Preparing for GDPR: Compliance management and information protection capabilities in Microsoft 365

– Coming up we’ll highlight a number of improvements to information protection capabilities in Microsoft 365, to help you go from assessing your compliance posture against GDPR to determining and implementing the latest information protection capabilities to help you with compliance, including what Microsoft delivers as a Cloud Service Provider and the specific controls that you need to implement; identifying and protecting personal and sensitive data wherever it resides, either on premises, in the Microsoft Cloud, or in other SaaS applications; and classifying and protecting file types, even non-Microsoft file types, across locations, services, device platforms, and more. (slow electronic music) So I’m joined today by Gagan Gulati from the information protection engineering team, welcome.

– Thank you, great to be here.

– So, we recently did a show explaining GDPR, which really affects organizations in the European Union, or any organization that really deals with customers or employees in the EU.

– That’s right, it’s really a requirement for organizations to make sure that they’re fully accountable for the personal information that they hold for their employees and customers in the European Union. Now, if your organization collects personal data on EU residents, this regulation applies to you, and it’s broader than private information such as age, race, government ID numbers, or Social Security numbers. It could also be IP addresses or mailing addresses.

– Right, and one important thing to point out is that the deadline is May 25, 2018. Now last time we walked through all the available tools and guidance, but what has the team been focused on lately to help?

– So we’ve delivered several new features in Microsoft 365 to help with compliance and the European Union’s GDPR specifically, and while Microsoft 365 is a cloud service, it can help IT get a handle on hybrid environments, too. That can include a wide range of services, apps, and device types as well. A key area of focus for us is how we make it easier for you to assess your compliance posture with GDPR, and build an implementation plan to protect your information. So the first thing I want to show you is the Compliance Manager, which you can start using today, and it will include assessments across other Microsoft services as well. As you can see here, the Compliance Manager applies to a number of standards and regulations. We see GDPR and ISO 27001. The Compliance Manager is a powerful way to track and manage your data protection and compliance with a risk-based score based on the actions you’ve taken. So here I would click into GDPR. Here you can see a list of all the services covered. We will be adding more services over time. As you see here, your assessment is based on two perspectives. The first is Microsoft Managed Controls in relation to GDPR. These are the controls that Microsoft leverages as a service provider. We provide you in-depth details on how Microsoft has implemented these controls, and how third-party auditors have tested the controls. We even give you an update on the status of specific controls that we are in the process of implementing.

– So, that’s really great, you’re able to quickly see what Microsoft delivers as a Cloud Service Provider, in this case.

– Yes, and the second view that we give you is of the specific controls that you need to implement, what we call Customer Managed Controls, which you are responsible for managing. In this model, there are a number of controls that we have mapped to GDPR articles, for you to implement. Here, I’m gonna walk you through these controls. You will see the actions that you need to take to implement the controls, as well as the space to document implementation details and test plans. Remember, these are editable fields. You can even upload supporting documents that provide evidence for control implementation and effectiveness. Your compliance team can review and update test starters for each article. As you implement these controls, we help you track your progress, and once your team has tested all the articles you’re responsible for, you can export a report to Excel that provides all the details for controls you’re managing, and what Microsoft manages. At the end of the day, the core stipulation is the protection of personal information. So now, let me get back to the article, and now, as a compliance officer, I can assign this article to my IT Admin, in this case, you Jeremy. I’m gonna ask you to look into it. So I will click assign, and assign this to you.

– So now, here is the IT Admin. I see that an email has arrived, and I click view action, and it’s gonna take me directly to what’s been assigned to me then. When I click on that I go right to the customer actions in the Compliance Manager. Now, when I click read more, in this section it actually drills down to specific capabilities with links to all these great resources in order to enable this article. So here, the overall guidance around getting me to a state where sensitive docs are basically protected, and discovered, and classified, that’s all right here.

– Yes, and as you can see, we have a comprehensive set of solutions as part of Microsoft 365. We highlight the specific tools and links to guidance that’ll help you with this article, all from one place. One of the key technologies that you use, in this case, is Azure Information Protection within Microsoft 365, which is the technology that my team at Microsoft works on.

– So, this is gonna be really good then, so let me check that out. In this case, I’m gonna see a link here for Azure Information Protection. When I click that, it’s actually taking me straight into docs. I can see all the guidance here to get that set up, read about it and get it implemented.

– That’s right, ultimately we wanna go from having documents where we are not aware of the sensitivity of the content, like the document we have here. In this document, you can see it’s a regular document, with no sensitivity applied to this document, to where we have identified, classified, labeled, and applied protection to the files we really need to protect. So, in this case, it’s the same document. You can see that it has a sensitivity of Confidential; you can see a watermark has been applied across the same document. Now, information protection does all of this in a consistent, automated way. So here, I’m in the Security and Compliance Center, in the Admin Portal. This gives a consistent configuration experience for the classification of the content, and can be applied across all of your workloads. So, we’ll start by creating a set of standard labels; we need the labels in place before we can start classifying our files. So, as you can see here, I’ve already created a bunch of these labels. I’m going to set up a new one; we will call it Confidential GDPR. So, I will click on create a label. I will type in the name, we will skip the description in this case, and add the tooltip as well. So, I’m gonna click next. Here, I can apply two types of policies, for protection and for retention. I will turn on protection, in this case. You would see that I have quite a few options available to me. One of them is block users from sending emails outside the organization. There’s another option called send incident reports in emails in case somebody sends these confidential emails outside the organization. But, in our case, we’re going to click on advanced protection, which basically includes encryption.

– So, you basically have the options here then, to kind of monitor what’s going on, or take and start enforcing these policies.

– Correct, and here we get to apply advanced options. I’m going to click on, and you can see that I have quite a few advanced options available to me: adding watermarks, add a header, add a footer, and apply label to subject. I’m gonna choose applying a watermark. I will click on customize the text, I added Confidential GDPR, and this watermark is now going to apply diagonally across all the pages of the document for which this label is applied.

– Just like we saw earlier?

– That is right, so I’ll click save, and then I’ll click next. This is where it gets really interesting. To enable automated classification of documents, we give you the ability to apply labels automatically to new documents as they’re created, or to existing documents. Here is an example of a rule that I will now set. So, I will click on next, and I would click on adding a new condition. Now remember, in this case, we will try to trigger classification when we detect passport or personal ID numbers. We support up to 80 sensitive information types to help you protect data for EU residents, or you can customize and create your own sensitive information type. So, now I’ll click on create, and here, I’m going to add the PII information for all French nationals. As you can see, I got four sensitive information types for French nationals, including driving license numbers, national ID cards, passport numbers, and Social Security numbers. So, I’m going to click on add, and done.

– This is really powerful here because this is gonna actually allow you to scan all the files that are already preexisting in your entire suite of files and data. Now, another thing to note here is that we’re gonna be building out a GDPR template for sensitive information types. But, you don’t need to wait to get started.

– Absolutely. Now, I will publish this label by clicking next, and clicking create, and once I have published this label, it’s enabled across all Microsoft and non-Microsoft services that support our Information Protection Platform.

– Right, and so I know a lot of people who are probably watching this are thinking, I’ve been collecting lots of data and files over the years, sitting in file shares, or SharePoint. Can I help find those types of files, and protect those using your tools?

– We have a new capability called AIP Scanner, which helps you to protect your data at rest, on your file servers, or SharePoint on premises. So here, I have a file in front of me; it contains sensitive data in the form of passport numbers, and we want to absolutely protect it. So, the first thing I’m gonna do is, I’m gonna close the file, and now, we will run the AIP Scanner. You can see that I have already typed the command Start Service AIP Scanner.

– Pay attention to those PDF files, cause I think the icons are gonna change once you run the scanner.

– Definitely, so I’m gonna click enter, and as you said, behind the scenes, the AIP Scanner is running, and it’s going to protect all of these files that contain the sensitive data. As you rightly pointed out, the PDF file icon has now changed, and you’ll see a lock on these files. So basically, what’s happening behind the scenes is that the documents are getting automatically classified and protected. So now, I’m gonna open this file, and as I open this file, you will see that this file has now been classified as Confidential GDPR data, and it has also been protected. So, I’ll click on view permissions, and you will see that this file is now protected to all the people in my organization.

– So that’s pretty amazing here, and in this case, it’s picked up the policy that you set earlier, and it’s retrospectively applying and automatically applying all the protection as it scans the content in your file server, in this case.

– Notice too that the scanner will also detect many different file types. There are around 38 to 45 types supported by AIP, and also, after you run the scanner, you also get a full report of the sensitive content discovered, as you can see, in this Excel report. We have protected a bunch of files in that folder, a lot of different labels have been applied; specifically for the resume that we saw, the confidential label of Confidential GDPR got applied, and the condition name was French PII Data.

– Now, so that was on premises, and kind of scanning the files that you already collected over the years. But now, as you’re seeing file-sharing getting more and more ubiquitous, a lot of people are storing their content in the Cloud, across multiple services. Can AIP protect those files that extend beyond things like Microsoft services, Microsoft 365?

– Yes, Microsoft has its own CASB called Microsoft Cloud App Security. This will help you to discover all the Cloud apps that your users may be using, and it’s integrated with information protection to help the protection of your sensitive data. So here, I have a file that we don’t know what the sensitivity of the file is. I am now going to upload this file to Box. Now, as soon as I do that, notice that the file version has changed. That’s because, behind the scenes, Microsoft Cloud App Security acts as an intermediary. It first scans a copy of the file, then classifies it, labels it, and protects it based on the rule that we set up earlier. It then uploads a new version of this same file to Box. So, Jeremy, why don’t you try to download this file.

– Alright, so I’m gonna open this here on my Mac, and you can see that I’ve got the file here as Version 2; it’s just been updated by Gagan. I’m gonna click on the more options here, and download the file, and we can see it’s downloaded. Now, if I go ahead and look at the Word document downloads, there it is, so I’m gonna go ahead and open that. Here, we can already see that it’s been marked Confidential GDPR. I can read this straight from my Mac, the encryption’s been enabled, and I can see all the protections if I click on View Protections. All the stuff that we just saw on your Windows PC has been applied on my Mac. So, that means only employees of my company, in this case, can actually open it.

– Yes, so now if the Box library is unintentionally shared externally, those external users will not be able to access this file.

– Very cool, so we’ve seen how, then, information protection on local file servers works. Also, in the Cloud, even non-Microsoft Cloud services, and even across different device platforms.

– That’s not all. All of the functionality is now available through our information protection SDK, which allows you to take advantage of our consistent labeling and protection capabilities across all your apps. For example, we’re working with Adobe now to have the same consistent labeling and protection of PDFs in Adobe Reader as well. So now, I’m gonna go back to my screen, and you will see that I am in Adobe Reader. I have a confidential PDF file available to me. I’m going to double click on this, and as I click on this file, and I click the lock icon, you will see that this file in Adobe is actually protected with Microsoft Azure Information Protection. The same protections that you saw in Microsoft Word on Mac are now available in Adobe Reader as well.

– Now, these are just a few examples of how you can go from assessing compliance posture against GDPR requirements, to determining and implementing the latest information protection capabilities to help you with compliance. Now, do you have any other guidance for people that are watching at home today, about working through their GDPR requirements?

– Yes, don’t wait, get started today. We have a lot of tools, frameworks, and guidance to help you. You’ll see us continuously adding more capabilities over the coming months. In addition to what I’ve shown you today, we recommend that you also take a quick GDPR assessment at the link shown. Then as I showed you, by implementing the recommendations from Compliance Manager, you can take your compliance exposure to the next level, which you can assess here.

– Right, and of course this is a topic that we’re gonna be following very closely on Microsoft Mechanics to help get you ready for GDPR, and its deadline, and beyond. So subscribe to Microsoft Mechanics on YouTube to keep up with the latest shows. That’s about all the time we have for today’s show, we’ll see you next time. (slow electronic music)
