Microsoft Releases New Tools for Compliance, Information Protection
- By Kurt Mackie
- February 23, 2018
Microsoft 365 product licensees can now take advantage of Microsoft's Compliance Manager dashboard and the Azure Information Protection Scanner, both of which became generally available (GA) this week.
Compliance Manager is designed to track an organization's status with regard to regulations or standards. The deadline of May 25, 2018 for organizations to meet the European Union's General Data Protection Regulation (GDPR) is approaching, and so Microsoft's announcements played up Compliance Manager's improvements along those lines. Microsoft also has a large partner community available to help with GDPR compliance, as listed here. It also announced that it is building a GDPR template, which will be used to "help detect and classify personal data relevant to GDPR." Organizations failing to protect stored customer data could face fines as high as €20 million or 4 percent of their annual turnover globally under GDPR law.
Previewed back in November, Compliance Manager now can be used to assess "Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers in public clouds," according to Microsoft's announcement, although it's not yet available for use with "sovereign clouds," meaning the datacenters used by governments. The Compliance Manager dashboard shows Microsoft's compliance status for its own apps and services, but organizations must also use the dashboard's "Customer Controls" to create a checklist for everything else in their computing environment that's compliance-related.
Compliance Manager users will see a risk assessment in the dashboard via a Compliance Score feature, which is newly integrated into this GA release. However, Compliance Score only works with Office 365 solutions right now. Also new, according to this Microsoft Tech Community post, is the ability to specify groups "for any standard or regulation" that's available in the Compliance Manager dashboard. Microsoft's example is that an organization could "create GDPR assessment for the 2018 group and another one for the 2019 group," or it could create a standards compliance group for a business unit in one country, with a separate standards compliance group for a business unit located abroad.
Compliance Manager will propose recommendations for organizations to get into compliance. However, Microsoft warns that "recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance."
Azure Information Protection Scanner at GA
Microsoft has an Azure Information Protection service, which has been at the GA release stage since 2016, that checks for sensitive information in an organization's e-mails and attached documents. A Scanner tool addition has now been released at GA; it had been at the preview stage since October.
The Azure Information Protection Scanner can be used to discover sensitive files at an organization's premises when they are stored on Windows Server or network-attached drives, as well as at SharePoint Server data stores. It works with "sites and libraries for SharePoint Server 2016 and SharePoint Server 2013," according to this TechNet announcement. The Scanner is an "on-premises" tool. For SharePoint Online and Exchange Online, Microsoft offers a scanning service through its Office 365 Data Loss Prevention solutions.
Licensing for Azure Information Protection Scanner is complex. It seems to require an Azure Information Protection P2 license, but the nuances are described at the end of a Microsoft datasheet (PDF download).
Unified Labeling and New Admin Role
Along with the two GA releases, Microsoft described improvements in the labeling process to protect documents, and also announced a new Information Protection administrator role.
Currently, Global Admins and Security Admins can manage the Azure Information Protection service. The newly added Information Protection Admin role, announced in this Microsoft Enterprise Mobility + Security (EMS) post, is yet another privileged role in that respect, but this one lacks "additional management permissions on other Azure services," Microsoft explained. The role can be assigned via the Azure Portal, or "RMS PowerShell" can be used.
Microsoft also has plans to make its information protection labeling consistent across the Azure Information Protection service and Office 365 services. The idea behind this "unified labeling" concept is that a label created for one service will be available for others. Unified labeling is currently at the preview stage for the Office 365 Security and Compliance Center and the Azure Information Protection Admin Portal. The preview permits IT pros to specify a label, apply a protection setting and add data retention policies using a single dashboard interface.
Labeling improvements also are getting integrated into Office documents (Excel, Outlook, PowerPoint and Word). Microsoft is building such capabilities into those apps, which Microsoft calls "native labeling." There's currently a preview of native labeling for Office on Mac applications. "With this preview, you can apply the same labeling and protection that you are used to with AIP [Azure Information Protection] on Windows, now on Mac," Microsoft explained in its EMS post. It's planning to add native labeling to Office apps on the Android, iOS and Windows platforms, as well.
There's also a preview of a new software development kit (SDK) for information protection labeling. The SDK preview is available for the "Windows, Mac and Linux platforms," permitting developers to "label and protect content in a way that works with the rest of Microsoft services, like Office 365, AIP scanner, AIP client or Microsoft Cloud App Security."
Additionally, Microsoft is working on a capability to protect data "stored and processed in cloud apps." To that end, it's working on integrating Microsoft Cloud App Security and Azure Information Protection. It's an effort that has been available at the public preview stage since January.
Office 365 Security Perks
Microsoft has released a new "encrypt-only" policy for e-mails for Office 365 Message Encryption users. Microsoft offers Office 365 Message Encryption via Office 365 E3 and E5 subscriptions, and as an add-on option.
The encrypt-only policy lets end users send encrypted e-mails both inside and outside an organization. Intended recipients "can copy, print and forward the email, but encryption will not be removed," Microsoft explained in this Tech Community post. End users can apply the encrypt-only policy via the Outlook client. IT pros can apply it using the Exchange Admin Center. The encrypt-only policy currently works for Office 365 subscribers using the Web Outlook and Outlook Mobile clients, but Microsoft is planning future support for "Outlook for Windows and Outlook for Mac" clients in the "coming months."
Also this week, Microsoft announced a coming preview of a new Attack Simulator capability for Office 365 Threat Intelligence service subscribers. Attack Simulator provides a means for IT pros to probe end users in an organization to see if they are susceptible to typical attack scenarios. It simulates brute-force password attempts, display name spear-phishing (falsely using the name of someone in an organization in an e-mail) and password spray attacks, where a commonly used password phrase gets tested across many users in an organization.
Attack Simulator uses the Microsoft Intelligent Security Graph to create the simulated attacks. Microsoft plans to release a "pre-release preview" of Attack Simulator on Feb. 21. The preview will show up in the Office 365 Security and Compliance Center for users that are "part of the Office 365 Universal Preview program," the announcement added.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.