www.keyon.ch, [email protected]
Understanding the big picture
Classification- and label-centric security approach for O365 and other applications and platforms V1.1
About Keyon AG
Covering the whole MS Security Suite
Today's Challenges
• Business transformation, legal requirements, mobile & cloud first, B2B collaboration, etc.
• Goal: keep control of your data, inside and outside your organization
Today's Challenges - Governance
• Changing regulation – GDPR (example, extract)
• Art. 24 GDPR - Responsibility of the controller: the controller (data owner) is responsible for any processing of personal data carried out by the controller or on the controller's behalf (by a processor).
• Art. 25 GDPR - Data protection by design and by default: protecting the rights of natural persons with regard to the processing of personal data requires that appropriate technical and organizational measures are implemented by design and by default.
• Art. 30 GDPR - Records of processing activities: the controller or processor shall maintain a record of the processing activities under its responsibility (technical and organizational).
• Art. 32 GDPR - Security of processing: the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (encryption of personal data; ensuring the confidentiality, integrity, availability and resilience of processing systems and services; etc.).
• Art. 33 GDPR - Notification of a personal data breach to the supervisory authority: in case of a personal data breach, the controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
• Art. 42 GDPR - Certification: data protection certification mechanisms and data protection seals and marks may be established for the purpose of demonstrating that processing operations by controllers and processors comply with the Regulation.
Today's Challenges - Environments
• Cloud Computing Top Threats in 2016
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss (other than malicious attacks, e.g. accidental deletion)
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
Source: https://cloudsecurityalliance.org/group/top-threats/
Marked on the original slide: the threats covered by the classification- and label-centric security approach
Today's Challenges - Responsibility
• The controller (data owner) is responsible for the appropriate processing and protection of its data.
• Trust in the cloud provider
• Location / national legislation
[Figure: shared-responsibility stack. Layers from bottom to top: Hardware, Virtualized infrastructure, Platform, Application. For IaaS, PaaS and SaaS the figure shows which layers are operated by the Cloud Provider and which remain with the Organization; Compliance, which remains with the Organization as controller, is shown spanning all layers.]
Today's Challenges - Summary
• Understand the value of your data
• Understand by whom and where the data is being processed, stored and transferred
• Implement security by default and by design
• Monitor activities
• Detect breaches and threats
• Increase user awareness
• Don't stop business
Why is data classification important?
Information security starts with classification…
Classification = Data
+ value determination
+ persistent labelling
… and continues with applying appropriate security and monitoring measures based on the classification
Why is data classification important?
• Key questions
• How valuable is the data to the organization?
• How valuable is the data to 3rd parties, competitors or outside individuals?
• What is the impact / risk to the organization if valuable data has leaked?
• Who should / should not have access to the data (need to know)?
Classify data based on its value and protect / process it accordingly
Security Measures - DLP objectives
• Prevent intentional and unintentional loss of data
• Own and control data and the usage of the data
• Identify sensitive data and defend against unauthorized access
• Support users in their daily business to meet policies and regulatory provisions
• Ensure e-discovery
• Do not stop business – seamless and broad integration
Classification vs. content matching
• DLP processes based on content matching (patterns and sensitive information types evaluated on every document or message) are hard to manage: the rules need constant tuning against false positives and false negatives
• DLP processes based on a defined classification or label are easy to manage: the label is persistent metadata attached to the data, and a rule only has to look it up
Apply DLP measures – Monitor/Block
• DLP monitoring and blocking based on classification
[Figure: data flows between Company A's applications (e-mail server, collaboration platform, file shares, desktops / laptops, mobile devices, USB devices), Company A's Azure tenant, cloud applications 1 and 2, and partners / customers; classification-based DLP monitors or blocks each of these flows.]
Apply DLP measures - RMS
• Automated data protection
• Rights Management (RMS) protection is intrinsically tied to the data itself, independent of the technology used for data at rest or data in motion
[Figure: the same data flows as on the previous slide (Company A's applications, Azure tenant, cloud applications 1 and 2, partners / customers, USB devices), with RMS protection travelling with the data and a CASB in front of the cloud applications.]
Apply DLP measures – User awareness
• Automated user awareness
• Based on classification, labels, recipients
• The user gets notified and, optionally, must justify the action
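The difference between the two DLP styles described above (a label lookup versus content matching) and the notify-and-justify action from the user-awareness slide, as an added worked example that is not part of the Keyon slides or of any Microsoft product. The label GUIDs, mail domains and sample messages are constructed, and the `msip_labels` header format is an assumption modelled on the header Azure Information Protection adds to labelled mail:

```python
"""Toy DLP decision engine: label-centric vs. content-matching rules.
Added example, not from the Keyon slides. Label GUIDs, domains and messages
are constructed; the msip_labels header format is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ORG_DOMAIN = "companya.example"  # constructed: Company A's own mail domain

# Constructed label GUIDs; in a real tenant they come from the AIP label policy.
LABEL_CONFIDENTIAL = "11111111-1111-4111-8111-111111111111"
LABEL_INTERNAL = "22222222-2222-4222-8222-222222222222"

# Label-centric policy for mail leaving the organization: one lookup per label.
#   block -> stop the message; justify -> notify user, require a justification
EXTERNAL_LABEL_POLICY: Dict[str, str] = {
    LABEL_CONFIDENTIAL: "block",
    LABEL_INTERNAL: "justify",
}

# Content-centric policy: one sensitive information type, a payment card number
# (13-16 digits, optional space/dash separators, not inside a longer number).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12}\d{3,4}(?!\d)")
# Assumed shape of the AIP header: MSIP_Label_<guid>_Enabled=true; ...
MSIP_ENABLED_RE = re.compile(r"MSIP_Label_([0-9a-f-]{36})_Enabled=true", re.IGNORECASE)


@dataclass
class Message:
    to_domain: str
    body: str
    headers: Dict[str, str] = field(default_factory=dict)
    justification: Optional[str] = None


def luhn_ok(number: str) -> bool:
    """Mod-10 check that separates card numbers from order/tracking numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> List[str]:
    """Content matching: regex hit AND checksum; the regex alone over-matches."""
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]


def labels_from_headers(headers: Dict[str, str]) -> Set[str]:
    """Enabled label IDs from the (assumed) msip_labels header, any key case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {g.lower() for g in MSIP_ENABLED_RE.findall(lowered.get("msip_labels", ""))}


def decide_by_label(msg: Message) -> str:
    """Label-centric DLP: a dictionary lookup on persistent metadata."""
    if msg.to_domain == ORG_DOMAIN:
        return "allow"
    actions = {EXTERNAL_LABEL_POLICY.get(l, "allow") for l in labels_from_headers(msg.headers)}
    if "block" in actions:
        return "block"
    if "justify" in actions:
        return "allow_justified" if msg.justification else "justify"
    return "allow"


def decide_by_content(msg: Message) -> str:
    """Content-matching DLP: every outgoing body is scanned and validated."""
    if msg.to_domain == ORG_DOMAIN:
        return "allow"
    return "block" if card_numbers(msg.body) else "allow"


def msip_header(label_id: str, name: str) -> str:
    return f"MSIP_Label_{label_id}_Enabled=true; MSIP_Label_{label_id}_Name={name}"


# Constructed sample messages, all addressed outside the organization.
SAMPLES: Dict[str, Message] = {
    # Labelled Confidential, no pattern a content rule would recognise.
    "confidential_plan": Message("partner.example", "Attached is the acquisition plan. Do not forward.",
                                 {"msip_labels": msip_header(LABEL_CONFIDENTIAL, "Confidential")}),
    # Unlabelled; the order number looks like a card number but fails Luhn.
    "order_confirmation": Message("customer.example", "Your order 4242 4242 4242 4241 ships on Monday."),
    # Unlabelled; contains a Luhn-valid (test) card number.
    "expense_report": Message("customer.example", "Card used: 4111 1111 1111 1111, amount 42.00"),
    # Labelled Internal, sent externally with a justification.
    "workshop_agenda": Message("partner.example", "Draft agenda for the joint workshop.",
                               {"msip_labels": msip_header(LABEL_INTERNAL, "Internal")},
                               justification="Shared under NDA with the partner"),
}


def run_all() -> Dict[str, tuple]:
    """(label decision, content decision) for every sample message."""
    return {name: (decide_by_label(m), decide_by_content(m)) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:20s} label={verdict[0]:16s} content={verdict[1]}")
```

Running the module prints one verdict per message. The label path needs only the policy dictionary and the header; the content path needs a regex plus a Luhn check to avoid flagging the order number, and still misses the Confidential plan (nothing in it matches a pattern) while it catches the expense report that carries no label. That asymmetry is the slides' argument for labelling at the source and keeping content rules as a backstop for unlabelled data.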
Apply DLP measures – MCAS (Microsoft Cloud App Security)
• Discover sensitive data in SaaS applications (O365, Box and others)
• Modify the access control list or move files into quarantine
• Prevent the download of sensitive data to unmanaged devices / apps
Apply DLP measures – Windows and Mobile
• Automated application security
• A secure environment is required in order to process sensitive data
• Data can only be shared in corporate applications or on corporate file shares
Success factors
• Cloud is different
• Align security and compliance provisions
• Align business and security requirements
• Secret data stored in the cloud must be encrypted: HYOK / BYOK / database / file encryption
• Sensitive data must be classified / monitored / blocked / encrypted
• on premises, before it gets stored in the cloud application, or once stored in the cloud application
• Define trust levels for specific cloud providers
• Apply the standardized cloud offerings to your business cases: align your requirements to the standardized offerings; there is no wish list, the degree of freedom is set by the offering
Success factors
• Automate and provide added business value
• Whenever possible apply automated classification and protection at the source (SharePoint / SharePoint Online, file shares, Office templates, applications, data in transit, etc.)
• Highlight the sensitivity of data and prevent the user from doing inappropriate actions
• Onboard and train the respective users and support teams, explain the goals
Success factors
• Seamless RMS integration
• Provide e-discovery and break-glass processes for RMS-protected documents
• Provide IAM processes covering joiners / leavers / movers for RMS-protected documents
• Provide sustainable RMS key management
• Train the helpdesk and provide supporting tools (especially for RMS-protected data)
Success factors
• Do good and talk about it
• Highlight key performance indicators in reports / dashboards
• Number of classified / protected documents related to xy
• User behavior w.r.t. classification / re-classification / user justification
• Number of monitored / blocked breaches (DLP measures)
• Occurrence and distribution of sensitive data on-premises and in the cloud
Organizational implementation challenges
• Up to now the implementation of DLP measures was vertically assigned, i.e. a security team was able to do the implementation without the need to involve other teams (e.g. Office, Exchange, Windows).
• In O365 the respective DLP measures are horizontally assigned, i.e. they need to be configured in O365, Exchange and SharePoint Online and in the Azure Portal. For such actions Global Admin rights in the O365 and Azure Portal are required (see the table on the next slide).
Organizational implementation challenges
Responsibilities until now and in O365

| Area                | Until now                    | O365                                                                                |
|---------------------|------------------------------|-------------------------------------------------------------------------------------|
| DLP                 | Security Team (DLP apps)     | Security Team + Global Admin (AIP, Azure RMS, Exchange DLP, O365 DLP)                |
| Desktop App         | Desktop Team (desktop apps)  | Desktop Team + Global Admin (for AIP and RMS)                                        |
| Exchange (Online)   | Exchange team (Exchange)     | Exchange team + Global Admin (Exchange Online)                                       |
| Office (365)        | Office team (Office)         | Office team + Global Admin (Office 365)                                              |
| SharePoint (Online) | SharePoint team (SharePoint) | SharePoint team + Global Admin (SharePoint Online / OD4B)                            |
| O365 Portal         | -                            | Security Team, Desktop Team + Global Admin (AIP, Azure RMS, Exchange DLP, O365 DLP)  |
| Azure Portal        | -                            | Security Team, Desktop Team + Global Admin (for AIP and RMS)                         |
Live demo
Azure Information Protection with RMS
O365 DLP
WIP
Appendix
Microsoft Information Protection
• Microsoft Enterprise Mobility + Security (1/2)
• Azure Information Protection (AIP): Windows, iOS, Android, macOS
• Data classification, labeling and protection
• HYOK (hold your own key) if you want sole control over your crown jewels (data at rest, data in motion)
• Cloud App Security (CAS)
• Enterprise-grade visibility, control, and protection for your cloud apps
• Detect shadow IT
Source: Microsoft
Microsoft Information Protection
• Microsoft Enterprise Mobility + Security (2/2)
• Advanced Threat Analytics (ATA)
• Protection from advanced targeted attacks by applying user and entity behavior analytics
• Intune: Windows, iOS, Android, macOS
• Mobile device and app management to protect corporate apps and data on any device
• Azure AD Premium
• Identity and access management (IAM)
• Conditional access, SSO, multi-factor authentication
• Advanced security reporting
Source: Microsoft
Microsoft Information Protection
• Windows Information Protection (WIP)
• Windows and application security
• Office Information Protection (OIP): Windows, iOS, Android, macOS
• Pop-up window for user awareness, DLP
• Trust: Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider
Source: Microsoft