Technical requirements of GDPR

Uploaded by truongcong, posted 05-Jun-2018

TRANSCRIPT

Pages 1-2

✓ Technical requirements of GDPR

Page 3

Protection of personal records

Technical requirements of GDPR

Notifications of data breaches

IT and training

• Training of employees on how to deal with personal customer information

• Awareness of data protection regulations

• Need for a Data Protection Officer (for more than 250 employees)

• Need for a customer contact person

• Threat monitoring and reporting

• 72h response time for data loss in case of data breach

• Significant fines

• Affects all organisations which deal with personal information in the EU

• Need for data protection for on-prem and cloud environments

• Need for controlled access to personal data

Transparency

• User becomes owner of his personal record

• Need for data retention policies for data holder

Pages 4-6

(Figure: transition to cloud & mobility, new attack landscape, current defenses not sufficient. Labels: Shadow IT, Data breach, Identity breach; Employees, Partners, Customers; Identity, Devices, Apps & Data; Cloud apps, SaaS, Azure, On-premises apps)

Pages 7-9

(Figure labels: 286 days, 80 days)

Page 10

Microsoft Security - Overview

Page 11

PROTECT

✓ Data Protection using Encryption for SQL and Storage Blobs

✓ NSG Firewall Rules

✓ Endpoint Protection

RESPOND

✓ Missing Security policy

✓ Clean a compromised system

DETECT

✓ Unpatched OS

✓ Vulnerabilities (CVE)

✓ Missing FW Rules (NSG)

✓ Bruteforce Attacks

✓ Compromised Systems

✓ Provide Email Notification

Page 12

(Figure: Microsoft Security overview, powered by the Intelligent Security Graph. Rows: Transparency / Control / Advisory; State of current threats / Define a Security Policy / Enhanced Security Control; Threat Intelligence; Security Management. Layers: Identity, Devices, Apps / Data, Infrastructure)

Page 13

Defining a Security Policy on Azure Security Center

Page 14

DETECT

24x7 Threat Monitoring with Email Notifications

Page 15

PROTECT

Enable Data Encryption and follow the Security Advisories

Pages 16-17

Conditions: User/Application, Location, Device state, MFA, Risk, User

Response: Allow access or Block access; Enforce MFA per user/per app
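The conditions-and-response logic sketched on this slide, as an added Go example (not Microsoft's engine or code): every policy whose conditions match the sign-in contributes, and the strictest response wins, so a block can never be undone by a more permissive policy. The SignIn and Policy fields, the numeric risk scale and the MFADone flag are this example's own assumptions.

```go
package main

// Decision is the slide's response: allow, enforce MFA, or block (larger = stricter).
type Decision int

const (
	Allow Decision = iota
	EnforceMFA
	Block
)

// SignIn is one sign-in attempt (constructed fields, not Microsoft's schema).
type SignIn struct {
	User, App, Location string
	DeviceCompliant     bool
	RiskLevel           int // 0 none, 1 low, 2 medium, 3 high (constructed scale)
	MFADone             bool
}

// Policy applies only when every non-empty condition matches the sign-in.
type Policy struct {
	Name                   string
	Users, Apps, Locations map[string]bool // empty set = any
	UnmanagedOnly          bool            // match only non-compliant devices
	MinRisk                int             // match only at or above this level
	Result                 Decision
}
func (p Policy) matches(s SignIn) bool {
	in := func(set map[string]bool, v string) bool { return len(set) == 0 || set[v] }
	return in(p.Users, s.User) && in(p.Apps, s.App) && in(p.Locations, s.Location) &&
		(!p.UnmanagedOnly || !s.DeviceCompliant) && s.RiskLevel >= p.MinRisk
}

// Evaluate combines every matching policy: the strictest result wins, so a block
// is never overridden, and an MFA requirement is met only if MFA was already done.
func Evaluate(policies []Policy, s SignIn) (Decision, []string) {
	result, hits := Allow, []string{}
	for _, p := range policies {
		if p.matches(s) {
			hits = append(hits, p.Name)
			if p.Result > result {
				result = p.Result
			}
		}
	}
	if result == EnforceMFA && s.MFADone {
		result = Allow
	}
	return result, hits
}
```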

Page 18

Layered approach:

- Unstructured data => Azure Information Protection (AIP/RMS)

- Structured data (SQL) => Transparent Data Encryption (TDE)

- Virtual disks => Azure Disk Encryption / BitLocker

- Storage containers => Storage Blob Encryption

Page 19

• Data encryption: 256-bit AES (industry standard)

• Data Encryption Keys (DEK) are protected by an asymmetric Key Encryption Key (KEK)

• The KEK is signed by a private key (root of trust)

IMPORTANT: Best practice is always to store the private key in an Azure Key Vault (HYOK); the private key can also be stored in a Hardware Security Module (HSM) on-prem
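The DEK/KEK hierarchy from this slide, as an added Go example (not Azure's or Microsoft's code): each record gets its own AES-256-GCM DEK, the DEK is wrapped with RSA-OAEP under an asymmetric KEK, and only the unwrap step needs the private key, which is what is kept in Key Vault or an HSM. The Envelope layout and function names are this example's assumptions; the root-of-trust signature over the KEK is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: AES-GCM nonce + ciphertext and the DEK wrapped under the KEK (this example's layout, not Azure's).
type Envelope struct{ Nonce, Ciphertext, WrappedDEK []byte }

// randBytes draws n bytes from the CSPRNG; a failure there is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal: fresh 256-bit DEK per record, AES-256-GCM over the data, then the DEK
// is wrapped with RSA-OAEP under the KEK's public half (no private key needed).
func Seal(kek *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := randBytes(32)
	block, _ := aes.NewCipher(dek) // cannot fail: key length is fixed at 32
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return &Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Open unwraps the DEK with the KEK's private half, the only step that needs
// it (hence Key Vault or an HSM), then decrypts; GCM rejects any tampering.
func Open(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek) // untrusted length here: must be checked
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail once the AES key was accepted
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```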

Page 20

Example: Azure Information Protection

(Figure: protection and consumption flow between author and consumer; labels: Request labels, Submit label policies, Use Rights, use license, encryption key pair in example for confidential content, encryption key pair in example for secret content)

Author automatically receives AD RMS credentials the first time they rights-protect information.

The application works with the RMS-enlightened client to create a “publishing license”, encrypts the file, and appends the publishing license to it.

The Author distributes the protected file.

Recipient clicks file to open. The application sends the recipient’s credentials and the publishing license to the AAD RMS service, which validates the user and issues a “use license”.

Application renders file and enforces rights.

Page 21

RESPONSE

Solve security incidents by following advisories from Microsoft Intelligence / DCU

Pages 22-24

http://www.microsoft.com/gdpr

http://www.microsoftgdprdemos.com/

https://demos.microsoft.com

Page 25