Security And Information Protection For Multi-Region . - GitHub

Transcription

Security and Information Protection for Multi-Region Organizations with a Single Microsoft 365 Tenant
This topic is 1 of 6 (Page 1)

Overview

Using a single Microsoft 365 tenant for your global organization is the best choice and experience for many reasons. However, many architects wrestle with how to meet security and information protection objectives across different regions. This set of topics provides recommendations.

Two approaches for multi-national organizations

Approach 1: Apply security and information protection globally (recommended)

Security and information protection are applied consistently across the entire global organization.

- Apply multi-factor authentication to all users, regardless of region.
- Establish a baseline of security, including conditional access and related policies, and apply these to all users.
- Apply information protection policies consistently across the organization, regardless of regional requirements.
- Instead of exempting locations from information protection policies, focus on tuning sensitive information types and policies to reduce false positives. Also configure overrides that inform users and give them the option to take the right action for the flagged data.

This approach provides the most comprehensive security and information protection and leaves attackers with less opportunity to accomplish their goals by moving laterally.

Approach 2: Create custom policies and isolate these to specific regions (not recommended)

Use security and information protection boundaries to craft policies that apply to specific regions.

- Evaluate the requirements for each region. Craft specific security policies for each region and use security groups and other boundaries to isolate these to the targeted region.
- Apply information protection policies only to the regions with these requirements.
- Customize sensitive information types for each region to reduce false positives within that region. Do not use these across other regions.
- Isolate sites and data to specific regions and limit access from outside the region.

This approach is not recommended. Isolating data and policies leaves security and information protection gaps and reduces the opportunity for collaboration. Attackers can accomplish their goals by moving laterally: they compromise accounts in a region where less restrictive security is applied, then use that foothold to target data across the organization.

Approaching security and information protection systematically

A recommended systematic approach for implementing security and information protection includes these phases:

- Protect privileged accounts
- Reduce the attack surface
- Protect against known threats
- Protect against unknown threats
- Assume breach
- Continuous monitoring and auditing

March 2020

For more information, including a spreadsheet for tracking your progress, see Microsoft 365 Security for Business Decision Makers (BDMs).

2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.

Security and information protection strategy
This topic is 2 of 6 (Page 2)

Apply protection consistently across regions

Security

- Define and apply the same security policies across the entire organization.
- Configure a baseline level of security through conditional access policies and apply these to all users.
- Some users might warrant increased security, such as senior leaders or researchers who have access to classified data. For these users, establish a set of conditional access policies that are appropriate and apply these consistently across your organization.
- Don't configure unique policies for specific regions or countries.
- Apply Microsoft threat protection capabilities globally, using the recommended roadmap (later in this guide) as a guide.

Information protection

- Create policies to protect specific types of data and then apply these policies uniformly across the entire organization.
- Craft policies to target data, not specific regions or countries.
- Instead of creating policies for specific regions, tune the organization-wide policies to reduce false positives and use overrides appropriately.

Not recommended:

- Trying to craft geo-specific policies.
- Allowing admins of different regions to craft different policies.

Define tiers of protection and apply these uniformly

Rather than defining region-specific policies, Microsoft recommends defining a small number of tiers of protection for your organization and applying these protections consistently everywhere. For example, protect sensitive users and content in Japan with the same protections that are applied to sensitive users and content in Europe.

Tiers of protection work well for protecting user accounts, sites and libraries, and Microsoft Teams in uniform ways, depending on their sensitivity. Additionally, sensitivity labels, retention labels, and data loss prevention policies target and protect data regardless of where it resides.

Tier                  | Users          | Data
Baseline protection   | Most users     | Most data
Sensitive protection  | Some users     | Some data
Highest protection    | Very few users | Very little data

Apply a consistent baseline of protection across your entire organization: establish a baseline for your entire organization and apply it uniformly.

Resources:
- Recommended identity and device access policies: recommended conditional access policies for baseline, sensitive, and highly regulated protection.
- Secure SharePoint Online sites and files: recommended protection for SharePoint Online sites and files for baseline, sensitive, and highly regulated protection.
- Teams for highly regulated data: protect highly regulated data in Teams.

Some user accounts and data require higher levels of protection. Define higher tiers of protection for your organization and apply these uniformly to the user accounts and data that warrant this protection. Admins at regional sites might be better positioned to identify the user accounts and Microsoft Teams or SharePoint sites that fit these categories. However, the protection applied for each of these categories should be consistent across the organization. For example, policies for sensitive protection in Japan should be the same as those applied for sensitive protection in Europe.
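The following Microsoft Graph PowerShell is an added example of the "baseline for everyone, higher tier by sensitivity rather than by region" approach described on pages 1 and 2; it is illustrative code, not part of the original Microsoft guidance. It creates one tenant-wide Conditional Access policy requiring MFA for all users, a second policy that applies a stricter tier to a group of sensitive users (a group, not a country), and then lists every policy's user and location scope so that any geo-specific carve-out stands out during review. It assumes the Microsoft.Graph PowerShell module, an account holding a role that can write Conditional Access policies, and two placeholder group names, "Emergency Access Accounts" and "Sensitive Users".

```powershell
# Added example; not from the original poster. Assumes the Microsoft.Graph module and
# that "Emergency Access Accounts" and "Sensitive Users" are groups you maintain
# (placeholder names).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Break-glass accounts are excluded so a bad policy cannot lock every admin out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
$sensitive  = Get-MgGroup -Filter "displayName eq 'Sensitive Users'"

# Tier 1: baseline. Every user, every cloud app, MFA required. No region is exempted.
# Start in report-only; review the impact in sign-in logs, then set state to "enabled".
$baseline = @{
    displayName = "Baseline - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline

# Tier 2: sensitive users. Scoped by group membership, which regional admins can
# populate, while the control set itself is identical in every region.
$sensitiveTier = @{
    displayName = "Sensitive - Require MFA and compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($sensitive.Id); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $sensitiveTier

# Review: any policy with a location condition is a geo-specific carve-out and
# should be justified or removed per the guidance above.
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    [pscustomobject]@{
        Name             = $_.DisplayName
        State            = $_.State
        IncludeUsers     = ($_.Conditions.Users.IncludeUsers -join ",")
        IncludeGroups    = ($_.Conditions.Users.IncludeGroups -join ",")
        IncludeLocations = ($_.Conditions.Locations.IncludeLocations -join ",")
        ExcludeLocations = ($_.Conditions.Locations.ExcludeLocations -join ",")
    }
} | Format-Table -AutoSize
```

Both policies are created in report-only state on purpose: the sign-in log then shows which users would have been blocked before anything is enforced, which is the cheapest way to find service accounts or legacy clients that the baseline will break.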

Office 365 Multi-Geo
This topic is 3 of 6 (Page 3)

Does my organization need Office 365 Multi-Geo?

Office 365 Multi-Geo is an add-on capability that gives an organization the ability to select multiple geographic regions and/or countries within the existing tenant as data-at-rest locations. Multi-Geo provisions and stores data at rest in the geo locations that you've chosen to meet data residency requirements. Some organizations require this to roll out modern productivity experiences to their global workforce.

If your organization does not need to meet data residency requirements, you do not need Multi-Geo. If you do need this capability, reach out to your Microsoft Account Team to sign up.

- Office 365 Multi-Geo locates user mailboxes, OneDrive, and user-created sites at the location of the user.
- Teams is Multi-Geo aware. If a user in Europe creates a Team, then the site and group associated with this team reside in Europe.
- Collaboration across multiple geographical locations is not affected.
- Multi-Geo is intended for data residency requirements, not for performance.
- Office 365 Multi-Geo does not affect Azure AD. All identities remain at the location of the tenant.

How Office 365 Multi-Geo affects security and information protection

Security: Office 365 Multi-Geo doesn't change the recommendation for security, which is to apply the same policies across the entire organization.

Information protection: Office 365 Multi-Geo doesn't change the recommended approach for information protection, which is to create policies to protect specific types of data and then apply these policies uniformly across the entire organization.

Additional resources:
- Office 365 Multi-Geo overview
- Where your customer data is stored (aka.ms/dcmaps)
- Teams experience in an Office 365 OneDrive and SharePoint Online Multi-Geo-enabled tenancy
- Administering an Office 365 Multi-Geo environment

Security administration architecture
This topic is 4 of 6 (Page 4)

Administration with a single tenant

Follow recommendations to limit the number of administrators and to secure the accounts and access used for administration. Establish a baseline of security tenant-wide. Multi-national organizations can use regional administrators to help identify accounts and data that should be protected at higher levels.

Resources:
- About Office 365 admin roles: available roles and recommendations.
- Protect privileged accounts: top recommended capabilities for securing privileged accounts.
- Securing privileged access: in-depth guidance, including how to configure a Privileged Access Workstation (PAW).
- Administering an Office 365 Multi-Geo environment: describes how Office 365 service administration works in a multi-geo environment.

Global admins: establish a baseline of protection that applies to the entire tenant.

Service admins (Exchange, SharePoint, Microsoft Teams, etc.): service admins configure tenant-wide protection for their service.

Regional admins: admins at regional locations are more familiar with their users and data and can recommend and/or apply higher tiers of protection where appropriate. Regional admins should be limited to a specific service. Some services provide the option to limit the scope of access through role-based access control (RBAC), user groups, or specific SharePoint sites.

Scoping options by service:

Azure Active Directory
  Scoping: use RBAC with Azure Active Directory to customize scopes of administration.
  Resources: Assign administrator and non-administrator roles to users with Azure Active Directory; What is role-based access control (RBAC) for Azure resources?; Add or remove role assignments using Azure RBAC and the Azure portal.

Exchange Online
  Scoping: create role groups and assign these groups to manage specific mailboxes.
  Resources: Permissions in Exchange Online; Manage role groups.

SharePoint Online
  Scoping: assign admins at the site level.
  Resources: Manage site admins.

Microsoft Teams
  Scoping: options are limited to admin roles only.
  Resources: Use Microsoft Teams administrator roles to manage Teams.

Office 365 Security & Compliance Center
  Scoping: options are limited to admin roles only.
  Resources: Permissions in the Office 365 Security & Compliance Center.
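The Exchange Online row above ("create role groups and assign these groups to manage specific mailboxes") is the one service on this page where a regional admin can be confined to a region's objects rather than just to a role. The following Exchange Online PowerShell is an added example of doing that, not code from the original poster: it defines a management scope from a recipient filter, binds a role group to that scope with only recipient-management roles, and then verifies both the resulting role assignments and which recipients the scope actually matches. It assumes the ExchangeOnlineManagement module, that CountryOrRegion is populated on recipients, and placeholder names for the scope, the role group, and the admin's address.

```powershell
# Added example; not from the original poster. Assumes the ExchangeOnlineManagement
# module, recipients with CountryOrRegion set, and placeholder names throughout.
Connect-ExchangeOnline

# A management scope is a recipient filter. Role groups that use it as their write
# scope can only modify recipients matching the filter. Note this restricts writes;
# read access is not narrowed by a custom recipient write scope.
New-ManagementScope -Name "Japan Mailboxes" `
    -RecipientRestrictionFilter "CountryOrRegion -eq 'Japan'"

# The role group carries service-specific recipient roles only (no tenant-wide
# policy or transport rights) and is limited in write scope to the region.
New-RoleGroup -Name "Japan Mailbox Admins" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -CustomRecipientWriteScope "Japan Mailboxes" `
    -Members "regionaladmin-jp@contoso.example" `
    -Description "Regional recipient administration for Japan only; no tenant-wide rights."

# Check 1: every role assignment the group received carries the custom write scope.
Get-ManagementRoleAssignment -RoleAssignee "Japan Mailbox Admins" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Check 2: confirm the filter matches only the intended recipients before granting
# membership; an empty or too-wide result means the attribute is not maintained.
Get-Recipient -ResultSize Unlimited -Filter "CountryOrRegion -eq 'Japan'" |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
```

The scope is only as trustworthy as the attribute it filters on: if CountryOrRegion is user-editable or not consistently provisioned, the regional admin's write boundary moves with it, so treat that attribute as admin-controlled source data.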

Threat protection
This topic is 5 of 6 (Page 5)

This topic recommends a roadmap for implementing threat protection capabilities. Microsoft threat protection capabilities are integrated by default, and signals from each capability add strength to the overall ability to detect and respond to threats.

The combined set of capabilities offers the best protection for organizations, especially multi-national organizations, compared to running non-Microsoft products. Organizations with multiple security teams can implement these capabilities in parallel.

Regional considerations: internal governance between regional teams is important. Try to use the same policies for all regions.

Recommended roadmap. Each capability contributes its own signal (identity signals, Azure ATP signal, Office 365 ATP signal, Microsoft Defender ATP signal, Cloud App Security signal) to the combined detection and response capability.

1. Start here: multi-factor authentication and conditional access
   Protect against compromised identities. Begin with this protection because it's foundational.
   User impact: some.
   Admin work: minimal.
   Resource: Recommended identity and device access policies.

2. Azure Advanced Threat Protection
   A cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
   Focus on this next because it protects your on-premises and your cloud infrastructure, has no dependencies or prerequisites, and can provide immediate benefit.
   User impact: none.
   Admin work: if all domain controllers meet prerequisites, just install it and go.

3. Office 365 Advanced Threat Protection
   Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Protections for malware, phishing, spoofing, and other attack types.
   This is recommended next because change control, migrating settings from the incumbent system, and other considerations can take longer to deploy.
   User impact: minimal if using Office 365 ProPlus.
   Admin work: as little as an hour to configure, perhaps a bit more to update user training and documentation. Migrating settings from the incumbent system may take longer.

4. Microsoft Defender Advanced Threat Protection
   An endpoint security solution that helps prevent, detect, investigate, and respond to advanced threats. Provides both indicator-based and behavioral detection and response capabilities.
   This takes longer to deploy, but can be done in parallel with the other capabilities if other admins are responsible.
   User impact: if application whitelisting is used, impact can be significant. Otherwise, any impact is far preferable to the alternative.
   Admin work: scope of work depends on the number of endpoints and available deployment methods.

5. Microsoft Cloud App Security
   A cloud access security broker for discovery, investigation, and governance.
   You can enable this early to begin collecting data and insights. Implementing information and other targeted protection across your SaaS apps involves planning and can take more time.
   User impact: only if you are using it to block unsanctioned applications.
   Admin work: for discovery and investigation, very little for Office 365 and Azure. For governance, depends on the type and number of apps, policies, and other considerations.

Note: be sure you also configure the threat protection capabilities included in all Office 365 subscriptions (Exchange Online Protection).

Information protection
This topic is 6 of 6 (Page 6)

1. Sensitivity labels

Use sensitivity labels to designate the sensitivity of files and emails and enable business rules and workflows based on the label. Use labels consistently across geographies where possible.

- Use a small number of labels. Use a small number of well-defined labels across departments and geographies. Large numbers of labels can be hard to manage and can lead to user confusion and content misclassification.
- Use auto-classification where possible. Auto-classifying documents or emails by using sensitive information types or other business rules reduces the risk of sensitive content not getting properly classified.
- Allow override with business justification. Sometimes the most appropriate classification is best known by the users most closely connected to the content. Allowing users to reclassify content and provide a business justification can help make sure the best label is applied. (This is a label reclassification and is distinct from letting users override a DLP block; see the data loss prevention guidance in this topic.)
- Use additional labels for highly sensitive data. For highly sensitive data, use label-based encryption and secure a site or team with a custom label for that purpose.

2. Retention labels

With retention labels, you can define how long documents and emails must be retained and when they can or must be deleted.

- Set retention to the longest required time. For content that has different retention requirements across geographies, set your retention policy to the longest period required for all locations. This simplifies retention management.
- Auto-apply labels. Auto-apply labels where possible. Sites can auto-apply retention labels to all documents in the site.
- Create labels by department. Create labels by department rather than by geo location. Create geo-specific labels only when needed for specific compliance requirements (such as deletion of files as soon as possible).

3. Data loss prevention

With data loss prevention, you can configure a wide range of conditions, exceptions, and actions that can be applied to Exchange email, Teams chats and channel messages, and OneDrive and SharePoint documents.

- Use sensitive information types. Use sensitive information types with DLP to prevent exfiltration of sensitive information across geographies. Sensitive information types can be used by data loss prevention and Microsoft Cloud App Security policies to limit access to sensitive information.
- Use exact data matches. Use exact data matches to white-list or black-list specific data where possible.
- Use DLP policies. Use DLP policies to restrict access to content based on conditional matches across documents and email.
- Avoid user overrides. Allowing users to override a DLP policy can increase your risk of data exfiltration if the user's account is compromised. Avoid allowing user overrides when dealing with sensitive data.

4. Options for geo-specific issues

In some cases, even using the recommended information protection options, you may still have enough false positives to cause problems with productivity. This can happen if you have different information types that are very similar. The options below can help you work around these issues. In some cases, using these options may increase your risk of data exfiltration. Weigh that risk against the risk of users bypassing your governance practices in order to remain productive.

- Update built-in sensitive information types. Recreate built-in sensitive information types to customize pattern matching and sensitivity. Make adjustments to minimize false positives while still catching actual sensitive information.
- Use geography-specific DLP policies. For areas where data in some geographies is more likely to produce false positives than others, consider using multiple DLP policies for the same information type with different tuning for each geography.
- Limit overrides. If overrides are needed, limit them to the groups or geographies most prone to false positives. This reduces possible avenues for data exfiltration.
- Use an approval workflow. Instead of overrides, send DLP-flagged emails through an approval workflow by using mail flow rules.

Resources:
- Customize or create a new sensitive information type: describes how to optimize these, including reducing false positives.
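The following Security & Compliance and Exchange Online PowerShell is an added example of the DLP guidance in this topic (organization-wide policy targeting data, tuning instead of regional exemption, overrides limited to the group most prone to false positives, and an approval workflow via a mail flow rule); it is illustrative code, not part of the original Microsoft guidance. Rather than recreating the built-in sensitive information type, it approximates the "tune, don't exempt" step with count and confidence thresholds on the rule, which is the lighter-weight place to start. It assumes the ExchangeOnlineManagement module, and the group, mailbox and address names are placeholders. The group-scoped condition applies to Exchange email only, since group membership of the sender is an email condition.

```powershell
# Added example; not from the original poster. Assumes the ExchangeOnlineManagement
# module; all group, mailbox and address names are placeholders.
Connect-IPPSSession        # Security & Compliance PowerShell (DLP policies and rules)
Connect-ExchangeOnline     # Exchange Online PowerShell (mail flow rule, DLP reports)

# One policy, every workload, every user. No region is exempted. Test mode with
# policy tips surfaces false positives before anything is blocked.
New-DlpCompliancePolicy -Name "Global - Credit Card Data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Targets data, not regions. Tune thresholds instead of exempting locations."

# Rule 1 (default): block sharing outside the organization. Requiring at least two
# high-confidence matches drops most accidental hits on a single 16-digit number.
New-DlpComplianceRule -Name "CC - block external, high confidence" `
    -Policy "Global - Credit Card Data" `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="2"; minConfidence="85"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This item appears to contain payment card data and cannot be shared externally." `
    -GenerateIncidentReport "dlp-incidents@contoso.example" -IncidentReportContent All `
    -ReportSeverityLevel High -Priority 1

# Rule 2: override with business justification, but only for the one group whose
# legitimate data is known to collide with the pattern. Lower priority value means
# it is evaluated before the default rule. Every override still raises an incident.
New-DlpComplianceRule -Name "CC - justified override, Finance-JP" `
    -Policy "Global - Credit Card Data" `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="2"; minConfidence="85"}) `
    -FromMemberOf "finance-jp@contoso.example" `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "dlp-incidents@contoso.example" -IncidentReportContent All `
    -ReportSeverityLevel Medium -Priority 0

# Approval workflow instead of an override: hold matching outbound email for a
# moderator. Mail flow rules use the classic data classification condition.
New-TransportRule -Name "CC - moderate outbound email" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; minCount="2"}) `
    -ModerateMessageByUser "dlp-approvers@contoso.example" `
    -Mode Enforce

# Review rule matches from the test period before switching the policy to Enable.
Get-DlpDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Format-Table -AutoSize
```

Run the policy in TestWithNotifications for long enough to see a representative week of traffic from each region; if one region dominates the false positives, that is the group to put behind the justified-override rule, and the rest of the organization stays on the blocking rule.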
