GDPR – Transparity and Office365


It’s that four letter word … GDPR (well not a word – but it is four letters!)

By now, most of us will have heard about the regulations being enforced in May 2018 and at Transparity, we want to ensure that you are in the best position possible to be able to understand and implement any changes required to be able to comfortably comply with the regulations.

As experts in Microsoft Cloud, we are best placed to advise on the advantages of adopting Microsoft technologies to provide compliance with GDPR and improved security in general.

 

Microsoft have recently made a raft of improvements to their GDPR options and a number of these are detailed within this blog post.

The video below provides a good overview of Microsoft’s improved positioning as the market leader in this field:

Microsoft have also released a new White Paper covering the GDPR regulations and how Microsoft Solutions can be used to adhere to the criteria. This paper is definitely worth a read and can be found here

The following section details some of the protection available through the Microsoft platform regarding GDPR. At Transparity we keep abreast of the options and would be pleased to offer advice, demonstrate protection and discuss the options available to you.

New capabilities in Microsoft 365 help simplify your GDPR compliance journey

Microsoft have made several Microsoft 365 security and compliance announcements and updates as part of the news from the Microsoft Ignite conference.

Earlier this year, the Office 365, Enterprise Mobility + Security, and Windows solutions were brought together into a single, always-up-to-date solution called Microsoft 365 – relieving organizations from much of the cost of multiple, fragmented systems that were not necessarily designed to be compliant with modern standards. These additional announcements add to the extensive capabilities that organizations are already using to secure and manage their data, users, and devices.

A platform you can trust, and verify

Microsoft understand that organizations with GDPR responsibilities will have additional needs to demonstrate compliance, and are investing in tools to help them achieve those goals.

Microsoft 365 users enjoy built-in security and compliance for the apps, services, and devices that they use every day. Microsoft has a long history of transparency, defence-in-depth, and privacy-by-design that enabled it to be the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for the EU Model Clauses, the first to achieve ISO’s 27018 cloud privacy standard, and the first to offer contractual commitments to the GDPR.

Accelerate your compliance journey and prepare for the GDPR

Achieving organizational compliance can be very challenging. Therefore, there are several updates being introduced that will help you stay up-to-date with all the regulations that matter to your organization and to define and implement the right controls.

Introducing Compliance Manager

Introducing Compliance Manager, a new compliance solution that helps you manage your compliance posture. Compliance Manager enables you to conduct real-time risk assessment, providing one intelligent score that reflects your compliance performance against data protection regulatory requirements when using Microsoft cloud services. You will also be able to use the built-in control management and audit-ready reporting tools to improve and monitor your compliance posture. This will be coming out in preview in November.

  • Threat Tracker – Provides a trend summary of different categories of threat campaigns (e.g. noteworthy, targeted, etc.). Threat Tracker also gives a detailed view on evolving and trending threats, including attacks targeting specific users in your organization.
  • Threat Explorer – New reports showing risky content activity (e.g. files with sensitive data being shared outside the organization) and risky user activities (e.g. a suspicious login).
  • Enhanced remediation capabilities – Admins will now be able to remediate content malware (e.g. removing all links to malicious documents in SharePoint) and delete malicious emails.


Example of Compliance Manager dashboard

General availability of service encryption with Customer Key – Microsoft are announcing the availability of service encryption with Customer Key, which can help regulated customers demonstrate additional compliance controls by managing the encryption keys for their Office 365 data.

The video below gives an example of how Customer Key works in SharePoint Online, alongside some additional security and admin control enhancements:

Simplify how you govern data

Organisations face ever-increasing quantities of complex electronic data. Gaining control over this data overload so that you know what to keep and find what’s relevant – when you need it – is critical for both security and compliance purposes. Microsoft are introducing several new features which further enhance the already rich set of capabilities available with Microsoft Information Protection and Advanced Data Governance.

Companies of all sizes and industries need to protect their sensitive data and ensure that it doesn’t get into the wrong hands. Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss – it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person.

Microsoft’s Information Protection solutions help you identify, classify, protect and monitor your sensitive data – as it is created, stored, or shared. Microsoft have made several investments across their information protection solutions – helping provide more comprehensive protection across the data lifecycle. A key part of Microsoft’s vision is to provide a more consistent and integrated classification, labeling, and protection approach across their information protection technologies, enabling persistent protection of your data – everywhere. Microsoft Cloud App Security now deeply integrates with Azure Information Protection to classify and label files that reside in cloud applications.

Advanced Data Governance enhancements, including event-based retention in Office 365 Advanced Data Governance, allow customers to create events which will trigger the retention period of data in Office 365 to consistently comply with internal business requirements. Disposing of data in a defensible manner allows organizations to effectively reduce their security and compliance risks. This feature is currently in the standard Office 365 Universal Preview Program and available for you to try.

New Multi-Geo Capabilities in Office 365 enable a single tenant to span multiple Office 365 datacenter geographies (geos) to store data at-rest and on a per-user basis in customer specified geos. Multi-Geo helps customers address organizational, regional, and local data residency requirements and enables modern collaboration experiences for their globally dispersed employees.

Also, Microsoft are announcing the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody – inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail, Outlook.com, and Live.com.

Use intelligent tools to better discover and control your data

Many organisations are evaluating how to find and protect the personal data they collect. With the explosion of data and its increasing value – many organisations cannot adequately manage their assets with traditional manual processes.

Unfortunately, even once you know where all the data is and how it should be managed, you must constantly ensure it is protected from threats. The GDPR requires organisations to take appropriate measures to prevent unauthorised access or disclosure and to notify stakeholders in the case of a breach. Today, on average, attacks exist for over 90 days in an environment prior to detection. Microsoft continues to invest in tools that help detect attacks sooner and then remediate, as well as in pre-breach attack prevention tools.

Analysis of non-Office 365 data with Advanced eDiscovery: While the amount of data being generated and stored in Office 365 is growing at an exponential rate, many organisations still have data in legacy file shares and archives. Data is also being generated in other cloud services which may be relevant for an eDiscovery case surrounding a Data Subject Request. Analysis of non-Office 365 data allows organizations to import the case-specific copy of such data into a specifically assigned Azure container and analyze it using Office 365 Advanced eDiscovery. Having one eDiscovery workflow for both Office 365 and non-Office 365 data provides organizations with the consistency they need to make defensible decisions across the entire data set of a case.

This feature is currently in preview and requires an Advanced eDiscovery license for each user whose data is being analysed. Later this year, in addition to Advanced eDiscovery licenses this feature will require the purchase of the eDiscovery Storage plan for all non-Office 365 data imported into the specifically assigned Azure container for analysis by Advanced eDiscovery. The eDiscovery Storage plan comes in increments of 500GB of storage and is priced at circa $100 per month.

Example of Advanced eDiscovery

To better protect your users against threats, Microsoft also improved their anti-phishing capabilities in Office 365 Advanced Threat Protection, with a focus on mitigating content phishing, domain spoofing, and impersonation campaigns. Office 365 Advanced Threat Protection is also expanded to help secure SharePoint Online, OneDrive for Business, and Teams. In Windows, Microsoft added Windows Defender Application Control, which is powered by the Microsoft Intelligent Security Graph to make it less likely that malicious code can run on that endpoint.

On the post-breach detection side, the limited preview of a brand-new service was announced – Azure Advanced Threat Protection for users – that brings Microsoft’s on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Finally, as announced earlier in the month, Windows Defender Advanced Threat Protection is integrating Hexadite’s AI technology to automatically investigate new alerts, determine the complexity of a threat, and take the necessary actions to remediate it.

Office 365 security management updates – There have also been a few updates to Advanced Security Management to give you even better visibility and control over Office 365. To help organisations in the EU meet their compliance obligations, starting in October, Microsoft will begin hosting Advanced Security Management in their EU datacenter region. There is also additional visibility into the service through added support for activities from Skype for Business, Yammer and Office 365 Threat Intelligence. The signals from these services will be used to generate activity alerts and be factored into anomaly detection alerts. Lastly, Microsoft are renaming Advanced Security Management to Office 365 Cloud App Security.

Taking the next step on your GDPR compliance journey

The GDPR is compelling every organization to consider how they will respond to today’s security and compliance challenges. It may require significant changes to how your business gathers, uses, and governs data.

As a global company with hundreds of millions of customers around the globe, Microsoft are subject to many stringent regulations including the GDPR and understand the challenges you face. As your trusted partner, both Microsoft and Transparity are committed to going beyond our minimum responsibilities and always working on behalf of your best interests.

For more details on these announcements and the other capabilities of Microsoft 365, read the new whitepaper: Accelerate your GDPR compliance journey with Microsoft 365.

Transparity – Securing Your Cloud Journey

We would be pleased to discuss the challenges and options available to you regarding GDPR and data security in general

Contact Transparity to find out more……

Contact Tim Hannibal or David Jobbins at:

email: hello@transparity.co.uk

Tel: 01202 800000

 

 

credit: https://blogs.microsoft.com/microsoftsecure
