IAPP CIPT – How Technology can help in achieving GDPR compliance Part 3

5. Classification, Labelling and Protection of Information demo (AIP)

Hi guys. In this lesson we will discuss about information protection and how we can classify, label and protect the data in files and also in emails. I’ve chosen for this lesson Azure Information Protection. Another tenant from the Azure Cloud platform that I’m using for these demonstrations. This is a separate if I go to the demo dashboard is a separate blade over here, so I can even search for it.

The good thing is that all these can be accessible and managed through the same management portal, asia Portal so, Asian Information Protection you see here I have a global policy and some scoped policies. Global policies means this applies to all users in my organization, translated to all users in my Asia Active Directory. As we discussed previous, scope policies are different policies related to smaller groups of users that have specific requirements.

Let’s say I don’t know the HR department that needs to treat documents in a different way. For them, confidential is not similar to confidential for a normal user or general for HR. And finance may be different in regards to general label for normal user. So they most probably have a more sensitive classification than the other.

So that’s why a scope policies may be specific for them. Here in Global Policies. You see, I have different labels. These labels can be applied to files and emails based on the sensitivity and we can configure the conditions and also the protection actions that can be applied under these labels. The label will stay with the file no matter where the file will go. So the label is persistent with the file from the creation.

So if I open a Word document, Excel document, let’s say I start writing things there, save it. Then the document will start with a default label that may be general. So you can see here, select the default label, right? So I will put, say general for the default label. So when I start a new document, it will have a default label as general and based on the content, and this is really important, the tool is doing content inspection based on the content and the rules I’m specifying here. The files are classified and relabeled with a new and maybe more sensitive label. Let’s go for one of these credit card data. So I have here the name, the description, a color that will allow you to recognize it.

And in the protect area over here, what you can do is you can specify which users will have different rights for that file, and only the users specified over here will be able to do some actions at the file level. No other users will have no right. Somebody, for example, me, I will not be able even to read and to view the file if I’m not here. And here you can add if I just add it, you can select users from your directory, or you can enter details like everything@gmail. com, right? Sorry, it’s just@gmail. com so everything@gmail. com will receive just viewer access, right? And they’ll click okay, and you see@gmail. com is View, Access, and again with Yahoo and so on and so forth. So that means all the Gmail addresses that I send this file to will have access to view that document.

Megan, it will be a co owner. And by co owner you mean this is the permission. So I have five roles over here, corner Coaltor, Reviewer, Viewer, and the custom one corner practically has full rights, View, Open Rights, Print, Save, Copy, and all this here culture, minus something reviewer, minus something viewer, just View and Allow Macros. And the custom, I can create my own. So I’m specifying who will have access and with what rights to my file.

Then I can allow offline access. So the user needs to read and to address his actions or permissions to the file once. And after that, he doesn’t need to be connected to the Internet and to this Azure service in order to read again the document for the next seven days. After seven days, he needs to be connected again to the Internet and connect this cloud service in order to be authenticated. And the right should be checked again. And then I can specify just for this label, some visual markings. I have a header, I have a footer, I have a watermark that it’s in a diagonal, let’s say, or horizontal. And then I have the conditions for this content inspection. Content inspection is done in a recommended or automatic manner. Automatic means wherever I see the pattern, I apply the label. Recommended means I’m recommending the user to apply or to change the label.

The user has a button, he may change it. If he refuses, then a log is generated into the system for the administrator. Automatic does not allow the user to do this thing. It’s just applying the label. And from that moment in time, the file will become, let’s say, credit card data, as in this example, and only these users here will have access to it. And then if I add this file as an attachment to an email, the email will have a general label, right? So if I’m attaching a more sensitive file, meaning a more sensitive label attached to this file, then the label of the email will change automatically to this credit card number. And only these people over here will have access to open the file as an attachment to the email. This is using practically the old rights management features or systems from Microsoft, which is right now integrated in Azure Information Protection. To allow these new classification and labeling options for the files that are already created, there is a tool which is based on some scripts, partial scripts. It’s called Azure Information Protection scanner.

And this scanner will go for file servers or SharePoint Server or different storage areas. And it will go inspect and use the policies from here and add and reclassify and relabel all the files that it finds on these areas. If it’s a file server, it needs to support VCI file classification infrastructure, but more or less all the new after 2010, I believe, supports Windows environment, supports this infrastructure. And then you can apply the labeling and classification for the files that you already have, right? Not only for the new ones that you will create. And this is how you can control. And this is different from a DLP data loss prevention solution because with this one, you can allow files to go in the external, but only the specified users will have access to this. I don’t want to get into too much detail about how encryption is provided and how decryption and what keys.

What I can tell you is that the tool uses a symmetric key first to encrypt the message, and then it’s using a pair of public and private key for the organization in order to encrypt the rights plus the symmetric key and send the communication from one user to the other. The external users, in order to access those files, like Gmails or Yahoo accounts, when they try to access it, will create for them an individual account in Asia Active Directory. So they will be managed and the user account will be created in a directive directory. Either it’s not existing in the moment when the file was sent. And also what Microsoft did is a tracking system. They’re a separate portal. And the tracking system that you can see where the file went worldwide level in a map. So you can see that the file was sent to Brazil and it was opened and that user added or performed a copy or save or a print action on the file.

6. Cloud application visibility and security demo (Cloud App Sec)

Hi guys. In this lesson I will show you how you can get application visibility, and I mean cloud applications visibility for all your users in your environment. So let’s say you have some users that are accessing cloud applications from the internal environment or they are going at home using corporate devices, connecting through VPN and using some cloud applications coming into the same firewall, corporate or enterprise file. They can use this from their mobile devices or from their laptop devices. And it can be, let’s say Dropbox or Box or it can be Office 365. It can be any other cloud application that you are not aware about. And practically what you need to know is that you need to know about shadowing it. So applications that your users are using, but you have no idea that they are doing it. They can even use a lot of traffic and bandwidth from your firewall by using those applications. And what’s most important is that they may use files or corporate data in order to communicate into these applications. And you want to get track of this.

You want to know if there is some suspicious activity or some suspicious patterns involving the cloud applications that you don’t know about and your users are using. And if I have some corporate data in there. How this tool works, it’s called Cloud Security from Microsoft, again is a subscription in Azure. How the tool works you need to upload the logs from your enterprise firewall or to set up an automation, a connector on the onprem environment that will grab the logs from the firewall and upload them immediately to cloud up security. And you’ll have per log. It can be once a day, it can be once a week, depending how you want to track or to monitor this. You’ll have a dashboard for the log it was uploaded regarding what happened in your environment. First thing the tool is doing is discovering your apps. So in the Discovered Apps section over here, you see all the applications your users are using. And you may see something that you know, like Exchange, Cisco, Concur, Adobe. But you may see something that probably you don’t know, like, I don’t know, Console, Exact, Target, Mint, who knows what these applications are. The tool is creating a risk score over here. Let’s go to Google Drive and see how the risk score is created.

And when you click on an application, you see all the users involved, all the IP addresses, how much upload or download traffic it was performed, and the total number of transactions. You see some graphics over here, nice graphics. And again the up top uploading users. So you may know who is really using this application and who is doing the downloading or the uploading and the IP address is involved. And in order to see different relationships between metadata inside this application and how Microsoft setting up the risk score. You go to the info and you can find even interesting things that you didn’t know about this logo. URL the privacy policy if they are GDPR readiness, when they are registered, who is the holding company, if they are public or private, where do they lack in terms of security or where do they are good, what kind of encryption they are using and so on and so forth. Compliance with different standards. And you can see where they stay good with the green and where they lack some compliance or some features with the red.

And this is how Microsoft is addressing this risk score that you can even go and edit and change and say, okay, you said this is a five. But for me, it’s important that I know this application and I trust it. And for me, this is a tent. And then you may see, even if there are alerts associated with this application coming back to Discovered apps, there are some categories over here that you can see different applications bundled into different categories. And they say that they can recognize thousands of applications or tens of thousands of applications.

Right now, for this log, they generated around 298 discovered apps. Then what’s important, it can break down or normalize this traffic into activity files or user accounts. In terms of files and user accounts, they have the integration with the Microsoft tools. So they get info from active directory. And in terms of files, they get info from Azure Information Protection that we discussed in the Information Protection video. And if these are integrated, you may see what labels of the files or what labeled files were used in cloud applications. And if you go to files, you may see different info here. Like, this JPEG file was used by two collaborators in this Asia Ed group that is considered external. And it was used in the OneDrive application. And you may see different details about this one drive application. And then you see this doc international marketing strategy, again using OneDrive shared. This is the URL. It was shared again with other collaborators. And this is the information of the file, what type of the file it is. You can see the error here in the path. And again, let’s take one folder for SharePoint, for example, not for OneDrive. This is a file that was shared in SharePoint with 27 collaborators.

So you can see all the groups and all the other users that was shared this file too, and all the files involved. Again. He’s grabbing this information from Azure Information Protection. So he cannot do this by his own. And what’s really nice, he can perform. He can apply policies based on these traffic patterns. And the policy may say something like, look, if I see a new application in my environment with a risk score between three and five and then this is associated with download from box or dropbox for more than 50. Megabits. And I can see this traffic generated by more than three users in the last five days. Then generate an alarm or an alert. And what is this doing is getting all these traffic and patterns. He’s applying some sort of correlation and is offering you an information. Then you can go and take this log, put it in a seam secure information, event management, and investigate further or correlate more with other information from the on prem environment. But this allows a really interesting visibility related to cloud applications. And there are a lot of policies or patterns or templates for the policies already created, say activity from infrequent country, impossible travel, anonymous IP address and so on. But you can create your own, it can be app discovery, it can be file policy, session policy, let’s go for anomaly Detection policy. And you can use some templates or not, let’s put anomalous behavior in discovered users or no, let’s write it from the beginning.

And you can apply different filters here if I see a risk factor, if I see a risk score, if I see a specific app or domain or a specific category. And you can apply all this here app domains or just apps, no, app and domains equals in apps only equals dropbox, and then I want to be risk or equal something. And you can add all the filters over here and you can apply this to specific users or IP addresses. You can set an alert range regarding the sensitivity of these alerts. But let me just cancel this and show you something more. Let’s go for anomaly detection. Right, these are available, but I don’t want these available policies, anomaly detection policies, available policies.

Okay, let’s take the Impossible Travel and try to change it a bit. No, this should be just applied, so this cannot be changed. Let me check file policy and File policy says access level of the file last modified. I can go and put different collaborators, different file ID, file name, owner of the file and all this application classification label. So if I see this happening in a sort of communication between different apps, then I raise an alert or let me go for some activities. I can create activity policy, and here I can say single or repeated activity, and I can put activity type, activityid, activity type, it can be all this apply block up, change, authentication token, different things that you may see over here. And then you may have administrative activity, an app on applied action and device tag, IP address locations. So you can have different filters over here that can generate an alert and you may use these alerts to have a view of what’s happening.

So see activity from a frequent country right now and say this was used in Romania for the first time in the past 13 days and this is not okay. You see the log on coming in from this IP address is the username involved, and you can go into deeper on that. It can be an unusual stuff, but also it can be something that is or publisher confidential file. And you can see over here that this file was shared by this user with this sort of collaborators and different users were downloading the file, creating a link, sharing again this file and doing all other actions over here.

And you can even do sort of governance directly from here with integration to a new information rotation, like applying a classification label, putting the user in quantum time, putting the admin in quantum time, or doing other actions. If you apply a classification, then if you remember, you can specify one of these labels. So I want credit card data to be applied to this file over here. And by integration with Azure Information Protection, this is applied automatically. Well, okay, this is not good, but you got the point. And this is what you can do with this tool. And it’s okay to have visibility for the cloud environment and also visibility for the onprem and business application environment. And you can correlate both and understand more exactly what’s happening in your environment. Island.

• Category: Uncategorized