Simplifying Security & Compliance in O365


1 Simplifying Security & Compliance in O365

2 Max Fritz
Solutions Architect, SADA Systems
MCSA Office 365, MCSE Productivity
Founder/Leader of Minnesota Office 365 User Group
Working with Office 365 for over 8 years
Focus in EM+S, Exchange, and SharePoint Online
Contact Details
Twitter
Blog: maxafritz.com
LinkedIn: in/maxafritz

3 A Glance at SADA
ABOUT US
Founded in 2000
HQ in Los Angeles, Washington D.C.
One of Microsoft’s 1st Partners for Office 365
One of Microsoft’s 1st Cloud Accelerate Partners worldwide
Microsoft National Solutions Provider
One of Microsoft’s 1st Cloud Solutions Providers (BETA)
25M+ Users Migrated
10K+ Workloads Migrated
3000+ Clients Served
3300+ Projects Completed
PRODUCTS: Microsoft 365, Office 365, Azure, Skype for Business + Teams, Dynamics 365, EMS, SharePoint Online, Power BI
OUR SOLUTIONS & EXPERTISE: Business Applications, Apps & Infrastructure, Modern Workplace, Data & AI

4 SADA Services
Full service consultancy applying expertise and experience through your organization
Technical Consulting and Business Consulting: MODERNIZATION, DATA ASSESSMENT, BUSINESS ALIGNMENT, INFRASTRUCTURE, DATA MANAGEMENT & ANALYTICS, PORTALS, PRODUCTIVITY, INTELLIGENT COMMUNICATIONS, CHANGE MANAGEMENT, DELIVERY LEADERSHIP, MANAGED SERVICES, VALUE ENVISIONING
As a full service consultancy, we apply experience and expertise throughout the organization, incorporating technical and business consulting.

5 Compliance is challenging
12/31/2018 6:08 PM
200+ updates per day from 750 regulatory bodies
Cost of non compliance 3x cost of compliance
Cost of compliance continues to increase year over year
Data is your biggest risk
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6 Challenges on the Customer Journey
Digital Transformation
Compliance in the Cloud
Discover Tools & Capabilities

7 Challenges on the Customer Journey
Digital Transformation
Compliance in the Cloud
Discover Tools & Capabilities
Concerns & blockers to Digital Transformation initiatives!
What is the role of IT Admins?
How does InfoSec’s role change?

8 Challenges on the Customer Journey
Digital Transformation
Compliance in the Cloud
Discover Tools & Capabilities
How is Regulatory Compliance managed in Cloud environments?
What are my responsibilities?
What are shared responsibilities?
How do you demonstrate Compliance in the Cloud?

9 Challenges on the Customer Journey
Digital Transformation
Compliance in the Cloud
Discover Tools & Capabilities
Which Information Protection tools are available to me?
How do I approach these tools and in what order?
Where do I start?
What is the threat landscape in the cloud, and how do I stay informed?

10 Microsoft products for Security & Compliance
Data + apps: Office Security & Compliance Center
Devices: Windows Defender ATP
Devices + network + apps: Azure Security Center
Devices + apps: Microsoft Intune
Data + apps: Office Secure Score
Users: Azure Identity Protection
Devices + users + apps + data: Microsoft OMS
Apps: Cloud app security

11 Shared responsibility model
Responsibility across On-Prem, IaaS, PaaS and SaaS (legend: Cloud Customer, Cloud Provider):
Data classification and accountability
Client & end-point protection
Identity & access management
Application level controls
Network controls
Host Infrastructure
Physical Security
Customer management of risk: Data Classification and data accountability
Shared management of risk: Identity & access management | End Point Devices
Provider management of risk: Physical | Networking

12 Shared Responsibility Model – Examples
NIST
Access to production environment
  Microsoft’s responsibility: Implement access controls that prevent standing access to production environment or customer data
  Organization’s responsibility: Set up access control policy and SOP, leverage Customer Lockbox and identity management
Protect data
  Microsoft’s responsibility: Encrypt data at rest and in transit using industry standard cryptography (BitLocker, Service Encryption, TLS, etc.)
  Organization’s responsibility: Encrypt data based on compliance obligations
Personnel control
  Microsoft’s responsibility: Strict screening for employees, vendors, and contractors, and security and privacy training throughout onboarding process
  Organization’s responsibility: Allocate enough resources to implement an organization-wide privacy program

13 Microsoft 365 Action Plans for Regulatory Compliance
General Data Protection Regulation (GDPR)
Key GDPR Principles:
  Protect personal data
  New rights for the data subject
  Data breach reporting rules
  Data privacy officer
  Global mandate
ISO/IEC 27001:2013
Key ISO/IEC Principles:
  Information Security Management System (ISMS)
  Examine information security risks
  Implement comprehensive suite of controls to mitigate risks
  Adopt overarching management process
NIST
Key NIST Principles:
  Security controls for all U.S. federal information systems (except national security)
  Protect the confidentiality, integrity, and availability of systems and their information
  Access control, incident response, business continuity, disaster recovery

14 Approach to Microsoft 365 Action Plans
30 Days: Powerful Quick Wins
90 Days: Enhanced Protections
Beyond 90 Days: Ongoing Security, Data Governance, and Reporting
For each of GDPR, ISO/IEC 27001:2013 and NIST: Outcomes/Objectives and Actions

15 Demonstrations
30 Days: Powerful Quick Wins
90 Days: Enhanced Protections
Beyond 90 Days: Ongoing Security, Data Governance, and Reporting
Compliance Manager Secure Score Data Subject Requests (DSR) Search and Tagging Microsoft Information Protection Label Analytics Compliance Boundaries

16 Compliance Manager
Manage your compliance in one place
View your compliance posture against evolving regulations.
Take recommended actions to improve your data protection capabilities.
Conduct pre-audits to prepare for external audits.
Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature and recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate its effectiveness in your regulatory environment prior to implementation. Recommendations from Compliance Manager should not be interpreted as a guarantee of compliance.

28 Information Protection & Governance
Data growing at exponential rate
Unified approach: Comprehensive policies to protect and govern your most important data – throughout its lifecycle
Unified approach to discover, classify & label
Automatically apply policy-based actions
Proactive monitoring to identify risks
Broad coverage across locations
Discover, Classify, Label
Apply policy
  Protection: Encryption, Restrict Access, Watermark, Header/Footer
  Governance: Retention, Deletion, Records Declaration, Archiving
Monitor: Sensitive data discovery, Data at risk, Policy violations, Policy recommendations, Proactive alerts
Locations: Devices, Apps, Cloud services, On-premises, ISVs, 3rd-party

29 Labels to classify and protect emails, documents, Sites, Groups for Encryption, Content marking & DLP
Labels to classify and preserve emails & documents in O365 only – Exchange, SPOD & Groups

30 GDPR Data Set
This data set contains GDPR Personal details relevant to report back to Authorities. This is an Auto apply label.

33 GDPR100

34 GDPR100

46 GDPR Content Policy
Data matching GDPR sensitive types will be Auto populated.

65 Microsoft Secure Score
Visibility into your Microsoft security position and how to improve it
Insights into your security position
Guidance to increase your security level

74 Manage data subject requests
Find data associated with an individual with Office 365 Content Search
Search across Exchange Online, SharePoint Online, OneDrive for Business (including Teams and Groups) and public folders
Search for 80+ supported sensitive data types or create custom types
Download results for further review prior to providing reports to requestors

82 DSR

91 GDPR Data Set GDPR PII Data Protection

99 Compliance Boundary
Manageability: Regulatory requirements; Boundaries with retention labels
Automation: Automated retention schedule; Dynamic updates as users change roles
Analytics and Intelligence: Audit report & Alerts

100 Configuring Compliance Boundaries
Create a new Compliance Boundary (Ex: Department = Finance)
Retention policy
Labels
Attach
Link

101 Compliance Boundary definition
Create a new Compliance Boundary (Ex: Department = Finance)
Retention policy
Labels
Attach
Link

102 Compliance Boundary definition
Create a new Compliance Boundary (Ex: Department = Finance)
Retention policy
Labels
Attach
Link

103 User outside Compliance Boundary

104 User within Compliance Boundary

105 Existing Microsoft products for Security & Compliance
Data + apps: Office Security & Compliance Center
Devices: Windows Defender ATP
Devices + network + apps: Azure Security Center
Devices + apps: Microsoft Intune
Data + apps: Office Secure Score
Users: Azure Identity Protection
Devices + users + apps + data: Microsoft OMS
Apps: Cloud app security

106 What’s available today
Initial unified Microsoft 365 Security & Compliance Center: protection.microsoft.com
Persona widgets: Four new persona widgets with links to existing experiences

107 Personas
Security operator
Security administrator
Compliance officer
Data administrator

108 New Microsoft 365 Specialized Workspaces
Microsoft 365 Security Center: security.microsoft.com
Microsoft 365 Compliance Center: compliance.microsoft.com

109 Microsoft 365 Security & Compliance Experience
Scenario driven based upon targeted personas
Experiences are coherent and seamlessly connected
Microsoft 365 experience is the complete solution
Proactive assistance in solutions is infused throughout

