How to reduce the risk of shared data in Microsoft 365
10 December 2021
Data security issues, with rising data volumes and constant attacks, are becoming increasingly significant. The spread of collaborative tools and their widespread adoption give users the ability to manage their own data, and with it the associated risks.(1) How can a large volume of data be secured? How can the most sensitive data be quickly identified and protected?
It is difficult for security teams to apply a single data protection policy, because not all data is equally critical for the company. It is therefore important to classify data in order to assign it a sensitivity level. It then becomes possible to protect the most sensitive data in Microsoft 365.
One of the main risks is data leakage, whether deliberate or unintentional. Some information, if mismanaged or in the wrong hands, can threaten the company's reputation and interests and carry a significant economic cost. Such data is considered 'sensitive'. It may include regulated data (customer information), financial status, assets (patents, plans, etc.) or strategic decisions.
To better control the risks, it is advisable to apply a process to discover, classify and protect your data.
To protect sensitive data, you must first have a good knowledge of the company's data.
Several questions can be considered:
By questioning the nature of the data and the issues involved, it will be possible to determine the levels of risk and prioritize the information.
It is important to define your own classification labels for all data in the company. When defining them, it is also necessary to give examples for each level so that users understand them.
There is no perfect model. Each company, depending on its environment and complexities, will define its own data classification table. However, it is recommended not to exceed 4 levels.
In general, companies apply 3 levels of classification: confidential, internal, and public.
Organizations can define strategies to classify and then label the most sensitive data.
Once the classification is defined, it is necessary to apply it to all data. This consists of putting a label on the data with the classification level.
The use of this label will help to classify the data into different categories according to established criteria. The labels applied to the files will allow the creation of an identification process for the resources and the establishment of the most appropriate protection strategy.
Information in all systems can be labelled: files, images, folders and even the most sensitive emails.
There are several ways to tag information:
From the sensitivity label, it is possible to choose the required encryption.
Encryption provides additional security to prevent unauthorized access to the content.
A company can decide that, for a given classification level, encryption will be applied to that information, either automatically or by the user.
Like labelling, encryption can also be deployed automatically thanks to solutions that scan the environment. These solutions look for patterns and automatically apply labels, restrictions and/or encryption.
Depending on the sensitivity label, restrictions on permissions and access can be applied. For example, it is possible to prohibit forwarding, copying and printing, and to restrict access to specific people.
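As an added example that is not code from the article, from IDECSI or from Microsoft, the following Security & Compliance PowerShell script defines the three-level classification described above (public, internal, confidential), attaches Azure RMS encryption and usage restrictions to the confidential level, and publishes the labels with a default label. It assumes the ExchangeOnlineManagement module is installed; the group addresses under contoso.example are placeholders.

```powershell
# Added example, not code from the article, IDECSI or Microsoft: it defines the
# three-level classification the article describes and publishes it to users.
# Requires the ExchangeOnlineManagement module; the contoso.example addresses
# below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

# Level 1: no marking, no protection.
New-Label -Name "Public" -DisplayName "Public" `
    -Tooltip "May be released outside the company, e.g. press releases."

# Level 2: a visual marker only, so users see the classification on the document.
New-Label -Name "Internal" -DisplayName "Internal" `
    -Tooltip "Day-to-day business information not meant for the public, e.g. meeting notes." `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "Internal"

# Level 3: Azure RMS encryption. Staff may view, edit and reply but not print,
# copy out (EXTRACT), forward or export; a data-owner group keeps full control.
# Offline access is capped at 7 days so that revoked rights take effect quickly.
$rights = "all-staff@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL;" +
          "data-owners@contoso.example:OWNER"   # placeholder group addresses
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Customer, financial or strategic data whose leakage would harm the company." `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Confidential" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Publish the three labels to all users. "Internal" is the default label, so a
# document a user forgets to classify is still labelled, and lowering a label
# requires a justification that shows up in the administrators' reports.
New-LabelPolicy -Name "Company classification" `
    -Labels "Public", "Internal", "Confidential" -ExchangeLocation All
$internalGuid = (Get-Label -Identity "Internal").Guid
Set-LabelPolicy -Identity "Company classification" -AdvancedSettings @{
    DefaultLabelId                = "$internalGuid"
    RequireDowngradeJustification = "true"
}
```

Label settings take effect in client applications only after the policy has been synchronised, so verify with a test document before relying on the encryption.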
You need to be able to track activity on classified data and review access as necessary.
Administrators can use reports to monitor and control this data. They will, for example, be able to:
It is possible to analyze the different labelled contents and understand if they have the right label and the right level of protection.
Today, many companies use Microsoft 365 solutions and need to secure information in these collaboration tools.
Through its Azure Cloud platform, Microsoft offers a wide range of protection tools that integrate with Microsoft 365 and Windows services. To classify and protect sensitive data, Microsoft has developed a solution named MIP.
Microsoft Purview Information Protection is the new name for MIP / AIP (Azure Information Protection).
NB. Microsoft Purview Information Protection is not a tool but rather an environment with associated applications and functionalities.
More specifically, Microsoft Purview Information Protection focuses on identifying and protecting sensitive data. It supports many types of content: emails, Office or PDF files, images, and Microsoft 365 groups. Purview applies to files stored on on-premises file servers and in cloud platforms such as SharePoint, OneDrive, and Microsoft Teams.
The solution is included in the E3 and E5 licenses of Microsoft 365 and is offered in premium versions with additional functionality. In the premium versions, the main additional functionality is the scanner. It supports automatic identification of sensitive data, adding a sensitivity label, and tracking and controlling access to documents.
Microsoft Purview (MIP) supports defining a classification and labelling of documents and emails. But it is first necessary to identify the sensitive data.
This identification can be done in two ways: manually or automatically, depending on the chosen solution (basic or premium).
With the manual option, the identification and labelling are done by the users. They then choose the label that corresponds to the sensitivity of the document, which inserts a visual marker on the resource and a sensitivity label in its metadata.
Some organizations, to encourage users to label their documents, apply a default label, visible to the user. The user will be able to change it if necessary.
For the automated option, the Microsoft Purview scanner automatically detects and classifies all the data in the environment. The scanner analyzes the information contained in the documents and assesses their level of sensitivity according to defined models and rules. Following this analysis, it can tell whether the document should be labelled and at which level: for example, Confidential or Highly Confidential.
However, the scanner is a paid service, included only with certain licenses at additional cost, and has a prerequisite: the files must be indexed by Windows. The scanner can be a source of errors and requires precise configuration.
Once sensitive data has been identified, manually or automatically, Microsoft Purview Information Protection uses Azure Rights Management (Azure RMS) encryption to protect it.
From the moment a document or other resource is tagged, security policies are applied by linking rules to the chosen classification tags.
Azure RMS uses advanced encryption together with identification and authorization policies to protect data. It encrypts the data at the level of the application that hosts it. The file is therefore encrypted and only authorized people have access to it. The document remains protected even if it is shared with someone outside the organization.
33% of security incidents encountered by companies are linked to negligence or a configuration error by an administrator or an employee. (1)
Still often considered the weak link, the user plays an essential role in data protection. It is important to support users in their day-to-day use of the tools. There is necessarily an adoption phase during which users develop the reflexes to protect data and fully understand their tools.
Employees must be aware of the security levels of the data they handle in order to be able to protect the information. They must therefore be able to recognize sensitive information, emails, and documents.
It can be useful to define an exhaustive list of the data considered sensitive and the classifications that must be applied. Employees will have a clearer understanding and will be able to protect their data more easily.
Microsoft Purview (MIP) can propose native levels facilitating the classification by the user.
After identification, employees must ensure that the document has the necessary protections against inappropriate access.
It is important to give access rights to data only to those who need them (principle of least privilege). Once the information has been identified as sensitive, it is necessary to designate who can access it and with what rights.
Depending on the level of classification given in MIP, the user may be required to designate who is authorized to access the information.
On tools such as OneDrive and Microsoft Teams, it is important to verify access and permissions. A collaboration may have ended, or an employee may have changed position, so he or she will no longer be entitled to receive certain information. The sharing is then considered obsolete.
In Microsoft Purview (MIP), it is necessary to regularly check the permissions granted on documents and to remove those that are obsolete. This review of permissions and access can be initiated according to the lifecycle of the document and/or on a periodic basis.
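As an added example that is not code from the article or from IDECSI's product, the following Microsoft Graph PowerShell script performs the access review described above on a user's OneDrive: it lists every sharing permission on the top-level items, flags the overexposed ones (anonymous links, links open to the whole company, recipients outside the company's domain) and can revoke them. It assumes the Microsoft.Graph PowerShell SDK is installed; the user and domain are placeholders.

```powershell
# Added example, not code from the article, IDECSI or Microsoft: reviews sharing
# permissions on a user's OneDrive and flags the overexposures the article
# describes. Requires the Microsoft.Graph SDK; user and domain are placeholders.
Import-Module Microsoft.Graph.Files
Connect-MgGraph -Scopes "Files.ReadWrite.All"

$user   = "alice@contoso.example"   # placeholder: the data owner under review
$domain = "contoso.example"         # placeholder: the company's own mail domain
$revoke = $false                    # $true removes flagged permissions instead of only listing them

$drive = Get-MgUserDefaultDrive -UserId $user
$root  = Get-MgDriveRoot -DriveId $drive.Id
$items = Get-MgDriveItemChild -DriveId $drive.Id -DriveItemId $root.Id -All

foreach ($item in $items) {
    $perms = Get-MgDriveItemPermission -DriveId $drive.Id -DriveItemId $item.Id -All
    foreach ($p in $perms) {
        # Inherited permissions come from a parent folder and must be fixed there.
        if ($p.InheritedFrom.Id) { continue }

        # Decide whether this permission is an overexposure worth reviewing.
        $reason = switch ($p.Link.Scope) {
            "anonymous"    { "anyone with the link" }
            "organization" { "whole company ('All company' link)" }
            default {
                $email = $p.GrantedToV2.User.Email
                if ($email -and $email -notlike "*@$domain") { "external recipient $email" }
            }
        }
        if (-not $reason) { continue }   # direct share to an internal user: not flagged here

        $role = $p.Roles -join ","
        Write-Output ("{0}`t{1}`t{2}`t{3}" -f $item.Name, $role, $reason, $p.Id)
        if ($revoke) {
            Remove-MgDriveItemPermission -DriveId $drive.Id -DriveItemId $item.Id -PermissionId $p.Id
        }
    }
}
```

Shares to internal colleagues are not flagged by this script; they still need the lifecycle-based review the article describes, since a collaboration may simply have ended.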
Classification and labelling are the foundation of a data protection strategy. Whether from a compliance, governance, or security perspective, they will enable organizations to effectively protect their most sensitive data.
IT/security teams need to oversee the proper labelling of documents, any encryption requirements and data access restrictions. They will need to work with the user to establish effective protection.
The deployment of protection tools like Microsoft Purview Information Protection will help companies in these steps. MIP currently offers two licenses: basic and premium. The premium license has a higher cost and additional features (the scanner).
Some companies have chosen to look for alternative solutions to monitor MIP-classified data in Microsoft 365.
Allowing each owner of sensitive data to identify their tagged data and the associated rights, delegations and accesses is an essential element of data protection.
IDECSI has recently enhanced its MyDataSecurity platform to allow each user to easily control their sensitive resources thanks to Microsoft Purview Information Protection (MIP) labels. Administrators and users have a centralized view to easily control access and permissions on their sensitive files. They can also, in case of overexposure (sharing to 'All company', for example), correct the risk by revoking a permission.
Combined with its user platform, IDECSI involves employees and gives them a global view of their data and their applications. The verification of rights, access and sharing is simplified.
(1) CESIN “Barometer of company cyber-security” – 2021