Classify and protect sensitive data: focus on MIP
10 December 2021
With rising data volumes and attacks, data security issues are becoming increasingly significant. The expansion and widespread adoption of collaborative tools give users the possibility to manage their data and the risks associated with it. (1)
How can a large volume of data be secured, and how can the most sensitive data to protect be quickly identified?
It is difficult for security teams to apply a single data protection policy. Indeed, not all data is equal in terms of criticality for the company. It is therefore important to identify the data by classification in order to determine a level of sensitivity. It will then be possible to protect the most sensitive data.
One of the main risks is the deliberate or involuntary leakage of data. Some information, through mismanagement or in the wrong hands, can result in threats to the company's reputation and interests, and even in economic loss. Such information is considered sensitive for companies. It includes regulated data (customers), financial status, assets (patents, plans, etc.) or strategic decisions.
To better control the risks, it is advisable to apply a process to discover, classify and protect the data.
To protect sensitive data, you must first have a good knowledge of the company's data.
Several questions can be asked to determine them:
By questioning the nature of the data and the issues involved, it will be possible to determine the levels of risk and prioritize the information.
It is important to define your own classification levels for all data in the company. When defining them, it will also be necessary to give examples for each level to help users understand them.
There is no perfect model; each company, depending on its environment and complexities, will define its own data classification table. However, it is recommended not to exceed 4 levels.
In general, companies apply 3 levels of classification: confidential, internal, and public.
Organizations can define strategies to classify and then label the most sensitive data.
Once the classification is defined, it will be necessary to apply it to all the data according to its content. This consists of putting a label on the data with the classification level.
The use of this label will help to classify the data into different categories according to established criteria. Combined with data discovery, the labels applied to files make it possible to build an identification process for the resources and to establish the most appropriate protection strategy.
The labelling of information can be done on different types of data such as files, images, folders or even the most sensitive emails.
There are several ways to tag information:
Based on the classification level, it is possible to apply encryption.
Encryption provides additional security to prevent someone from accessing the content of the document.
A company can decide that, for a given classification level, encryption will be applied to the information, either automatically or by a user.
As with labelling, encryption can also be applied by solutions that scan documents. These solutions look for patterns and automatically apply labels, restrictions and/or encryption.
Depending on the level of classification, restrictions on rights and accesses can be proposed. For example, it is possible to prohibit transfers, copies, printing and to restrict access to specific people.
You need to be able to track activity on classified data and review access as necessary.
Administrators can use reports to monitor and control this data. They will, for example, be able to:
It is possible to analyse the different labelled contents and understand if they have the right label and the right level of protection.
Today, many companies use Microsoft 365 solutions and need to secure shares in these collaborative tools.
Through its Azure Cloud platform, Microsoft offers a wide range of protection tools that integrate with Microsoft 365 and Windows services. To classify and protect sensitive data, Microsoft has developed a solution named MIP.
MIP is the abbreviation of Microsoft Information Protection, formerly known as AIP (Azure Information Protection).
NB. Microsoft Information Protection is not a tool but rather an environment with associated applications and functionalities.
More specifically, Microsoft Information Protection focuses on identifying and protecting sensitive data. It supports many types of content: emails, Office or PDF files and images for example. MIP applies to files stored on on-premises file servers and on cloud platforms, such as SharePoint, OneDrive, and Microsoft Teams.
The solution is included in the E3 and E5 licenses of Microsoft 365 and is offered in Premium versions for additional functionality. In the Premium versions, the main functionality is the MIP scanner. It automatically identifies and encrypts sensitive data in order to track and control access to documents.
MIP makes it possible to define a classification and to label documents and emails, but this first requires identifying the sensitive data.
This identification can be done in two ways: manually or automatically, depending on the chosen solution (basic or premium).
For the manual part, identification and labelling are done by the users. They choose the label that corresponds to the sensitivity level of the document, which inserts a visual marker on the resource and a label in its metadata.
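As an added illustration of the label that user labelling stores in a file's metadata (this is example code, not code from the article or from Microsoft): MIP records its label as custom document properties named MSIP_Label_<label GUID>_<field> in the docProps/custom.xml part of an Office file, and the reader below extracts them so an auditor can check which label a document actually carries. The GUID, label names and the minimal package builder are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the docProps/custom.xml part of an Office Open XML package.
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# MIP stores its label as custom properties named MSIP_Label_<label GUID>_<field>.
MSIP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")


def read_msip_labels(docx_bytes: bytes) -> dict:
    """Map label GUID -> {field: value} for every MSIP property found in the package."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if "docProps/custom.xml" not in pkg.namelist():
            return labels  # no custom properties part: the file was never labelled
        root = ET.fromstring(pkg.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        match = MSIP_RE.match(prop.get("name", ""))
        if not match:
            continue  # ordinary custom property, not a MIP label field
        value = prop.find(f"{{{NS_VT}}}lpwstr")
        labels.setdefault(match.group(1).lower(), {})[match.group(2)] = (
            value.text if value is not None else None)
    return labels

def effective_label(docx_bytes: bytes):
    """Name of the enabled MSIP label, or None when the document carries no active label."""
    for fields in read_msip_labels(docx_bytes).values():
        if (fields.get("Enabled") or "").lower() == "true":
            return fields.get("Name")
    return None

def build_sample_docx(label_guid=None, name=None, enabled=True) -> bytes:
    """Constructed minimal package holding only the custom.xml part the reader needs."""
    props = ""
    if label_guid:  # constructed field set; a real label carries more fields
        fields = {"Enabled": str(enabled).lower(), "Name": name, "Method": "Standard"}
        for pid, (field, val) in enumerate(fields.items(), start=2):
            props += (f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
                      f'name="MSIP_Label_{label_guid}_{field}"><vt:lpwstr>{val}</vt:lpwstr></property>')
    xml = f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/custom.xml", xml)
    return buf.getvalue()
```

A disabled label (Enabled=false) is what remains in the properties when a user removes or downgrades a label, so the reader ignores it rather than reporting a stale name.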
Some organizations, to encourage users to label their documents, apply a default label, visible to the user. The user will be able to change it if necessary.
By contrast, the MIP scanner detects and classifies automatically all the data in the environment. The scanner analyses the information contained in the documents and checks their conformity against the established models and rules. Following this analysis, it can tell whether the document should be labelled and at what level: for example, Confidential or Highly Confidential.
However, the scanner is a paid service included with certain licenses at additional cost, and it has a prerequisite: the file must be indexed by Windows. This scanner can be a source of errors and requires precise settings.
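An added example (not the MIP scanner's own logic or Microsoft's sensitive information types) of how rule-based automatic classification works and why its thresholds need precise settings: constructed rules combining a pattern, a minimum instance count and a checksum validator are applied to two constructed sample documents, and the highest-ranked label whose rule reaches its threshold wins.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed label set; a higher rank always wins.
LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Highly Confidential": 3}

def luhn_ok(digits: str) -> bool:
    """Checksum that rejects random 16-digit numbers which merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    min_count: int  # instances required before the rule counts as a hit
    label: str
    validator: Optional[Callable[[str], bool]] = None

# Constructed rules in the spirit of sensitive information types.
RULES = [
    Rule("payment card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 1, "Highly Confidential",
         lambda m: luhn_ok(re.sub(r"\D", "", m))),
    Rule("email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 10, "Confidential"),
    Rule("internal marker", re.compile(r"\bINTERNAL USE ONLY\b", re.I), 1, "Internal"),
]

def classify(text: str, rules=RULES):
    """Return (label, hits): the highest-ranked label of any rule reaching its threshold."""
    label, hits = "Public", {}
    for rule in rules:
        found = [m.group(0) for m in rule.pattern.finditer(text)]
        if rule.validator:  # drop matches that only look like the pattern
            found = [m for m in found if rule.validator(m)]
        if len(found) >= rule.min_count:
            hits[rule.name] = len(found)
            if LABEL_RANK[rule.label] > LABEL_RANK[label]:
                label = rule.label
    return label, hits

# Constructed sample documents (4111 1111 1111 1111 is a well-known Luhn-valid test number).
EXPENSE_NOTE = "Expense claim paid with card 4111 1111 1111 1111. Contact finance@example.com"
NEWSLETTER = "Newsletter draft, ticket 1234 5678 9012 3456. Questions to comms@example.com"
```

Lowering the email rule's threshold to one instance turns the newsletter into a Confidential document, which is the kind of over-labelling a badly tuned scanner produces.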
Once sensitive data has been identified, manually or automatically, Microsoft Information Protection uses Azure Rights Management (Azure RMS) encryption to protect it.
From the moment data is tagged, security policies are applied by linking rules to the chosen classification tags.
Azure RMS uses advanced encryption to enforce identification and authorization policies that protect the data. This tool encrypts data at the level of the application that hosts it. The file therefore carries its own encryption, and only authorized people have access to it. As the protection travels in the document header, the document remains protected even if it is shared with someone outside the organization.
33% of security incidents encountered by companies are linked to negligence or a configuration error by an administrator or an employee. (1)
Still often considered a weak link, users play an essential role in data protection, and it is important to support them in their use of the tools. Responsibility for information and its protection requires an adoption phase in which users learn the right reflexes around data and gain a good knowledge of the tools.
Employees must be aware of the security levels of the data they handle in order to protect the information. They must therefore be able to recognize sensitive information, emails and documents.
It can be useful to define an exhaustive list of data considered sensitive and the classifications that must be applied. Employees will have a clearer vision and will be able to protect their data more easily.
MIP can propose native levels that facilitate classification by the user.
After identification, the employee must ensure that the document has the necessary protections against inappropriate access.
It is important to give access rights to data only to those who need them (principle of least privilege). Once the information has been identified as sensitive, it is necessary to designate who can access it and with what rights.
Depending on the level of classification given in MIP, the user may be required to designate who is authorized to access the information.
As on OneDrive or Microsoft Teams, it is important to verify rights. A collaboration may have ended, or a collaborator may have changed position, so that he or she is no longer entitled to receive certain information. The sharing is then considered obsolete.
In MIP, it will be necessary to regularly check the rights granted on documents and to remove rights or accesses when necessary. This review of rights and accesses can be triggered according to the document's lifecycle, for example at the end of each validation, monthly or quarterly.
Classification and labelling are the foundation of a data protection strategy. Whether from a compliance, governance, or security perspective, they will enable organizations to effectively protect their most sensitive data.
IT/security teams need to oversee the proper labelling of documents, any encryption needs and data access restrictions. They will need to support users in establishing effective protection.
The deployment of protection tools like MIP will help companies in these protection steps. AIP currently offers two licenses: basic and premium. The premium license has a higher cost and additional features (the scanner).
Some companies have chosen to look for alternative solutions to monitor MIP-classified data on Microsoft 365.
Allowing each owner of sensitive data to identify his or her tagged data and the associated rights, delegations and accesses is an essential element of data protection.
IDECSI has recently enriched its Data Security platform to allow each user to easily control the MIP tagged sensitive resources. The platform is supported by a powerful search tool. Administrators and users gain visibility, detect, and remediate risks quickly.
Combined with its user platform, IDECSI involves employees and gives them a global view of their data and their different applications. This simplifies the verification of rights, access and sharing.