Index:

1. Security and Compliance center
2. Service Encryption
3. Advanced E-Discovery
4. Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Security and Compliance center

Microsoft covers a big part protecting us from malicious tools and attackers, but there is still a part that we must do. And I can tell you that it is the most important part, like activating MFA, encrypting sensitive data etc. This slides covers what Microsoft does and what you have to do.

So about the part that we are responsible of, Microsoft provides us multiple tools. How do AIP and OME help with compliance? Check this slide.

There are certain scenario’s that you don’t want that Microsoft manages your key. Some regulatory reasons might require you to manage your key so the security is end-to-end. BYOK might be sufficient since you can store your own key in Azure Key Vault. If that isn’t even good enough you have the HYOK where you store it on-premises. Keep in mind that this option is much less flexible. You only have access to your secured documents as long as you can reach the on-premises key for decryption. Here is an overview of licensing.

Here is a great overview of BYOK. It makes clear that it is as flexible as the Microsoft-managed keys, but it does give you more overhead since you need to manage the key now.

Some good insights when using BYOK.

Service Encryption

Some good news, if we use the Microsoft-managed keys or BYOK, we will have service encryption in Exchange Online, starting to rollout in January 2019 (already available in SharePoint). Once we create a Data Encryption Policy (DEP), It will encrypt our data at storage level. This is required if you want to meet compliance.

Advanced E-Discovery

With the advanced E-Discovery set in Office 365 by using the analytics, we can further minimize the data. It will deduplicate data for example and only present us with relevant data. We are also presented now with a much better E-Discovery dashboard. We see what kind of data the hold holds, but we are also able to communicate with the persons in a specific hold, make searches in it etc. Great improvement!

Now creating a Legal Hold is doable, but not that easy. But it will be! Here is a great overview of how it is now and how it will be very soon.

So these are some great new features! For sure you will see a more in-depth bog when it’s available.

Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Now also a little bit of info about Windows Virtual Desktop, as I can imagine you want to see some updates about this as well. One of the bigger announcements is Windows 10 Multi-User within Windows Virtual Desktop, so you will connect to shared hardware. If you spin up a Windows Virtual Desktop, you can decide how many users you want to connect to that VM which makes it a lot cheaper. There will be a Windows Desktop Calculator soon which gives some recommendations of this, based on the chosen size.

Automatic scaling will be available as well. You can auto scale based on two methods: Breath Mode and Depth Mode. The Breath Mode needs reserved instances so turning off a Virtual Desktop doesn’t help you. However, this can still be cheaper, that’s something you need to calculate. The Depth Mode is based on activity. If no users are logged in anymore in a Virtual Desktop, it will automatically turn off the VM and it will save you money. On the other hand if it’s too busy, it will spin up some new VM’s.

Windows Virtual Desktop will be available through the Azure Marketplace.

The post Microsoft Ignite day 5 appeared first on Erjen Rijnders.

Because this is such a great feature (within Microsoft Information Protection), I will dedicate a seperate blogpost about this, instead of processing this in the Ignite Day 2 blogpost (which you should still read by the way for an overview of selected updates).

All the labeling and encryption technologies throughout the Microsoft stack (currently Windows Information Protection, Office Information Protection and Azure Information Protection), will be manageable from one interface: https://admin.microsoft.com and will be called Microsoft Information Protection. At the end of this year, we should have it all. But not only that, we will also have native labeling and encryption with all Microsoft Office apps! So also on Mac, Android and iOS. That’s very cool right? Notice that if you want this native encryption without installing the AIP client, you should use Microsoft Information Protection. Those labels are cross-application compatible. Microsoft will bring out some sort of migration possibility from AIP to WIP by the way.

Index:

1. Unified labeling
2. Sensitivity Labels
3. Retention Labels
4. Conclusion

Sensitivity Labels

Microsoft is now using one unified way for labeling: Sensitivity label. This label is customizable as you are used to with Azure Information Protection. So let’s try it out how this new unified way of labeling works.

Go to https://protection.microsoft.com > Classification > Labels > Sensitivity > Create a label.

Name your label.

Here you have basically the same options as with Azure Information Protection in the Azure Portal.

Here starts a great unified feature, enable Windows Information Protection!

Again, a great unified feature, enable Office Information Protection.

Last but not least, enable auto labeling as you are used to configure with AIP in the Azure Portal.

After this, you should publish your label.

To me, this is really a step up. Now we still have some highly requested items, like add dynamic permissions in WIP but that will come for sure (since it’s already available in Office Message Encryption).

One caveat for now, this label is not synced yet to Exchange Online so you cannot use it with Exchange rules. Hopefully they will solve this very soon since they only made these new functionalities available yesterday.

Retention labels

But that is not all, we also have retention labels now which have some very cool features. Let’s check it out. Click on retention labels and click Create a label. You will be presented with some groundbreaking features: Trigger a disposition review!

If you select this option, you give the choice to an admin, he or she can decide if that specific document must be deleted or kept. Like if job interviews are still open, you might want to hold the CV’s a little longer. Really great feature. But wait, there is even a more great feature! We can delete content based on an event. That is exactly what we need.

You can customize your events by going to “Data Governance > Events”. For extensive documentation, I recommend you to should the Microsoft Docs which is a really good document.

Conclusion

Microsoft’s products are getting better and better. The tight integration is getting phenomenal. In this document we have seen the possibilities of Sensitivity Labels and Retention Labels. Both serve different purposes which you should check out for sure, especially regarding sensitive content.

The post Microsoft Information Protection: Unified labeling! appeared first on Erjen Rijnders.

All PDF-readers that use ISO standard will understand the encrypted PDF-file, however, it’s not possible yet to open the PDF with those readers. It’s only possible to open an encrypted PDF-file with the Azure Information Protection Viewer. I expect that this will be possible in the near future.
Encrypting the PDF-file directly from the Adobe Reader will also be possible soon, Microsoft is currently working with Adobe to get this feature completed.

To activate the encryption, right click a PDF-file and click “Classify and protect”.

Choose your label on which encryption is enabled.

As you can see we still have the .pdf file extension after protecting.

Now opening the protected file with Adobe gives you this message.

In my opinion this is user friendly, but still eagerly waiting for the possibility to open protected PDF-files integrated in Adobe.

To get the new features, you need to update your Azure Information Protection client to version 1.36.18.0 (currently in preview).

More great features coming with this version!

This version added more sensitive information types:

EU Phone Number
EU Mobile Phone Number
EU Passport Number
EU Driver’s License Number
EU GPS Coordinates
EU National Identification Number
EU Social Security Number (SSN) or Equivalent ID
EU Tax Identification Number (TIN)
Thai Population Identification Code
Turkish National Identification number
Japanese Residence Card Number

The “Send Us Feedback” button is now replaced with “Report an issue” and is fully customizable, even the email address used behind that button doesn’t have to be Microsoft anymore. It can be a company email now.

The post Protect PDF-files with Azure Information Protection! appeared first on Erjen Rijnders.

So, in case when you have an applicant on a job offer, the person sends you its resumé somehow (by e-mail, sharing through OneDrive etc.) and you download it to the company share (SharePoint Online or locally). In all scenario’s you need to make sure that, whatever way the resumé is received, you catch it and set an expiration date.

Note: Every product to accomplish this have its caveats. You need to make sure that you align the job applications with the way you handle your sensitive data.

Depending on the license you have, you can use these products for achieving above:

1. 1. Azure Information Protection;
   2. Cloud App Security;
   3. AIP Scanner;
   4. Data Loss Prevention;
   5. Exchange Online Retention Policies
   6. Conclusion

Let’s see how these products can achieve this.

1. Azure Information Protection

First you need to configure a label with content expiration. Go to the “Azure Portal > Azure Information Protection > Labels > Protect”. Under “Content expiration”, set the content to expire “By days” or “By date”. When the content expires, you can no longer decrypt the content which makes it unreadable:

Now classify the document You can easily do this by right clicking a PDF or Word document and click “Classify and protect”:

Click the label you configured with “Content expiration”:

If you view the custom properties of the document, you can see it’s now classified as “Confidential”:

In my opinion, the problem with this approach is the chance on forgetting classifying a document. So, if you choose Azure Information Protection for achieving this, make sure no documents get through without classification and give your users clear instructions.

Another way with Azure Information Protection is the automatic labeling function. You can do this, based on document content. With PDF-files however (and any filetype other than docx, pptx, xlsx), you can only achieve this with the AIP scanner (check point 3). To configure automatic labeling, take the same steps as before but also configure a condition and create a regex policy or fill in predefined keywords:

2. Cloud App Security

Using Cloud App Security, you can automatically classify documents when they reside in a specific folder or when the document contains sensitive information. Personally, I would love the last one, but it’s currently not possible to scan PDF files with Cloud App Security so the first option is the only working option at the moment.

We will discuss both options however. First let’s see how it works when sensitive files are stored in a specific folder. Go to https://portal.cloudappsecurity.com/, click “Control > Policies > Create policy > File policy”:

Select as condition “Parent folder” and select the folder:

Apply a classification label beneath “Microsoft OneDrive for Business” and “Microsoft SharePoint Online”:

Create the policy, now all content in that folder will have automatically the content expiration activated. Of course, you need to configure content expiration for the label set. See step 1 for more details.

Let’s see how automatic labeling with Cloud App Security works. Create a File policy again and scroll down till the “Inspection method” part. We skip the conditions for now since we did that just before and it’s straight forward as well.

Select “Data Classification Service > Match if Any of the following occur > Choose inspection type… > Select a sensitive information type”:

Here you can select a sensitive information type, or you can add a custom information type. You need to know regular expressions, but it’s not too hard.

For adding a custom information type, click the + button on the right:

Once added, click “Done” and navigate to the bottom. Now again select the classification label you want to apply for “Microsoft OneDrive for Business” and “Microsoft SharePoint Online”:

All matched files are now automatically classified with “Confidential” (make sure you configure the content expiration again in Azure Information Protection).

Remember, it’s not working yet with PDF-files but will be available in future versions.

3. AIP Scanner

This is more or less the same as step 2, only the tool is different and it’s possible to scan PDF files. You still need to know regular expressions (or you need to choose predefined templates like “Credit Card Number”). the scanner uses the Office 365 data loss prevention (DLP) service. For configuration of the filetypes in DLP, see point 4.

The actual configuration of the AIP scanner is not covered in this post, since there are already many great posts how to do this.

4. Data Loss Prevention

DLP has great potential for achieving this task, especially because you can connect with Exchange Online which means you can scan e-mail attachments and restrict or encrypt the content when a condition matches.

However, one big flaw is that DLP cannot scan PDF files (yet), same goes for Cloud App Security. They both use the same core functionality, but I expect this possibility the coming months. Till then, we cannot use this functionality for scanning PDF files.

To create a custom classification type to use within a DLP policy, go to “https://protection.office.com > Classifications > Custom sensitive information types”:

Now click “Create” and add a Regular expression:

At this point, click “Finish” and add a DLP policy. Click on “Data loss prevention > Policy > Create a policy”. Walk through the steps, at the “Policy settings” tab click “Use advanced settings”:

Click “New rule” and within the “Conditions” tab, click “Content contains > Sensitive info types”:

Now select your just created custom policy. On the “Actions” tab, select “Block people from sharing and restrict access to shared content” and “Everyone. Only the content owner, the last modifier, and the site admin will continue to have access”:

Fill in the other desired settings and save the policy.

5. Exchange Online retention policies

With Exchange Online retention policies, you can achieve best of all worlds. You can just delete content matching a custom information type that you created with regex. So, it’s possible to apply this to Exchange, SharePoint and OneDrive!

Go to “https://protection.office.com > Data governance > Retention > Create”. Create a custom retention policy and add a “Sensitive info types”:

Make sure you delete the content after the period you define, from the data when it was labeled.

One caveat with this option is that you don’t have much conditions. You can only choose to which location you want to apply it (SharePoint Online, OneDrive or Exchange Online).

Conclusion

As you figured out by now, it’s impossible to use one tool for scanning your complete environment (if you both use on-premises file server and cloud-based file servers). Also, scanning PDF-files is apparently hard and even impossible to scan Exchange Online PDF files with a tool like Azure Information Protection, Data Loss Prevention or Cloud App Security. Fortunately, it’s possible with retention policies.

In the scenario where you only use SharePoint, OneDrive and Exchange Online and you also want to scan PDF-files, the best option would be using retention policies. Keep in mind that you do not have much options in conditions. In case you need more freedom in conditions and still need to scan PDF-files, you have to wait for this functionality to become available in AIP, DLP and MCAS.

You might have an on-premises file server as well, where you want to apply labels automatically, you need the AIP-scanner since it can scan PDF files.

If you have any questions, feel free to contact me or place a comment below.

The post GDPR: how to automatically delete sensitive content appeared first on Erjen Rijnders.

At first, this is officially not supported but it’s working flawlessly and since you make use of the e-mail header, it’ll always work.

Lets pick a label in Word, for example “Confidential”. I have configured that Outlook automatically takes over the label from the document as you can see in below screenshots:

Now we want to make sure that this e-mail is encrypted, without the need for the user to select the “Do Not Forward” button (which is also only available with the AIP client) and without the need for the AIP client to be installed.

Go to “Exchange admin center > mail flow > new rule > select Apply Office 365 Message Encryption and rights protection to messages…”

If you check the e-mail header from an e-mail where you selected “Confidential”, you will see that the sensitivity is set to “Confidential”:

So we have to make sure that OME is applied when an e-mail header matches “Confidential”.

the header name is called “msip_labels”

Configure it like this (make sure you configure multiple if you use multiple languages with AIP):

Now wait a few minutes (can take up to one hour before your changes are synced through the 220 thousand Exchange servers) and try it out! You should you receive the e-mail now as a protected e-mail:

Note that if you encrypt the e-mail, by default it will also encrypt Office documents. And because they are encrypted by OME, you cannot track the document (yet).

The post AIP label-based encryption appeared first on Erjen Rijnders.