What's new in Microsoft Information Protection solutions to help you protect your sensitive data

[MUSIC] >> Nice to meet you all. Hi, Amsterdam. My name is Lior Lukov, Senior Program Manager from Azure Information Protection Team. I hope that you’re in the right session, Microsoft Information Protection. Before we begin, how many of you are actively using Azure Information Protection today? Please raise your hands. Very nice. I would say more than half of the audience here. So what we’d like to do today is basically go over the greatest and latest of Azure Information Protection and how it basically transforms into Microsoft Information Protection. Those of you who are less familiar with Azure Information Protection concept as a whole, we’ll have an overview. We’ll show you the main capabilities of Azure Information Protection, how it transformed into Microsoft Information Protection, and for those of you who are familiar with this product, you’ll see basically what is unified labeling about, how Microsoft Information Protection would help you better utilize the product across various workloads within Microsoft and using third-party solutions as well. You’ll learn how to better use and protect your data, your crown jewels, your most sensitive data inside your organization using endpoints, on-prem, also on the Cloud. We’ll have a deep dive into some of the new look and feel, how you can use Azure Information Protection across the various products. We’ll have plenty of demos to cover today to keep you busy with and interested about our new features. I hope we’ll have enough time to cover them all, and we’ll also talk a bit about our roadmap, what we’ve been doing so far, what is coming next in the future. So hope you will all be interested and keep you excited during this session.

So let’s have a look at how a typical organization looks like. You all know that you’re using sensitive data. Your end users are using sensitive data on the day to day. For instance, I can go to Salesforce, download the booking results for my next quarter, download it to my endpoint device, then share it to my colleagues either using Outlook, maybe put it on SharePoint, maybe send it externally. How can I make sure that my most sensitive data is always protected, that I always have control of what’s sensitive to my organization? My crown jewels are always protected. How can I track it? How can I revoke it if needed? How can I make sure that it’s only been used by the people who intend to use this information protection? These are the main challenges that you as CISOs, security admins, or anybody who are concerned about the security of your organization should have to deal with on your day to day. Data today, as you know, plenty of organizations pretty much encourage your end users to use various platforms. It can be Windows, it can be a Mac, it can be on an Android or iOS. Data travels inside and outside the organization, crosses the organization boundaries, and you have to be in full control in order to be able to track and make sure that the most sensitive data is being used by the right people. So these are the main challenges that you have to deal with. How can you deal with them today? So part of you might ask, if I’ll ask you, how many in this audience can raise their hand and say that they have full control in their data and they fully know who has been using it? I wouldn’t see too many, and if there are, I bet I can challenge you and ask you, do you actually know who has been using it in your mobile devices, on your on-prem? What happens when the data is being shared externally or externally? Do you have actually rules to prevent this data from being shared externally using third-party solutions? Once the data goes there, for instance, I just upload a document, put it on Dropbox or Box or any other third-party solution and now it becomes like a shadow IT problem, how can I make sure that these kind of actions do not happen, and if they happen, I have full control into those actions?
So in order to be able to design it carefully, you first of all need to identify or even to define what sensitive information is. How do you know what sensitive information is? How your users, how the employees in your organization can better utilize your tools or the tools that you provide them with to identify sensitive information? How can they label it? How you can classify it? Can you help them classify it more efficiently? Once the data is classified, can you tell where do you have in your organization, GDPR data, PII data, PCI data or any regulated data of interest and so on? So these are the main questions that we are going to deal with today, and I’m going to show you few demos of, after having the session, you’ll better understand how you can answer them in your organization.

In fact, some of the questions that we hear, it’s also for customers who are already using our product, is, “All right. I’m using Azure Information Protection, but I’m also using O365. I’m also using Intune. I also have data on Box or Dropbox. How can I make sure that I came up, I created a policy and I can make sure that this policy is going to be active across all these different workloads? I do not want to go and create one security policy for endpoint devices and other security policy for third-party Clouds and another one for O365. I want to make sure that I create one policy, deploy it easily and all these different workloads can take actions upon my policy.” So we’ll learn that. Another very common question that we hear from customers, “I have sensitive data within my on-premise servers. I’d like to migrate my data to the Cloud.” Let’s say that you want to put it on SharePoint or on any other solution, how can you make sure that your crown jewels are protected? So before putting your document which contains sensitive information data such as PII or credit card, you’d like to make sure first that this data is already protected before moving it to the Cloud and plenty of other challenges. So I think that we’re quite familiar with these kind of challenges that can be, but what would be a typical solution?
So first of all, in Azure Information Protection, basically, we’re looking at four main pillars. So the first one is all about discovery, how you can discover easily what is sensitive information is within your organization. We come up with a language that your end users are going to understand. On day to day, not everyone is fully security conscious. You have in your organization people from HR Department, Finance Department, Legal Department and so on. They all deal with sensitive data on a day-to-day. However, they are less security conscious, the new guys, and you need to provide them with the right tools of how they can easily label and classify those documents. So for that purpose, we came up with a very easy classification tool to use that your end users, even if they’re not technical at all, they can easily use it, and we’ll see that in a couple of minutes. Once the data is classified, you’d like to make sure that maybe other data, which is located in other locations in your service is also classified, so you might need to come up with some automatic tools to classify that data as well. So you classified all the data in your organization, and you would like to make sure that these data or at least the one which is highly confidential is protected. So we need also to provide you with some very easy tools to consume so you can protect your data. The most important piece, so after all your data is classified, some of that is protected, you’d like to be able to have full control and monitor what are the different actions that had been used by your users, how the data is being consumed, what kind of sensitive data is being consumed. Do they have the right access to access these sensitive data? Do you have control to know which kind of data has been basically cross the boundaries of your organization and how it’s been used outside? All right. So before we begin that, let’s start with understanding what is classification. Actually, what is the label?
So as a first action, we came up with the concept that allows you to classify documents using labels. So a label is basically a metadata. So each file in your organization now is going to contain this metadata, which is basically going to tell what is the classification of that document. Is it sensitive? Is it confidential? Is it highly confidential? Is it personal? So you can come up and define your own label taxonomy. So, for instance, some organizations simply have a very flat level taxonomy. We simply just want to be able to distinct a classified and unclassified documents. This is very easy. Others have a more complex requirements. They like to have multi-levels of classification. Also they’d like to take different actions. So, for instance, most of the documents in the organization are going to be sensitive, so you can simply just classify them with general. A smaller minority of documents should be also protected. So for that case, you need a different label, which is going to include protection as well.

Also you might be interested to restrict the data from different users. So, for instance, if you have users or part of the financial team, they should have their own label. So they can label documents with that specific label of confidential financial data, making sure that people who are not part of this organization or not part of this team should not be able to consume that.

Let me show you how it actually works. So I’ll start with a very easy example. Let’s just create a Word document. All right. So I’d like to start by creating a document. This is a new contract, and here we go. Let’s just save it somewhere. All right. So now I’m an information worker, I just created a document, and I’m less security aware as you might expect me to be, but I know that you’ve been running all kind of education sessions within your organization and you told me that I have to classify all my documents with a certain label. So first of all, what you have here is this is the toolbar when you can actually set the sensitivity of your documents. So if you’re end-user, you do not have to think that much about security, you simply just know that you’re currently working on something which is sensitive or a bit sensitive, you can go and choose the security level or the sensitivity level of that document very easily. I would like now to show you another example. Let’s say that I’d like to take some sensitive information from my previous contracts. So here I have some PII data, personally identifiable data, which contains some Netherlands citizenship, service number, and I have some Belgium number, UK driving license number, and so on. So I’m going simply just to copy that. Here’s the new contract that I’m working on, and I’m simply just going to paste that into that contracts. Look what happens, as soon as I just pasted this and saved it, I got a pop-up saying, “Hey, it is recommended that your document should be classified as confidential.” Why?
Because you have these sensitive PII data within your organization. Quite cool. You can totally do that behind the scene. Your end-users shouldn’t be aware about security, although you can come up with predefined rules and give them the recommendation whenever you detected that the information contains those sensitive information types. Let me create a new document, and let’s call it just Test2. This is yet another document. But what if, for example, I’m going to copy highly confidential data? For instance, here’s a document which contains credit card numbers. So I’m simply just going to copy those credit card numbers into that document. Now, you may come up with a policy and saying, okay, it is okay that users might use some sensitive data and I’ll give it up to them to choose if whether they like to classify it or not. But whenever a document contains credit card numbers, now this is part of a regulation, you have to classify those documents. Due to PCI regulations, you have to classify this document as highly confidential. So I’m just going to save it and look what happens. I no longer get this popup saying, “Hey, would you like to choose to set it as confidential?” No. That document was automatically classified as highly confidential only because I pasted these information of credit card numbers. Also look it up, I got watermarks here saying this document is highly confidential, I got the header and I got a footer, and basically, I can fully configure what’s going to be the look and feel whenever I have these sensitive information within my document. So this is still old news. This is like 2016, early 2017. So we’re keeping up. Anyone who had no clue about what Azure Information Protection is, now understand what Azure Information Protection is. From the rest of these presentation, we are going to see some of the latest and greatest of Azure Information Protection as part of Microsoft information protection. This is the end user experience. So as you see, this is really easy that you can come up and set a label, you can override the label, for instance, if I was wrong. We heard the case of a false positive when we accidentally identified just a serial number of equipment as credit card numbers, so you can go and override it if you need to.

Let’s go back to our deck. So the main challenge that we mentioned earlier is about data discovery. So we understand how we can discover data on end points. Basically, we let our end-users to classify the data for us. But on a large scale, we need some other tools, more powerful tools that we can classify documents in a bulk. So for that purpose, if you have plenty of data which is on-prem, we came up with a tool called the Azure Information Protection scanner. The AIP scanner allows you to scan a file repositories and to set this classification automatically for you based on kind of all set of rules and conditions that you can predefine. For instance, whenever you find credit card numbers classified as highly confidential, whenever you find PII data classified as confidential, and so on. We also have the ability to do the classification on the devices by the end users, and we have another layer for the Cloud with the Microsoft Cloud Access Security Broker solution which helps you classify documents which resides on O365, or on SharePoint, or in any other third-party solution who integrates with Microsoft information protection, and we’ll see number of examples of that shortly.

Now, I’d like to show you to switch from the end user experience for your information workers to the admin experience. How you can actually control what’s going to be the label taxonomy within your organization. I showed you an example with different labels is personal, general, confidential, highly confidential, but you can create obviously any type of labels that you choose. So in order to
do that, first of all you have to go to the O365 Security and Compliance Center. So under O365, you’ll have to go to classification and under that you have here labels. From this section, you can basically set the label taxonomy of your organization. For those of you who are familiar with Azure Information Protection, so you had exactly the similar experience here from Azure portal, and let me just enlarge it a bit, when we’re creating your label taxonomy. Now basically, we migrated all these label taxonomy from Azure into O365. The reason is that we basically expanded the coverage of consuming those Information Protection labels not only for endpoints you are using or using it from their Office applications but also across various Microsoft products. So we’re looking at having discoverability in O365, on Exchange, on SharePoints, on Teams. As we will see, there are going to be other third parties who are going to use that as well.

So let’s switch back to the Security and Compliance Center. So currently, I have a predefined list of labels that I already created, this is the default set of labels. So whenever you start from scratch deploying Azure Information Protection in your organization, you are going to have that list. If you’d like to create an additional label, so what you have to do here, let’s call it Confidential Finance, put your description here just to keep it the same toolkit. Now I can decide if I’d like to apply for encryption yes or no. Of course, this is for the financial team. I’d like to apply protection. Now I can choose if I’d like to apply it on files, on e-mails, on both. So in that case, I’d like to keep it both. I can also choose which users in my organization should be able to use it. In that case I’m going to choose users from specific group. I can just type here finance, and see that I already have two groups which belong to the financial teams. I’m going to add them. I’m going to do that really quickly for now just that you get idea. Here I can define content marking. As we’ve seen in the previous example, you can set the watermarks, the header and footer fully supported from the Security Compliance Center, you can customize the message of course. Just put it here confidential, and save. You can set an endpoint data loss prevention policy. Let’s keep it for now. You can also dictate if this is going to be applicable for SharePoint sites and groups. You can create rules. Just as we have seen earlier, whenever certain condition happens, you’d like to automatically classify that label. How you can create those rules, very easily. So what do you have to do is simply just choose a condition. So, for example, whenever I have a content that contains sensitive information type, and I can choose from almost 100 different information types of interests. So, for instance, I’m just going to type your EU, and you’ll see that I can choose from or that I have a variety of sensitive information types specifically for GDPR for the European Union, such as debit cards, driving licenses, and so on. From the same menu exactly, you can choose also credit card numbers, social security numbers, or any other PII financial or health information type of interests. This can go even more complicated if you’d like to choose all kind of settings. For example, how many instances of the same occurrence is required in order to trigger it to fire the rule? What is the confidence level that is required?
Finally, you simply just create the policy. Now we have a new label which is called finance confidential, and I can apply it for specific users within my organization. So only them are going to be the ones who are going to consume that label. Now what you can do with your labels, so it’s not only about creating those labels, but it’s all about creating the enforcements of what you can do with that label. So I’m going to show you an example. Needs better Internet probably. So I’m going to show you an example. I’m going to go into the data loss prevention section. Here, I already created the policy. So you can see various policies around, where it’s coming, it says connected. So in the data loss prevention policies section, you can basically create various policies of interest in your organization. For example, in what cases would like to apply a label? In what cases you’d like to take an action on that label? So for instance, whenever the data leaves the boundaries of your organization, you should do that. For some reason, it’s not loaded, but I already created the policy, so actually it’s going to show you the impact of that policy. So let’s go to my Outlook. I’m user Adele, and basically I’d like to create now a new document. Okay. Let’s call it, Some docs with credit cards and numbers. Okay. I’m going now to attach a document. Okay. This is the same document that we’ve seen earlier, which is basically nothing except that we have some patterns that match credit card numbers. So far, everything is legit. I might be sending these document internally, so there’s nothing wrong about that. But now I’m going to send it to a Gmail account. Okay.
Look what happens. Basically, for those of you who are sitting behind, it’s going to be a bit difficult to tell what happens, so I’m going to resize it a bit. But I got the policy tip. That policy tip tells me, “Hey, this message appears to contain sensitive information.” Clicking on “Learn More”, I can see that I’d been sending a document which contains sensitive information, which contains credit card number to somebody who’s outside the boundaries of my organization. All right. I can do something with that. A legit normal user would basically stop here. But let’s say that I still like to send that e-mail. You think that it went through?

No, I just got now some notification saying, “Hey message was blocked.” All right. Why it was blocked? Here’s the actual attachment. Here’s the actual content of my mail, and I can see that it conflicts with my organization policy. It also contains some European debit card numbers, and so on. If I actually switch now to the data admin view, I’m starting to get all these alerts. Let’s go here. Okay. It’s here under “Other”. Okay. I got all warnings here that basically say that something went wrong, and I can go there and actually go directly to the “Alerts” section, and under the “Alerts” dashboards, I can view the alerts and see that there was some issue here with sensitive data exfiltration. The reason why it could detect that is by simply by giving me the option to create those policies using the sensitive information that we’ve just used. All right. The beauty of this solution is that it can live totally transparent within your organization, so whenever your information workers are just doing legit work, nothing is going to happen. You’d like to have the minimum intrusive way to stop them from doing what they should do, but whenever something that they are doing is violating one of the rules, you can easily monitor that, track that, and also set an alert or actually block that action from happening. All right. Okay.
So we’ve seen the user experience, we’ve seen the admin experience. Now, what I’d like to show you, this was released quite recently, is the ability to have the same functionality also across multiple platforms. So far, you could do it only on Office applications running on Windows. Two months ago, we released the exactly the same functionality, also for Office apps running on Mac. So for instance, this is a screenshot taken for Mac. You can see the same label taxonomy here right on top, where you can choose the label of interest. This is a screenshot from an Excel spreadsheets running on Mac. This is from Outlook. This one is from iOS, it was released very recently as well on a PowerPoint running on iOS. This one is Outlook running on iOS, this was not released yet, this is still in preview, will be coming out as general availability during later this year, same goes for Android. So the beauty is that no matter which platform are you using running Office, you can get all the benefits of label classification on your applications.

But the vision doesn’t stop here. So we understood why is it so important having it on Office applications but now look deeper. So we’re basically what we’ve done with Microsoft information protection is that we enhanced the capability to consume these labels now across various products within Microsoft. So we have it for SharePoint, we have it from Windows Defender ATP, we have it from the Microsoft Cloud Access Security Broker, we have it as part of the integration with Office 365, and we have it for Windows Information Protection, and all kind of different products now can easily consume the information protection taxonomy. You can use the same policies that you defined under the Security and Compliance Center and can actually take actions, so this is really, really powerful. I’d like to show you another example now of how this is done on Windows 10 endpoints. So basically, with Windows Defender ATP, Windows Defender ATP has announced public preview of
using Microsoft Information Protection SDK. What does it mean is that whenever you have an endpoint which is running Windows Defender, they are also protected with information protection, and they can actually also take the power of Windows Information Protection, which is called in short WIP. So for instance, if you have a sensitive information, and you have Windows Defender ATP enabled on that endpoints, whenever you copy that sensitive information, and that document is labeled as sensitive information, and you, for instance, paste it to your Twitter account, or you simply just copy it and paste that file into USB cards, your Windows Defender ATP can actually block it in real time. So it actually leverages the power of the Microsoft Information Protection labels, and they can take actions automatically just due to the fact that that document was classified. So this is really really powerful solution, currently in public preview, will be GA later this year. Here’s an example when you simply just copied the document, open a Gmail account, dragged it into your Gmail account, and Windows Information Protection can actually block it right away, just because it contains sensitive information. All right. So that was an example of how you can use it from your endpoints.

I’d like now to show you, basically, I’m sure that all of you are using mail applications in order to send and share documents within your peers. But what would happen if you’d like to share a sensitive information we serve on outside your organization? For instance, you are a bank, and you’d like to share sensitive information with your customers, you’re a health institute and you’d like to share health information with your customers as well. We’d like to give you a very easy way to use and to share legit sensitive data with your users, making sure that they’ll be able to consume it even if they’re not using Microsoft solution. Let’s go back to our example. Okay. Here is again my Outlook. Now I’d like to share a document. Let me share it with John again. I’m going to choose John. I’m going to choose the Gmail account of John, and let’s call it, PR announcements, and say “Hi, John. Here is our PR announcement.” All right. Okay, never mind. You’ve got it. “Please review.” I’m simply just going now to attach a document. On my desktop.
Here we go. But I’d like to make sure because this is extremely sensitive. It’s not confidential. It’s extremely sensitive. I want to make sure that this document is going to be protected. So only John is the person who can actually consume that document. So we integrated a button here which called “Protect”, and from this button, you can choose what level of protection you would like to apply. By default, it’s called “Do not forward”. So that means that John is going to receive that document, but John wouldn’t be able to forward it or to copy it or to print it. Maybe this is a bit restrict. Maybe I’d like to change his permission and simply just encrypt it. So I just chose “Encrypt”. That means that the document can be consumed only by John. Nobody else can consume it. But once the document has been opened, John would be able to do with that document whatever he wants to. I’m going to send it now. All right. Document is sent. Now let’s go to John’s inbox. Okay. Not there yet. Let me try it. Here we go. Just received an e-mail from Adele with the title ‘PR announcements’. Look, I’m here at Gmail. All right. Gmail is not aware of Microsoft Information Protection. Actually, they are fully aware of Microsoft Information Protection, but they do not want to integrate with Microsoft Information Protection as you might imagine. So what you can do? Can John still consume my sensitive data? You’ll find out in a second. So I’m going to open that document, and we’ll see, hey, we just identified that there is a document which contains protected information. Obviously, you can brand it with the colors or text of your choice for your organization. Also there is an attachment here. That attachment is .rpmsg. This is a protected document. So if I’d like to consume it from my Gmail account, what do I have to do? Simply just clicking on this button here, and that would basically take me into Microsoft Information Protection portal directly. I have to sign in with my Google credentials. I’ve done it just before this session, so probably it’s going to remember them from my cookies. Here we go. We got the e-mail content here, and I got the attachment, which is protected. Can I consume it? In order to consume it, again, I do not have any protection tools on John’s device. So simply just going to click on it, and that one is also going to be opened from Microsoft Information Protection portal. Here we go. I can actually see the full details of my PR. You find it cool? You are quiet. >> It looks like a phishing. >> Excuse me? >> It looks like a phishing e-mail. >> Phishing e-mail? All right. This is all about PR announcements. There are bit phishing in a sense. Okay. So we’ve seen an example of how you can send information, how you can protect information from various ways.

Now I’d like to show you, we mentioned earlier that the same label taxonomy can also be used by other products of Microsoft. So, for instance, if you’d like to classify documents which resides on Salesforce, on Box, on Dropbox, and so on, for that purpose, you need the Microsoft Cloud Access Security Broker. So far, the MCAS solution wasn’t aware of Microsoft Information Protection labels. Now they’re fully aware. So, for instance, let me enlarge it again. So whenever you create a rule, for example, of exporting data into Box and allowing MCAS solution to classify documents on Box, now they can create a rule for certain conditions what kind of label would you like to apply. Okay. This one, I’m going to show you later on as part of the demo. But the beauty of this solution doesn’t stop here. So obviously you would expect that Microsoft products would be speaking the same language, but what would happen with other third parties?
We’ve been integrating with various products and various vendors, for example, with the top leader DLP vendors out there. So we have Forcepoint, we have Digital Guardian, we have McAfee, we have Varonis. All of them are fully aware of Microsoft Information Protection, and that means that they can actually take an action whenever the detected document which is protected. If you’ll be putting one of those DLP solutions on a gateway, for instance, and one of your end users would be sending a document which is fully protected through their gateways, they’ll be able to open that document, inspect the content of that document and then take actions based on that content. So we really help them empower their own solutions by being fully aware of what Microsoft Information Protection is and by letting them also to classify documents. So any of the solution, any of the vendors that you see here, and we are currently integrating with a work-in-progress to integrate into Microsoft Information Protection, are fully aware of the Information Protection taxonomy and can apply labels automatically as well. A very nice example is an integration that we just announced very recently is about Adobe Acrobat. Adobe Acrobat also would like to be able to consume Information Protection labels and to apply certain protection. Remember, the PR document that we’ve just seen that one of you here said that this is a bit phishy. Let me open this document and here’s the PR announcement. Let me just open it now with my browser to be more aggressive. I just get this message saying “Hey, this is protected but cannot be consumed.” Why? Because my browser is not fully integrated with Information Protection yet. However, if I’m going now to try and open it with Adobe Acrobat, let’s see what happen.
Here we go. Adobe Acrobat easily opened my document, and actually if I’m going to click here on this icon, I can get more details about the protection of the document. So I can see that it’s been protected by Azure Information Protection.

Here, I can also get information about what kind of protection was applied. I’m now allowed to do printing, I’m now allowed to copy the document, I’m now allowed to share it with others, and so on. This is really powerful. I hope you’ll find it useful in your organization as well, and as we continue our work, we are going to expand this integration with more and more vendors. In fact, already today we have more than 50 different security vendors who are currently integrating with Microsoft Information Protection or are about to release a GA version of their product very, very soon. If we have here in this audience vendors from other companies who would like to integrate, please talk to me after this session. I’ll give you-all the details that you need. This is really, really easy. In fact, you can also search on Bing or in Google or any search engine of your choice for Microsoft Information Protection SDK, and you’ll get the full information of what’s required in order to consume the Information Protection taxonomy. All right. So, so far we’ve seen various aspects of information protection, how we can be consumed by your users, how we can be automatically classified by Microsoft, how it can be automatically classified by any of our vendors. But the most important part in my opinion, maybe because I’m the [inaudible] who is in charge of this, is how you can actually monitor those actions, how you can tell where the sensitive information is within your organization. So let me switch into Azure Information Protection Analytics. Is there anyone in this room who’s using Azure Information Analytics? No one? All right. So I really hope that after this session you’ll start using it. Let me show you what is it about. So we’ll start with the Landing Page. Okay. Can you see that at the back? Yes? All good? Excellent.
All right. So first of all the Landing Page of Azure Information Protection and gives you a high-level view of how documents are being consumed and used within your organization. You not going to be too many numbers because this is my personal my lab, but you can imagine how this environment looks like in a live environment, and I can tell you it’s really really busy. So for instance, you can see how many documents have been labeled within your organization. How many of them have been protected? How many users are using Information Protection from our many different devices? It also gives you a nice breakdown of what is the label taxonomy, how many documents your end users are using, and classify them as “General”, as “Confidential”, as “Highly Confidential”, by which applications? Do they apply it from Outlook, from Word, or from Excel? How frequently they are being used? But so far this is quite basic. This is just the high level view of how your product is being used and consumed within the organization. Let’s take a look at a more interesting and more deeper view. So for that purpose, we have the “Activity Logs” blade. The Activity Logs give you a true power of understanding what kind of sensitive information is out there and by who it’s being consumed. So for instance, I can choose, I can slice and dice this view for a specific or a particular user, by a particular file name, for a specific activity, by labels of interests are devices or certain applications, also risk. So for instance, let’s take a look at what kind of actions have been used by your user, my user, Candy. Simply just going to type here the name, and I can see that Candy is basically, let me enlarge it a bit, so you can also see that. Here are the different actions. I can see which files Candy has accessed. I can see which files she actually managed their sensitivity. In that case, she upgraded those documents. I can actually filter it and let’s search for [inaudible] labeled downgrades because that might
be a bit suspicious. To identify files which used to contain, which used to be labeled as highly confidential and now they are not. So I can see that here is an example of a document called “Vendor Data”, might be a suspicious activity and that currently, that document is no longer classified as confidential. Let’s take a look at another example. I can choose specific activities only in interests by an actual application. So let’s take a look at what my AIP Scanner came up with, I run Azure Information Protection scanner for automatic classifications.

Now, I have here the old different files that my scanner found. Clicking on a document would basically give you all kinds of information about the document itself, where it is located, who is the user, who’ve been using this document, the actual path of that document. I just actually want to give you another example, which is going to be more interesting. Hold on. Okay. So let’s just take a look at the actions by my scanner and pick that one for example. So after running my Azure Information Protection Scanner, I can not only tell what the document name is, but I can actually have a deeper inspection into what kind of sensitive information that document contains. So for instance, this document here, AIP Scanner identified that it contains credit card numbers. It contains German driver license and in other parts of EU GDPR data as well. So that basically would help you take that button of saying, “Hey, now I know where my GDPR information is.” In fact, you can even configure AIP Scanner not only to tell you what kind of information types it contains, but actually tell you the actual contents. So for privacy reasons, this box is disabled by default. So only for those of you who are interested to have this information, you’ll have to check that box and say, “Okay. We are fully aware of what does it means.” But what it means after you check that box is that now if you open the credit card number, piece, you’ll actually be able to see the actual credit card numbers in those documents. You can search for specific users and to know what kind of data they have been consuming into that specific level. Last but not least, so we’ve seen the activity blade. This is more like an investigation tool that you can search for specific activity by specific user or specific device. But what if now you’re CISO, and you’d like to have an overview of where your sensitive data resides within your organization? So for that purpose, we develop the “Data Discovery” blade. Clicking on “Data Discovery” gives
you a posture of what kind of labels do you have within your organization and what kind of sensitive information they contain. So you know exactly how many documents within your organization contain credit card numbers, European GDPR data, and so on, and you can also tell where they reside. So for instance, if I’m going to filter now my information here and choose for instance, let’s take a look only at credit card numbers. Okay, and run that filter. Now, I can find all the file repositories in my organization that contains credit card numbers. You’d like to look at the specific files very easily. Simply just clicking on that, and now you get the full list of files which were identified that contains credit card numbers. Let me show you another example. I’m sure that this happened to many of you at least once. You have your usernames and passwords and in order not to forget them, you just paste it into Word document, and saved it somewhere. Because you knew that you are going to use it just for the next day or so, and delete that document. Let you tell me you-all, 99 percent, I would say even more than that, but I’ll try to be not that strict. In vast majority of the cases, that document would remain there, with the username and password over there, and that means that if accidentally you copy that document and put it in “Open Share”, somebody else would be able to access that document. Let’s see an example, so we integrated credential scanning capabilities into Data Discovery, and now if I’m going to choose each one of those, we started with those ones which are related to relevant to Azure, but we are going to expand it into the ability to be able to identify usernames and passwords in general. Let me filter that. Now, I can see locations. Actually, I have one file repository, which seems to contain one of those sensitive information types of interest, which might contain sensitive credentials. So opening this one here, I can simply just click on that one, and I can see that that
document was identified as it contains Publish Setting Password and Azure DocumentDB Auth Keys. Here you can actually get the keys. The power of this tool is that not only by generating those alerts, but now you as Data Admins can basically

or periodically run these reports, identify the data owners, and warn them and say, “Hey, we just identified that under your file repository, here are the different files which contains credit card numbers, and you should take care of them.” I’ll tell you that by running it at Microsoft, we’re basically giving exactly the same tool before giving you to do, we’re using Microsoft does a lab obviously, and we were running that on our public shares. We found some very very sensitive information with usernames and passwords on some documents and due to that tool we were really able to revoke it. So my bet is that if you run it in your organization, you’ll be surprised what kind of sensitive information you can find. >> Can we ask some questions? >> Sure. >> [inaudible] >> Can you please repeat that? >> [inaudible] credit cards, are they also logged? >> Yes. So currently those actions are logged from Security and Compliance Center. Okay? If you’re asking specifically about the actions that you see from this view here, these ones are still not logged. Okay? So all the actions that you are doing from the Security Compliance Center are logged under Office. The ones that you have just conducted here are, actually what I said is partially true. It’s currently logged as, we know what the action is, but currently we haven’t opened it yet to customers to consume. But this is coming on our roadmap in order to also show you what kind of user, what kind of data have been exposed to reach Admin. Last thing that I like to show you. Any more questions by the way about the monitoring capabilities that I just showed you before we jump to the next topic, to the last topic in fact?
>> [inaudible] >> Very good question. So actually that would bring us to the next slide. Currently OCR capabilities are not supported yet, however, this is coming in the near future. This is definitely on our horizon and we’d like to be able to detect data also from images and make it fully available from the data discovery. So I’ll start with what’s been released so far and what’s coming next. So we’ve seen unified labeling, how you can create information protection from Security and Compliance Center, we’ve seen the native labeling support, we’ve seen the Information Protection SDK that would help you, as security vendors or not, we’re working externally but still would like to consume the information protection data to take it. We’ve seen the examples with Adobe and we’ve seen how you can basically identify GDPR data by using the tools that we have today. On our horizon, you asked about OCR capabilities, absolutely there are some additional capabilities that we’d like to add to Security and Compliance Center in order to be fully compatible with the Azure Information Protection solution. We’re working on releasing information protection on more products, for instance SharePoint Online today is still unaware of the Information Protection labels. There is a work in progress there, there are preview available. It will be GA later on. We’re going to expand more the DLP story and giving you a greater DLP solution also to your Office applications. Similarly to the example that I just showed you from Outlook, you’ll be able to do the same from your Word applications running on the end points. Finally we are going to give you those capabilities also around data discovery on specific files with specific labels from SharePoint OneDrive and so on. So this is about it. This is the content that I wanted to cover with you. Let’s have some open questions. Yes please. >> [inaudible] >> Can you please repeat it louder? >> [inaudible] >> Yes.
So very good question. So the question was, is it possible to add or create more information types, custom information types of interests? So the systems come predefined with nearly hundreds predefined information types. If you’d like to create your own custom information types, for instance, you’re working on a top secret project which you call it project X and we’d like to automatically be able to identify those specific keywords,

you can create your own Regex expression and be able to tag that way. >> [inaudible] >> Okay. So currently, for end-users, the main assumption is that information workers are less security conscious than you as an admin. So we come up with the ability to create those predefined labels. We do not let you as an end user as information worker to create that on the fly. If you have a request that you’d like to create like a new label, so you’ll have to contact your admin and ask the admin to create it for you. The reason for it or the rationale behind this decision is that, in order to make those labels effective, you do not want to let your information worker just to create labels, because that means that they are not going to be attached to any DLP rule yet. So there is one person, the admin who basically attach those labels into rules and you’re in charge of making sure that all the ones which are created and classified as confidential can actually also take actions on that. >> Thank you very much. >> You’re welcome. >> So I scan and label existing data? >> Yes.
So the example that we have seen earlier with Azure Information Protection scanner basically allows you to scan file repositories. That means that any file repository you choose is type SharePoint’s, on-prem for instance, or any file repository which can be accessed via CIFS, actually I can show it to you. Let me jump here. So here’s the configuration screen of the AIP scanner. So from the configuration screen, I created here a profile. You can create a number of profiles and you can actually dictate what are the locations, what are default repositories of interests that you’d like to scan. So you simply just create a repository here. Here these are the different paths. You can create a new repository, you can actually dictate if you’d like to scan this repository and only as in discovery mode, meaning that it will not classify the documents, but simply just let you know in the discovery screen, hey, I just found those locations and here is the sensitive information that we detected or you can run it in the Enforce Mode and actually classify and assign a label to those documents. You’re welcome. >> [inaudible] >> Great question. Okay. So regarding the licensing piece, we opened Azure Information Protection scanner in discovery mode also for the Light License for the Azure Information Protection P1 or for the EMS E3. So you do not need any premium capabilities in order to run your scanner in discovery mode and to go to the Discovery screen into identify where your sensitive data resides. However, if you’d like to classify it and you’d like to automatically classify it, so any automatic classifications would require the Premium license. If you are doing that manually, if your end-users would like to classify it manually, they can do that with the E3 license. If you’d like the scanner to classify automatically, this is a powerful solution that requires the E5 license.
Yes please. >> [inaudible] >> If you are using Windows Defender ATP, it doesn’t break the Azure information product. >> For example, [inaudible] >> Okay. Great question. The question was if Windows Defender ATP, if it’s running on an endpoint which is also using Azure Information Protection, will it break? So we designed it that way that they are fully aware of each other. The Windows Defender ATP would be able to consume the information protection labels and basically to send in events, while Azure Information Protection would be running on the same endpoints giving your end user the ability to classify documents manually. All right guys. Thank you very much. [MUSIC]