GDPR and Microsoft Cloud Security Features

Over the last couple of years, we have seen several ransomware hacks, such as the WannaCry NHS hack, the Sony Pictures hack over the film The Interview, the SWIFT attack, etc.
One thing the above have in common is that they were all ransom attacks, whereby the criminals demanded money.

Ransom attacks are on the rise, and it is estimated that the number of people who have paid to get their data back is also on the rise.

The WannaCry ransom attack on the NHS was the biggest ransomware outbreak in history. The mega trend that has made ransomware a phenomenon is cryptocurrency, i.e. Bitcoin: Bitcoin is the way criminals and hackers collect a ransom.

Bitcoin is used as a ransom tool, most commonly in a targeted attack. For example, a company gets hacked and its databases are stolen or encrypted, and the company is then contacted by the hacker asking for a payment in bitcoins. Now, from a criminal’s point of view, they don’t really know what the right size for a ransom is. How can a criminal monetise company information? A criminal will not know how valuable the data they have stolen is.
However, in May 2018 this all changed, as we entered the era of GDPR, the “General Data Protection Regulation”, which states that every organisation that stores data about EU residents can be fined up to 4% of its global annual turnover, or a £20 million fine, if its customer information is leaked or it has not taken care of its customer data.

The general forecast is that criminals will try to seize this as an opportunity, hack into an organisation and steal its data. This gives hackers an opportunity to monetise the data and demand half of what the GDPR fine would be, for example 2% of the overall business revenue or ~10 million worth of bitcoin.
GDPR has now set a baseline for what criminals should request.

Companies, such as Microsoft, now must enforce extra security measures to ensure they protect their data.

What are Microsoft doing to ensure companies remain compliant with GDPR?

Thankfully, Microsoft have several features and tools within Azure and Office 365 that help you track and manage the personal data you hold there.

Below is a list of some of the features / tools available to you in relation to Azure:

  • Azure AD – Helps ensure only authorised users can access environments; it includes features such as Multi-Factor Authentication.
  • Azure Information Protection – Allows you to classify, label and protect data, track usage and even revoke access. AIP also includes rich logging and reporting capabilities to monitor the distribution of data.
  • Azure Security Centre – Provides you with visibility and control over the security of your Azure resources. It continuously monitors your resources and provides recommendations that help you prevent, detect and respond to threats.
  • Data Encryption – Azure ensures your data is encrypted in transit and at rest.
  • Azure Key Vault – Enables you to safeguard your cryptographic keys and certificates using hardware security modules (HSMs), and is designed so that you maintain control over all your keys and therefore your data. Not even Microsoft can extract your keys.
  • Log Analytics – Azure provides configurable security auditing and logging options that can help you identify and repair gaps in your security policies to prevent breaches. Additionally, Log Analytics helps you collect and analyse data generated by resources in either your cloud or on-premises environments. It provides real-time insights using integrated search and custom dashboards to readily analyse millions of records across all workloads and servers, regardless of their physical location.

In relation to Office 365, below are some features that can help you protect your data.

  • Data Loss Prevention – A strategy for making sure that end users do not send sensitive or critical information outside the corporate network.
  • Advanced Data Governance – Intelligence to help you find and classify data, set policies and act on data.
  • Advanced Threat Protection – Helps protect against sophisticated threats hidden in email attachments and links, and provides cutting-edge defences against zero-day threats, ransomware and other advanced malware attempts.
  • Office 365 Threat Intelligence – Research threats from a dashboard, track phishing or malware aimed at your users, and search for threat indicators from user reports and other intelligence sources.
  • Microsoft 365 is also an option for users. With Microsoft 365, everything is integrated. Microsoft 365 is available for Business, Enterprise and Education. With the Enterprise edition, you get a complete intelligent solution which brings the best out of Office 365, Windows 10 Enterprise, and Enterprise Mobility + Security, that empowers everyone to be creative and work together and

You can find out lots more information about being GDPR compliant here: https://www.microsoft.com/microsoft-365/partners/GDPR. The GDPR Compliance Manager is a data tracking system designed to ensure companies adhere to GDPR; you can log in to Compliance Manager here: https://servicetrust.microsoft.com/ComplianceManager. Compliance Manager enables you to perform real-time assessment of Microsoft cloud services, provides actionable insights to improve data protection capabilities, and simplifies the compliance process through built-in control management and audit-ready reporting.

With the growing number of customers moving to the cloud and the growing rate of cybercrime, there is a rising need for tools to help protect customer data. GDPR attempts to do this by requiring organisations to remain compliant. GDPR is all about respect, and encourages organisations to build better relationships with customers. The fines imposed on organisations will certainly sharpen the focus for many organisations out there and remind them that they have a responsibility to look after customer data. It’s not just about confidentiality; it’s about integrity, accuracy and availability, and of course just plain good practice.

References

Source: https://www.youtube.com/watch?v=ZqNSoHFtGM0 – Mikko Hyppönen.

Source: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/solutions#azure

Source: https://www.microsoft.com/en-us/microsoft-365

Security

In light of the recent NHS attack, I wanted to write a blog about security and re-emphasise what we should be doing to protect our data, especially in regards to SharePoint.

This blog will focus on SharePoint within Office 365 and on-premises, and on some (of many) pointers of defence to help protect SharePoint.

  • A common security issue I see with many clients is permission governance.

A SharePoint governance plan can help keep your data secure and compliant by helping you structure, create policies and procedures, and implement controls, such as designing security controls, permissions and roles for assigning permissions.

SharePoint is used to store data, and on most occasions sensitive data. It is important to ensure that this sensitive data is not accessible to people who do not need to see it, especially when data is shared with external parties such as contractors and partners; it is therefore vital to ensure that access rights remain aligned with business needs. There have been many known cases where data has got into the wrong hands, e.g. United States v. Manning.

This also includes using least-privileged accounts and using specific accounts for specific purposes. I have seen many SharePoint systems where IT use the farm account as their admin account. Plan for administrative service accounts: https://technet.microsoft.com/en-us/library/cc263445.aspx.

You should also be using groups to manage users as much as you can. Using groups gives you a more maintainable security model, meaning that if you want to make a change to a permission, you apply it to a group, not to individual people.

For example, different sites require different governance policies. A site such as the homepage would be tightly governed as it would typically be available to everyone in the organisation, whereas the HR department’s site, for example, would be more tightly governed than other generic sites such as knowledge-base areas.

  • Multi-Factor Authentication – Within Office 365, Multi-Factor Authentication (MFA) increases the security of user login. With MFA, users are required to complete a second stage of authentication after initially entering their password. The second stage requires the user to receive an email, app notification, phone call or text message and enter a number. Only after the second stage is complete will the user be authenticated and signed in.
  • Virus Protection – For on-premises installs of SharePoint, there are a growing number of third-party tools which can be used for anti-virus protection, such as:
    1. McAfee
    2. Bitdefender
    3. Sophos
    4. Trend Micro

However, Microsoft recommend that you install an anti-virus solution based on the SharePoint Portal Server Virus Scanning API (VS API). This is because Microsoft continually provides SharePoint enhancements via that API; installing an AV product that is not SharePoint-aware will not guarantee you any support for SharePoint-specific issues.

https://support.microsoft.com/en-us/help/322941/microsoft-s-position-on-antivirus-solutions-for-microsoft-sharepoint-portal-server

Within Office 365, files are scanned as they are uploaded. If a file is found to be infected, a property is set so that users cannot download that file from the browser or sync the file in the OneDrive for Business client.

https://blog.qipoint.com/2016/07/27/sharepoint-and-anti-virus/

This is not to say you should not have virus protection on your local machine.

  • Information Rights Management (IRM) – IRM is a technology applied at the list / library level in SharePoint. The IRM permissions applied to a document can permit or deny a user from doing certain actions within that document, such as:
    1. Controlling copy and paste
    2. Preventing printing and editing
    3. Requiring users to verify their credentials at specific intervals
    4. Blocking the upload of documents that are not IRM protected
    5. Allowing users with at least the View Items permission to run embedded code or macros on a document

Now, this next step is not strictly a SharePoint security setting. With SharePoint, both Online and on-premises, it’s important to have some sort of lock or password on your device, especially as users now bring their own devices into work. SharePoint is available on mobile, and apps like Yammer and OneDrive for Business can be exposed, potentially leaking sensitive data.

In addition to this, I wrote a blog on Data Loss Prevention (here) which is another great way of ensuring that sensitive data does not leave the corporate domain.

Data Loss Prevention

To add to my last blog about security, I wanted to write about a new feature available with the on-premises version of SharePoint 2016: Data Loss Prevention.

Now, I’m sure you have all heard of Data Loss Prevention within the compliance centre in Office 365, but I wanted to discuss what it is and how it works on-premises.
This blog will demonstrate how DLP works and how to set it up on SharePoint 2016.

What is Data Loss Prevention?
Put simply, “Data Loss Prevention is a way of ensuring that sensitive data is protected against misuse or accidental disclosure”.

How does SharePoint know what sensitive data is?
In SharePoint, sensitive information is defined by a pattern identified by a regular expression, e.g. a bank account number. The search engine contains several pre-defined keywords and checksums that are used to identify sensitive information, alongside a confidence-level process.

For example, if a DLP policy has been configured so that a UK Passport Number cannot be sent or seen within the corporate network, the following checks (table below) are evaluated by the SharePoint search engine.

  Format:     Nine digits
  Pattern:    Nine consecutive digits
  Checksum:   No
  Definition: A DLP policy is 75% confident that it’s detected this type of sensitive information if, within a proximity of 300 characters:

  • The function Func_usa_uk_passport finds content that matches the pattern.
  • A keyword from Keyword_passport is found.

  <Entity id="178ec42a-18b4-47cc-85c7-d62c92fd67f8" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="75">
          <IdMatch idRef="Func_usa_uk_passport" />
          <Match idRef="Keyword_passport" />
      </Pattern>
  </Entity>

Keywords
Keyword_uk_drivers_license
Passport Number
Passport No
Passport #
Passport#
PassportID
Passportno
passportnumber
パスポート
パスポート番号
パスポートのNum
パスポート#
Numéro de passeport
Passeport n °
Passeport Non
Passeport #
Passeport#
PasseportNon
Passeportn °

If the document meets the criteria above, the document will be flagged and, depending on the actions set, blocked.
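The detection logic described above, as an added example that is not part of the original post or of SharePoint's own implementation: the rule is loaded from the Entity XML shown above, Func_usa_uk_passport is approximated as a nine-consecutive-digit pattern (as the table describes; the real function is not on the page), a subset of the Keyword_passport list is used, and the min_count parameter models the instance count that the setup steps change from 9 to 1. The sample document is the post's lorem ipsum text, and the second sample is constructed.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Rule definition copied from the post; Func_usa_uk_passport is approximated below
# as "nine consecutive digits" (an assumption; the real function is not on the page).
ENTITY_XML = """
<Entity id="178ec42a-18b4-47cc-85c7-d62c92fd67f8" patternsProximity="300" recommendedConfidence="75">
    <Pattern confidenceLevel="75">
        <IdMatch idRef="Func_usa_uk_passport" />
        <Match idRef="Keyword_passport" />
    </Pattern>
</Entity>
"""

# Subset of the Keyword_passport list from the post; matching is case-insensitive.
KEYWORD_PASSPORT = [
    "Passport Number", "Passport No", "Passport #", "Passport#", "PassportID",
    "Passportno", "passportnumber", "パスポート", "パスポート番号",
    "Numéro de passeport", "Passeport n °", "Passeport Non", "Passeport #",
]

# Primary-pattern functions and keyword lists, keyed by the idRef names in the XML.
PATTERN_FUNCS = {
    # nine digits that are not part of a longer digit run
    "Func_usa_uk_passport": re.compile(r"(?<!\d)\d{9}(?!\d)"),
}
KEYWORD_LISTS = {"Keyword_passport": KEYWORD_PASSPORT}


@dataclass
class Match:
    value: str        # the text that matched the primary pattern
    position: int     # offset in the document
    confidence: int   # confidence level from the rule
    keyword: str      # the supporting keyword found within proximity


def load_rule(xml_text):
    """Parse the Entity XML into the fields the matcher needs."""
    root = ET.fromstring(xml_text.strip())
    pattern = root.find("Pattern")
    return {
        "proximity": int(root.get("patternsProximity")),
        "recommended": int(root.get("recommendedConfidence")),
        "confidence": int(pattern.get("confidenceLevel")),
        "id_match": pattern.find("IdMatch").get("idRef"),
        "keywords": [m.get("idRef") for m in pattern.findall("Match")],
    }


def find_sensitive(text, rule):
    """Return one Match per primary-pattern hit that has a keyword within proximity."""
    primary = PATTERN_FUNCS[rule["id_match"]]
    keywords = [kw for name in rule["keywords"] for kw in KEYWORD_LISTS[name]]
    matches = []
    for m in primary.finditer(text):
        # window of patternsProximity characters either side of the hit
        start = max(0, m.start() - rule["proximity"])
        end = min(len(text), m.end() + rule["proximity"])
        window = text[start:end].lower()
        for kw in keywords:
            if kw.lower() in window:
                matches.append(Match(m.group(), m.start(), rule["confidence"], kw))
                break  # one supporting keyword is enough for this hit
    return matches


def evaluate_policy(text, rule, min_count=1, min_confidence=None):
    """Decide the policy action: block (with a policy tip) when enough confident matches exist."""
    threshold = rule["recommended"] if min_confidence is None else min_confidence
    hits = [h for h in find_sensitive(text, rule) if h.confidence >= threshold]
    if len(hits) >= min_count:
        tip = f"Policy tip: {len(hits)} passport number(s) detected; document blocked"
        return {"action": "block", "policy_tip": tip, "matches": hits}
    return {"action": "allow", "policy_tip": None, "matches": hits}


RULE = load_rule(ENTITY_XML)

# Sample document from the post (nine digits plus a keyword) and a constructed
# document with nine digits but no keyword, which must not trigger the rule.
SAMPLE_DOC = ("loreum ipsum " * 9 + "789208725 passportno " + "loreum ipsum " * 8).strip()
NO_KEYWORD_DOC = "Invoice reference 789208725 attached, see lorem ipsum."

if __name__ == "__main__":
    for doc in (SAMPLE_DOC, NO_KEYWORD_DOC):
        print(evaluate_policy(doc, RULE)["action"])
```

With the default instance count of 9 (the value the post tells you to change to 1) the sample document is allowed, because it contains only one passport-number instance; with min_count=1 it is blocked and a policy tip is returned.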

I hope that has given you a good understanding of what DLP is. Now I will show you how to set this up in SharePoint 2016 in a few easy steps.

To set up DLP on SharePoint on-premises, there are a few prerequisites that need to be set up first.

  • SharePoint Server 2016
  • Search service application configured and running crawls.
  • Compliance Centre
  • eDiscovery Centre
  • Outgoing email with emails configured on users.

From within the eDiscovery site collection, select ‘Create DLP Query’, as below.

Then select New Item.

From the New DLP Query pop-up box, choose the template you wish to use; for this demo, I will use the “UK Data Protection Act”.
Ensure you change the number at the bottom from 9 to 1, so that the rule works if 1 instance of the pattern is found.
[Image 3: template]
Select Next.

Give the query a name and a start and end date, and choose the source you want the DLP query to work from (for this demo, I will leave the source as ‘Search Everything in SharePoint’), as below.

Select Save.

That’s it, the DLP query has been created.

Now upload a document into a SharePoint document library which contains nine consecutive digits and a term from the keyword list, e.g. below.

Save the document into SharePoint as Loreum ipsum.

loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum  789208725 passportno loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum loreum ipsum

Run a search crawl, then select Search from the eDiscovery site collection; you should see the document appear (circled below).

[Image 5: new]

So you can see that the document I uploaded, which contained nine consecutive digits and a term from the keyword list, has been flagged in the eDiscovery Centre results section.

Now we need to create a Policy for this DLP.

Navigate to the Compliance Centre and select ‘Data Loss Prevention Policies’.

[Image 6: Compliance]

Select New Item and enter a name for the policy, select the template you chose above, and edit the 9 to a 1 so that the rule takes effect after 1 match. Insert an email address so that when the DLP policy finds a match it will email this person. Then choose what to do with the file once a match is found, i.e. show a policy tip and block the document, as below.

[Image 7: complianceTemplate]

Select Save.

After the policy is created, we must assign that policy to a site collection. From the Compliance Centre, select DLP Policy Assignments for Site Collections.

[Image 8]

Select New Item, then first choose a site collection.

[Image 9]

Select Save.

Now, under Manage Assigned Policy, assign your policy to the site collection.

[Image 10]

Select Save.

Please note that when you add a new policy assignment, it may take 24 hours to apply, but high-priority rules such as credit card and passport numbers take up to 15 minutes.

[Image 11]

Policy Tips

In the compliance policy above, we ticked a box to say we wanted to enable policy tips and to block access to documents which meet the DLP policy rules. This is what a policy tip looks like and how it behaves in SharePoint once a rule has been met.

When a document in a library meets a policy, a policy tip is shown and the document is blocked, as below.

[Image 12]

The policy tip displays an error on the document informing the user that it is blocked (as we selected in the Compliance Centre).

The tip informs the user who the document is open to and what the problems with the document are. The owner, the last modifier or the site owner can go into the document and remove the passport number, or, if they think it’s an error, click Resolve.

[Image 13]

When you click Resolve, you can override the policy, which means that you are aware of the data and it is normal for it to live in the document. The other choice is Report an issue, for when you think the document is fine and that it shouldn’t trigger a policy.

[Image 14]

When you click Override, you must give a business justification as to why you want to override the rule, as below.

[Image 15: businessJustification]

The rule has been overridden, and the error image has now been removed.

[Image 16]