Skip to content

Enterprise Mobility + Security


How to provide persistent data protection on-premises and in the cloud

In the previous blog we discussed the challenges and complexity that stored data, be it structured, logs, or unstructured data pose for GDPR compliance and how Microsoft EMS can help you address the key data protection challenges. As a part of our GDPR webcast, we have also showcased how information protection capabilities across Windows, Office and Azure can help you in your journey to GDPR compliance. In this blog, we will dive deeper into the data lifecycle and how Azure Information Protection can help you provide persistent data protection both on-premises and in the cloud.

The realm of discovery

GDPR is a new data protection law that aims to protect personal data from potential abuse. For organizations that need to be compliant, it is important to understand that not all data falls under the purview of the GDPR. The first step in GDPR compliance is to discover personal data, as only that limited set is subject to the GDPR. A great discovery process turns the challenge of protecting personal data from an unbounded, unknown risk into a scoped, targeted, and manageable problem.

The discovery of personal data in an ongoing process that spans the entire data lifecycle – from the time content is created, through multiple updates, until the time it is deleted. The regulation applies to all historical data as well as to new content created after the GDPR comes into effect. Thus, the discovery strategy for companies must be two-fold:

  • Regularly scan the known data stores to identify personal data. This is a scheduled activity that targets existing data stores for discovery. Large organizations tend to have tens to hundreds of these “unstructured” data stores – SharePoint sites, File Servers, user devices like desktops and laptops, archived mailboxes, tapes etc.
  • Identify personal data at the time of creation or update. By tapping into important sources of data entering existence, personal data can be discovered at the source. This is applicable to emails processed by your mail server, to documents and emails being created/updated by users, and a variety of tools being used to handle data.

Azure Information Protection helps with the discovery process in a number of ways:

  1. It provides built-in rules that identify personal data. Customers can add more rules that can identify personal data not covered by the default rule set.
  2. It will provide a scanner tool that can run scheduled scans of designated data repositories (preview coming soon).
  3. It provides plugins for Office applications (Word, Excel, PowerPoint, Outlook) to identify personal data as emails and documents get created, opened, or updated.
  4. It provides an SDK for 3rd party applications to integrate with, and bring the discovery process into the application.

Once data is discovered, Azure Information Protection can follow-up with additional actions:

  • The most common action is labelling – the data is tagged and can therefore be identified later by other tools, applications, and users. Once a document or email is tagged with a label it can be tracked and monitored through its lifecycle. For example, Microsoft Cloud App Security can read files labeled by Azure Information Protection and quarantine it if it is being shared outside the organization without adequate security controls.
  • The second most common action is protection – the data is encrypted, and access is controlled by administrator-defined policies.
  • Content marking can also be applied, such as watermarks, headers, and footers.
  • The audit logs generated from the discovery process enables organizations to report on their compliance activities.

Protection as the first line of defense

The GDPR highlights the need for protection of personal data held by organizations. Depending on the circumstances and content sensitivity, encryption may be appropriate.  And auditable access policies, access tracking and complete information about how the data has been shared can also help ensure that data is protected. With the increasing number of cybersecurity attacks, holistic data protection is the only way to ensure that personal data is not misused.

Azure Information Protection helps with data protection in a few ways:

  1. Identity-based access to encrypted data. Administrators have fine-grained control over which users have access to encrypted data and can update this access on the fly. Conditional access policies enforced through Intune and Azure AD Premium can control the environmental constraints under which content relevant to GDPR is opened.
  2. Tracking of protected documents to users and administrators. Reporting on any unauthorized access attempts is possible and this feeds into the GDPR requirements of data breach reporting and notification.
  3. The ability to revoke future accesses to the document. In case there is a suspected breach this acts as a mitigation step.
  4. Integration in to Office applications (Word, Excel, PowerPoint, Outlook) and protection can be set manually by the user as well.
  5. An SDK for 3rd party applications to integrate with, and bring the protection process into the application. Microsoft Cloud App Security can quarantine files with personal data but are not protected and can also encrypt the files as they pass through.

AIP Infographic_Final

With Azure Information Protection, you get a well-integrated, holistic service helping you in your compliance journey to the GDPR.

I encourage you to:

In the next blog, we will discuss how to grant and restrict access to data with Azure Active Directory.

Thank you for attention and support!

Dan Plastina