Protect your data in / with the cloud
TRANSCRIPT
Information Rights Management
ANK Business Services GmbH
Michael Kirst-Neshva
Microsoft MVP Office 365
GWAVACon EMEA 2016
Protect your data in / with the cloud
2016
Michael Kirst-Neshva
ANK Business Services GmbH
Senior IT-Infrastructure Architect
Microsoft MVP Office 365
Communities: Office 365 Community Deutschland (Lead), UserGroup Office 365 Deutschland (Lead), Azure Community Deutschland (member), Verband „Voice of Information“ (member) http://www.voi.de, Competence Center „SharePoint Major League“ http://www.mlsharepoint.de
http://www.ankbs.de
E-Mail: [email protected] | [email protected] | @ankbs
Blog | http://blog.ugoffice365.ms
Is it possible to keep up?
Employees
Business partners
Customers
Is it possible to stay secure?
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen credentials
Is it possible to keep up?
Employees
Business partners
Customers
The Microsoft vision
Secure and protect against new threats
Maximum productivity experience
Integrate with what you have
Apps
Devices
Data
Users
User freedom
Secure against new threats
Do more with less
Customers need
Identity-driven security
Productivity without compromise
Comprehensive solutions
Microsoft solution
ENTERPRISE MOBILITY + SECURITY
Identity-driven security
Comprehensive solution
Managed mobile productivity
The current reality
Identity as the core of enterprise mobility
Single sign-on
Self-service
Simple connection
On-premises
Other directories
Windows Server Active Directory
SaaS
Azure
Public cloud
Cloud: Microsoft Azure Active Directory
1000s of apps, 1 identity
Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Manage access at scale
Manage identities and access at scale in the cloud and on-premises
Cloud-powered protection
Ensure user and admin accountability with better security and governance
Enable business without borders
Stay productive with universal access to every app and collaboration capability
Azure Active Directory. Identity at the core of your business
Secure remote access to on-premises apps
Single sign-on to mobile apps
Support for lift-and-shift of traditional apps to the cloud
Provide one persona to the modern workforce for SSO to 1000s of cloud and on-premises applications
Single sign-on to SaaS apps
1000s of apps, 1 identity
"Azure AD Premium makes life simpler for the business and for employees. It gives them access to enterprise applications from any device with a single sign-on that is secure and reliable. That is fundamental in increasing the adoption of cloud technology. Bristow is also using Application Proxy, and Azure AD Connect."
- Kapil Mehta, Productivity & Directory Services Manager, Bristow Group Inc.
Conditions
Allow access or
Block access
Actions
Enforce MFA per user / per app
User, App sensitivity
Device state
Location
User
NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES
CLOUD APP DISCOVERY PRIVILEGED IDENTITY MANAGEMENT
MFA
IDENTITY PROTECTION
Risk
CLOUD-POWERED PROTECTION
CLOUD-POWERED PROTECTION
Identity Protection at its best
Risk severity calculation
Remediation recommendations
Risk-based conditional access automatically protects against suspicious logins and compromised credentials
Gain insights from a consolidated view of machine learning based threat detection
Leaked credentials
Infected devices
Configuration vulnerabilities
Risk-based policies
MFA challenge
Risky logins
Block attacks
Change bad credentials
Machine-Learning Engine
Brute force attacks
Suspicious sign-in activities
Collaboration in a borderless world
Users want collaboration and productivity, you want protection and control
Data
Apps
Devices
Users
Access everything
from everywhere
Share and store data
across boundaries
Protect sensitive data
Employees Business partners Customers
Intune
Azure Information
Protection
Protect your users, devices, and apps
Detect problems early with visibility and threat analytics
Protect your data, everywhere
Extend enterprise-grade security
to your cloud and SaaS apps
Manage identity with hybrid
integration to protect application
access from identity attacks
Advanced Threat Analytics
Cloud App Security
Azure Active Directory
Identity Protection
Azure Information
Protection
Protect your data, everywhere
Challenges with the complex environment
Employees
Business partners
Customers
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen credentials
The problem is ubiquitous
Intellectual property theft has increased: 56% rise in data theft
Accidental or malicious breaches due to lack of internal controls: 88% of organizations are losing control of data
80% of employees admit to using non-approved SaaS apps
91% of breaches could have been avoided
Organizations no longer confident in their ability to detect and prevent threats
Saving files to non-approved cloud storage apps is common
Sources:
2016
Unregulated, unknown
Managed mobile environment
How much control do you have?
On-premises
Perimeter protection
Identity, device management protection
Hybrid data = new normal. It is harder to protect.
Azure Information Protection
Classification & labeling: LABELING, CLASSIFICATION
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION
The evolution of Azure RMS
Full data lifecycle
Our solution: Data Lifecycle Classification and Protection
At data creation
Manual and automatic - as much as possible
Persistent labels
Industry standard that enables a wide ecosystem
User awareness through visual labels
Encryption with RMS
DLP & compliance actions
Audit trails to track data
Orchestrate
SECRET
CONFIDENTIAL
INTERNAL
NOT RESTRICTED
IT admin sets policies, templates, and rules
PERSONAL
Classify data based on sensitivity
Start with the data that is most sensitive
IT can set automatic rules; users can complement it
Associate actions such as visual markings and protection
[Sample document: Contoso due-diligence documentation checklist (business plan, corporate structure, financing, regulations, marketing), page marked CONFIDENTIAL]
Reclassification
You can override a classification and optionally be required to provide a justification
Automatic
Policies can be set by IT admins for automatically applying classification and protection to data
Recommended
Based on the content you're working on, you can be prompted with suggested classification
User set
Users can choose to apply a sensitivity label to the email or file they are working on with a single click
FINANCE
CONFIDENTIAL
Persistent labels that travel with the document
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them
VIEW EDIT COPY PASTE
Email attachment
FILE
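How a downstream system can consume such a clear-text label, as an added example that is not part of the slides or of Microsoft's code: it reads the MSIP_Label_<GUID>_<Field> custom properties that the Azure Information Protection client writes into docProps/custom.xml and applies a toy DLP rule to the label name. The label GUID, tenant id, domains and the miniature document are constructed sample data.

```python
"""Read an Azure Information Protection label from an Office file's clear-text
metadata and let a DLP-style rule act on it. Added example, not from the slides or
from Microsoft; GUID, tenant id, domains and the mini document are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_XML = "docProps/custom.xml"  # where Office keeps custom document properties
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
NS = {"cp": CP_NS, "vt": VT_NS}
# AIP writes MSIP_Label_<label GUID>_<Field> properties (Enabled, Name, SiteId, ...)
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")
SAMPLE_GUID = "8f7f8d6c-1234-4abc-9def-000000000001"  # constructed, not a real label id

def read_msip_labels(docx_bytes: bytes) -> dict:
    """Return {label_guid: {field: value}}; a file without custom.xml yields {}."""
    labels: dict = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CUSTOM_XML not in zf.namelist():
            return labels
        root = ET.fromstring(zf.read(CUSTOM_XML))
    for prop in root.findall("cp:property", NS):
        m = LABEL_RE.match(prop.get("name", ""))
        if m:  # label fields are plain lpwstr values, readable without any RMS key
            val = prop.find("vt:lpwstr", NS)
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = val.text if val is not None else ""
    return labels

def dlp_decision(labels: dict, recipient_domain: str, own_domain: str) -> str:
    """Toy DLP rule on the clear-text label: block Confidential/Secret documents
    addressed outside the organization; unlabeled or lower labels are allowed."""
    external = recipient_domain.lower() != own_domain.lower()
    for fields in labels.values():
        if (fields.get("Enabled", "").lower() == "true" and external
                and fields.get("Name", "").lower() in ("confidential", "secret")):
            return "block"
    return "allow"

def build_sample_docx(label_name: str) -> bytes:
    """Constructed minimal .docx-like zip carrying one AIP label."""
    fields = [("Enabled", "true"), ("Name", label_name), ("SiteId", "sample-tenant-id")]
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="MSIP_Label_{SAMPLE_GUID}_{f}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (f, v) in enumerate(fields, start=2))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CUSTOM_XML, f'<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">{props}</Properties>')
    return buf.getvalue()
```

Because the label is metadata rather than part of the encrypted payload, a mail gateway or DLP engine can take this decision without holding any RMS key; the same properties survive copying and forwarding of the file.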
Protect data needing protection by:
Encrypting data
Including an authentication requirement and a definition of use rights (permissions) for the data
Providing protection that is persistent and travels with the data
Personal apps
Corporate apps
Share internally, with business partners, and customers
Bob
Jane
Internal user
*******
External user
*******
Any device / any platform
Roadmap
Sue
File share
SharePoint
LoB
Information protection
Identity-driven security
Managed mobile productivity
Identity and access management
Azure Information Protection Premium P2 (includes P1 features)
Azure Information Protection Premium P1
Microsoft Cloud App Security
Microsoft Advanced Threat Analytics
Microsoft Intune
Azure Active Directory Premium P2 (includes P1 features)
Azure Active Directory Premium P1
E3
E5
E5
Azure Information Protection Premium P1/P2
Feature | Azure Information Protection Premium P1 (EMS E3) | Azure Information Protection Premium P2 (EMS E5)
View labels and watermarks in Office | Yes | Yes
Manual labeling (user driven) | Yes | Yes
Apply content marking and RMS protection in Office | Yes | Yes
Automatic and recommended labeling | - | Yes
Classification, labeling and protection with MCAS | - | Yes
HYOK (Hold Your Own Key – multi RMS server support) | - | Yes
Apps and Data
SaaS
Microsoft protecting you
Malware Protection Center
Cyber Hunting Teams
Security Response Center
Device
Infrastructure
CERTs
PaaS IaaS
Identity
INTELLIGENT SECURITY GRAPH
Cyber Defense
Operations Center
Digital Crimes Unit
Antivirus Network
Industry Partners
SECURE MODERN ENTERPRISE
Identity
Apps and Data
Infrastructure
Devices
Identity: Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
Apps and Data: Aligns security investments with business priorities including identifying and securing communications, data, and applications
Infrastructure: Operates on modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
Devices: Accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection
Secure Platform (secure by design)
Identity Pillar
Phase 2: Identity. Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
Azure Active Directory (AAD)
Cloud App Security (CAS)
Windows 10 Windows Hello
Cybersecurity Architect
Windows 10 Credential Guard
Microsoft Passport
Managed ATA
Windows Server 2016 Shielded VMs
Code Integrity
Advanced Threat Analytics (ATA)
• Enhanced Security Administrative Environment (ESAE)
• Active Directory Service Hardening (ADSH)
• Windows Server 2016 Deployment
Windows 10 Deployment
Managed ATA
Apps and Data Pillar
Phase 2: Apps and Data. Aligns security investments to business priorities and applies both security fundamentals and modern protections
Apps and Data Capability Mapping
Phase 2: Apps and Data. Aligns security investments to business priorities and applies both security fundamentals and modern protections
Cloud App Security (CAS)
Cybersecurity Architect
• Windows 10 Deployment
Cybersecurity Architect
• Rights Management Services
• Azure RMS
• Office 365 Integration
• Office 365
• Data Leakage Protection (DLP)
• Exchange Online Advanced Threat Protection
• Conditional Access
• Intune
• Azure Active Directory
• Windows 10
• Enterprise Data Protection
• Cloud App Security (CAS)
• Conditional Access
2016
Michael Kirst-Neshva
Thank You!
Come to our booth and we will be happy to advise you on the next steps