Part I looked at GDPR. Part II will look at how can Microsoft technologies help with GDPR?
I think you need to go back and look at the most important requirements for GDPR. The key one for me is classification of data. If you don't even know what is qualified as personal data, how can you ensure you are treating it in according with GDPR?
Classifying Personal Data
The easiest way to ensure that personal data is tracked and managed is to mark it as "personal" (not to be confused with "non-business") when the file containing the data is saved. Azure Information Protection (AIP), traditionally associated with Rights Management (the protection and encryption of data), and did evolve from the on premise Rights Management Server (RMS). As well as protecting data and tracking usage, it allows you to set a classification label. Users can be prompted to do this manually, or even better, it can analyse the data and set a classification automatically based on regex constructs and contents of the file. Obviously we are talking about using Office365 applications here for creating/saving data.
The other option here is configuring your SharePoint library for prompt for a classification as part of the metadata when uploading a file.
The good thing is, it is then a simple matter to ensure that meta-data is applied to all data saved to SharePoint, not just Office365 documents. The bad thing, users may resent being forced to enter the metadata, and most importantly, it isn't going to help with data saved elsewhere, such as non-Microsoft platforms, databases, and Onedrive For Business (OnedriveFB).
So really you may need to consider a combination of factors depending on your particular environment and corporate culture.
You of course also need to think about other systems have may have a database backend, either Oracle, Microsoft SQL, a noSQL DB, or something else.
What about existing data? Yes, it is a covered by the GDPR. There seemed to be some confusion around that by some of the customers attending the conference I was at. That is a complex too because it depends where that data is. There simply isn't a single solution here that is going to identify all your presonal data across all of your data sources. If you are already hosting a lot of data in Azure, you can look at the "Microsoft Azure Data Catalog". You can register your datasources here, register your metadata, and then perform searches to find the data you are looking for.
Additionally, "Office 365 eDiscovery" can search across OnedriveFB, SharePoint, Exchange, etc.
There is also "Advanced Data Governance" which can use machine-assisted insights to help find/classify, and set policies on your relevant policies.
Protecting your Data
So, you have identified your personal data, put the policies in place to ensure that new data is classified, and that you are managing it correctly. How do you also ensure you don't have to pay the BIG fines, for losing it through not taking the required steps to protect it?
There are a couple of technologies that can help here.
Windows 10 is the "most secure operating system released by Microsoft". Well of course it is. It does sound like a real-change though from Windows 8.1, and certainly from Windows 7. Really, considering the requirement to stay up-to-date, it is high time IT departments moved away from the "don't update" method of updates. Yes, there is a risk in applying updates, but there is a bigger risk in not applying them, a risk to business reputation which more than outweighs any inconvenience of having to rollback a patch, or even run a pilot ring for a week. Updates have come a long way since Windows 2000, Windows XP, but too many departments are stuck in the past. So if you are not on Windows 10, or at least in the middle of a migration (or the middle of planning one), you really need to get that started ASAP. And if vendor support for a key application is the issue, it is time to look at changing that application.
So the key features in Windows 10 for protecting your data:
Windows Hello is already used by several banks in the UK (not for voice used by HSBC though. Voice isn't considered secure enough to be certified) for authenticating customers. If you are not taking up the option of biometric data to protect your environment, and still relying on passwords, you may not be "state of the art", and may be in trouble with regards to Article 32 if a breach occurs.
Secure Boot ensures that all components used it the loading of the OS are signed and secure. This can make attacks and by rootkits much harder to implement.
Device Guard allows you to lock your device down so only authorised applications can run. You don't need to rely on known Malware variants because if it isn't authorised, it isn't running on your system.
This protects your environment from "pass the hash" attacks. There is a load of very technical information about how this works, but even if your credentials are compromised locally, that attacker isn't getting access to the personal data on your network.
Yep, you need encryption. Bitlocker also supports pre-boot encryption (if that is important to you), and central management. Central management is important in a modern environment. Whether it is GDPR, Cyber Essentials, or whatever, you need to have that visibility that you devices are compliant, and not just when they are joined to your corporate network.
Windows Information Protection
WIP allows you to configure sources of data (Sharepoint, file shares for example, or documents created in Word) and Windows will mark those are "Corporate", preventing you from copying those to non-approved locations (such as a USB stick), or uploading them to Hotmail/Gmail, etc.
This has come a long way since the Windows 7 days. Is it top dog in terms of detection? No. It is good enough for a lot of companies judging by the number using it, so it is worth considering. Have something at least.
Office365 also has a lot of tools for protecting your data.
AIP (Rights Management)
This was discussed already in terms of classifying data, but it has a role to play in terms of protecting data too. You can use it to control who can open a file, and what they can do with it. You can give someone permission to open it for a week or a year, and you can revoke that permission at a later date. You can also track what has happened to the file in terms of successful and unsuccessful attempts to open it. Basically, you are securing the data based on the data. Not securing it based on location (for example, permissions on a SharePoint library or a fileshare only protect the file while it is there).
Secure Score is a feature that will grade your configuration, given you a numeric score based on the options you current have enabled/disabled. It will also make recommendations on what to change to improve that balance between security and productivity.
Lots here too, but here is a selection.
This allows you to set restrictions on individual rows (records) in a SQL database.
- "Always Encrypted", to allow data to be protected inside client applications without the database engine even needing the encryption keys.
- Transparent Data Protection provides encryption at rest for data in a SQL database. TLS can be used to protect data in transit.
Responding to a Breach
If a breach happens, you have all of 72 hours to discover an report it.
Microsoft have several tools to help with understanding what has happened if the worst happens.
Azure Security Center will look at big data and machine learning to evaluate events across the Azure cloud. It will also take data intelligence data from external agencies, as well as from the Microsoft DCU (Digital Crimes Unit), and the MSRC (Microsoft Security Response Center). It will also do pattern analysis, and statistical profiling to avert on deviations.
On the desktop, there is:
Microsoft Threat Analytics (ATA) which will help on premise IT to identify abnormal entry and behaviour. It takes intelligence information from external sources, as well as Active Directory, Event logs, and it will integration with SIEM systems.
Windows Defender Advanced Threat Protection (ATP), which gives you advanced breach and response capabilities across your environment, as well as being able to look through up to six months of internal end-point data, even when those end-points are offline, or no longer exist.
Where to Go From Here
There really are many more components that can be used for GDPR. Some useful links and information can be found here:comments powered by Disqus