Ten things Office 365 tenants can do to prepare for GDPR
The advent of the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018, can be viewed as an opportunity or a problem. I like to focus on the former because GDPR gives Office 365 tenants a reason to take a hard look at how they deal with personal data today and ask the question whether they can do better. In most cases, improvements are possible. In this article, I look at ten areas to consider as you prepare an Office 365 tenant to cope with GDPR. Clearly, a huge amount of work in other areas is also necessary, such as the appointment of a Data Protection Officer (DPO) and consideration of IT systems outside Office 365.
1. Understand GDPR Data Scope
The first, and most obvious, step is to understand what GDPR is and how it affects your company. The “territorial scope” defined in Article 3 means that any company that processes personal data belonging to people in the European Union must comply with GDPR, whether or not the company is physically located inside the EU (for a company outside the EU, the trigger is offering goods or services to those people or monitoring their behavior). The broadness of this scope has led to panic in some quarters, so it is important to ignore the hype and understand exactly how your IT systems store and process personal data.
It is also important to draw the line between personal data and personally identifiable information (PII), a term more commonly used in US privacy law and the financial world to describe data such as bank account and credit card numbers belonging to an individual. PII is personal data, but GDPR Article 4 takes a more expansive view, saying:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Although you might already use technologies like Data Loss Prevention (DLP) to stop PII leaking from the company, GDPR means that you also need to consider the processing of other types of personal data. For example, given that organizations often use Word and Excel files to hold information about people (think of all those spreadsheets with salary data, or documents used for annual reviews, CVs, and the like), the loss of a PST containing email with those kinds of attachments is as bad, in GDPR terms, as a hacker gaining access to a file of credit card numbers. A company suffers reputational damage (and potential fines) through the loss of either PII or other personal data, so your GDPR planning should consider both.
2. Prepare and Organize
Sometimes a project like GDPR compliance seems like a mountain to climb, especially when a deadline approaches. Breaking the large task down into smaller chunks helps to organize work within a company. Microsoft offers the Compliance Manager to Office 365 customers to give a structure to compliance projects like GDPR. Although you can use Compliance Manager to assign tasks and track responsibilities, Office 365 tools like Teams and Planner are better suited to day-to-day task assignment and tracking.
3. Protect with MFA
It is truly amazing how many Office 365 administrative accounts are not protected with multi-factor authentication (MFA). Microsoft tracks the number, and reported at the Ignite 2017 conference that only 0.73% of administrative accounts use MFA. There is no reason why this should be so as Office 365 makes it easy to enable and use MFA. To reduce the chance of data loss caused by an attacker gaining access to an important account in your tenant, all administrative and sensitive accounts (such as those used by anyone who processes personal data) should be MFA-enabled. Remember that MFA only protects connections that use modern authentication: legacy protocols such as POP3, IMAP4, SMTP AUTH and basic-authentication ActiveSync or EWS connections bypass it, so blocking basic authentication for those accounts is part of the same job.
If you use MFA, you can follow Microsoft’s advice to use non-expiring passwords for Office 365 accounts; without forced rotation, users are more likely to choose one strong password and keep it rather than cycling through predictable variants. This advice assumes that MFA is in place and that the tenant blocks known-weak or breached passwords; a never-expiring password without those controls simply gives an attacker more time.
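As an added example (not part of the original article), the script below reports members of Azure AD administrative roles whose per-user MFA state is still Disabled. It uses the MSOnline module and assumes Connect-MsolService has already been run; a tenant that enforces MFA through Conditional Access rather than per-user settings will show Disabled for everyone, so in that case check the MethodsRegistered column and your Conditional Access policies instead.

```powershell
# Added example, not from the original article. Requires the MSOnline module and an
# existing Connect-MsolService session. Lists members of directory roles whose
# per-user MFA state is neither Enabled nor Enforced.
$roles = Get-MsolRole | Where-Object { $_.Name -like '*Administrator*' }

$report = foreach ($role in $roles) {
    foreach ($member in (Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)) {
        # Skip service principals and groups; only user accounts register MFA
        if ($member.RoleMemberType -ne 'User') { continue }
        $user = Get-MsolUser -ObjectId $member.ObjectId
        # StrongAuthenticationRequirements is empty when per-user MFA is disabled
        $state = 'Disabled'
        if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $state = $user.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
        }
        [PSCustomObject]@{
            Role              = $role.Name
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            # Methods registered even when MFA is not enforced per user (Conditional Access tenants)
            MethodsRegistered = $user.StrongAuthenticationMethods.Count
        }
    }
}

$unprotected = @($report | Where-Object { $_.MfaState -eq 'Disabled' })
$unprotected | Sort-Object UserPrincipalName, Role | Format-Table -AutoSize
"{0} of {1} admin role assignments lack per-user MFA" -f $unprotected.Count, @($report).Count

# To enforce per-user MFA on one account (the user registers at next sign-in), the
# hypothetical admin@contoso.com being a placeholder:
# $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
# $req.RelyingParty = '*'; $req.State = 'Enabled'
# Set-MsolUser -UserPrincipalName admin@contoso.com -StrongAuthenticationRequirements @($req)
```

The report lists one row per role assignment, so an account holding several roles appears several times; sort or group by UserPrincipalName when you hand the list to the people who must fix it.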
4. Encrypt and Protect Content
Rights management has a reputation for complexity. In fact, Microsoft has made it easy for tenants to protect sensitive data in Office 365 with Azure Rights Management. All E3 and E5 tenants are licensed and enabled for protection (Exchange Online must still be configured to use the Azure RMS service before users can send protected email), and Microsoft includes out-of-the-box protection templates that can be applied to messages, documents, and complete SharePoint libraries.
Once data is protected, only those granted rights can open it, so even if a breach occurs and some important documents leak outside the tenant, the content stays unreadable to whoever holds the files (the usage rights travel with the file and are checked against Azure AD whenever it is opened). All sensitive data should be protected. Period.
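As an added example (not part of the original article), here is the Exchange Online PowerShell sequence for connecting the tenant to Azure Rights Management, checking that it works, and applying a template automatically through a transport rule. It assumes an Exchange Online remote PowerShell session; user@contoso.com and the subject tag are placeholders.

```powershell
# Added example, not from the original article. Exchange Online PowerShell session assumed.

# 1. Point Exchange Online at the Azure Rights Management service if not already done
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
# Let the service decrypt protected mail for transport rules, DLP, journaling and
# eDiscovery, and show the Protect button in Outlook on the web
Set-IRMConfiguration -InternalLicensingEnabled $true -SimplifiedClientAccessEnabled $true

# user@contoso.com is a placeholder; the test fetches templates and a licence on their behalf
Test-IRMConfiguration -Sender user@contoso.com

# 2. See which protection templates are available to rules, labels and users
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# 3. A transport rule that applies Do Not Forward when the sender tags the subject.
#    '[Personal]' is an assumed convention, not something Office 365 defines.
New-TransportRule -Name 'Protect tagged personal data' `
    -SubjectContainsWords '[Personal]' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Added example: senders mark subjects [Personal] to force Do Not Forward'
```

Test-IRMConfiguration is the step people skip: it exercises template download and licence acquisition for a real mailbox, which is exactly what fails when the tenant key or licensing settings are wrong.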
5. Break Bad Habits
Over time, people pick up bad habits. A new focus on data protection and compliance offers a chance to eradicate some habits that often result in data leakage. I focus on four habits here. First, the continuing use of PSTs in an era of huge mailbox quotas is an anachronism. It is impossible to apply the range of protection technologies available in Office 365 to PSTs. It’s time to ingest PSTs into Exchange Online and eliminate these hangovers from the 1990s. Use a product like Quadrotech’s PST Flight Deck to automate the process of gathering, preparing, and moving PSTs in a fast, efficient, and secure manner. If you do not feel that you can cut the use of PSTs quickly, at least use BitLocker to protect laptop disks.
Second, tenants should review mailboxes that forward email outside the organization. Although there might be a good business reason for someone to forward their email, in some cases it comes down to personal preference because they want to use a certain client or email system. However, once you allow email forwarding, you lose control of that content for compliance and security purposes. For that reason, it is a bad idea to let users forward email without oversight. Remember that forwarding can be set in several places: as a mailbox property by an administrator or by the user in Outlook on the web, and inside inbox rules that forward or redirect messages, so a review must cover both. You can write a PowerShell script to find mailboxes with forwarding set, but it is easier to use Radar Reporting to find and report mailbox configurations.
Third, given the range of storage options available in Office 365, there is no obvious reason to persist with Windows file servers. It is time to move personal shares to OneDrive for Business and file shares to SharePoint Online. Microsoft has a free utility (the SharePoint Migration Tool) to move data from on-premises file shares or SharePoint servers to SharePoint Online, and there are many other third-party products available to do the same job. If you have a good reason to keep file servers, consider using the Azure Information Protection Scanner to find and protect files holding sensitive personal data.
Lastly, the proliferation of mobile devices connected to corporate networks means that personal data handled by company applications is probably also on users’ smartphones. These devices are potential points of leakage that should be closed off by deploying mobile application management such as Microsoft Intune, so that application data can be wiped remotely if a device is lost or otherwise compromised.
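The forwarding review from the second habit above, as an added example that is not part of the original article. It assumes an Exchange Online PowerShell session and reports both mailbox-level forwarding and inbox rules whose targets lie outside the tenant's accepted domains.

```powershell
# Added example, not from the original article. Exchange Online PowerShell session assumed.
# Reports every mailbox that forwards mail to an address outside the tenant's accepted
# domains, whether the forward is set on the mailbox or inside an inbox rule.
$internalDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalAddresses {
    # Pull SMTP addresses out of strings such as 'smtp:bob@example.net' or
    # '"Bob" [SMTP:bob@example.net]' and keep only those outside the tenant
    param([string[]]$Values)
    foreach ($value in $Values) {
        if (-not $value) { continue }
        foreach ($m in [regex]::Matches($value, '[\w.+-]+@[\w.-]+\.\w+')) {
            $domain = ($m.Value -split '@')[1]
            if ($internalDomains -notcontains $domain) { $m.Value }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Forward set by an admin (ForwardingAddress, a recipient object that may be a mail
    # contact pointing outside) or by the user in Outlook on the web (ForwardingSmtpAddress)
    $targets = @()
    if ($mbx.ForwardingAddress) {
        $targets += (Get-Recipient $mbx.ForwardingAddress -ErrorAction SilentlyContinue).PrimarySmtpAddress
    }
    $targets += $mbx.ForwardingSmtpAddress
    foreach ($addr in Get-ExternalAddresses $targets) {
        [PSCustomObject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox forwarding'
                           Target = $addr; Enabled = $true; KeepCopy = $mbx.DeliverToMailboxAndForward }
    }
    # Inbox rules that forward or redirect; each can name several recipients
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($addr in Get-ExternalAddresses $ruleTargets) {
            [PSCustomObject]@{ Mailbox = $mbx.UserPrincipalName; Source = "Inbox rule '$($rule.Name)'"
                               Target = $addr; Enabled = $rule.Enabled; KeepCopy = -not $rule.RedirectTo }
        }
    }
}

$findings | Sort-Object Mailbox, Source | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so the run takes a while in a large tenant; the rule check matters because a compromised account is typically persisted by an attacker through a hidden inbox rule rather than through the mailbox forwarding property an administrator would notice.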
6. Apply Labels
Office 365 classification labels stamp documents and messages with a persistent marker that stays with the item wherever it moves within the tenant. Today, labels are used mainly to make sure that files are kept (or removed) after set periods, but in the future you will also be able to use labels to apply Azure Information Protection encryption and block unauthorized access to documents.
Those who create and work with documents understand the content best. It therefore makes sense to create labels (for instance, a label called “GDPR personal data”) for users to mark sensitive documents holding GDPR-relevant data. Apart from anything else, once a file has a classification label, it becomes much easier to find should the need arise.
If you use Office 365 E5, you can use auto-label policies to apply labels to documents automatically based on keyword searches or the presence of sensitive data types.
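As an added example (not part of the original article), the following Security & Compliance Center PowerShell creates the “GDPR personal data” label described above, publishes it so users can apply it, and, for an E5 tenant, auto-applies it where EU identifiers are detected. Policy and label names are placeholders.

```powershell
# Added example, not from the original article. Security & Compliance Center PowerShell
# session assumed. Label, policy and rule names are placeholders.

# 1. A retention label users can apply by hand: keep tagged content for 7 years after last change
New-ComplianceTag -Name 'GDPR personal data' `
    -Comment 'Personal data of EU data subjects: apply to CVs, reviews, salary sheets' `
    -RetentionAction Keep -RetentionType ModificationAgeInDays -RetentionDuration 2555

# 2. Publish the label to Exchange, SharePoint and OneDrive so it shows up in the clients
New-RetentionCompliancePolicy -Name 'GDPR label publishing' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Publish GDPR label' -Policy 'GDPR label publishing' `
    -PublishComplianceTag 'GDPR personal data'

# 3. (E5) Auto-apply the same label where EU identifiers are detected. An auto-apply
#    policy carries a single condition; use -ContentMatchQuery for a keyword query instead.
New-RetentionCompliancePolicy -Name 'GDPR auto-label' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Auto-label EU identifiers' -Policy 'GDPR auto-label' `
    -ApplyComplianceTag 'GDPR personal data' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'EU Passport Number';                minCount = '1' },
        @{ Name = 'EU National Identification Number'; minCount = '1' },
        @{ Name = 'EU Debit Card Number';              minCount = '1' }
    )

# Confirm the label exists with the settings intended
Get-ComplianceTag -Identity 'GDPR personal data' |
    Format-List Name, RetentionAction, RetentionType, RetentionDuration
```

Auto-apply policies take up to a week to label existing content, so run this well ahead of any deadline and verify with a content search on the label rather than assuming it worked.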
7. Stop Leaks
A sensitive data type (sensitive information type) is the building block that Office 365 Data Loss Prevention (DLP) policies use to recognize different kinds of data that might exist in documents and messages: a credit card number is a sensitive data type, and so is a passport number. Office 365 includes over 80 sensitive data types that you can use to create policies to stop users sharing information outside your company. Many of them, such as the EU passport, national identification and debit card number types, are relevant to GDPR, and you can combine several in a single policy to help stop personal data leaving the company.
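As an added example (not part of the original article), this Security & Compliance Center PowerShell builds a DLP policy that combines several EU sensitive information types and blocks external sharing. It assumes a Security & Compliance Center PowerShell session; the policy name and the policy tip text are placeholders.

```powershell
# Added example, not from the original article. Security & Compliance Center PowerShell
# session assumed. Creates a DLP policy in test mode, then shows how to switch it on.

# Which built-in sensitive information types cover EU identifiers?
Get-DlpSensitiveInformationType | Where-Object { $_.Name -like 'EU *' } |
    Format-Table Name, Publisher -AutoSize

# Policy scope: all Exchange, SharePoint and OneDrive locations. TestWithNotifications
# shows users policy tips and generates reports without blocking anything yet.
New-DlpCompliancePolicy -Name 'GDPR personal data' `
    -Comment 'Stop EU personal identifiers leaving the tenant' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# One rule combining several data types; any single match counts because minCount is 1
New-DlpComplianceRule -Name 'Block EU identifiers shared externally' -Policy 'GDPR personal data' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'EU Passport Number';                minCount = '1' },
        @{ Name = 'EU National Identification Number'; minCount = '1' },
        @{ Name = 'EU Debit Card Number';              minCount = '1' },
        @{ Name = 'Credit Card Number';                minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains personal data and cannot be shared outside the company.' `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All -ReportSeverityLevel High

# Once the incident reports show an acceptable false-positive rate, enforce the policy:
# Set-DlpCompliancePolicy -Identity 'GDPR personal data' -Mode Enable
```

Starting in test mode is deliberate: the EU national identification types match formats from many countries and will fire on some legitimate content, and a blocking rule that surprises users gets disabled quickly.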
8. Review Accounts
Accounts are a prime vector for attackers. It therefore makes sense to remove unused accounts from your tenant. If a departed user’s mailbox must be preserved, place it on hold (litigation hold or a retention policy) before removing the account; Exchange Online then keeps the mailbox as an inactive mailbox, which stays searchable by eDiscovery without consuming a license.
Guest accounts are created to allow external people access to Teams, Office 365 Groups, and shared documents. Although guest accounts can still be used for sharing documents, one-time verification codes sent to the recipient’s email address are now the preferred method for sharing SharePoint and OneDrive content with outsiders. Whatever they are used for, review guest accounts regularly to understand how they are used and remove any that are no longer needed.
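The account review above, as an added example that is not part of the original article: inventory guest accounts with their group memberships, then walk through the hold-before-delete sequence for a departed user. It assumes Connect-AzureAD has been run and an Exchange Online session exists; leaver@contoso.com is a placeholder.

```powershell
# Added example, not from the original article. AzureAD module session (Connect-AzureAD)
# and Exchange Online PowerShell session assumed. leaver@contoso.com is a placeholder.

# 1. Inventory guest accounts with age and group memberships; guests belonging to
#    nothing are the first candidates for removal
$inventory = foreach ($guest in Get-AzureADUser -Filter "userType eq 'Guest'" -All $true) {
    $groups = @(Get-AzureADUserMembership -ObjectId $guest.ObjectId -All $true)
    [PSCustomObject]@{
        Mail       = $guest.Mail
        Created    = $guest.ExtensionProperty['createdDateTime']   # creation time is only exposed here
        GroupCount = $groups.Count
        Groups     = ($groups.DisplayName) -join '; '
        ObjectId   = $guest.ObjectId
    }
}
$inventory | Sort-Object GroupCount, Created | Format-Table Mail, Created, GroupCount, Groups -AutoSize
$orphanGuests = @($inventory | Where-Object { $_.GroupCount -eq 0 })
"{0} guest accounts belong to no group" -f $orphanGuests.Count
# Review $orphanGuests with the business owners before running:
# $orphanGuests | ForEach-Object { Remove-AzureADUser -ObjectId $_.ObjectId }

# 2. Departed employee: hold the mailbox first, then delete the account. Exchange Online
#    turns the mailbox into an inactive mailbox that eDiscovery can still search.
$departed = 'leaver@contoso.com'
Set-Mailbox -Identity $departed -LitigationHoldEnabled $true -LitigationHoldDuration 2555 `
    -LitigationHoldComment 'GDPR: retain for 7 years pending data subject requests'
# Do not delete until the hold is reported as active on the mailbox
if ((Get-Mailbox -Identity $departed).LitigationHoldEnabled) {
    Remove-AzureADUser -ObjectId (Get-AzureADUser -ObjectId $departed).ObjectId
}
# Confirm the mailbox survived as an inactive mailbox
Get-Mailbox -InactiveMailboxOnly -Identity $departed |
    Format-List DisplayName, WhenSoftDeleted, LitigationHoldEnabled
```

Deleting the account first and adding the hold afterwards does not work: a mailbox deleted without a hold is a soft-deleted mailbox that is purged after 30 days, not an inactive one.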
9. Archive Groups
Along with a review of accounts, you should look at information repositories like SharePoint sites, Teams, and Office 365 Groups with the aim of removing those that are inactive (the script described in this article will help you to find inactive groups). Do not rush to remove anything until you check it, to ensure that any data that should be preserved is secured. If you wish, you can archive inactive groups and teams to retain information in case it is needed.
10. Be Ready to Investigate and Respond
At this point, none of us knows exactly how GDPR will function in individual circumstances in a specific country. Local implementation of the EU regulation will be followed by interpretation by lawyers and court decisions. However, tenants should be prepared to deal with Article 17 requests (the “right to be forgotten”) and to respond to data breaches.
If the tenant protects information through a mixture of MFA, encryption, and rights management, the risk that sensitive personal data is exposed outside the tenant is reduced. There is not much you can do if someone loses a PST on an unprotected USB drive except investigate what was on the drive and decide whether you must report a data breach. However, you can make sure that you are ready to investigate potential problems using tools available inside Office 365 and others that you develop or buy from third parties. That means being able to search the Office 365 audit log to track down suspicious activity, to see the details of user logins, and to find out who accessed confidential information. These steps establish the circumstances of a potential breach, whether any personal data was compromised, and whose personal data it was, before the breach is reported to the “supervisory authority” as required by Article 33.
GDPR requires notification of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”; a later notification must be accompanied by the reasons for the delay. Although that wording leaves some latitude when evidence still has to be gathered, it clearly makes sense for Office 365 administrators to understand how to collect the necessary information as quickly as possible. One problem you might face is that Office 365 stores audit data for only 90 days, so if you need to go back further, you need a third-party product like Radar for Security and Audit, which stores data for as long as a tenant wants, or Microsoft Advanced Security, which stores data for 180 days.
Another skill to practice is how to run content searches for Office 365 data, including the construction of efficient search terms to find the right data and then export search results in a form that investigators might need.
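The investigation steps described above, as an added example that is not part of the original article: page through the audit log to find who accessed a sensitive file, pull the sign-in history of a suspect account, then build and export a content search. It assumes an Exchange Online session for Search-UnifiedAuditLog and a Security & Compliance Center session for the compliance search; the file name, account and search name are placeholders.

```powershell
# Added example, not from the original article. Exchange Online session (audit log) and
# Security & Compliance Center session (content search) assumed. Names are placeholders.

# 1. Who touched a sensitive file in the last 90 days (the audit log's retention window)?
$end = Get-Date
$start = $end.AddDays(-90)
$fileName = 'Salary review 2018.xlsx'
$sessionId = [guid]::NewGuid().ToString()   # ReturnLargeSet pages through more than 5000 records
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileAccessed, FileDownloaded, FileSyncDownloadedFull, FileCopied `
        -FreeText $fileName -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $batch
} while ($batch)

# AuditData is JSON; expand it to get the user, client IP and the exact file name
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.SourceFileName -eq $fileName }
$events | Group-Object UserId | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'ClientIPs';  e = { ($_.Group.ClientIP  | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Operations'; e = { ($_.Group.Operation | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 2. Sign-in history for one suspect account, successful and failed
$suspect = 'someone@contoso.com'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $suspect `
        -Operations UserLoggedIn, UserLoginFailed -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ResultStatus,
        @{ n = 'UserAgent'; e = { ($_.ExtendedProperties | Where-Object { $_.Name -eq 'UserAgent' }).Value } } |
    Sort-Object CreationTime | Format-Table -AutoSize

# 3. Content search: what personal-data attachments does the suspect mailbox hold or send?
$search = New-ComplianceSearch -Name 'Breach-2018-05 salary attachments' `
    -ExchangeLocation $suspect `
    -ContentMatchQuery 'attachmentnames:salary OR attachmentnames:review OR attachmentnames:CV'
Start-ComplianceSearch -Identity $search.Name
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity $search.Name
} while ($s.Status -ne 'Completed')
"{0} items, {1} bytes" -f $s.Items, $s.Size

# Export to one PST per mailbox for the investigators (downloaded from the Security &
# Compliance Center once the export action completes)
New-ComplianceSearchAction -SearchName $search.Name -Export -Format FxStream -ExchangeArchiveFormat PerUserPst
```

Two details matter under the 72-hour clock: the audit log can take hours to ingest recent SharePoint events, so a search run immediately after an incident may be incomplete, and a search without a SessionId silently stops at the first 5000 records.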
GDPR is an Opportunity
Every company differs in terms of the use they make of personal data, so it’s impossible to be prescriptive about the exact steps an Office 365 tenant should take to prepare for GDPR. What’s discussed here is not a recipe for instant success. Instead, we’ve covered some basic improvements that you can make to your Office 365 tenant relatively quickly. Some, like PST eradication, will probably take time because there’s lots of work involved in processing tens of thousands of files. Once you’ve taken care of the ten steps outlined here, you can be sure that there will be more to do.
Although you might view GDPR as the cause of a lot of extra work, a better perspective is to view GDPR as a catalyst for improvement to create a more secure tenant with better protected data. We all need periodic wake-up calls to do better. Will GDPR lead to a better outcome for your tenant?
Microsoft MVPs Alan Byrne and Paul Robichaux have presented a deep-dive session that touched on many of these topics. View the recording for additional tips on securing your data in Office 365: Best Practices for Office 365 Security and GDPR.