Regulations and data management in a hybrid world
I speak with a lot of organizations and often they’re interested in locating, tagging, and controlling data for various reasons such as legal, regulatory, or protecting personal and proprietary information.
However, there’s one regulation that keeps popping up and it’s the new EU General Data Protection Regulation or GDPR. GDPR will be enforced on May 25, 2018, which is just around the corner. Unfortunately, GDPR is not a one-time process, it’s an ongoing regulation and failure to comply could result in heavy fines. For most organizations, data may be stored across all types of systems and services including backups so locating and managing data across those environments may be difficult.
For this post, Microsoft provides guidance around GDPR and I’ve utilized some of the terms and guidance provided to simply the overview.
To learn more about how Microsoft is addressing GPDR please visit: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
The categories below align with the Microsoft GDPR guidance provided in documentation above, however I’ve attempted to simplify while targeting Office 365 and Enterprise Mobility + Security. The last topic I’ll discuss is how to identity and classify information across SharePoint Server and file shares.
Let’s take a look at the four pillars of addressing data management requirements:
![clip_image001[4]](https://msdntnarchive.blob.core.windows.net/media/2017/11/clip_image00141.png "clip_image001[4]")
Tying everything together, we have a process to identify, manage, protect, and report on data:
![clip_image002[4]](https://msdntnarchive.blob.core.windows.net/media/2017/11/clip_image00241.png "clip_image002[4]")
Now that we have a definable process, let’s align the Microsoft services around all four categories, again the area of focus here is EMS and O365:
![clip_image003[4]](https://msdntnarchive.blob.core.windows.net/media/2017/11/clip_image0034.png "clip_image003[4]")
Let’s take close look at some of the details across the Microsoft offerings:
Azure Active Directory
- Lay the foundation for your organization by protecting access to sensitive information, which starts with modernizing your identities with Azure Active Directory. Whether a cloud or on premises application, Azure Active Directory will act as a controlled gateway to your data.
Azure Information Protection
- Automated Classification, Labeling, and Protection + File scanner for file servers and SharePoint.
Office 365 Data Loss Prevention
- Identify and retain data by applying retention policies to data across O365 services. Discover data through eDiscovery and actions on data via O365 audit logs.
Exchange Online
- Prevent data from leaking by creating message rules to stop sensitive information from being sent through email. Ties into Data Loss Prevention as described above.
Microsoft Cloud App Security
- Discover, monitor access, and apply governance to sensitive data across cloud services.
Microsoft Intune Application Protection
- Protect information from leaking to non-protected applications and accounts across devices such as iOS, Android, and Windows.
Microsoft Power BI
- Create insightful and visual reports by importing audit data into Power BI.
SharePoint Server and File Shares
I understand the previously mentioned services are great for managing data across cloud services, however what about on premises environments?
Azure Information Protection includes a scanning tool called the Azure Information Protection scanner or AIP scanner. The AIP scanner is used to comb through file shares and SharePoint and identity and/or classify + protect data.
Once the AIP scanner is installed, use it to report on information you’re looking for and when discovery is complete, run the AIP scanner and apply classification and protection across those files.
Below is the output of an AIP scanner scan I ran against a few sample files. The AIP scanner will look for specific information based on the AIP policies that are configured (e.g. credit card info).
For more information about the Azure Information Protection scanner please visit: /en-us/information-protection/deploy-use/deploy-aip-scanner
All the services described above dovetail nicely with GDPR and other regulations requiring control of data. If you don’t believe your organization is affected by a regulation such as GDPR I highly encourage further research as you may find out that your organization actually is. Unfortunately, there are steep penalties with non-compliance so doing some research before May will save organizations time and money.
Again, to learn more about how Microsoft is addressing GPDR as well as managing data across other services such as Microsoft Azure, Dynamics 365, SQL Server, etc. please visit: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx