Accelerate GDPR compliance with the Microsoft...

Accelerate GDPR compliance with the Microsoft Cloud. Ole Tom Seierstad, National Security Officer, Microsoft Norway. This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Transcript of Accelerate GDPR compliance with the Microsoft...

Page 1: Accelerate GDPR compliance with the Microsoft Cloudibiz-solutions.no/sites/default/files/2b._gdpr_generell_-_ole_tom... · Accelerate GDPR compliance with the Microsoft Cloud Ole

Accelerate GDPR compliance with the Microsoft Cloud

Ole Tom Seierstad
National Security Officer
Microsoft Norway

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Page 2

Leverage guidance from experts

Simplify your privacy journey

GDPR Compliance

Uncover risk & take action

Page 3

Centralize, Protect, Comply with the Cloud

Process all in one place

Centralize processing in a single system, simplifying data management, governance, classification, and oversight.

Maximize your protections

Protect data with industry-leading encryption and security technology that’s always up-to-date and assessed by experts.

Streamline your compliance

Utilize services that already comply with complex, internationally recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.

Page 5

Protecting customer privacy with GDPR

Page 6

99.9% 46%

50% 23%

Page 7

We will stand behind you with contractual commitments for our cloud services that:

• Meet stringent security requirements
• Support customers in managing data subject requests
• Provide documentation that enables customers to demonstrate compliance for all the other requirements of the GDPR applicable to processors and more

Microsoft was the first major cloud services provider to make these commitments to its customers. Our goal is to simplify compliance for our customers with both the GDPR and other major regulations.

The GDPR commitments are now available in the Online Services Terms (OST) at www.microsoft.com/licensing

Page 8

How do I get started?

1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications

Page 10

1. Discover:

In-scope:

Inventory:

Example solutions

• Microsoft Azure: Microsoft Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
• Windows & Windows Server: Windows Search

Page 12

2. Manage:

Data governance:

Data classification:

Example solutions

• Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit

Page 13

3. Protect:

Preventing data attacks:

Detecting & responding to breaches:

Example solutions

• Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard

Page 14

4. Report:

Record-keeping:

Reporting tools:

Example solutions

• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows & Windows Server: Windows Defender Advanced Threat Protection

Page 17

Responsibility (columns: SaaS, PaaS, IaaS, On-prem; legend: Customer, Microsoft)

• Data governance & rights management
• Client endpoints
• Account & access management
• Identity & directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter

Page 18

38 Cloud regions worldwide

100+ datacenters

One of 3 largest networks in the world

Regions shown (legend: Global datacenters, Sovereign datacenters):

West US, West US 2, Central US, East US, East US 2, North Central US, South Central US, West Central US, Canada East, Canada Central, Brazil South, West Europe, North Europe, United Kingdom West, United Kingdom South, Germany Northeast², Germany Central², France³ (×2), Japan East, Japan West, East Asia, Southeast Asia, South India, Central India, West India, Australia Southeast, Australia East, China West¹, China East¹, Korea South³, Korea Central³, US Gov Virginia, US Gov Iowa, US DoD East, US DoD West, US Gov Texas³, US Gov Arizona³

¹ China datacenters operated by 21 Vianet
² German data trustee services provided by T-Systems
³ France, South Korea and US Gov datacenter regions have been announced but are not currently operational

Page 19

Our commitment to you

To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.

We will share our experience in complying with complex regulations such as the GDPR.

Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.

Page 20

Azure has the deepest and most comprehensive compliance coverage in the industry

Compliance offerings shown (categories: Global, US Gov, Industry, Regional):

HIPAA / HITECH Act; FERPA; GxP 21 CFR Part 11; Singapore MTCS; UK G-Cloud; Australia IRAP/CCSL; FISC Japan; New Zealand GCIO; China GB 18030; EU Model Clauses; ENISA IAF; Argentina PDPA; Japan CS Mark Gold; CDSA; Shared Assessments; Japan My Number Act; FACT UK; GLBA; Spain ENS; PCI DSS Level 1; MARS-E; FFIEC; China TRUCS; Canada Privacy Laws; MPAA; Privacy Shield; India MeitY; Germany IT Grundschutz workbook; Spain DPA; HITRUST; IG Toolkit UK; China DJCP; ITAR; Section 508 VPAT; SP 800-171; FIPS 140-2; High JAB P-ATO; CJIS; DoD DISA SRG Level 2; DoD DISA SRG Level 4; IRS 1075; DoD DISA SRG Level 5; Moderate JAB P-ATO; ISO 27001; SOC 1 Type 2; ISO 27018; CSA STAR Self-Assessment; ISO 27017; SOC 2 Type 2; SOC 3; ISO 22301; CSA STAR Certification; CSA STAR Attestation; ISO 9001

Page 21

Microsoft.com/GDPR

Page 23

Search & identify personal data

• Integrate Azure search for hosted applications to locate personal data across user-defined indexes
• Trace and identify personal data stored in different data sources

Control access

• Securely manage access to your data, applications and other resources
• Enforce separation of duties

Classify data

• Easily determine and assign relative values to your data

Protect data in the cloud

• Employ advanced encryption, cryptography, and monitoring
• Restore data availability with a variety of recovery and geo-redundant storage options

Detect & remediate threats

• Proactively prevent, detect and respond quickly to threats

Record-keeping

• Deliver verifiable transparency and tamper-resistant insights with activity log
• Leverage comprehensive compliance and privacy documentation for Azure

Discover Manage Protect Report

Page 24

Identify personal data · Control access · Safeguard environment · Set retention policies · Respond to threats · Transparency assurances · Classify content · Record-keeping

• Utilize eDiscovery templates to identify types of personal data
• Easily find, classify, set policies on and manage data with Advanced Data Governance
• Use Advanced eDiscovery to export and/or delete personal data from Exchange, SharePoint, etc.
• Archive and preserve content across your Office 365 systems
• Automatically protect against accidental disclosure by enforcing policy on sensitive data
• Protect email from today’s sophisticated malware attacks with Advanced Threat Protection
• Prevent sensitive records from being used by unauthorized users with Data Loss Prevention
• Proactively uncover and protect against advanced threats and risks with Threat Intelligence and Advanced Security Management
• Conduct risk assessments using built-in tools in the Service Assurance Dashboard
• Track and report on user activities with detailed Audit Logs

Discover Manage Protect Report

Page 25

Identify personal data

• Quickly identify sensitive data across your environment with Azure Information Protection
• Discover cloud apps in your environment
• Gain deeper visibility into user activity

Classify & label data

• Define a classification scheme for better data manageability
• Use Azure Information Protection to configure policies for classifying, labeling and protecting personal data

Protect data, identities, devices & apps

• Deliver consistent data protection with Azure Information Protection
• Protect personal data with risk-based conditional access and Privileged Identity Management
• Protect data in mobile devices and mobile apps with Microsoft Intune

Detect threats & remediate

• Detect data breaches with behavioral analytics and anomaly detection technologies

Gain rich logging & reporting

• Gain rich logging and reporting to analyze how sensitive data is distributed
• Monitor activities on shared data and revoke access in unexpected events with Azure Information Protection

Discover Manage Protect Report

Page 26

Identify and track personal data

• Easily query databases to uncover personal data
• Tag data with sensitivity labels using Extended Properties

Control access

• Securely authenticate to your database and apply granular authorization policies
• Restrict access to users using Dynamic Data Masking and Row-Level Security

Safeguard data

• Encrypt data whether at rest, in transit or in client applications

Respond to breaches

• Track and log database events to identify potential threats or security violations
• Use continuously learning algorithms to identify unusual or suspicious activity

Record-keeping

• Track and report on all database activities with granularly configurable auditing

Discover Manage Protect Report

Page 27

Identify personal data

• Create reports that uncover personal data
• Discover, analyze and visualize personal data using Power BI

Control access

• Securely manage access to your data by roles, applications and other resources

Classify content

• Classify data and protect against accidental disclosure

Define access privileges

• Protect data by limiting access based on user roles
• Restrict access to specific high-impact fields or records

Monitor service status

• Monitor service health and stay up to date on the latest security updates

Record-keeping

• Explore Microsoft’s comprehensive documentation on Dynamics 365’s compliance, security, privacy and trust offerings

Discover Manage Protect Report

Page 28

Locate personal data

• Uncover personal data on local and connected machines

Safeguard environment

• Move from password to more secure forms of authentication
• Protect devices with both detection-based solutions and secure-by-design techniques
• Prevent data from leaking to unauthorized documents or locations

Respond to threats

• Easily detect, investigate, contain and respond to data breaches on your network

Record-keeping

• Audit detailed user and application actions to meet reporting and auditing requirements

Meet compliance requirements

• Utilize sample search expression and rules to ease compliance requirements

Discover Manage Protect Report