Office 365: Everything You Wanted to Know How to Use this Document?


Advanced Data Governance (Preview)



Download 0.81 Mb.
Page31/39
Date20.06.2017
Size0.81 Mb.
#21123
1   ...   27   28   29   30   31   32   33   34   ...   39

Advanced Data Governance (Preview)


Availability: first quarter of 2017. Included as part of the Office 365 Enterprise E5 plan and the new Secure Productive Enterprise E5 offering.

Advanced Data Governance in Office 365 will help you manage the exploding volume and increasing complexity of corporate data. We’re applying intelligence to help you achieve organizational compliance and automate data retention.

You’ll be able to classify, set policy and take action on the data that is most relevant for your organization and industry, with recommendations driven by behavioral analysis and machine learning.



Advanced Data Governance will include the following capabilities:



  • Import—Intelligently import only the data you need from on-premises and third-party archives using classifications such as age, data type, user or groups, sensitivity or importance.

  • Policies—Policy recommendations are provided, based on machine assisted insights of your data, classifications, tenant, organization, industry, geography and more. Recommendations may include delete, move, encrypt or share.

  • Retention—Intelligently preserve only what’s important to you by using classifications such as keywords, age, data type, user or group, sensitivity, importance. Integration with line-of-business systems allows you to trigger retention based upon events, such as creation of a human resources record.

Advanced Data Governance will help organizations apply the right actions to preserve high value data and purge redundant or obsolete data.

Plan Office 365 security & information protection


Office 365 includes many security and information protection capabilities. Microsoft Enterprise Mobility + Security (EMS) includes additional capabilities for protecting data, identities, and devices with Office 365. EMS includes Microsoft Intune and Azure Active Directory Premium. It can be challenging for large organizations to determine which capabilities to implement and in what order. The Plan for Office 365 security and information protection capabilities article provides help.

Deciding which capabilities to use


Our cybersecurity consulting team recommends taking a methodical approach to planning and implementing security and information protection features. If you don’t already have an established approach, here is a recommended starting point.

Step 1: Set information protection standards

First, agree on a set of standards that can be applied across your organization. Here is an example of what this can look like.



A

Establish information protection priorities

The first step of protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.

B

Set organization minimum standards

Establish minimum standards for devices and accounts accessing any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity.

C

Find and protect sensitive data

Identify and classify sensitive assets. Define the technologies and processes to automatically apply security controls.

D

Protect high value assets (HVAs)

Establish the strongest protection for assets that have a disproportionate impact on the organizations mission or profitability. Perform stringent analysis of HVA lifecycle and security dependencies, establish appropriate security controls and conditions.

Step 2: Classify data by sensitivity level

Three levels is a good starting point if your organization doesn’t already have defined standards.



Step 3: Map service capabilities to data sensitivity levels

Some information protection capabilities apply broadly and can be used to set a higher minimum standard for protecting all data. Other capabilities can be targeted to specific data sets for protecting sensitive data and HVAs.

This table includes an example of how capabilities can be mapped to data sensitivity levels. There are two examples for level 1 because the default service will meet this need for some organizations while others require greater protection.

Level

Standard

Description

1

Data is encrypted and available only to authenticated users

This level of protection is provided by default for data stored in Office 365 services. Data is encrypted while it resides in the service and in transit between the service and client devices. For some organizations, this level of protection meets the minimum standard.





Additional data and identity protection applied broadly

Capabilities such as multi-factor authentication (MFA), mobile device management, and Exchange Online Advanced Threat Protection increase protection and substantially raise the minimum standard for protecting devices, accounts, and data. Many organizations will require one or more of these features to meet a minimum standard.


2

Sophisticated protection applied to specific data sets

Capabilities such as Azure Rights Management (RMS) and Data Loss Protection (DLP) across Office 365 can be used to enforce permissions and other policies that protect sensitive data.


3

Strongest protection and separation

You can achieve the highest levels of protection with capabilities such as Customer Lockbox for Office 365, eDiscovery features in Office 365, and SQL Server Always Encrypted for partner solutions that interact with Office 365. Use auditing features to ensure compliance to policies and prescribed configurations. Not all organizations require the highest level of protection.



Protecting data on devices


Many organizations start by implementing controls to protect data on devices. Office 365 includes some built-in capabilities. Intune and Azure Active Directory Premium include additional configurable capabilities for implementing conditional access and other access controls. For more information, see Controlling Access to Office 365 and Protecting Content on Devices.

This table summarizes the capabilities.
Office 365

Intune

BYOD (not enrolled)

Basic multi-factor authentication capabilities for Office 365.

Enforce PIN and encryption requirements, as well as other policy settings, for applications accessing Office 365.

Restrict actions like copy, cut, paste, and save as, to only apps managed by Intune. Enable secure web browsing using the Intune Managed Browser App.



Enrolled devices

Access control for Office 365 email and documents.

Only mobile devices that are enrolled in MDM for Office 365 can access Exchange Online and SharePoint Online.
Configurable conditional access policies for Office 365 apply to SharePoint Online, OneDrive for Business, and Skype for Business.

Configure secure access with certificates, Wi-Fi, VPN and email profiles.

Keep managed computers secure by ensuring the latest patches and software updates are quickly installed.


Additional Azure Active Directory Premium capabilities

Create access policies that evaluate the context of a user's login to make real-time decisions about which applications they should be allowed to access.

For example, you can require multi-factor authentication per application or only when users are not at work. Or you can block access to specific applications when users are not at work.

Microsoft Enterprise Mobility + Security (EMS) is the only comprehensive solution designed to help manage and protect users, devices, apps, and data in a mobile-first, cloud-first world.

Refer to the Enterprise Mobility + Security (EMS) section later in this document.






Download 0.81 Mb.

Share with your friends:
1   ...   27   28   29   30   31   32   33   34   ...   39



The database is protected by copyright ©ininet.org 2024
send message
    Main page
intended audience