Technical requirements of GDPR

• Protection of personal records
• Notifications of data breaches

IT and training

• Training of employees on how to deal with personal customer information
• Awareness of data protection regulations
• Need for a Data Protection Officer (for more than 250 employees)
• Need for a customer contact person
• Threat monitoring and reporting
• 72h response time for data loss in case of a data breach
• Significant fines
• Affects all organisations which deal with personal information in the EU
• Need for data protection for on-prem and cloud environments
• Need for controlled access to personal data

Transparency

• User becomes owner of his personal record
• Need for data retention policies for the data holder

[Slide diagram: transition to cloud & mobility, new attack landscape, current defenses not sufficient. Labels: shadow IT, data breach, identity breach; employees, partners, customers; cloud apps, on-premises apps, SaaS, Azure; identity, devices, apps & data; 286 days, 80 days.]

Microsoft Security - Overview

PROTECT
✓ Data protection using encryption for SQL and Storage Blobs
✓ NSG firewall rules
✓ Endpoint protection

RESPOND
✓ Missing security policy
✓ Clean a compromised system

DETECT
✓ Unpatched OS
✓ Vulnerabilities (CVE)
✓ Missing FW rules (NSG)
✓ Bruteforce attacks
✓ Compromised systems
✓ Provide email notification

Transparency: state of current threats. Control: define a security policy. Advisory: enhanced security control.

[Slide diagram: Threat Intelligence and Security Management, powered by the Intelligent Security Graph, across Identity, Devices, Apps / Data and Infrastructure.]

Defining a Security Policy on Azure Security Center

DETECT: 24x7 threat monitoring with email notifications

PROTECT: Enable data encryption and follow the security advisories

Conditions: user/application, location, device state, risk, user, MFA

Response: allow access or block access; enforce MFA per user / per app

Layered approach:

- Unstructured data => Azure Information Protection (AIP/RMS)
- Structured data (SQL) => Transparent Data Encryption (TDE)
- Virtual disks => Azure Disk Encryption / BitLocker
- Storage containers => Storage Blobs Encryption

• Data encryption with 256-bit AES (industry standard)
• Data Encryption Keys (DEK) are protected by an asymmetric Key Encryption Key (KEK)
• The KEK is signed by a private key (root of trust)

IMPORTANT: Best practice is always to store the private key in Azure Key Vault (HYOK); the private key can also be stored in a Hardware Security Module (HSM) on-prem.
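The DEK/KEK layering described above, as an added example that is not from the slides or from Microsoft's own implementation: every record gets a fresh 256-bit AES-GCM DEK, and only the DEK is wrapped under an RSA KEK whose private half would sit in Key Vault or an HSM (a locally generated RSA key stands in for it here). The record layout and the `Envelope` module name are assumptions, and the slide's signing of the KEK by a root-of-trust key is not shown.

```ruby
require 'openssl'

# Envelope encryption as on the slide: each record is encrypted under its own
# random 256-bit AES data encryption key (DEK); the DEK is then wrapped with an
# asymmetric key encryption key (KEK). Only the wrapped DEK travels with the
# data, so whoever controls the KEK private key (Key Vault / HSM) controls access.
module Envelope
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  # Encrypt plaintext with a fresh DEK and wrap that DEK under the KEK public
  # key. The returned hash (assumed record layout) contains no plaintext key.
  def self.seal(kek_public, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    dek = cipher.random_key   # 32 bytes from the CSPRNG, used for this record only
    iv  = cipher.random_iv    # 96-bit GCM nonce; never reused with the same DEK
    ciphertext = cipher.update(plaintext) + cipher.final
    {
      wrapped_dek: kek_public.public_encrypt(dek, OAEP),
      iv: iv,
      tag: cipher.auth_tag,   # GCM tag: any change to the ciphertext is detected
      ciphertext: ciphertext
    }
  end

  # Unwrap the DEK with the KEK private key and decrypt. A wrong KEK fails at
  # the unwrap; a modified ciphertext or tag raises OpenSSL::Cipher::CipherError.
  def self.unseal(kek_private, record)
    dek = kek_private.private_decrypt(record[:wrapped_dek], OAEP)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = dek
    cipher.iv = record[:iv]
    cipher.auth_tag = record[:tag]
    cipher.update(record[:ciphertext]) + cipher.final
  end
end

if $PROGRAM_NAME == __FILE__
  kek = OpenSSL::PKey::RSA.new(2048) # stands in for the Key Vault / HSM-held KEK
  record = Envelope.seal(kek.public_key, 'constructed sample: customer record')
  puts Envelope.unseal(kek, record)
end
```

Rotating the KEK only requires re-wrapping the stored DEKs, not re-encrypting the data itself.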

Example: Azure Information Protection

[Slide diagram: protection (author side) and consumption (consumer side); Azure Information Protection requests labels and submits label policies; separate encryption key pairs, in the example one for confidential content and one for secret content; use licenses carrying use rights.]

• The author automatically receives AD RMS credentials the first time they rights-protect information.
• The application works with the RMS-enlightened client to create a "publishing license", encrypts the file, and appends the publishing license to it.
• The author distributes the protected file.
• The recipient clicks the file to open it. The application sends the recipient's credentials and the publishing license to the AAD RMS service, which validates the user and issues a "use license".
• The application renders the file and enforces the rights.

markwil@microsoft.com

RESPONSE

Solve security incidents by following advisories from Microsoft Intelligence / DCU

http://www.microsoft.com/gdpr

http://www.microsoftgdprdemos.com/

https://demos.microsoft.com
