This post is authored by Alym Rayani, Director Office 365 Security.
New capabilities in Microsoft 365 help simplify your GDPR compliance journey
Today we made several Microsoft 365 security and compliance announcements and updates as part of the news from the Microsoft Ignite conference. I wanted to share how these new capabilities provide customers with a more complete and protected solution to simplify their journey to compliance with the General Data Protection Regulation (GDPR).
Earlier this year, we brought together Office 365, Enterprise Mobility + Security, and Windows into a single, always-up-to-date solution called Microsoft 365 – relieving organizations from much of the cost of multiple, fragmented systems that were not necessarily designed to be compliant with modern standards. These announcements at Ignite add to our extensive capabilities that organizations are already using to secure and manage their data, users, and devices.
A platform you can trust, and verify
We understand that organizations with GDPR responsibilities will have additional needs to demonstrate compliance, and we’re investing in tools to help them achieve those goals.
Microsoft 365 users enjoy built-in security and compliance for the apps, services, and devices that they use every day. Microsoft has a long history of transparency, defense-in-depth, and privacy-by-design that enabled us to be the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for the EU Model Clauses, the first to achieve ISO’s 27018 cloud privacy standard, and the first to offer contractual commitments to the GDPR.
Introducing Compliance Manager – We understand that achieving your organizational compliance goals can be very challenging. It’s hard to stay up-to-date with all the regulations that matter to your organization, and to define and implement the controls.
We’re pleased to introduce Compliance Manager, a new compliance solution that helps you to manage your compliance posture from one place. Compliance Manager enables you to conduct real-time risk assessment, providing one intelligent score that reflects your compliance performance against data protection regulatory requirements when using Microsoft cloud services.
You will also be able to use the built-in control management and audit-ready reporting tools to improve and monitor your compliance posture. Read our Tech Community Blog to learn more about Compliance Manager, and sign up for the preview program, which will be available starting in November.
Example of Compliance Manager dashboard
General availability of service encryption with Customer Key – We’re announcing the availability of service encryption with Customer Key, which can help regulated customers demonstrate additional compliance controls by managing the encryption keys for their Office 365 data. Here is an example of how Customer Key works in SharePoint Online:
Simplify how you govern data
Organizations face ever increasing quantities of complex electronic data. Gaining control over this data overload so that you know what to keep and find what’s relevant – when you need it – is critical for both security and compliance purposes. Today we are introducing several new features which further enhance the already rich set of capabilities available with Microsoft Information Protection and Advanced Data Governance.
Companies of all sizes and industries need to protect their sensitive data and ensure that it doesn’t get into the wrong hands. Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss – it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person.
Microsoft’s Information Protection solutions help you identify, classify, protect and monitor your sensitive data – as it is created, stored, or shared. We made several investments across our information protection solutions – helping provide more comprehensive protection across the data lifecycle. A key part of our vision is to provide a more consistent and integrated classification, labeling, and protection approach across our information protection technologies, enabling persistent protection of your data – everywhere. Microsoft Cloud App Security now deeply integrates with Azure Information Protection to classify and label files that reside in cloud applications.
Advanced Data Governance enhancements, including event based retention in Office 365 Advanced Data Governance, allows customers to create events which will trigger the retention period of data in Office 365 to consistently comply with internal business requirements. Disposing of data in a defensible manner allows organizations to effectively reduce their security and compliance risks. This feature is currently in the standard Office 365 Universal Preview Program and available for you to try.
New Multi-Geo Capabilities in Office 365 enable a single tenant to span multiple Office 365 datacenter geographies (geos) to store data at-rest and on a per-user basis in customer specified geos. Multi-Geo helps customers address organizational, regional, and local data residency requirements and enables modern collaboration experiences for their globally dispersed employees. Learn more about Multi-Geo.
Also, we are announcing the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody – inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail, Outlook.com, and Live.com.
Use intelligent tools to better discover and control your data
Many organizations are evaluating how to find and protect the personal data they collect. With the explosion of data and its increasing value – many organizations cannot adequately manage their assets with traditional manual processes.
Unfortunately, even once you know where all the data is and how it should be managed, you must constantly ensure it is protected from threats. The GDPR requires organizations take appropriate measures to prevent unauthorized access or disclosure and to notify stakeholders in the case of breach. Today, on average attacks exist for over 90 days in an environment prior to detection. Microsoft continues to invest in tools that help detect attacks sooner and then remediate, as well as in pre-breach attack prevention tools.
Analysis of non-Office 365 data with Advanced eDiscovery: While the amount of data being generated and stored in Office 365 is growing at an exponential rate, many organizations still have data in legacy file shares and archives. Data is also being generated in other cloud services which may be relevant for an eDiscovery case surrounding a Data Subject Request. Analysis of non-Office 365 data allows organizations to import the case-specific copy of such data into a specifically assigned Azure container and analyze it using Office 365 Advanced eDiscovery. Having one eDiscovery workflow for both Office 365 and non-Office 365 data provides organizations with the consistency they need to make defensible decisions across the entire data set of a case.
This feature is currently in preview and requires an Advanced eDiscovery license for each user whose data is being analyzed. Later this year, in addition to Advanced eDiscovery licenses this feature will require the purchase of the eDiscovery Storage plan for all non-Office 365 data imported into the specifically assigned Azure container for analysis by Advanced eDiscovery. The eDiscovery Storage plan comes in increments of 500GB of storage and is priced at $100 per month.
Example of Advanced eDiscovery
To better protect your users against threats, we also improved our anti-phishing capabilities in Office 365 Advanced Threat Protection, with a focus on mitigating content phishing, domain spoofing, and impersonation campaigns. Office 365 Advanced Threat Protection is also expanded to help secure SharePoint Online, OneDrive for business, and Teams. In Windows, we added Windows Defender Application Control, which is powered by the Microsoft Intelligent Security Graph to make it less likely that malicious code can run on that endpoint.
On the post-breach detection side, we announced the limited preview of a brand-new service – Azure Advanced Threat Protection for users – that brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Finally, as previously announced earlier in the month, Windows Defender Advanced Threat Protection is integrating Hexadite’s AI technology to automatically investigate new alerts, determine the complexity of a threat, and take the necessary actions to remediate it.
Office 365 security management updates – We have also made a few updates to Advanced Security Management to give you even better visibility and control over Office 365. To help organizations in the EU meet their compliance obligations, starting in October, we will begin hosting Advanced Security Management in our EU datacenter region. We are also giving you additional visibility into the service by adding support for activities from Skype for Business, Yammer and Office 365 Threat Intelligence. The signals from these services will be used to generate activity alerts and be factored into anomaly detection alerts. Lastly, to better align our Microsoft 365 investments, we are renaming Advanced Security Management to Office 365 Cloud App Security.
Taking the next step on your GDPR compliance journey
The GDPR is compelling every organization to consider how they will respond to today’s security and compliance challenges. It may require significant changes to how your business gathers, uses, and governs data.
As a global company with hundreds of millions of customers around the globe, we are subject to many stringent regulations including the GDPR and we understand the challenges you face. As your trusted partner, we are committed to going beyond our minimum responsibilities and always working on behalf of your best interests. To that end, Microsoft is an active participant in a community of compliance experts that can support all aspects of your GDPR journey – such as audit and consulting, cloud migration assistance, as well as delivering specific point solutions.