azure

Note-to-self: #DPIA for cloud – reference material (focus on #Microsoft cloud)

An interesting set of reference material that regularly comes back in the data protection, cybersecurity and information security discussions I have lately had with peers and colleagues.
Maybe you can use it too…

Feel free to provide some feedback yourself, if you know additional pointers I should add.

You know where to find me.

Change history

2022-04-27 14:00: Added EDPB announcement to references section

Governmental DPIAs

Netherlands

2018-12-06: DPIA on Microsoft Office 2016 & 365

https://iapp.org/news/a/dutch-government-commissioned-dpia-on-microsoft-office-pro-plus/

Direct download of PDF:

2022-02-22: DPIA on Microsoft Office 365

https://www.dataguidance.com/news/netherlands-dutch-government-publishes-dpia-microsoft

Press release by Dutch Government:

2022-02-21 https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Publication of DPIA by Dutch Government

2022-02-21 : https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad

Source: Beltug news https://www.beltug.be/news/7430/Dutch_government_publishes_DPIA_and_DTIA_for_Microsoft/

2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by Greenberg Traurig.

Switzerland

In a recent article (In French) by ICT journal, the Canton of Zurich published a

https://www.ictjournal.ch/articles/2022-04-26/comment-le-canton-de-zurich-a-estime-le-risque-de-passer-sur-le-cloud-de

Research

Researchgate

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

https://www.researchgate.net/publication/349882283_Data_Protection_Impact_Assessment_DPIA_for_Cloud-Based_Health_Organizations

Guidelines

CNIL

https://www.cnil.fr/en/tag/Privacy+Impact+Assessment+(PIA)

https://www.cnil.fr/en/guidelines-dpia

IAPP

https://iapp.org/news/a/guidance-for-a-cloud-migration-privacy-impact-assessment/

Templates

IAPP

https://iapp.org/resources/article/transfer-impact-assessment-templates/

Referring to:

IAPP Templates

Supplier references

Microsoft

Data Protection Impact Assessment for the GDPR

2021-11-17: https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-impact-assessments

Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Professional Services

Part 1: Determining whether a DPIA is needed

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-1–determining-whether-a-dpia-is-needed

Part 2: Contents of a DPIA

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dpia-prof-services?view=o365-worldwide#part-2-contents-of-a-dpia

Download Customizable DPIA document

https://www.microsoft.com/en-us/download/details.aspx?id=102398

(more to come, this article will be updated with additional references when necessary)

Other relevant references

EDPB (European Data Protection Board)

Launch of coordinated enforcement on use of cloud by public sector

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

Note-to-self: Short URL for app password in Azure MFA

When you enable MFA (Multifactor Authentication) in Azure, you can configure app passwords for applications that cannot work with the code generators, applications or phone apps used to log on with MFA…

The source URL for it is: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

But it’s very likely you can’t remember it anymore after a while, so train your brain for these bookmarks:

Also, these point to the same URL.

Last update: 2020-12-30

Note-to-self: You lost access to your initial Office 365 admin?

Although Microsoft has built in quite a few methods to regain access to your O365 tenant/account, you might have some bad luck one day… (experience talking here)

First of all, you should try the default options, meaning the password reset options.

The direct way to get there is the first link to bookmark: https://passwordreset.microsoftonline.com/

Another way to get there is via the O365 logon page (also for Azure).

If you forgot your password or can’t access the account, hit the link at the bottom.
You are then directed to the password reset page.

If you know the logon, you can proceed to the verification step.

You will notice that the verification points to your alternative mail address or your mobile number…

But what if you forgot your original logon ID (mail address), e.g. because you have set up a test tenant in O365 with a mail address you don’t use frequently? (Yes, that happens.)

If that is not working or you need more help, check these options:

And if you really ran out of luck: you might raise a ticket and ask for help. https://portal.office.com/support/newsignupservicerequest.aspx

Anyway, as shown, there are some options when configuring O365 that should keep you out of trouble in the first place:

  • Make sure to add a mobile number to your user account
  • Make sure to add a secondary email address to your account (not belonging to your O365 domain)
  • Configure and test MFA (Multifactor Authentication), e.g. with the Authenticator app
  • Add a secondary admin account with sufficient rights (with the same security measures!)

(Last update: 2020-12-31)

Winsec.be relaunch event: Docker 101 with focus on security/networking

So, you have heard about Docker and wanted to get expert, hands-on guidance to get started?
Or, you want to know more about Docker and start implementing it yourself?

Then make sure to save your seat* in this 2-day Docker 101 workshop try-out, with focus on network and security.

Philippe Bogaerts will guide you through the first steps in Docker: deploy apps, create and manage containers, play around and discover for yourself.
No prerequisite knowledge required.

Furthermore you’ll get the required bits and pieces to setup your lab in Azure.

All you need to do is bring your laptop.

We take care of the rest, to make it through the day.

Don’t miss this session, because seats are limited!

Registration and more information at: https://www.eventbrite.com/e/docker-101-with-focus-on-securitynetworking-tickets-25802118832

Note-to-self: Podcast An Insider’s Look at the Security of Microsoft Azure – Assume the Breach!

Source: got this from Tom Shinder, https://twitter.com/tshinder

“Really interesting and informative podcast with David Cross, where he discusses a multitude of issues around Azure Security.

Definitely 5 stars!

An Insider’s Look at the Security of Microsoft Azure – Assume the Breach!

Note-to-self: MVA course – Getting Started with Azure Security for the IT Professional

Source: https://www.microsoftvirtualacademy.com/en-US/training-courses/getting-started-with-azure-security-for-the-it-professional-11165

From the course description:

“Course information

Earning Trust in the Microsoft Cloud

Join Scott Edwards and Rick Claus for a look at the Microsoft commitment to earn customer and partner trust in its Cloud Services, with a focus on privacy controls, compliance, and certification.
 

Inside a Microsoft Datacenter

Have you ever wondered what “cloud scale” looks like? Take a virtual tour of a datacenter (designed, built, and operated by Microsoft), and learn about defense in depth, access, and cloud security.
 

Architecting Secure Compute Solutions on Azure

Explore ways to design solutions that will be secure and well architected for availability within your Azure subscription. Learn about security boundary implementation and ways to minimize downtime.
 

Virtual Appliances and Security

This session covers various elements of the network virtualization stack with emphasis on virtual networks, network security, and user defined routing.
 

Understanding Virtual Appliances

You will learn how to deploy virtual appliances in Azure Virtual Network. The key focus is on security appliances (firewall, gateway), ADC (application delivery controller), and WAN optimization.
 

Extend Your Network to the Microsoft Cloud

Learn about how Microsoft Azure ExpressRoute enables you to extend your network to Microsoft and enable Hybrid Scenarios for your Enterprise.
 

How to Manage Encryption Keys for Your Cloud Apps with Azure Key Vault

With the new Azure Key Vault service, customers of cloud applications can manage their keys and secrets consistently across their cloud applications. This is part 1 covering background and theory.
 

Demos: How to Manage Encryption Keys for Your Cloud Apps with Azure Key Vault

Managing cryptographic keys and secrets is an essential part of safeguarding data in the cloud. This is part TWO covering all the demos of the Azure Key Vault service.
 

Disk Encryption with Key Vault

Disk Encryption has been something that our customers have been asking about since Azure IaaS has been available. Learn what options are available to your Azure IaaS VMs now with Azure KeyVault.
 

Antivirus Options in Azure

AntiVirus extensions are available in Azure and can be included in your Virtual Machine images. Learn what options are available and how to leverage them in your solutions.
 

Encryption for SQL Server on Azure Virtual Machines

This talk will cover how customers can use the SQL Server Connector to use Azure Key Vault as an Extensible Key Manager in implementing SQL Server encryption on Azure Virtual Machines.
 

Azure SQL Database Security

This talk will cover 2 new security features for Azure SQL DB, Transparent Data Encryption and Azure Active Directory integrated authentication.”

Note-to-self: A quick tip to convert Hyper-V .vhdx to .vhd file formats (prep for Windows Azure)

A very useful, quick hint to convert your Hyper-V disks to Azure-ready disks…

Source: http://blogs.technet.com/b/cbernier/archive/2013/08/29/converting-hyper-v-vhdx-to-vhd-file-formats-for-use-in-windows-azure.aspx

See also:

Note-to-self: Microsoft at Gartner Identity & Access Management Summit

You probably recall that, last year, there was quite some confusion regarding the availability of the MS products on the Magic Quadrant for Identity & Access, right? Well, here is some good news.

Source: http://blogs.technet.com/b/enterprisemobility/archive/2014/11/26/microsoft-at-gartner-identity-amp-access-management-summit.aspx

“December 2-4, 2014 Microsoft will be participating in the Gartner Identity & Access Management Summit in Las Vegas, NV as a Platinum sponsor.

Building on our recent momentum around Identity-as-a-Service and on-premises Identity & Access Management, Microsoft will be featuring our solutions at a booth staffed by Microsoft IAM professionals who will be providing an overview, demonstrations and answering questions.

Please join Microsoft Tuesday December 2, 2014 at 2:45PM at the conference for our dynamic presentation “Azure Active Directory Explained.”

Microsoft Azure Active Directory will be highlighted including analysis and deep information into our market-leading solution, roadmap and customer insights.

We will also be discussing the recently-released Microsoft Identity Manager Public Preview and will be providing technical demonstrations of our Identity & Access Management solutions.

Come join us at the Gartner Identity & Access Management Summit reception, presentation and booth to discuss Microsoft Azure Active Directory and Microsoft Identity Manager.”

As you have seen, there was, and there still is, a hopeful amount of activity around Microsoft Identity Management.
Alive and kicking. Better know it.