Data Exposure in Microsoft 365: Understanding the Risks and Taking Back Control
Security
20 November 2024
On the occasion of the 2024 Security Conference, two major French groups, TotalEnergies and Rocher, will discuss their strategy, vision and solutions implemented to manage security and volume issues, particularly those surrounding data governance on Microsoft 365, the deployment of artificial intelligence and responsible digital ambitions.
Microsoft suite tools such as OneDrive, SharePoint and Teams offer users great freedom for sharing, and for the company greater efficiency by multiplying the possibilities of collaboration. However, this freedom requires rigorous management if we want to avoid unsecured or non-compliant sharing, and to be able to identify malicious activity. The management of collaborative spaces is essential, both in terms of security, with the risk of overexposure of data, and in terms of the life cycle of information and overconsumption of storage.
In this context, the end user is a key player whose active participation must be ensured. They play a crucial role in managing risks and data volume. It is therefore essential to make them responsible and provide them with the necessary tools so that they can manage their data proactively.
How do you identify and eliminate problematic and dangerous access and sharing? How do you clean up unnecessary, obsolete data in order to manage storage?
Our guests, Jean-Marc Boursat, CISO of TotalEnergies, and Jérôme Etienne, CISO of Groupe Rocher, will demonstrate:
One of the key risks on Microsoft 365 identified by companies is data leakage, often caused by stolen credentials, identity theft or poorly controlled sharing. Solutions such as multi-factor authentication (MFA) can reduce this risk.
Groupe Rocher attempted to manage this problem with its own SOC, but managing the volume of data and exceptions (false positives, heavy alert processing) proved highly complex. This is why an expert solution was chosen.
The two CISOs highlighted the capabilities of the IDECSI solution to act as an audit and supervision platform on Microsoft 365, offering key monitoring, detection, alerting, remediation functions and an extremely effective rights review module.
At TotalEnergies, the challenge is to reduce the attack surface by limiting data exposure: overly open or anonymous sharing, and access to mailboxes.
Furthermore, one of the common objectives is to make users aware of the existing risks in the tools they use on a daily basis. Both companies have implemented a system to identify and correct risky sharing through the involvement of data owners with MyDataSecurity.
TotalEnergies launched the CheckMyShare project to enable users to manage their data sharing independently, while ensuring secure access.
During an initial phase, the IDECSI platform identified more than 47,000 points of attention (risks) concerning the data shared on TotalEnergies' M365 tenant. This number may seem huge on the global tenant scale, but if we focus on each user, data owners have, on average, 2 to 3 points of attention to manage. This end-user-centred approach helps address a significant problem with share volume, made manageable through user delegation.
Key figures
For its part, Groupe Rocher has established monthly rights review campaigns in order to guarantee effective governance of collaborative access around sharing, guests and external access. Every 5th of the month, the rights review process is structured around 3 stages:
1- An inventory of access, sharing and rights to data to identify risks (Outlook configuration; anonymous, external, or obsolete sharing):
example of a report on points of attention
2- Notification with campaigns to data owners who have points of attention for corrective action
3- Corrections and performance measurements: The company assesses risk reduction through a detailed report that tracks campaign progress and measures the effectiveness of remediation actions and security improvements. Out of 4,200 users, 18% have already carried out corrective action.
example of campaign tracking report
Both groups are seeing an explosion in the volume of collaborative data, with a direct impact on available storage. However, only 10% of the data is actually used, according to Microsoft.
In addition, storage generates an often underestimated energy cost, which is increasing with the arrival of AI. It therefore constitutes an essential lever for reducing the ecological footprint of information systems, through better storage management and the proactive deletion of unnecessary data in particular.
Ambitions around digital sobriety are strong within the 2 groups.
Overall, users in both groups found the tool intuitive. Internal initiatives, such as "Cleaning Days" or Responsible Digital Week, also reinforce the action taken by the businesses.
Key figures
Both companies have chosen to empower their users, to involve them in eliminating risks and managing access to data (cleaning up permissions and unnecessary, obsolete data).
Objective: Make the user autonomous by giving them the ability to take action themselves in the management of their data.
TotalEnergies has integrated Copilot for Microsoft 365 for more than 30,000 users. Generative AI changes the paradigm and reinforces the importance of a sharing control solution, as it leverages all data stored in Microsoft 365 as well as the associated permissions. How can data lifecycle management be structured in Microsoft 365 to ensure compliance, quality and security?
Digital hygiene is one of the key success factors when deploying AI at scale to ensure quality and security. It allows you to manage multiple versions of files, so as not to keep information that is too extensive or too old, to clean up permissions that are too broad and to cover the risk of obsolescence and overexposure of data.
The explosion of data complicates the issues of security, access and sharing management, as well as the relevance of the data required for AI and the volume of data. These initiatives illustrate how proactive and responsible data management can strengthen security, reduce risk and optimise resources within a Microsoft 365 environment.

- Jérôme Etienne, CISO Groupe Rocher, an independent family group present in 118 countries. Groupe Rocher, a French company of Breton origin, owns brands such as Yves Rocher, Arbonne, Petit Bateau, Stanhome, Kiotis, etc.
- Jean-Marc Boursat, CISO of the TotalEnergies group, a multinational operating in more than 130 countries, engaged in the production and supply of renewable and fossil energies, which focusses on technological innovation and the energy transition. The company adapts its strategies to respond to global challenges while promoting a sustainable approach to reduce its ecological footprint and contribute to a responsible energy future.
