case workspace with roles, data permissions, and built-in auditing enables collaboration across the organization

24 eDiscovery model implemented in Office 365

    Identify and preserve data
    Search for documents that might be relevant
    Rank documents by their relevance
    Organize documents & recognize topics
    View and tag documents sorted by relevance, similarity
    Do all of these activities within a specific case

25 Why auditing is important

    Increasing risk: Losing intellectual property and customer data; compliance risks if data isn't preserved
    Multiple sharing options: Productivity requires easier collaboration
    Adding online services to your environment: Vendors, external partners, malicious insiders

26 What data is audited?

    Exchange Online: Admin activity, end-user (mailbox) activity
    Security and Compliance Center: Admin activity
    Azure Active Directory: Office 365 logins, directory activity
    Power BI: Admin activity
    SharePoint Online and OneDrive for Business: File activity, sharing activity

27 Customer Lockbox

    Meet compliance needs: Customer Lockbox can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization
    Extended access control: Use Customer Lockbox to control access to customer content for service operations
    Visibility into actions: Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center

Request flow: Microsoft Engineer submits request -> Lockbox system -> Microsoft Manager (Microsoft approved) -> Customer (Customer approved) -> Microsoft Engineer is granted access to the customer content

28 Microsoft.com/GDPR
