Configuring Data Security Policies in Microsoft Azure



  1. Configuring Data Security Policies in Microsoft Azure: Configuring Data Classification in Microsoft Azure. Reza Salehi, Cloud Consultant (@zaalion, linkedin.com/in/rezasalehi2008)

  2. Overview
     - Understanding data risks, governance and compliance
     - What is data classification?
     - Classifying resources and data in Azure
       - Resource Manager tags
       - Azure Information Protection labels
       - Service specific (Azure SQL Database)
     - Demo:
       - Working with ARM tags
       - Working with Azure SQL Database Advanced Data Security (ADS)

  3. Understanding Security Requirements
     - To achieve better ROI on security, the organization needs to first understand its security requirements & priorities
     - Governance – How is the organization’s security going to be monitored, audited, and reported?
     - Risk – What types of risks does the organization face while trying to protect information?
     - Compliance – Are there specific industry, government, or regulatory requirements?

  4. Understand the security requirements first.

  5. Understanding Security Requirements: Risks, Governance, Compliance

  6. Data Security Risks
     - The risks you face while trying to protect identifiable information
     - Intellectual Property (IP), PII, financial information, etc.
     - Who may be interested or could leverage this information if stolen?
     - Addressing Disaster Recovery and Business Continuity

  7. Compliance: Are there industry, government, or regulatory requirements that dictate or provide recommendations on your organization’s security controls?

  8. Governance
     - How do you know if your protection is working as expected?
     - Monitoring, auditing, and reporting of security
     - Are there new security requirements?
     - Is there any mandatory reporting?
     - Auditing the compliance

  9. Understand your data by classifying it.

  10. Data Classification
      - You have identified the security priorities and are ready to define security rules
      - To apply security rules, you need to classify your data

  11. Data Classification in Your Organization: Public, Internal, Confidential, Top Secret

  12. Data Classification
      - Allows you to assign metadata to your organization's data
      - Is a common starting point for governance
      - Categorizes data by sensitivity and business impact
      - Then, data can be managed to prevent theft or loss
      - Extremely important for cloud data

  13. Data Classification: the process of associating metadata with a digital asset, which identifies the type of data associated with that asset.

  14. Example: Microsoft's Data Classification
      - Non-business: Data from your personal life that does not belong to Microsoft
      - General: Business data that is not meant for a public audience
      - Public: Business data that is freely available and approved for public consumption
      - Confidential: Business data that could cause harm to Microsoft if overshared
      - Highly confidential: Business data that would cause extensive harm to Microsoft if overshared

  15. You know your data/industry better than anyone else. Classify the data following your own criteria.

  16. Data Classification in Azure
      - Microsoft suggests that any asset in the cloud should have documented metadata:
        - The data classification (public, internal, etc.)
        - Business criticality (non-critical, critical, etc.)
        - Billing responsibility (department, branch name, etc.)

  17. Data Classification in Azure
      - Azure Resource Manager tags: Most resources in Azure support tags
      - Azure Information Protection labels: For Microsoft Office documents and emails
      - Resource type specific: e.g. Advanced Data Security for Azure SQL Database

  18. Azure Resource Manager Tags
      - In the case of Azure, resource tags are the suggested approach for metadata storage
      - These tags can be used to apply data classification information to deployed resources
      - They provide a valuable tool for managing resources and applying policies
      - Can be managed in the portal or programmatically

  19. Azure Resource Manager Tags
      - You can apply tags to your Azure resources to logically organize them into a taxonomy
      - Each tag consists of a name and a value pair (e.g. department = IT)
      - After you apply tags, you can retrieve all the resources in your subscription with that tag name and value
      - Tags enable you to retrieve related resources from different resource groups

  20. Tags can be applied manually or automatically.

  21. Tags and Azure Policies
      - You can use an Azure Policy to enforce tagging rules and conventions
      - You can create a policy that automatically applies tags during resource deployment
      - Helps to comply with the expected tags standards for your organization

  22. Resource Manager Tags Limitations
      - Tag name 512 characters (128 for storage), value 256 characters
      - Tag names can't contain < > % & \ ? /
      - Maximum of 50 tags
      - Tags can't be applied to classic resources such as Cloud Services
      - Resource group tags are not inherited by the children
      - Generalized VMs don't support tags

  23. Tag Support for Azure Resources

  24. Azure Information Protection
      - A cloud-based solution that helps an organization to classify and protect its documents and emails by applying labels
      - Labels can be applied automatically by administrators who define rules and conditions
      - Or manually by users, or a combination where users are given recommendations

  25. Azure Information Protection

  26. Azure Information Protection
      - Analyze data flows to gain insight into your business
      - Detect risky behavior and take corrective measures
      - Track access to documents
      - Labels can include visual markings (header, footer, or watermark)
      - Prevent data leakage or misuse

  27. Azure Information Protection

  28. Provisioning Azure Information Protection
      - Provision Azure Information Protection in the portal
      - Install the Azure Information Protection client

  29. Provisioning Azure Information Protection

  30. You must have either of the following:
      - Azure Information Protection Premium P1 (included within Enterprise Mobility and Security E3)
      - Azure Information Protection Premium P2 (included within Enterprise Mobility and Security E5)
      - Office 365 subscription that includes Azure Rights Management

  31. Download the Client

  32. Data Classification for Azure SQL Databases

  33. Data discovery & classification provides advanced capabilities built into Azure SQL Databases.

  34. Data Classification for Azure SQL Databases
      - Provides capabilities for discovering, classifying, labeling & protecting the sensitive data in your Azure SQL databases and data warehouse
      - Business, financial, healthcare, personally identifiable data (PII), and so on
      - Data discovery & classification is part of the Advanced Data Security (ADS) offering
      - Can be accessed and managed via the central SQL ADS in the Azure portal

  35. Enabling Advanced Data Security

  36. Enabling Advanced Data Security

  37. Enabling Advanced Data Security

  38. Demo: Classify Azure resources using ARM tags
      - Assign tags to different resources
      - Enforce tags using Azure Policy

  39. Demo: Classifying data in Azure SQL Database using Advanced Data Security (ADS)

  40. Summary
      - Understanding data risks and importance of governance
      - Data classification
      - Data classification in Azure
        - ARM tags
        - Azure Information Protection labels
        - Service specific (Azure SQL Database)
      - Demo: ARM tags
      - Demo: Azure SQL Database ADS
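
The tag limits on slide 22 and the metadata items on slide 16 can be checked before deployment. The following is an added example, not part of the original deck: an offline audit of a resource inventory against those limits. The required tag names and the sample inventory are assumptions constructed for illustration.

```python
# Limits as listed on slide 22 of this deck.
MAX_TAGS, MAX_NAME_LEN, MAX_NAME_LEN_STORAGE, MAX_VALUE_LEN = 50, 512, 128, 256
FORBIDDEN_NAME_CHARS = set("<>%&\\?/")
# Assumed tag names for the three metadata items on slide 16 (not from the deck).
REQUIRED_TAGS = ("data-classification", "business-criticality", "billing-owner")
# Levels from slide 11, compared case-insensitively.
ALLOWED_CLASSIFICATIONS = {"public", "internal", "confidential", "top secret"}

def validate_tags(tags, is_storage=False):
    """Return a list of problems; an empty list means the tag set passes."""
    problems = []
    name_limit = MAX_NAME_LEN_STORAGE if is_storage else MAX_NAME_LEN
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the maximum of {MAX_TAGS}")
    for name, value in tags.items():
        bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
        if bad:
            problems.append(f"tag name {name!r} contains {''.join(bad)}")
        if len(name) > name_limit:
            problems.append(f"tag name of {len(name)} chars exceeds {name_limit}")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value of {name!r} exceeds {MAX_VALUE_LEN} chars")
    for required in REQUIRED_TAGS:
        if required not in tags:
            problems.append(f"missing required tag {required!r}")
    level = tags.get("data-classification")
    if level is not None and level.lower() not in ALLOWED_CLASSIFICATIONS:
        problems.append(f"unknown classification {level!r}")
    return problems

def audit(resources):
    """Map resource name -> problems, for resources that fail validation."""
    report = {}
    for res in resources:
        # Storage resources get the shorter tag-name limit from slide 22.
        is_storage = res["type"].lower().startswith("microsoft.storage/")
        problems = validate_tags(res["tags"], is_storage)
        if problems:
            report[res["name"]] = problems
    return report

# Constructed sample inventory (not real resources).
GOOD = {"data-classification": "Internal", "business-criticality": "critical",
        "billing-owner": "IT"}
SAMPLE_RESOURCES = [
    {"name": "vm-web01", "type": "Microsoft.Compute/virtualMachines", "tags": GOOD},
    {"name": "stpayroll", "type": "Microsoft.Storage/storageAccounts",
     "tags": {**GOOD, "n" * 129: "x"}},
    {"name": "sql-crm", "type": "Microsoft.Sql/servers/databases",
     "tags": {"data-classification": "secret-ish", "cost/center": "IT"}},
]
```

Calling `audit(SAMPLE_RESOURCES)` reports the storage account for its over-length tag name and the database for a forbidden character, two missing required tags and an unknown classification level.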
