Microsoft provides the most complete set of capabilities to protect your corporate assets. This model helps organizations take a methodical approach to information protection.

Three levels
This is a good starting point if your organization doesn't already have defined standards. Some information protection capabilities apply broadly and can be used to set a higher minimum standard for protecting all data. Other capabilities can be targeted to specific data sets for protecting sensitive data and HVAs.
1 Establish information protection priorities

The first step of protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.

Example

Capability grid
Use this grid of information protection capabilities to plan your strategy for protecting data. Capabilities are categorized by protect scenario (row). Capabilities increase in control and protection as you move to the right: start at the left, and move right for more control and protection.
Legend (product that provides each capability): Office 365 (plan or standalone add-on); Windows 10; Enterprise Mobility + Security (EMS), which includes Azure Rights Management, Azure AD Premium, and Intune.

2 Allow collaboration and prevent leaks

Configure Office encryption settings in Outlook Web App
Control the way data is encrypted when Office applications are used: Access, Excel, OneNote, PowerPoint, Project, and Word.
Links: Encryption in Office 365

Use Azure Rights Management (RMS) with Office 365 to protect data from unauthorized access
Apply encryption, identity, and authorization policies. Configure templates to make it easy for users to apply policies.
Links: Azure Rights Management; Activate Rights Management (RMS) in the Office 365 admin center; Comparison of RMS Offerings; Blog: Welcome to Azure RMS

Train users to protect sensitive documents by using the RMS sharing application
Through the web, document owners can track activities such as recipients who open files, unauthorized users who are denied access, and the latest state of files. You can also view the geographical locations where files were accessed, and revoke access to a shared file.
Links: Rights Management application; Track and revoke your documents when you use the RMS sharing application; Document Tracking

Configure Data Loss Prevention (DLP) across Office 365 services and applications
Enforce policies and analyze how users adhere. Use built-in templates and customizable policies. Policies include transport rules, actions, and exceptions that you create. Inform mail senders that they are about to violate a policy. Set up policies for SharePoint Online and OneDrive for Business that automatically apply to Word, Excel, and PowerPoint 2016 applications.
Links: Overview of data loss prevention; Data loss prevention in Exchange Online

Control e-mail attachment handling
Set policies that determine how attachments are handled. For example, restrict access to documents from public networks. Or, block attachments from being synchronized to mobile devices.
Links: Public attachment handling in Exchange Online

Use Intune to manage applications on mobile devices and to apply policies to line-of-business applications
Manage applications on mobile devices regardless of whether the devices are enrolled for mobile device management. Deploy apps, including LOB apps. Restrict actions like copy, cut, paste, and save as, to only apps managed by Intune. Enable secure web browsing using the Intune Managed Browser App. Enforce PIN and encryption requirements, offline access time, and other policy settings.
Links: Configure and deploy mobile application management policies in the Microsoft Intune console; Intune Blog: Collaborate confidently using

Use the Intune App Wrapping Tool
Use this tool to manage your own applications on mobile devices with the Mobile Application Management policies.
Links: Configure and deploy mobile application management policies; Intune application partners

Use Azure Key Vault for line-of-business solutions that interact with Office 365
Encrypt keys and passwords using keys stored in hardware security modules (HSMs). Import or generate your keys in HSMs that are validated to FIPS 140-2 Level 2 standards so that your keys stay within the HSM boundary. Microsoft does not see or extract your keys. Monitor and audit key use. Use Azure Key Vault for workloads both on premises and cloud hosted.
Links: Azure Key Vault

Use SQL Server Always Encrypted for partner solutions using a SQL database
Protect sensitive data, such as credit card numbers or identification numbers, stored in Azure SQL Database or SQL Server databases. Clients encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). This provides separation between those who own the data (and can view it) and those who manage the data (but should have no access).
Links: Always Encrypted (Database Engine); Blog: SQL Server 2016 includes new advances that keep data safer
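The DLP capability above (policy tips that warn the sender, plus policies that apply across Exchange Online, SharePoint Online and OneDrive for Business) as an added example that is not part of the poster. It assumes an existing Security & Compliance Center PowerShell session (for example via Connect-IPPSSession); the policy and rule names are constructed placeholders.

```powershell
# Added example (not from the poster): one DLP policy scoped to all three
# workloads, a low-volume rule that only warns, and a high-volume rule that
# blocks external sharing and raises an incident report.
# Assumes a Security & Compliance Center PowerShell session is already open.

$policyName = "PCI-CardNumbers"   # constructed name

# 1. Scope the policy to Exchange, SharePoint and OneDrive. Start in test mode
#    so users see policy tips but nothing is blocked until the rules are tuned.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Low-volume rule: one to nine card numbers only warns the sender/owner
#    before the policy is violated (the "inform mail senders" behaviour).
New-DlpComplianceRule -Name "$policyName-warn" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; maxCount = "9" } `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content appears to contain payment card numbers. Sharing it outside the organization violates policy."

# 3. High-volume rule: ten or more numbers going to external recipients is
#    treated as a leak: block access, notify the owner, report to the site admin.
New-DlpComplianceRule -Name "$policyName-block" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "10" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title,Detections,Severity

# 4. Review what was created; switch the policy to Enable only after checking
#    the matches produced in test mode.
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Disabled, BlockAccess
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```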
3 (row title missing from the extracted page; cells are partial)

... capabilities. Configure settings for your organization's objectives.
Links: Overview of Advanced Security Management in Office 365

Links: Exchange Online Advanced Threat Protection (Features); Service Description (TechNet)

... disable an account. Built-in alerts scan user activities and evaluate risk against over 70 different indicators, including sign-in failures, administrator activity and inactive accounts.
Links: View your access and usage reports; Azure Active Directory Audit Report Events

... consuming the security audit feed. Office 365 includes basic reports. Azure Active Directory Premium includes advanced reports.
Links: Exchange auditing reports

... administrator changes, and regularly review configuration changes.
Links: Logging and Analyzing Azure Rights Management Usage

... two different geographic locations within the same timeframe. Or, detect a spike in the use of RMS-protected data at an unexpected time.

... trusted applications. Device Guard prevents tampering by users or malware that are running with administrative privileges.
Links: Device Guard overview (TechNet); Blog: What is Windows 10 Device Guard?

Monitor your on-premises identity infrastructure and synchronization services in the cloud
Links: Microsoft Advanced Threat Analytics (TechNet); Blog: Microsoft Advanced Threat Analytics; How it works (TechNet); Blog and video

Keep Windows PCs up to date with software updates in Microsoft Intune

4 Stay compliant

Monitor and manage external sharing in Office 365 and OneDrive for Business
Monitor or restrict sharing in SharePoint, OneDrive for Business, and Skype for Business. Set up External Sharing Policies with partners.
Links: Manage external sharing for your SharePoint Online environment

Use Message records management (MRM) in Exchange Online to manage email lifecycle and reduce legal risk
Keep messages needed to comply with company policy, government regulations, or legal needs, and remove content that has no legal or business value.
Links: Message records management

Use retention policies in SharePoint sites and documents
Compliance officers can apply policies that define when sites or documents are retained, expire, close, or are deleted.
Links: Retention in the Office 365 Compliance Center

Apply security restrictions in Exchange Online to protect messages
Require encryption, digitally sign messages, and monitor or restrict forwarding. Create partner connectors to apply a set of restrictions to messages exchanged with a partner organization or service provider.
Links: Encryption in Office 365; Set up connectors for secure mail flow with a partner organization; Set-RemoteDomain

Conduct eDiscovery in Office 365
Identify, preserve, search, analyze, and export email, documents, messages, and other types of content to investigate and meet legal obligations.
Links: eDiscovery in Office 365; Compliance Search in the Office 365 Compliance Center

Use Advanced eDiscovery to speed up the document review process
Perform analysis on discovered data by applying the text analytics, machine learning, and Relevance/predictive coding capabilities of Advanced eDiscovery. These capabilities help organizations quickly reduce the data set to the items that are most likely relevant to a specific case.
Links: Office 365 Advanced eDiscovery

Use data spillage features in Office 365
Search and remove leaked data in mailboxes, SharePoint Online sites, and OneDrive for Business.

Audit user and administrator actions in Office 365 for compliance
Use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 organization.
Links: Search the audit log in the Office 365 Security & Compliance Center

Retain inactive mailboxes in Exchange Online
Preserve former employees' email after they leave your organization. A mailbox becomes inactive when a Litigation Hold or an In-Place Hold is placed on the mailbox before the corresponding Office 365 user account is deleted. The contents of an inactive mailbox are preserved for the duration of the hold that was placed on the mailbox before it was made inactive.
Links: Manage inactive mailboxes in Exchange Online

5 Secure admin access

... naming convention to make them discoverable. Protect administrative identities and credentials by using workstations that are hardened for this purpose.
Links: Securing privileged access

... attackers are targeting these accounts and other elements of privileged access to rapidly gain access to targeted data and systems using credential theft attacks like Pass-the-Hash and Pass-the-Ticket.
Links: Securing Privileged Access

... organization's policy. Regularly monitor critical settings for unauthorized changes.

... administrator accounts that can be used in scenarios where federated access is not possible.

... permissions to ensure that a single administrator doesn't have greater access than necessary. Focus first on administrative control of the tenant and controls that allow broad access to data in the Office 365 tenant.
Links: Assigning admin roles in Office 365

... to resources in Azure AD and in other Microsoft services such as Office 365 or Microsoft Intune. Implement just-in-time elevation for privileged actions.
Links: Azure AD Privileged Identity Management

... administrator, investigate leaks, or verify that compliance requirements are being met.
Links: Exchange auditing reports; View the administrator audit log

... unexpected behavior or to verify that compliance requirements are met.

... can access your SharePoint Online, OneDrive for Business, or Exchange Online information. It gives you explicit control over access to your content. In a rare event where you need Microsoft support to resolve an issue, customer lockbox lets you control whether an engineer can access your data and for how long.
Links: Office 365 Customer Lockbox Requests

Test lab guides
... environment with Office 365 Enterprise E5, EMS, and Azure trial subscriptions. Look for the test lab guide (TLG) icon in the grid for capabilities that can be tested within these environments. Here's the current set:

Base configuration dev/test environment
  Simplified intranet in Azure IaaS to simulate an enterprise configuration
Office 365 dev/test environment
  Create an Office 365 E5 trial subscription
DirSync for your Office 365 dev/test environment
  Install and configure Azure AD Connect
Advanced Security Management for your Office 365 dev/test environment
  Create policies and monitor your environment
Advanced Threat Protection for your Office 365 dev/test environment
  Keep malware out of your email
Add an EMS trial subscription to your Office 365 trial environment
MAM policies for your Office 365 and EMS dev/test environment
  Create MAM policies for iOS and Android devices
Enroll iOS and Android devices in your Office 365 and EMS dev/test environment
  Enroll and manage these devices remotely
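The Exchange Online controls from the "Stay compliant" row (restricting forwarding with Set-RemoteDomain, a TLS-enforced partner connector, placing a hold before an account is deleted so the mailbox becomes inactive, and searching the unified audit log) as one added example that is not part of the poster. It assumes an Exchange Online PowerShell session (for example via Connect-ExchangeOnline); partner.example.com and the user address are constructed placeholders.

```powershell
# Added example (not from the poster): Exchange Online compliance controls.
# Assumes an Exchange Online PowerShell session is already open; domain and
# mailbox names are constructed placeholders.

# 1. Restrict forwarding: disable client-side auto-forwarding to every
#    external domain by default, then re-enable it only for one vetted partner.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-RemoteDomain -Name "Partner" -DomainName partner.example.com
Set-RemoteDomain -Identity Partner -AutoForwardEnabled $true

#    The remote-domain setting covers client rules; a mail flow rule also
#    rejects server-side auto-forwards of internal mail to external recipients.
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted."

# 2. Partner connector: mail to the partner must use TLS with a certificate
#    that matches the partner domain, so it is never sent in the clear.
New-OutboundConnector -Name "To partner.example.com" -ConnectorType Partner `
    -RecipientDomains partner.example.com -UseMXRecord $true `
    -TlsSettings DomainValidation -TlsDomain partner.example.com

# 3. Inactive mailbox: the hold has to exist BEFORE the user account is
#    deleted; deleting first purges the mailbox instead of retaining it.
Set-Mailbox -Identity "former.employee@example.com" `
    -LitigationHoldEnabled $true -LitigationHoldDuration 2555
#    Once the account is removed, the mailbox is listed here and stays searchable.
Get-Mailbox -InactiveMailboxOnly | Select-Object DisplayName, WhenSoftDeleted

# 4. Audit: who changed these controls in the last seven days? Exchange admin
#    cmdlet names are the Operations values recorded in the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations Set-RemoteDomain,New-OutboundConnector,New-TransportRule,Set-Mailbox `
    -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations
```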
September 2016 2016 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at ITSPdocs@microsoft.com.