Classify and protect sensitive data: focus on MIP

Data security issues, with rising data volumes and constant attacks, are becoming increasingly significant. The expansion of collaborative tools and their widespread adoption offers the possibility for users to manage their data and the risks associated with it.(1) How to secure a large volume of data? How to quickly identify the most sensitive data to protect?

It is difficult for the security teams to apply a single data protection policy. Indeed, not all data is equal in terms of criticality for the company. It is therefore important to identify the data by classification in order to determine a level of sensitivity. It will then be possible to protect the most sensitive data in Microsoft 365. 

• Classify and protect - issues reinforced by regulatory obligations
• Microsoft Purview Information Protection to protect sensitive data  
• Support employees in the protection of their sensitive data 

Classify and protect - issues reinforced by regulatory obligations (GDPR) 

One of the main risks is the leakage of data - deliberate or unintentional. Some information, through mismanagement or in the wrong hands can result in threats to the company's reputation and interests, and significant economic cost. These data are considered 'sensitive'. It may include regulated data (customers information), financial status, assets (patents, plans etc...) or strategic decisions.  

To better control the risks, it is advisable to apply a process to discover, classify and protect your data. 

1. Identify sensitive data 

To protect sensitive data, you must first have a good knowledge of the company's data. 
Several questions can be considered:  

• What are the different data held by the company?  

• What are sensitive data for my company? 
• Where are those data located?  
• Who has access today?  
• What are the impacts in case of a leak?  

By questioning the nature of the data and the issues involved, it will be possible to determine the levels of risk and prioritize the information.  

2. Define classification labels

It is important to define your own classification labels for all data in the company. When defining them, it is also necessary to give examples for each level to facilitate understanding of users.  

There is no perfect model. Each company, depending on its environment and complexities, will define its own data classification table. However, it is recommended not to exceed 4 levels.  

In general, companies apply 3 levels of classification: confidential, internal, and public. 

3. Classify data according to its level of confidentiality

Organizations can define strategies to classify and then label the most sensitive data.  

Once the classification is defined, it is necessary to apply it to all data. This consists of putting a label on the data with the classification level.  

The use of this label will help to classify the data into different categories according to established criteria. The labels applied to the files will allow the creation of an identification process for the resources and the establishment of the most appropriate protection strategy.  

Information in all systems can be labelled: files, images, folders and even the most sensitive emails.  

There are several ways to tag information:  

• Manually by involving the user  
• Automatically through software systems

4. Protect data

Through encryption 

From the sensitive label, it is possible to choose the required encryption. 
Encryption provides additional security to prevent unauthorized access to the content. 
A company can decide that, for a given classification level, either automatically or by a user, encryption will be employed for that information.  

Like the labelling of information, encryption can also be automatically deployed thanks to solutions that scan environment. These solutions look for patterns and automatically apply labels, restrictions and/or encryption.

Through access restriction 

Depending on the sensitive label, restrictions on permissions and access can be proposed. For example, it is possible to prohibit transfers, copies, printing and to restrict access to specific people. 

5. Monitor and track labelled data  

You need to be able to track activity on classified data and review access as necessary.  

Administrators can use reports to monitor and control this data. They will, for example, be able to:  

• Monitor tagged documents or emails 

• Identify who has accessed a document with a specific sensitive label 
• Easily identify documents with the most sensitive information

It is possible to analyze the different labelled contents and understand if they have the right label and the right level of protection. 

Microsoft Purview Information Protection to protect sensitive data 

Today, many companies use Microsoft 365 solutions and need to secure information in these collaboration tools.  

Through its Azure Cloud platform, Microsoft offers a wide range of protection tools that integrate with Microsoft 365 and Windows services. To classify and protect sensitive data, Microsoft has developed a solution named MIP. 

Overview of Microsoft Purview Information Protection Solution 

Microsoft Purview Information Protection is the new name for MIP / AIP (Azure Information Protection). 

NB. Microsoft Purview Information Protection is not a tool but rather an environment with associated applications and functionalities. 

More specifically, Microsoft Purview Information Protection focuses on identifying and protecting sensitive data. It supports many types of content: emails, Office or PDF files and images or Microsoft 365 groups. Purview applies to files stored in on-premise file servers and in cloud platforms, such as SharePoint, OneDrive, and Microsoft Teams. 

The solution is included in the E3 and E5 licenses of Microsoft 365 and is offered in premium versions for additional functionality. In the premium versions, the main functionality is the scanner. It supports automatic identification of sensitive data, adding a sensitive label and following and controlling the access to documents. 

Classification and sensitive label with Microsoft Purview (MIP)

Microsoft Purview (MIP) supports defining a classification and labelling of documents and emails. But first necessary to identify the sensitive data. 

This identification can be done in two ways: manually or automatically, depending on the chosen solution (basic or premium).  

With the manual option, the identification and labelling is done by the users. They will then have the choice to add the label that corresponds to the sensitivity of the document, with the effect of inserting a visual marker on the resource and a sensitive label in its metadata.  

Some organizations, to encourage users to label their documents, apply a default label, visible to the user. The user will be able to change it if necessary. 

For the automated option, the Microsoft Purview scanner automatically detects and classifies all the data in the environment. The scanner will analyze the information contained in the documents and look at their level of sensitivity according to defined models and rules. Following this analysis, it will be able to tell if the document should be labelled and at wich level: for example, Confidential, Highly Confidential.  

However, the scanner is a paid service included with certain licenses with additional costs and requires a prerequisite: the file must be indexed by Windows. This scanner can be a source of errors and requires precise settings. 

Data encryption with Azure RMS 

Microsoft Purview Information Protection has identified sensitive data manually or automatically and uses Azure Rights Management (Azure RMS) encryption to protect them.  

From the moment a document or other resource is tagged, it applies security policies by establishing relationships between rules and the chosen classification tags. 

Azure RMS will use advanced encryption to establish identification and authorization policies to protect data. This tool encrypts data at the application level that hosts it. The file will therefore be encrypted and only authorized people will have access to it. The document will always be protected even if it is shared with someone outside the organization. 

Support employees in the protection of their sensitive data 

33% of security incidents encountered by companies are linked to a negligence or configuration error by an administrator or an employee. (1)

Still often considered as a weak link, the user plays an essential role in data protection. It is important to support them in their use. There is necessarily an adoption phase during which users can develop the reflexes to protect data and fully understand their tools.

1. Assign the right levels of confidentiality on documents 

Employees must be sensitive to the security levels of the data they handle in order to be able to protect the information. They must therefore recognize sensitive information, emails, and documents.  

It can be useful to define an exhaustive list of data considered as sensitive and the classifications that must be applied. Employees will have clearer understanding and will be able to protect their data more easily. 

Microsoft Purview (MIP) can propose native levels facilitating the classification by the user. 

After identification, employees must ensure that the document has the necessary protections against inappropriate access. 

2. Give limited access rights

It is important to give access rights to data only to those who need them (principle of least privilege). Once the information has been identified as sensitive, it is necessary to designate who can access it and with what rights. 

Depending on the level of classification given in MIP, the user may be required to designate who is authorized to access the information. 

3. Regularly check permissions and access

On tools such as OneDrive and Microsoft Teams, it is important to verify access and permissions. A collaboration may have ended, or an employee may have changed position, so he or she will no longer be entitled to receive certain information. The sharing is then considered obsolete.  

In Microsoft Purview (MIP), it is necessary to regularly check the permissions granted on documents and to remove some those that are obsolete. This review of permissions and access can be initiated according to the lifecycle of the document and/or on a periodic basis.

Classification and labelling to secure sensitive data  

Classification and labelling are the foundation of a data protection strategy. Whether from a compliance, governance, or security perspective, they will enable organizations to effectively protect their most sensitive data.  

IT/security teams need to oversee the proper labelling of documents, any encryption requirements and data access restrictions. They will need to work with the user to establish effective protection. 

The deployment of protection tools like Microsoft Purview Information Protection will help companies in these steps. MIP currently offers two licenses: basic and premium. The second premium will have a higher cost and additional features (scanner).  

Some companies have made the choice to find alternative solutions to monitor MIP classified data on Microsoft 365. 

IDECSI, a complete and efficient protection of your sensitive data, integrated with MIP classifications 

Allowing each owner of sensitive data to identify his or her tagged data and the rights, delegations, and accesses, is an essential element in data protection. 

IDECSI has recently enriched its platform MyDataSecurity to allow each user to easily control their sensitive resources thanks to Microsoft Purview Information Protection (MIP) labels. Administrators and users have a centralized view to easily control access and permissions on their sensitive files. They can also, in case of overexposure (sharing to 'All company' for example), correct the risks by revoking a permission.

Combined with its user platform, IDECSI involves employees and gives them a global view of their data and their applications. The verification of rights, access and sharing is simplified.

(1) CESIN “Barometer of company cyber-security” – 2021