Securing the Microsoft Cloud and complying with GDPR
As a technology consultant, it would be normal for me to take any given technology problem and work backwards to the business problem that we are trying to solve, before discussing technology solutions. All architectural frameworks drill this in to us for very good reasons. However, with GDPR, we know that every IT vendor in the world is starting from the changes that GDPR introduces, and each vendor will draw some arrows from their offerings to those “solutions”.
It’s fair to say that some of these relationships have been tenuous, overblown, distorted, or simply insufficient, and the echo chamber is a deafening cacophony of GDPR FUD. Everyone agrees that GDPR is a compelling event, but how can we translate the specific Data Protection obligations that will be enforced next May to the technology selection decisions that will support compliance?
Ultimately, for us at Content and Code, this means we keep doing exactly what we have been doing, but first we need to understand which GDPR obligations are meaningful for each organisation. We will return to that, but what are these things we’re already doing?
Microsoft Cloud Security Technologies
At Content and Code, we have spent the last seven years adapting our expertise in on-premises Microsoft productivity, communications and collaboration technologies to the newer online variants.
These projects were always underpinned by an Identity and Access Management layer, which supports the synchronisation of users, groups and other directory objects to the Microsoft Online Services Identity Platform (now known as Azure Active Directory), and the security/usability considerations that come with the Single Sign-On question.
For the first few years of Office 365 we typically helped our clients design, build and operate DirSync and AD FS. Later, we helped our clients choose between DirSync, AADSync and AAD Connect, and understand whether they needed AD FS over Password Hash Sync. Now, we also help our clients understand how these technologies relate to Seamless Sign-On and Modern Authentication, and how this all comes together in Conditional Access Policies. Beyond these foundational capabilities, we also help our clients enhance security with Multi-Factor Authentication (MFA), protect portable data with Rights Management protections, define device compliance policies and much more.
We have a new toolkit in the Azure AD Identity Control Plane, which extends to the related Enterprise Mobility and Security (EM+S) technologies. Cloud technologies often work in ways that on-premises technologists would not expect, and which adapt at a rate that few can follow, so we have invested heavily in creating a standard, repeatable set of consultancy offerings that align to these new technologies.
What GDPR means to a Citizen
So, what does all of this have to do with GDPR? Ultimately, GDPR does not create new technology problems. GDPR creates firm requirements to adopt a mature security posture; GDPR creates a concrete, financially-driven motivation for an organisation to protect personal data. As a citizen of the EU, these protections are good for me and my loved-ones. I can find out if an organisation holds my data and I can compel them to delete it if I don’t trust them. I can compel them to give me my data if I want to move it somewhere else.
In recent years, we have seen too many examples of organisations treating personal data with trivially-defeasible protections. The law had to adapt. The penalties for failing the people who entrusted their data to these organisations have been inconsistent and in some cases the repercussions for the people whose data have been breached could last a lifetime.
“I can get a random Kid Connect account, look through the dump, link them to their circle of friends, and the parent who registered at Learning Lodge [VTech’s app store],” the hacker told Motherboard. “I have the personal information of the parent and the profile pictures, emails, [Kid Connect] passwords, nicknames…of everyone in their Kid Connect contacts list.”
Given that there is a predatory market for this sort of information, this should be deeply concerning. This is one of many examples where our data are not protected with the rigor that we should expect. GDPR updates 22 year-old policy for globalisation, mobility and a new threat landscape, introducing new obligations for those who hold our data. An untrustworthy party could purchase a company I previously trusted. Now I have the legal tools to regain control of what is rightfully mine, and the ability to import it to a new, more trustworthy custodian.
Outside of our roles as technologists, we must remember that GDPR is good for me and you (as ordinary people).
What GDPR means to a Data Controller or Data Processor
The EU GDPR introduces fundamental changes to the obligations of an organisation that controls or processes personal data. Clearly these changes are new burdens to be met, but they are also an opportunity to improve security maturity. Many IT functions have sought to adopt mature controls but have lacked the resources or support from their business to make this a reality. GDPR now makes this compulsory with the following changes:
- Territory: GDPR grants EU citizens the right to expect the same privacy protections irrespective of where their data are held. In other words, it doesn’t matter whether your organisation operates in the EU; you still need to comply if you hold EU citizens’ data.
- Penalties: fines of 2% of annual global turnover or €10 million (whichever is greater) can be imposed for minor GDPR infractions or 4% of annual global turnover or €20 million (whichever is greater) for “serious infringements”, including violations of Privacy by Design.
- Consent: Terms and Conditions need to be presented in an intelligible/accessible format, and it must be “easy” to withdraw consent.
All of this is built upon these expanded Data Subject Rights:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
The minutiae of these Data Subject Rights quickly drift beyond what we can cover in this article. These are the things an EU citizen can expect of an organisation that holds their data. A GDPR assessment is concerned with how an organisation will satisfy the demands of people exercising these rights.
Microsoft and other organisations have already put forward a great deal of information to help an organisation prepare for these new demands, but it is unlikely that any one organisation will hold all the answers for GDPR compliance. Each technology vendor will have a story to tell. It may be a story about how your current use of their technology can be adapted to these new rights, or about how their technology supports security capabilities that need to be introduced to become compliant. In Microsoft’s case, they have released a helpful whitepaper which illustrates many of the benefits of EM+S technologies in support of GDPR compliance.
Microsoft also puts forward a model for becoming compliant.
As far as Microsoft technology and Microsoft partner expertise are concerned, the Microsoft GDPR compliance toolkit already exists in EM+S and related technologies. As a partner that has built skill in this space, we are adapting what we already do to accept GDPR obligations as an input to our proven ways of working.
What GDPR means to an IT Function
More often than not, the IT Functions we work with will not be responsible for commerce systems, which would often be the primary home of personal data. However, personal data can be held in many places, and, equally importantly, the IT Function needs to be able to control the accidental flow of this information into its systems. For instance, Office 365 Data Loss Prevention (DLP) provides detection and remediation capabilities for “Sensitive Information Types” such as credit card numbers and national identity numbers, allowing an administrator to forbid users from sending or storing this information.
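To make the DLP idea concrete, here is an added example, written for this article rather than taken from Office 365 or any Microsoft product, of how a sensitive information type is typically detected: a pattern proposes candidates, a checksum (the Luhn algorithm used by payment cards) confirms them so that order numbers and other digit runs are not flagged, and findings are masked before they reach a log. The sample documents are constructed, the UK National Insurance number format is a simplified version, and the “Block/Allow” policy is a hypothetical stand-in for a real DLP rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample documents for illustration only; none of these values
# belong to a real person or account.
SAMPLE_DOCS: Dict[str, str] = {
    "expense-report.txt": "Paid with card 4539 1488 0343 6467 on 12/03, receipt attached.",
    "hr-new-starter.txt": "New starter NI number AB 12 34 56 C, please set up payroll.",
    "meeting-notes.txt": "Order reference 1234 5678 9012 3456 is ready for dispatch.",
}

# Candidate patterns. A card number candidate is 13-16 digits with optional
# single space/hyphen separators; a UK National Insurance number is two
# letters, six digits and a final letter A-D (simplified form, an assumption
# made for this example rather than the full HMRC validation rules).
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
UK_NINO = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


@dataclass(frozen=True)
class Finding:
    info_type: str   # name of the sensitive information type that matched
    masked: str      # redacted value that is safe to show in an audit log


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so findings can be logged safely."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_text(text: str) -> List[Finding]:
    """Return the sensitive information type matches found in one document."""
    findings: List[Finding] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only checksum-valid candidates are reported; a plain run of digits
        # that fails Luhn is far more likely to be an order or ticket number.
        if luhn_valid(digits):
            findings.append(Finding("CreditCardNumber", mask(digits)))
    for m in UK_NINO.finditer(text):
        compact = m.group(0).replace(" ", "")
        findings.append(Finding("UKNationalInsuranceNumber", mask(compact, keep=1)))
    return findings


def scan_documents(docs: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan every document and return findings keyed by document name."""
    return {name: scan_text(body) for name, body in docs.items()}


def policy_action(findings: List[Finding]) -> str:
    """Hypothetical policy: block sharing of any document with a confirmed match."""
    return "Block" if findings else "Allow"


if __name__ == "__main__":
    for name, found in scan_documents(SAMPLE_DOCS).items():
        print(f"{name}: {policy_action(found)}", [(f.info_type, f.masked) for f in found])
```

Running the script blocks the expense report and the HR note and allows the meeting notes, because the order reference fails the Luhn check even though it looks like a card number. That checksum step is what keeps a DLP policy from drowning administrators in false positives, and masking the value is what lets the resulting alerts be reviewed without creating another copy of the personal data.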
Perhaps more importantly, the IT Function will often aspire to introduce controls and/or improve security maturity, but the business has not always approved these investments. The costs of data breaches have not always been concrete enough to persuade executives, perhaps because the data are so variable.
Ranges of expected loss by number of records from the Verizon DBIR 2015
Now, GDPR introduces a clearly-quantifiable cost of non-compliance beyond the costs of a breach, which should be a catalyst for investments. For instance, most organisations still do not require multi-factor authentication (MFA), despite the well-known weaknesses of passwords. This is one of the most effective protections against lost or stolen credentials, but until now, many organisations have been slow to add this strength. Likewise, many organisations will not encrypt data at the file level, yet will allow users to access these data from outside the corporate network on any device. If any of these files contain personal data, and the files are only protected by a user’s provisions at home, this organisation would carry the risk. Consider what might happen if:
- The user sent the document to their personal Gmail account, which is secured by a weak password.
- The user uses the same password across many services, and this shared password is disclosed publicly in a data breach.
- The home machine is infected. This malware searches for personal data and exfiltrates these files.
- The home router is unpatched and compromised, DNS is re-routed to a malicious service, and the user is presented with a convincing page to harvest username and password information.
Microsoft offers controls for these risks and others in Office 365 and EM+S, but often the capabilities have been seen to be nice-to-have or low-to-medium priority relative to other demands placed on stretched IT teams. GDPR makes this compulsory.
How we help the IT Function with GDPR
We work with many IT Functions that are embracing cloud technologies to alleviate on-premises IT burdens or to take advantage of evergreen Office 365 features. Many of our customers are primarily concerned with migrating away from their legacy on-premises technologies, and in many cases these projects are facing license expiration or other artificial challenges which mean that security thinking is not always front-and-center.
Even where it is, we find that on-premises knowledge is only partially sufficient to adapt to the new EM+S toolkit. Where skilled experts have spent years building experience in an on-premises context, many surprises await when new services move outside the network perimeter. This may be expectations of sign-on experiences or changes to operations where updates flow to all customers all the time. Often, the teams we work with have never developed deep skill in comparable security technologies. MFA is still new to most IT practitioners, and the compatibility considerations inherent with file-level encryption are not obvious. Although we would say this, we know that organisations need help with these technologies.
There is too much to learn on-the-fly, and the technologies change too quickly for passing attentiveness to suffice. We also know when some capabilities will be too complex for an organisation to operate successfully, which is fundamental to our consultative approach.
Let’s go back to the start
At the beginning of this article, I mentioned that, “we need to understand which GDPR obligations are meaningful for each organisation”. So how do we connect our existing approach directly with GDPR obligations?
We start from a GDPR Compliance Assessment provided by our partner Citric Data Protection. We then take those compliance requirements as inputs for our Cloud Security Roadmap Workshop. We know that EM+S offers many of the tools that help an organisation become compliant, but we also know that it offers much more – so we need to take the opportunity to form a broader view of how an EM+S license investment will provide a return.
For instance, an organisation might need Azure MFA and Azure Information Protection to meet specific compliance obligations, but it is typically a “quick win” to introduce Self-Service Password Reset (SSPR), and some incumbent technologies may be slated for replacement, such as an MDM provider or an ageing reverse proxy infrastructure. We emerge from this workshop with a prioritised roadmap for Microsoft Cloud Security Technology adoption. To round things out, we present an end-to-end view of these activities in a GDPR Assessment Playback.
START YOUR JOURNEY TO GDPR COMPLIANCE
Join us for our roundtable events to learn more about our approach to assessing GDPR compliance and how we can help your organisation adopt Microsoft Cloud Security Technologies successfully, in time for GDPR enforcement next May.
About our author
Head of Research and Innovation
Since joining Content and Code in 2009, Tristan has transformed consultative process as a member of the Business Practices team, then led the infrastructure consultancy team as Principal Infrastructure Architect. In 2013, Tristan transitioned to his current Head of Research and Innovation role, developing expertise in emerging Microsoft technologies and standardising related consultancy offerings. This work has been primarily focused on Microsoft security technologies such as AD FS, AD RMS, and identity synchronisation technologies, as well as a broad set of EM&S consultancy offerings that help our core of Office 365 clients secure their cloud services. Tristan also works closely with Microsoft as an advisor, participant in pre-release programmes and EM&S Partner Technology Solutions Professional (P-TSP).