Finally,
the General Data Protection Regulation (GDPR) forces companies to think about
which data is accessible and editable by whom. With the recent data protection
scandals on major platforms such as Facebook etc. the protection of data is not
only a very topical issue, but also a very topical business model.
Microsoft
offers its customers functions and license models to monitor and secure access
to their data and systems. In the end it is a complex story to find out which
functions and which licenses are required to implement Security &
Compliance requirements in your company. The whole story is further complicated
by different license models and feature-sets focusing on Security &
Compliance.
At the
Ignite 2018 improvements around Security & Compliance were announced.
Office 365 becomes Microsoft 365, Azure Information Protection becomes
Microsoft Information Protection and so on. But what does this mean for
customers, partners and especially the users?
Actually
quite a lot. Microsoft services getting more and more aligned to the
operational processes and users needs. In the future, management portals, for
example, will be grouped and accessed according to their use:
- https://Admin.microsoft.com
=> Admin Center
- https://security.microsoft.com
=> Security Settings
- https://compliance.microsoft.com
=> Compliance
Data
classification and encryption is an important requirement for storing sensitive
content in SaaS solutions. Azure Information Protection Labels, Site
Classifications and Office 365 Labels are now standardized in the Office 365
Security & Compliance Center and does no longer exist separately from each
other. This makes the use of these techniques much more efficient.
These are
just two examples on how Microsoft Cloud Services successively merge what
belongs together.
Microsoft
Information Protection or the Microsoft Intune feature for managing devices and
apps are focusing explicit scenarios. However, security & compliance
projects often do not start with these specific requirements. Starting an
Office 365 project the requirement is more about providing basic protection
level and setup. Based on this basic configuration further requirements are
then successively defined and implemented in the company.
A new
provisioned Office 365 Tenant is very open. Basically, every user can share all
the data he has access to with anyone. Users can invite external partners to
collaborate with them in a SharePoint site or in Teams and anyone can connect
to Office 365 using any device by entering his username and password.
This
liberal setup of Office 365 is very good for collaboration and communication in
the company and with partners and customers. But it is risky in terms of
Security & Compliance.
In
Microsoft Internet Explorer we could configure the security of the browser with
a simple slider. If there is the need to adjust special settings, this was also
possible. Unfortunately, it is not quite that easy with Office 365 or Microsoft
365. A slider like we have in the Internet Explorer is unfortunately missing
here.
But the
whitepaper "A quick guide to secure Office 365" offers something
similar. Based on a matrix with the levels Standard, Medium, High and Very
High, it gives you an overview how Office 365 can be secured. The
whitepaper also describes the effects on user-friendliness and the required
licenses for setting up the various scenarios.
The
whitepaper outlines a clear overview of the Microsoft technologies and
functions for securing Office 365. Covered technologies are:
- Office
365 Secure Score
- Cloud
App Security
- Intune
& Office 365 MDM
- Azure
AD Premium Features
- Office
365 Advanced Threat Protection
- Office
365 Threat Intelligence
- Security
& Compliance Reports.
And another
tip from me: If a user wants to save a file in his private DropBox folder, then
he has a reason for it. Nobody does this accidentally or by mistake. If we
don't know this reason and don't respect it, the whole Security &
Compliance project will go wrong. Because of so many options that Shadow-IT
offers to users today it is no longer possible to enforce security. The goal
must is to understand which challenges and processes an employee faces in his
daily work. A security and compliance setup must be based on this and
acknowledges these factors.
Link to the
white paper and my presentation at Ignite 2018 on this topic: LINK
