Accelerate GDPR compliance with the Microsoft Cloud Samuel Marín – Sr. Sales Solutions Specialist
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
What are the key changes to address the GDPR?

Personal privacy. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications. Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing

Transparent policies. Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training. Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
Protecting customer privacy with GDPR
Our commitment to you To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018. We will share our experience in complying with complex regulations such as the GDPR. Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.
GDPR Compliance:
• Simplify your privacy journey
• Uncover risk & take action
• Leverage guidance from experts

Centralize, Protect, Comply with the Cloud
• Process all in one place: Centralize processing in a single system, simplifying data management, governance, classification, and oversight.
• Maximize your protections: Protect data with industry leading encryption and security technology that's always up-to-date and assessed by experts.
• Streamline your compliance: Utilize services that already comply with complex, internationally recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.
The Trusted Cloud
Microsoft has the deepest and most comprehensive compliance coverage in the industry, spanning global, regional, industry and US Government offerings:
ISO 27001
ISO 27018
Moderate JAB P-ATO
PCI DSS Level 1
Argentina PDPA
ISO 27017
High JAB P-ATO
CDSA
EU Model Clauses
DoD DISA SRG Level 2
MPAA
UK G-Cloud
FACT UK
China DJCP
China GB 18030
DoD DISA SRG Level 4
Shared Assessments
China TRUCS
SOC 1 Type 2
ISO 9001
ISO 22301
DoD DISA SRG Level 5
FISC Japan
Singapore MTCS
SP 800-171
HIPAA / HITECH Act
Australia IRAP/CCSL
SOC 2 Type 2
New Zealand GCIO
HITRUST
Japan My Number Act
CSA STAR Self-Assessment
SOC 3
FIPS 140-2
Section 508 VPAT
GxP 21 CFR Part 11
MARS-E
ENISA IAF
Japan CS Mark Gold
Spain ENS
ITAR
IG Toolkit UK
Spain DPA
CSA STAR Attestation
CSA STAR Certification
India MeitY
CJIS
FERPA
Canada Privacy Laws
IRS 1075
GLBA
Privacy Shield
FFIEC
Germany IT Grundschutz workbook
Shared responsibility
Responsibility layers, from the customer's data down to the provider's physical estate:
• Data classification and accountability
• Client & end-point protection
• Identity & access management
• Application level controls
• Network controls
• Host infrastructure
• Physical security
Who manages the risk for each layer depends on the deployment model (On-Prem, IaaS, PaaS, SaaS) and is split between the cloud customer and the cloud provider:
• Customer management of risk: data classification and data accountability
• Shared management of risk: identity & access management, end-point devices
• Provider management of risk: host infrastructure, physical, networking
How do I get started?
1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications
1. Discover
In-scope:
Inventory:
Example solutions:
• Microsoft Azure: Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
• Windows & Windows Server: Windows Search
2. Manage
Data governance:
Data classification:
Example solutions:
• Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit
3. Protect
Preventing data attacks:
Detecting & responding to breaches:
Example solutions:
• Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard
4. Report
Record-keeping:
Reporting tools:
Example solutions:
• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows & Windows Server: Windows Defender Advanced Threat Protection
Enterprise Mobility + Security components
• Microsoft Cloud App Security: Gain deep visibility, strong controls and enhanced threat protection for data stored in cloud apps
• Microsoft Intune: Make sure your devices are compliant and secure, while protecting data at the application level
• Azure Information Protection: Classify, label, protect and audit data for persistent security throughout the complete data lifecycle
• Azure Active Directory (conditional access): Ensure only authorized users are granted access to personal data using risk-based conditional access; signals such as location, apps, device and risk determine whether access is granted to data
• Microsoft Advanced Threat Analytics: Detect breaches before they cause damage by identifying abnormal behavior, known malicious attacks and security issues
Office 365 In-place Compliance Solutions: Meeting organizational data compliance needs
• Preserve vital data: Data Governance, to import, store, preserve and expire data
• Find relevant data: eDiscovery, to quickly identify the most relevant data
• Monitor activity: Auditing, to monitor and investigate actions taken on data
Security & Compliance Center: Manage compliance for all your data across Office 365
• Powerful for experts, and easier for generalists to adopt
• Scenario oriented workflows with cross-cutting policies spanning features
• Powerful content discovery across Office 365 workloads
• Proactive suggestions leveraging Microsoft Security Intelligence Graph
Advanced data governance enables organizational compliance by intelligently leveraging machine assisted insights to find, import, classify, set policy and take action on the data most important to you.

Personas of Office 365 Data Governance: IT Administrator, Compliance Officer, Records Manager, Information Worker

Building Blocks of Office 365 Data Governance:
• Import: Intelligent import of on-premises Microsoft and 3rd party data
• Classification, Policy & Sensitive Types: Manual and autoclassification of content to apply the right governance policies
• Retention, Archival & Disposition: System enforced lifecycle, disposition workflows and defensible deletion process
• Dashboard, Insights & Reporting: Monitoring, reports and intelligent trend identification and suggestions
• Audit, Supervision & Defensibility: Data investigations, forensics, automated audit alerts and notifications
Advanced Data Governance in Office 365: Leverage intelligence to automate data retention and deletion
• Automatic Classification: Classify data based on automatic analysis (age, user, type, sensitive data and user provided fingerprints)
• Intelligent Policies: Policy recommendations based on machine learning and cloud intelligence
• Take Action: Apply actions to preserve high value data in-place and purge what's redundant, trivial or obsolete
Beyond litigation: Investigations
• Wide range of scenarios: Regulatory compliance, employment law, HR, financial, internal business requirements
• Secure access: Provide access based on role, delegated access and enable security filters to scope access
• Self service case management tools: Investigators can create & manage cases, put data on hold, perform searches and export
• Identify subjects, witnesses, custodians: Search for relevant subjects or witnesses or custodians
• Identify relevant data: Search for data relevant to the investigation across Office 365 and imported data
• Enable collaboration: Between investigators & attorneys overseeing the case
Office 365 eDiscovery: Quickly find what's relevant and reduce risk with intelligent eDiscovery in Office 365
• Simplified eDiscovery: Streamlined data preservation and legal hold management for each case
• Actionable Intelligence: Organize unstructured data with machine learning to reduce the volume of data for review and reduce cost
• Efficient Collaboration: Case workspace with roles, data permissions, and built-in auditing enables collaboration across the organization

eDiscovery model implemented in Office 365:
• Identify and preserve data
• Search for documents that might be relevant
• Rank documents by their relevance
• Organize documents & recognize topics
• Do all of these activities within a specific case
• View and tag documents sorted by relevance, similarity
Why auditing is important
• Increasing risk: losing intellectual property and customer data; compliance risks if data isn't preserved
• Multiple sharing options: productivity requires easier collaboration; adding online services to your environment; vendors, external partners, malicious insiders

What data is audited?
• Exchange Online: admin activity, end-user (mailbox) activity
• Security and Compliance Center: admin activity
• Azure Active Directory: Office 365 logins, directory activity
• Power BI: admin activity
• SharePoint Online and OneDrive for Business: file activity, sharing activity
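As an added illustration of what the audited workloads above look like in practice (this is not code from the presentation or from Microsoft), the script below triages a few constructed audit records in the shape of the Office 365 Management Activity API common schema (Workload, Operation, UserId, ObjectId) and flags the sharing events that expose content outside the tenant, the "external partners" risk the slide names. The tenant domain contoso.example and every record value are invented.

```python
import json
from collections import Counter

# Constructed sample records; field names follow the Management Activity API common
# schema, values are invented for this example.
SAMPLE_AUDIT_LOG = """
{"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@contoso.example", "ObjectId": "cfo"}
{"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn", "UserId": "alice@contoso.example", "ObjectId": "Office 365"}
{"Workload": "SharePoint", "Operation": "SharingSet", "UserId": "alice@contoso.example", "ObjectId": "https://contoso.example/sites/hr/payroll.xlsx", "TargetUserOrGroupName": "partner@fabrikam.example"}
{"Workload": "SharePoint", "Operation": "SharingSet", "UserId": "alice@contoso.example", "ObjectId": "https://contoso.example/sites/hr/handbook.docx", "TargetUserOrGroupName": "bob@contoso.example"}
{"Workload": "OneDrive", "Operation": "AnonymousLinkCreated", "UserId": "bob@contoso.example", "ObjectId": "https://contoso-my.example/personal/bob/customers.csv"}
{"Workload": "PowerBI", "Operation": "ViewDashboard", "UserId": "carol@contoso.example", "ObjectId": "Sales"}
{"Workload": "SecurityComplianceCenter", "Operation": "New-DlpCompliancePolicy", "UserId": "admin@contoso.example", "ObjectId": "GDPR-PII"}
"""

# Workload value -> the activity category the slide lists for that service.
WORKLOAD_CATEGORY = {
    "Exchange": "Exchange Online: admin / mailbox activity",
    "SecurityComplianceCenter": "Security and Compliance Center: admin activity",
    "AzureActiveDirectory": "Azure Active Directory: logins / directory activity",
    "PowerBI": "Power BI: admin activity",
    "SharePoint": "SharePoint Online / OneDrive for Business: file and sharing activity",
    "OneDrive": "SharePoint Online / OneDrive for Business: file and sharing activity",
}

# Sharing operations worth a closer look (SharePoint/OneDrive audit operation names).
SHARING_OPS = {"SharingSet", "AnonymousLinkCreated", "SharingInvitationCreated"}

def parse(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def categorize(records):
    """Count records per audited category; unknown workloads stay visible rather than vanishing."""
    counts = Counter()
    for r in records:
        counts[WORKLOAD_CATEGORY.get(r.get("Workload"), "unmapped workload")] += 1
    return counts

def flag_external_sharing(records, tenant_domain):
    """Return (UserId, Operation, ObjectId) for sharing events that grant access outside the tenant."""
    flagged = []
    for r in records:
        if r.get("Operation") not in SHARING_OPS:
            continue
        target = r.get("TargetUserOrGroupName", "")
        anonymous = r["Operation"] == "AnonymousLinkCreated"   # anyone with the link
        external = bool(target) and not target.lower().endswith("@" + tenant_domain)
        if anonymous or external:
            flagged.append((r["UserId"], r["Operation"], r["ObjectId"]))
    return flagged
```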
Customer Lockbox: Meet Compliance Needs
Customer Lockbox can help customers meet compliance obligations by demonstrating that they have procedures in place for explicit data access authorization.
• Extended access control: Use Customer Lockbox to control access to customer content for service operations
• Visibility into actions: Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API and the Security and Compliance Center

Approval flow: the Microsoft engineer submits a request to the Lockbox system; a Microsoft manager approves it; the customer then approves it; only after both approvals does the Microsoft engineer obtain access to the customer's content.
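To make the dual-approval gate concrete, here is an added model of the flow above written for this page (it is not Microsoft's implementation): a request can only be granted after the Microsoft manager approves and then the customer approves, either party can deny, and every step lands in an audit trail. The validity window (ttl_minutes), the minute-offset timestamps and all names and operation labels are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    SUBMITTED = "submitted"            # engineer submitted, awaiting Microsoft manager
    MANAGER_APPROVED = "manager_ok"    # manager approved, awaiting customer
    GRANTED = "granted"                # both approvals present, engineer may access
    DENIED = "denied"                  # either approver said no

@dataclass
class LockboxRequest:
    engineer: str
    target: str                  # customer content the engineer needs, e.g. a mailbox
    justification: str
    ttl_minutes: int = 240       # assumed validity window after submission (not from the slide)
    state: State = State.SUBMITTED
    audit: list = field(default_factory=list)   # every step is logged, as the slide describes

    def __post_init__(self):
        self._log(self.engineer, "SubmitRequest", 0)

    def _log(self, actor, operation, minute):
        # Times are minutes after submission so the example stays self-contained.
        self.audit.append({"Actor": actor, "Operation": operation,
                           "State": self.state.value, "Minute": minute})

    def manager_decision(self, manager, approve, minute):
        if self.state is not State.SUBMITTED:
            raise ValueError("manager decision only valid on a freshly submitted request")
        self.state = State.MANAGER_APPROVED if approve else State.DENIED
        self._log(manager, "ManagerApprove" if approve else "ManagerDeny", minute)

    def customer_decision(self, approver, approve, minute):
        # The customer is only asked once Microsoft's own manager has approved.
        if self.state is not State.MANAGER_APPROVED:
            raise ValueError("customer decision requires prior manager approval")
        self.state = State.GRANTED if approve else State.DENIED
        self._log(approver, "CustomerApprove" if approve else "CustomerDeny", minute)

    def can_access(self, engineer, minute):
        """Access needs both approvals, the same engineer who asked, and an unexpired request."""
        return (self.state is State.GRANTED and engineer == self.engineer
                and minute <= self.ttl_minutes)

def run_happy_path():
    """Constructed walk-through of the flow on the slide; returns the request with its audit trail."""
    req = LockboxRequest("eng@microsoft.example", "mailbox:cfo", "ticket 1234: restore deleted items")
    req.manager_decision("mgr@microsoft.example", True, 10)
    req.customer_decision("admin@contoso.example", True, 30)
    return req
```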
Microsoft.com/GDPR