
Accelerate GDPR compliance with the Microsoft Cloud
Samuel Marín – Sr. Sales Solutions Specialist

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

What are the key changes to address the GDPR?

Personal privacy – Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications – Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing

Transparent policies – Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training – Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts

Protecting customer privacy with GDPR

Our commitment to you

To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.

We will share our experience in complying with complex regulations such as the GDPR.

Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.

[Diagram: three paths to GDPR compliance – Leverage guidance from experts; Simplify your privacy journey; Uncover risk & take action]

Centralize, Protect, Comply with the Cloud

Process all in one place: Centralize processing in a single system, simplifying data management, governance, classification, and oversight.

Maximize your protections: Protect data with industry leading encryption and security technology that’s always up-to-date and assessed by experts.

Streamline your compliance: Utilize services that already comply with complex, internationally-recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.

The Trusted Cloud
Microsoft has the deepest and most comprehensive compliance coverage in the industry

The slide lays out certifications and attestations under four headings (Global, US Gov, Industry, Regional):

Global: ISO 27001, ISO 27018, ISO 27017, ISO 22301, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation

US Gov: JAB P-ATO (Moderate), JAB P-ATO (High), DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, ITAR, Section 508 VPAT, SP 800-171, FIPS 140-2, CJIS, IRS 1075

Industry and Regional: HIPAA / HITECH Act, FERPA, GxP 21 CFR Part 11, PCI DSS Level 1, MARS-E, FFIEC, CDSA, Shared Assessments, FACT UK, GLBA, MPAA, HITRUST, IG Toolkit UK, Singapore MTCS, UK G-Cloud, Australia IRAP/CCSL, FISC Japan, New Zealand GCIO, China GB 18030, EU Model Clauses, ENISA IAF, Argentina PDPA, Japan CS Mark Gold, Japan My Number Act, Spain ENS, China TRUCS, Canada Privacy Laws, Privacy Shield, India MeitY, Germany IT Grundschutz workbook, Spain DPA, China DJCP

Shared responsibility

Responsibility by deployment model (On-Prem, IaaS, PaaS, SaaS); the slide colors each cell as owned by the cloud customer, the cloud provider, or shared:
• Data classification and accountability
• Client & end-point protection
• Identity & access management
• Application level controls
• Network controls
• Host infrastructure
• Physical security

Customer management of risk: Data classification and data accountability
Shared management of risk: Identity & access management | End point devices
Provider management of risk: Physical | Networking

How do I get started?

1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications

1. Discover – Example solutions (in-scope and inventory):
• Microsoft Azure: Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
• Windows & Windows Server: Windows Search

2. Manage – Example solutions (data governance and data classification):
• Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit

3. Protect – Example solutions (preventing data attacks; detecting & responding to breaches):
• Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard

4. Report – Example solutions (record-keeping and reporting tools):
• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows & Windows Server: Windows Defender Advanced Threat Protection

MICROSOFT INTUNE: Make sure your devices are compliant and secure, while protecting data at the application level

AZURE ACTIVE DIRECTORY: Ensure only authorized users are granted access to personal data using risk-based conditional access

MICROSOFT CLOUD APP SECURITY: Gain deep visibility, strong controls and enhanced threat protection for data stored in cloud apps

AZURE INFORMATION PROTECTION: Classify, label, protect and audit data for persistent security throughout the complete data lifecycle

MICROSOFT ADVANCED THREAT ANALYTICS: Detect breaches before they cause damage by identifying abnormal behavior, known malicious attacks and security issues

[Diagram: conditional access evaluates risk, device, apps and location before access is granted to data; Azure Information Protection then applies classify, label, protect and audit to that data]

Office 365 In-place Compliance Solutions
Meeting organizational data compliance needs

Organization needs: preserve vital data; find relevant data; monitor activity

• Data Governance: Import, store, preserve and expire data
• eDiscovery: Quickly identify the most relevant data
• Auditing: Monitor and investigate actions taken on data
• Security & Compliance Center: Manage compliance for all your data across Office 365

Security and Compliance Center

• Powerful for experts, and easier for generalists to adopt
• Scenario oriented workflows with cross-cutting policies spanning features
• Powerful content discovery across Office 365 workloads
• Proactive suggestions leveraging Microsoft Security Intelligence Graph

Advanced data governance enables organizational compliance by intelligently leveraging machine assisted insights to find, import, classify, set policy and take action on the data most important to you.

Personas of Office 365 Data Governance: IT Administrator, Compliance Officer, Records Manager, Information Worker

Building Blocks of Office 365 Data Governance:
• Import: Intelligent import of on-premises Microsoft and 3rd party data
• Classification, Policy & Sensitive Types: Manual and auto-classification of content to apply the right governance policies
• Retention, Archival & Disposition: System enforced lifecycle, disposition workflows and defensible deletion process
• Dashboard, Insights & Reporting: Monitoring, reports and intelligent trend identification and suggestions
• Audit, Supervision & Defensibility: Data investigations, forensics, automated audit alerts and notifications

Advanced Data Governance in Office 365
Leverage intelligence to automate data retention and deletion

• Intelligent Policies: Policy recommendations based on machine learning and cloud intelligence
• Automatic Classification: Classify data based on automatic analysis (age, user, type, sensitive data and user provided fingerprints)
• Take Action: Apply actions to preserve high value data in-place and purge what’s redundant, trivial or obsolete

Beyond litigation: Investigations

• Self service case management tools: Investigators can create & manage cases, put data on hold, perform searches and export
• Wide range of scenarios: Regulatory compliance, employment law, HR, financial, internal business requirements
• Enable collaboration: Between investigators & attorneys overseeing the case
• Identify subjects, witnesses, custodians: Search for relevant subjects, witnesses or custodians
• Identify relevant data: Search for data relevant to the investigation across Office 365 and imported data
• Secure access: Provide access based on role, delegated access and enable security filters to scope access

Office 365 eDiscovery
Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Office 365

• Simplified eDiscovery: Streamlined data preservation and legal hold management for each case
• Actionable Intelligence: Organize unstructured data with machine learning to reduce volume of data for review and reduce cost
• Efficient Collaboration: Case workspace with roles, data permissions, and built in auditing enables collaboration across the organization

eDiscovery model implemented in Office 365
1. Identify and preserve data
2. Search for documents that might be relevant
3. Rank documents by their relevance
4. Organize documents & recognize topics
5. View and tag documents sorted by relevance, similarity
Do all of these activities within a specific case

Why auditing is important

Increasing risk
• Losing intellectual property and customer data
• Compliance risks if data isn’t preserved

Multiple sharing options
• Productivity requires easier collaboration
• Adding online services to your environment
• Vendors, external partners, malicious insiders

What data is audited?
• Exchange Online: Admin activity, end-user (mailbox) activity
• Security and Compliance Center: Admin activity
• Azure Active Directory: Office 365 logins, directory activity
• Power BI: Admin activity
• SharePoint Online and OneDrive for Business: File activity, sharing activity
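The sharing and sign-in activity listed above is what a practitioner would triage first when auditing access to personal data. The following Python script is an added example, not code from this deck or from Microsoft: it parses a constructed sample of audit records shaped like Office 365 Management Activity API content (CreationTime, Workload, Operation, UserId, ObjectId, ClientIP, plus TargetUserOrGroupName and TargetUserOrGroupType on sharing events) and flags content shared outside the tenant, anonymous links, and a successful sign-in that follows a burst of failures from the same address. The operation names are assumed to match the SharePoint Online and Azure AD audit schemas and should be checked against the current schema reference; the tenant domain contoso.example, the users, paths and IP addresses are made up.

```python
"""Triage Office 365 unified audit log records for GDPR-relevant activity.

Added example, not from the slide deck or from Microsoft. SAMPLE_LOG is a
constructed JSON array shaped like Management Activity API content; the
operation names are assumed from the SharePoint Online / Azure AD audit
schemas, and every user, path, domain and IP is made up.
"""
import json
from collections import Counter

# SharePoint Online / OneDrive operations that grant someone access to content.
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AddedToSecureLink"}
# Operations that create or use a link anyone can open: always external exposure.
ANONYMOUS_OPS = {"AnonymousLinkCreated", "AnonymousLinkUpdated", "AnonymousLinkUsed"}

# Constructed sample: one content blob as the API returns it (a JSON array).
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2018-05-25T08:01:12", "Workload": "SharePoint",
     "Operation": "FileAccessed", "UserId": "ana@contoso.example",
     "ObjectId": "https://contoso.example/sites/hr/payroll.xlsx",
     "ClientIP": "10.0.0.5"},
    {"CreationTime": "2018-05-25T08:03:40", "Workload": "OneDrive",
     "Operation": "AnonymousLinkCreated", "UserId": "ana@contoso.example",
     "ObjectId": "https://contoso.example/personal/ana/customers.csv",
     "ClientIP": "10.0.0.5"},
    {"CreationTime": "2018-05-25T09:15:02", "Workload": "SharePoint",
     "Operation": "SharingInvitationCreated", "UserId": "ben@contoso.example",
     "ObjectId": "https://contoso.example/sites/hr/applicants.docx",
     "TargetUserOrGroupName": "partner@vendor.example",
     "TargetUserOrGroupType": "Guest", "ClientIP": "10.0.0.7"},
    {"CreationTime": "2018-05-25T09:20:11", "Workload": "SharePoint",
     "Operation": "SharingSet", "UserId": "ben@contoso.example",
     "ObjectId": "https://contoso.example/sites/hr/applicants.docx",
     "TargetUserOrGroupName": "carla@contoso.example",
     "TargetUserOrGroupType": "Member", "ClientIP": "10.0.0.7"},
    {"CreationTime": "2018-05-25T22:40:01", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "ben@contoso.example",
     "ClientIP": "203.0.113.9"},
    {"CreationTime": "2018-05-25T22:40:05", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "ben@contoso.example",
     "ClientIP": "203.0.113.9"},
    {"CreationTime": "2018-05-25T22:40:09", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "ben@contoso.example",
     "ClientIP": "203.0.113.9"},
    {"CreationTime": "2018-05-25T22:41:30", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "ben@contoso.example",
     "ClientIP": "203.0.113.9"},
])


def parse_records(raw):
    """Parse one content blob (a JSON array of audit records)."""
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of audit records")
    return records


def is_external(record, tenant_domain):
    """True if a sharing record exposes content outside the tenant."""
    op = record.get("Operation")
    if op in ANONYMOUS_OPS:
        return True
    if op not in SHARING_OPS:
        return False
    if record.get("TargetUserOrGroupType") == "Guest":
        return True  # guests are external by definition
    target = record.get("TargetUserOrGroupName", "").lower()
    return "@" in target and not target.endswith("@" + tenant_domain.lower())


def flag_external_sharing(records, tenant_domain):
    """Records that shared content outside the tenant, in log order."""
    return [r for r in records if is_external(r, tenant_domain)]


def failed_login_bursts(records, threshold=3):
    """Map UserId -> failed sign-in count for users at or above threshold."""
    counts = Counter(r["UserId"] for r in records
                     if r.get("Operation") == "UserLoginFailed")
    return {user: n for user, n in counts.items() if n >= threshold}


def success_after_failures(records, threshold=3):
    """(UserId, ClientIP) pairs that signed in after >= threshold failures."""
    failures = Counter()
    hits = []
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r.get("Workload") != "AzureActiveDirectory":
            continue
        key = (r["UserId"], r.get("ClientIP"))
        if r["Operation"] == "UserLoginFailed":
            failures[key] += 1
        elif r["Operation"] == "UserLoggedIn" and failures[key] >= threshold:
            hits.append(key)
    return hits


def triage(raw, tenant_domain, threshold=3):
    """Run all three checks over one content blob and return the findings."""
    records = parse_records(raw)
    return {
        "external_sharing": [(r["UserId"], r["Operation"], r["ObjectId"])
                             for r in flag_external_sharing(records, tenant_domain)],
        "login_bursts": failed_login_bursts(records, threshold),
        "success_after_failures": success_after_failures(records, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, "contoso.example"), indent=2))
```

Internal sharing (a Member target in the tenant's own domain) is deliberately not flagged, so the output stays focused on the vendor, partner and anonymous-link paths the slide names; the sign-in check keys on user and source address together so that a legitimate user retrying from the office is not confused with a password-spray success from an unfamiliar address.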

Customer Lockbox

• Meet compliance needs: Customer Lockbox can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization
• Extended access control: Use Customer Lockbox to control access to customer content for service operations
• Visibility into actions: Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center

[Diagram: a Microsoft engineer submits an access request to the Lockbox system; the request is approved by a Microsoft manager and then by the customer before the engineer is granted access to the customer’s content]

Microsoft.com/GDPR