Understanding the big picture - Keyon · Applications E-Mail Server Collaboration Platform Cloud...


Page 1

www.keyon.ch, [email protected]

Understanding the big picture

Classification- and label-centric security approach for O365 and other applications and platforms V1.1

[email protected]

Page 2

About Keyon AG

Page 3

Covering the whole MS Security Suite

Page 4

Today's Challenges

Business transformation, legal requirements, mobile & cloud first, B2B collaboration, etc.

Goal: Keep control of your data, inside and outside your organization

Page 5

Today's Challenges - Government

• Changing government – GDPR (example, extract)

  • Art. 24 GDPR - Responsibility of the controller: The controller (data owner) is responsible for any processing of personal data carried out by the controller or on the controller's behalf (processor).

  • Art. 25 GDPR - Data protection by design and by default: The protection of the rights of natural persons with regard to the processing of personal data requires that appropriate technical and organizational measures are implemented by design and by default.

Page 6

Today's Challenges - Government

• Changing government – GDPR (example, extract)

  • Art. 30 GDPR - Records of processing activities: The controller or processor shall maintain a record of processing activities under its responsibility (technical and organizational).

  • Art. 32 GDPR - Security of processing: The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (encryption of personal data; ensuring confidentiality, integrity, availability and resilience of processing systems and services; etc.).

Page 7

Today's Challenges - Government

• Changing government – GDPR (example, extract)

  • Art. 33 GDPR - Notification of a personal data breach to the supervisory authority: In case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

Page 8

Today's Challenges - Government

• Changing government – GDPR (example, extract)

  • Art. 42 GDPR – Certification: Establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.

Page 9

Today's Challenges - Environments

• Cloud Computing Top Threats in 2016

1. Data Breaches

2. Weak Identity, Credential and Access Management

3. Insecure APIs

4. System and Application Vulnerabilities

5. Account Hijacking

6. Malicious Insiders

7. Advanced Persistent Threats (APTs)

8. Data Loss (other than malicious attacks, e.g. accidental deletion)

9. Insufficient Due Diligence

10. Abuse and Nefarious Use of Cloud Services

11. Denial of Service

12. Shared Technology Issues

Source: https://cloudsecurityalliance.org/group/top-threats/

Covered by the classification- and label-centric security approach

Page 10

Today's Challenges - Responsibility

• The controller (data owner) is responsible for the appropriate processing and protection of his data.

• Trust in the cloud provider

[Diagram: shared responsibility between Cloud Provider and Organization across the layers Location / national legislation, Hardware, Virtualized infrastructure, Platform and Application, shown for IaaS, PaaS and SaaS; Compliance]

Page 11

Today's Challenges - Summary

• Understand the value of your data

• Understand by whom and where the data is being processed, stored and transferred

• Implement security by default and by design

• Monitor activities

• Detect breaches and threats

• Increase user awareness

• Don't stop business

Page 12

Why is data classification important?

Information security starts with classification…

Classification = Data

+ value determination

+ persistent labelling

… and continues with applying appropriate security and monitoring measures based on the classification

Page 13

Why is data classification important?

• Key questions

  • How valuable is the data to the organization?

  • How valuable is the data to 3rd parties, competitors or outside individuals?

  • What is the impact / risk to the organization if valuable data has leaked?

  • Who should / should not have access to the data (need to know)?

Classify data based on its value and protect / process it accordingly

Page 14

Security Measures - DLP objectives

• Prevent intentional and unintentional loss of data

• Own and control data and the usage of the data

• Identify sensitive data and defend against unauthorized access

• Support users in their daily business to meet policies and regulatory provisions

• Ensure e-discovery

• Do not stop business – seamless and broad integration

Page 15

Classification vs. content matching

• Hard to manage DLP processes based on content

• Easy to manage DLP processes based on defined classification or labels

Page 16

Apply DLP measures – Monitor/Block

• DLP monitoring and blocking based on classification

[Diagram: DLP enforcement points – Applications, E-Mail Server, Collaboration Platform, Cloud Application 1, Cloud Application 2, File-Shares, Desktop / Laptop, Mobile and USB Device within Company A and its Azure Tenant, with data flows to Partners / Customers]

Page 17

Apply DLP measures - RMS

• Automated data protection

• Rights Management Security is intrinsically tied to the data, independent of the technology used for data at rest or data in motion

[Diagram: the same landscape as on the previous slide – Applications, E-Mail Server, Collaboration Platform, Cloud Application 1, Cloud Application 2, File-Shares, Desktop / Laptop, Mobile and USB Device within Company A and its Azure Tenant, Partners / Customers – with a CASB in the cloud path]

Page 18

Apply DLP measures – User awareness

• Automated user awareness

  • Based on classification, labels and recipients

  • The user is notified and, where the policy requires it, must justify the action
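The label-centric monitor/block (Page 16) and user-awareness (Page 18) logic as an added Python example, not code from the Keyon deck: the decision depends only on the document's persistent label, the destination and the recipients, never on content inspection. The label tiers, the corporate and partner domains and the policy table are constructed assumptions.

```python
from enum import IntEnum

class Label(IntEnum):          # persistent classification label travelling with the data (constructed tiers)
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3

class Action(IntEnum):         # DLP outcome, ordered by severity so max() yields the strictest
    ALLOW = 0
    NOTIFY = 1                 # user is warned, action proceeds (user awareness)
    JUSTIFY = 2                # user must give a justification before the action proceeds
    BLOCK = 3

# Assumed tenant facts: the organisation's own mail domain and its trusted partner domains.
CORP_DOMAIN = "company-a.example"
PARTNER_DOMAINS = {"partner.example"}

# Policy table keyed by destination; the first threshold the label reaches wins, so
# entries run from most to least sensitive.  Values are constructed for this example.
POLICY = {
    "internal": [(Label.SECRET, Action.NOTIFY)],
    "partner":  [(Label.SECRET, Action.BLOCK), (Label.CONFIDENTIAL, Action.JUSTIFY)],
    "external": [(Label.CONFIDENTIAL, Action.BLOCK), (Label.INTERNAL, Action.JUSTIFY)],
    "usb":      [(Label.CONFIDENTIAL, Action.BLOCK), (Label.INTERNAL, Action.NOTIFY)],
}

def destination_of(recipient: str) -> str:
    # Map a mail recipient to a policy destination by its domain (case-insensitive).
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain == CORP_DOMAIN:
        return "internal"
    return "partner" if domain in PARTNER_DOMAINS else "external"

def evaluate(label: Label, destination: str) -> Action:
    # Label-only lookup: no content matching is needed once the label is persistent.
    for threshold, action in POLICY[destination]:
        if label >= threshold:
            return action
    return Action.ALLOW

def evaluate_mail(label: Label, recipients: list[str]) -> Action:
    # The strictest action over all recipients applies to the whole message.
    return max((evaluate(label, destination_of(r)) for r in recipients), default=Action.ALLOW)

def send_allowed(label: Label, recipients: list[str], justification: str = "") -> tuple[Action, bool]:
    # Enforce the decision: BLOCK never proceeds, JUSTIFY proceeds only with a non-empty justification.
    action = evaluate_mail(label, recipients)
    if action is Action.BLOCK:
        return action, False
    if action is Action.JUSTIFY:
        return action, bool(justification.strip())
    return action, True
```

The USB destination is evaluated with `evaluate(label, "usb")` directly, since it has no recipient to derive the destination from.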

Page 19

Apply DLP measures – MCAS

• Discover sensitive data in SaaS (O365, Box and others)

• Modify access control list or move files into quarantine

• Prevent the download of sensitive data to unmanaged devices / apps

Page 20

Apply DLP measures – Windows and Mobile

•Automated application security

• A secure environment is required in order to process sensitive data

• Data can only be shared in corporate applications or on corporate file-shares

Page 21

Success factors

• Cloud is different

  • Align security and compliance provisions

  • Align business and security requirements

  • Secret data stored in the cloud must be encrypted (HYOK / BYOK / DB / file encryption)

  • Sensitive data must be blocked / monitored / classified / encrypted

    • on premises / before it gets stored in the cloud application / once stored in the cloud application

  • Define levels of trustworthiness for specific cloud providers

  • Apply the standardized cloud offerings to your business cases. Align your requirements to the standardized offerings: there is no wish list, the degree of freedom is predetermined.

Page 22

Success factors

• Automate and provide added business value

  • Whenever possible, apply automated classification and protection at the source (SP / SPO, file-shares, Office templates, applications, data being transmitted, etc.)

  • Highlight the sensitivity of data and prevent the user from performing inappropriate actions

  • Onboard and train the respective users and support teams; explain the goals

Page 23

Success factors

• Seamless RMS integration

  • Provide e-discovery and break-glass processes for RMS-protected documents

  • Provide IAM processes covering joiners / leavers / movers for RMS-protected documents

  • Provide sustainable RMS key management

  • Train the helpdesk services and provide supporting tools (especially for RMS-protected data)

Page 24

Success factors

• Do good and talk about it

• Highlight Key Performance Indicators in reports / dashboards

• Number of classified / protected documents related to xy

• User behavior w.r.t. classification / re-classification / user justification

• Number of monitored / blocked breaches (DLP measures)

• Occurrence and distribution of sensitive data on-premises and in the cloud

Page 25

Organizational implementation challenges

• Up to now, the implementation of DLP measures was vertically assigned, i.e. a security team was able to do the implementation without the need to involve other teams (e.g. Office, Exchange, Windows).

• In O365 the respective DLP measures are horizontally assigned, i.e. they need to be configured in O365, Exchange and SharePoint Online and in the Azure Portal. For such actions, Global Admin rights in the O365 and Azure Portal are required (see image on the next slide).

Page 26

Organizational implementation challenges

Responsibilities until now and in O365

[Table: columns DLP, Desktop App, Exchange (Online), Office (365), SharePoint, O365 Portal, Azure Portal; rows "Until now" and "O365". Until now: Security Team (DLP apps), Desktop Team (desktop apps), Exchange team (Exchange), Office team (Office), SharePoint team (SharePoint). In O365: the same teams remain responsible for Exchange Online, Office 365 and SharePoint Online / OD4B, the Security Team covers AIP, Azure RMS, Exchange DLP and O365 DLP, and Global Admin rights are required in each column, including the O365 Portal and the Azure Portal (for AIP and RMS), for the Security Team and the Desktop Team.]

Page 27

Live demo

Azure Information Protection with RMS

O365 DLP

WIP

Page 28

Thank you for your attention

Questions & Answers

Page 29

Appendix

Page 30

Microsoft Information Protection

• Microsoft Enterprise Mobility + Security (1/2)

  • Azure Information Protection (AIP): Windows, iOS, Android, macOS

    • Data classification, labeling and protection

    • HYOK if you want sole control of your crown jewels (DAR, DIM)

  • Cloud App Security (CAS)

    • Enterprise-grade visibility, control, and protection for your cloud apps

    • Detect shadow IT

Source: Microsoft

Page 31

Microsoft Information Protection

• Microsoft Enterprise Mobility + Security (2/2)

  • Advanced Threat Analytics (ATA)

    • Protection from advanced targeted attacks by applying user and entity behavior analytics

  • Intune: Windows, iOS, Android, macOS

    • Mobile device and app management to protect corporate apps and data on any device

  • Azure AD Premium

    • Identity and access management (IAM)

    • Conditional access, SSO, multi-factor authentication

    • Advanced security reporting

Source: Microsoft

Page 32

Microsoft Information Protection

• Windows Information Protection (WIP)

  • Windows and application security

• Office Information Protection (OIP): Windows, iOS, Android, macOS

  • Pop-up window for user awareness, DLP

• Trust: Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider

Source: Microsoft