Security & Compliance sucks...not anymore

Deutsche Version: LINK

Finally, the General Data Protection Regulation (GDPR) forces companies to think about which data is accessible and editable by whom. With the recent data protection scandals on major platforms such as Facebook etc. the protection of data is not only a very topical issue, but also a very topical business model.

Microsoft offers its customers functions and license models to monitor and secure access to their data and systems. In the end it is a complex story to find out which functions and which licenses are required to implement Security & Compliance requirements in your company. The whole story is further complicated by different license models and feature-sets focusing on Security & Compliance.

At the Ignite 2018 improvements around Security & Compliance were announced. Office 365 becomes Microsoft 365, Azure Information Protection becomes Microsoft Information Protection and so on. But what does this mean for customers, partners and especially the users?

Actually quite a lot. Microsoft services getting more and more aligned to the operational processes and users needs. In the future, management portals, for example, will be grouped and accessed according to their use:

• https://Admin.microsoft.com => Admin Center
• https://security.microsoft.com => Security Settings
• https://compliance.microsoft.com => Compliance

Data classification and encryption is an important requirement for storing sensitive content in SaaS solutions. Azure Information Protection Labels, Site Classifications and Office 365 Labels are now standardized in the Office 365 Security & Compliance Center and does no longer exist separately from each other. This makes the use of these techniques much more efficient.

These are just two examples on how Microsoft Cloud Services successively merge what belongs together.

Microsoft Information Protection or the Microsoft Intune feature for managing devices and apps are focusing explicit scenarios. However, security & compliance projects often do not start with these specific requirements. Starting an Office 365 project the requirement is more about providing basic protection level and setup. Based on this basic configuration further requirements are then successively defined and implemented in the company.

A new provisioned Office 365 Tenant is very open. Basically, every user can share all the data he has access to with anyone. Users can invite external partners to collaborate with them in a SharePoint site or in Teams and anyone can connect to Office 365 using any device by entering his username and password.

This liberal setup of Office 365 is very good for collaboration and communication in the company and with partners and customers. But it is risky in terms of Security & Compliance.

In Microsoft Internet Explorer we could configure the security of the browser with a simple slider. If there is the need to adjust special settings, this was also possible. Unfortunately, it is not quite that easy with Office 365 or Microsoft 365. A slider like we have in the Internet Explorer is unfortunately missing here.

But the whitepaper "A quick guide to secure Office 365" offers something similar. Based on a matrix with the levels Standard, Medium, High and Very High, it gives you an overview how Office 365 can be secured. The whitepaper also describes the effects on user-friendliness and the required licenses for setting up the various scenarios.

The whitepaper outlines a clear overview of the Microsoft technologies and functions for securing Office 365. Covered technologies are:

• Office 365 Secure Score
• Cloud App Security
• Intune & Office 365 MDM
• Azure AD Premium Features
• Office 365 Advanced Threat Protection
• Office 365 Threat Intelligence
• Security & Compliance Reports.

And another tip from me: If a user wants to save a file in his private DropBox folder, then he has a reason for it. Nobody does this accidentally or by mistake. If we don't know this reason and don't respect it, the whole Security & Compliance project will go wrong. Because of so many options that Shadow-IT offers to users today it is no longer possible to enforce security. The goal must is to understand which challenges and processes an employee faces in his daily work. A security and compliance setup must be based on this and acknowledges these factors.

Link to the white paper and my presentation at Ignite 2018 on this topic: LINK

Usage Report, AIP Scanner UI and Data Discovery for Azure Information Protection

Microsoft is enrolling new Azure Information Protection features and a new AIP scanner UI including status of the scanner machine and some statistics like scan rate, version etc.

AIP scanner UI

This new scanner UI feature will include the capability to start the scan on the remote scanner without a need to login to the scanner machine.

We can access this new preview feature using this link: https://portal.azure.com/?Scanner=true#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/scannerNodesBlade

Latest GA or public preview version of AIP Client is needed in order to see your scanner machines connected to the Azure portal and be able to manage them.

Usage Report

AIP Usage report is showing labels, protected item count and users & computers who are interacting with AIP. We will also get an overview about used labels and about used clients to label content.

Data Discovery

Data Discovery is showing an overview about used Labels, detected Information Types, locations,

labeled and protected files etc.

Usage Report and Data Discovery are based on Azure Log Analytics.

A quick guide to secure Office 365 - UPDATE

Microsoft is investing a lot in security & compliance. At the end it is a complex story to figure out which feature and which license is needed to fulfill your security & compliance needs.

“A quick guide to secure Office 365” is a Whitepaper based on simple tiers like Default, Medium, High and Very High. The matrix shows the usability impact and the needed licenses to setup the different scenarios.

You get a clear overview about the options and the impact of each scenario. In addition, the Whitepaper gives you an overview of Microsoft technologies and features to secure your Office 365 tenant. Covered technologies are Office 365 Secure Score, Cloud App Security, Intune & Office 365 MDM, Azure AD Premium features, Office 365 Advanced Threat Protection & Office 365 Threat Intelligence and the Security & Compliance Reports.

Here you can download the complete Whitepaper:

DOWNLOAD

DOWNLOAD

Watch this video of my session at Microsoft Ignite 2018 about “How to deal with external sharing” covering most if the topics in the Whitepaper:

Here you can download a Sketchnote by Luise Freese based on my session at Ignite 2018 also covering these topics: LINK

Ignite 2018 notes

As every year: Here you can find my Ignite 2018 notes:

Azure Information Protection Part V – advanced features & scenarios

Label an Office document by using an existing custom property

This option allows us to reflect on existing metadata values for example coming from SharePoint or other solutions like for example Secure Islands (which was acquire by Microsoft in 2015).

As a result of this, when a document without an Azure Information Protection label is opened and saved by a user, the document is then labeled to match the corresponding property value.

This configuration requires two settings in the advanced client settings section. The first is named SyncPropertyName, which is the custom property name that has been set from the other classification solution, or a property that is set by SharePoint. The second is SyncPropertyState and must be set to OneWay:

• Key 1: SyncPropertyName
• Key 1 Value: <property name>
• Key 2: SyncPropertyState
• Key 2 Value: OneWay

Keys and corresponding values are good for one custom property.

Example:

We have a SharePoint column named Classification. Possible values are: Public, Internal and Confidential. SyncPropertyName value is then: Classification.

To make this feature work we need labels with the same name (Public, Internal and Confidential) in AIP. Now, when an Office documents from this SharePoint library is opened and saved and this document is labeled as Public, Internal or Confidential in SharePoint Azure Information Protection applies the corresponding AIP label. If no label with a corresponding name exists in AIP, the document remains unlabeled.

More details about how to label an Office document by using an existing custom property: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations#label-an-office-document-by-using-an-existing-custom-property

Convert Templates to Labels

When you create a label in AIP under the hood also a new custom template is created. This new template can then be accessed by services and applications also using Rights Management templates. The new template is not shown in Azure AIP portal but can be managed by using PowerShell.

If you delete the label the template will still exists and is then shown in Azure AIP portal. In Azure AIP portal you can convert a template to a label:

If you change the protection settings in this newly created label, you're changing them in the template and any user or service that uses this template will get the new protection settings with the next template refresh.

More details about labels and templates in AIP can be found in this article: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-templates#to-configure-the-templates-in-the-azure-information-protection-policy

Cloud App Security to auto apply Labels for scenario / location

Microsoft Cloud App Security lets you apply AIP labels as part of a CAS policies. You can also investigate files by filtering for the applied classification label within Cloud App Security.

Scenarios:

• Apply classification labels as a governance action to files that match specific policies
• View all classified files in a central location
• Perform investigation according to classification level
• Create policies to make sure classified files are being handled properly

More details:

• Integrate AIP in CAS: https://docs.microsoft.com/en-us/cloud-app-security/azip-integration
• Automatically apply AIP labels using CAS: https://docs.microsoft.com/en-us/cloud-app-security/use-case-information-protection

Encrypting Emails using Exchange Mail Flow Rule

Exchange Mail Flow Rule can be used to automatically apply AIP labels:

This is based on the RMS template associated to the AIP label.

A step-by-step documentation on how to configure a mail flow rule using a RMS template can be found here: https://blogs.technet.microsoft.com/kemckinn/2018/07/09/encrypting-emails-from-anywhere/

Decommissioning and deactivating protection

If AIP is no longer needed you can deactivate it. Make sure that you have a copy of your Azure Information Protection tenant key before you deactivate the Azure Rights Management service. If you deactivate AIP make sure, that you won’t be locked out of content that was previously protected.

You have the following options to deactivate AIP:

• PowerShell cmdlet Disable-Aadrm to deactivate Rights Management
• Deactivate Rights Management from Office 365:
• Go to the Rights Management page for Office 365 administrators
• On the Rights Management page click deactivate
• Deactivate Rights Management from the Azure portal
• On Azure Information Protection blade => Protection activation blade, select Deactivate

Further details about deactivating AIP: https://docs.microsoft.com/en-us/azure/information-protection/deploy-use/decommission-deactivate

Related posts:

• AzureInformation Protection Part I – Overview
• AzureInformation Protection Part II – PowerShell
• AzureInformation Protection Part III – AIP Scanner
• AzureInformation Protection Part IV – Work with AIP