Welcome to the 4th and final post in our Ready, Set Protect! Series. To recap our journey, in Part 1 of the series we showed you how to get going with classification and labeling, and FAST. In Part 2 we focused on how you can take the learnings and benefits of classification and labeling and protect your information. Part 3 was for those of you who are either Information Protection skeptics or have yet to kick off a proper evaluation of the technology in this space, and we wanted to help you home in on what’s really important in an enterprise solution for Classifying, Labeling and Protecting (CLP) your information.
Today’s blog post is for those of you who need to comply with data protection regulations and want to understand how you can use Azure Information Protection (AIP) to help meet some of those needs. To make the discussion a little more concrete, we will use the EU-GDPR (European Union General Data Protection Regulation) as our example.
To set the scene, the GDPR applies not only to organizations located within the EU but also to organizations located outside the EU that process personal data in connection with goods or services offered to EU data subjects, or in connection with monitoring the behavior of EU data subjects. It applies to companies processing and holding the personal data of data subjects in the European Union, regardless of where the company is located.
As you can see, this has far-reaching implications, and for organizations that are subject to such laws it is a topic of intense discussion and debate. The breadth of the regulations and the implications of non-compliance have led customers (in particular CIO/CISO/DPO leaders) to re-evaluate how they protect and handle data.
The challenge with compliance
Many data protection regulations like the GDPR are essentially privacy laws. When organizations are compliant with the law, they will have, among other things:
- Adequate knowledge about the Personal Data that is being processed
- Safeguards documented and implemented to protect the data
- The means to audit the storage and protection of the data
- The means to control access to this data
- The awareness of a breach, and adequate knowledge of the Personal Data that has been lost to limit the liability
Systems and processes put in place now can cover data created from this point on. However, organizations must also deal with mountains of existing unstructured data* in the form of documents and emails – collected and archived over the years. This data may also contain Personal Data that has been processed, and therefore may need to be identified and secured.
* Microsoft offers solutions around structured data, which is outside of the scope of this blog post.
The question is: how can organizations ensure better compliance with this volume of unstructured data?
The building blocks of compliance
Data protection laws like the GDPR usually define the safeguards that need to be in place to handle Personal Data. However, they also go to great lengths to articulate how organizations must prove that the safeguards exist and how they handle Personal Data in different scenarios. Distilled to its essence, compliance with such regulations makes you responsible for the inventory, security, and audit of all Personal Data, in a provable manner.
To break this down into actionable steps and help customers see the larger picture around management of Personal Data, the framework in the diagram below will help:
The Azure Information Protection product is part of a larger Microsoft solution for helping customers comply with data protection regulations, and provides capabilities to inventory, secure, and audit Personal Data. In conjunction with other services – like Microsoft Office 365 Data Loss Prevention and Microsoft Cloud App Security (MCAS) – it provides customers with insight, monitoring, protection and control over the data flowing through their organizations. Let’s look at how AIP and other Microsoft Information Protection services plug into this framework and help with compliance.
The first step in the lifecycle of managing Personal Data is to identify where it is.
Microsoft provides an organization with capabilities to analyze unstructured data residing in its file shares, SharePoint sites/libraries, online repositories, and desktop/laptop drives. Given access to a file, an organization can use these solutions to scan its contents and determine whether certain classes of Personal Data exist in it. The organization can then classify each file and tag it with a label based on the kind of data present. Additionally, the organization can generate reports of this process, with information about the files scanned, the classification policies that matched, and the label that was applied. These reports are one of the artifacts of the Data Inventory phase that the organization can use in audit scenarios.
The data inventory step is not a one-time event. As the files change and new content gets added, repeating the steps in the inventory phase helps keep the organization up-to-date with compliance requirements.
As the file containing Personal Data travels, other services that are part of the data flow can help the organization track this data. For example, organizations can use Office DLP to inspect data flowing out of Office applications, and use MCAS to monitor data flowing to and from different online locations and SaaS apps. This ecosystem of offerings can help you keep the inventory report up-to-date.
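As an added illustration of the inventory step described above (example code written for this post, not code from AIP or any Microsoft scanner): a small scanner that runs classification rules over sample files, applies a label to each file, and emits the report rows an auditor would want. The rule names, regex patterns, label names, file paths and file contents are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Classification rules in the spirit of "sensitive information types": each rule
# names a class of Personal Data and the pattern that detects it. Constructed
# for this example; AIP's own policy definitions are not reproduced here.
RULES = {
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
    "EU phone number": re.compile(r"\+\d{2}[ \d]{8,14}\d"),
}
PERSONAL_DATA_LABEL = "Confidential - Personal Data"  # assumed label name
DEFAULT_LABEL = "General"                              # assumed label name

@dataclass
class ScanRecord:
    path: str
    matched_policies: list = field(default_factory=list)
    label: str = DEFAULT_LABEL

def classify(path, text):
    """Scan one file's content; return its inventory record (policies hit + label)."""
    rec = ScanRecord(path)
    for name, pattern in RULES.items():
        if pattern.search(text):
            rec.matched_policies.append(name)
    if rec.matched_policies:          # any Personal Data class found -> protect
        rec.label = PERSONAL_DATA_LABEL
    return rec

def run_inventory(files):
    """Inventory pass over a mapping of path -> content. Idempotent, so it can be
    rerun as files change to keep the inventory current."""
    return [classify(p, t) for p, t in sorted(files.items())]

def report_lines(records):
    """Audit artifact: one CSV-style row per file with policies matched and label."""
    lines = ["path,matched_policies,label"]
    for r in records:
        lines.append(f"{r.path},{';'.join(r.matched_policies) or '-'},{r.label}")
    return lines

# Constructed sample files standing in for a file share scan.
SAMPLE_FILES = {
    "shares/hr/onboarding.txt": "Contact anna.muster@example.org, IBAN DE89 3704 0044 0532 0130 00",
    "shares/marketing/brochure.txt": "Our product launches in Q3 with a new brochure.",
    "shares/sales/leads.txt": "Call back: +33 1 23 45 67 89",
    "shares/eng/release-notes.txt": "Version 2.1 fixes a crash on startup.",
}

if __name__ == "__main__":
    print("\n".join(report_lines(run_inventory(SAMPLE_FILES))))
```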
With the data inventory phase correctly identifying documents with Personal Data, securing it and ensuring authorized processing is the next responsibility. This means that access to Personal Data should be controlled and policed – and Azure Information Protection provides an identity-based security solution that can be used for this purpose. The organization can establish policies in AIP that define which departments get what level of access, in which scenarios, and to which types of Personal Data. These policies would tie to the applicable compliance needs for the Personal Data.
AIP provides the organization with flexibility in defining its policies. With its policies in place, the organization can use AIP to encrypt the files containing Personal Data and manage access rights in accordance with the appropriate policy. Decryption is conditional on the user being authorized by the access policy – thereby enforcing the intended safeguards around the Personal Data (i.e., unauthorized persons will not have access). With rights-based encryption in place, sharing becomes less cumbersome: you have the means to prevent Personal Data from leaking to unauthorized persons, with audit logs to track each access.
Securing data is also about controlling its flow. DLP systems and MCAS tap into this flow and enforce policy with actions such as Warn, Encrypt, Notify, Block, Quarantine, and Revoke access. The flexibility of these systems allows the definition of complex rulesets that express the organization’s policies for handling data, including Personal Data.
Compliance monitoring phase
Reporting on compliance is an important function in any compliance regime, and there are a number of artifacts and processes that should be created and maintained. There are two broad categories in the GDPR:
- Proving compliance in a manner sufficient for the organization’s data protection officer to fulfill his or her duties
- Reporting data breaches and remediation
Azure Information Protection stores information about the state of protection on unstructured Personal Data, and can plug into the reporting that is useful for both compliance and breaches. The platform also allows you to audit actions taken by the users and by automated systems. By evaluating these signals, you get a chance to enhance the policies that underpin your organization’s compliance. Fine-tuning the policies also reduces any unintentional friction in the system that users might encounter due to compliance restrictions.
As a final note, we used the GDPR as an example to show how we can help with data protection needs. There are other regulations that mandate different treatment for different categories of data, and organizations can use AIP to help with their compliance regimes for those regulations as well.
Getting to a compliant state with data protection regulations can be a daunting task, but we are here to provide support and guidance and help you get a good handle on what you need to do.
We know this is a lot to absorb, and we are here to help. Engage with us on Yammer, Twitter or send us an e-mail to firstname.lastname@example.org.
It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!