Collaboration tools, a paradigm shift in data management
The new uses of collaboration tools, especially in Microsoft 365, have changed the role of the user who has become the administrator of his own data. He can share data via his OneDrive, share internally and externally on Teams via links, create Teams spaces, add members, and more.
But this new way of sharing favors human error. Businesses need to be increasingly sensitive to data processing in Microsoft 365: How to process it? How to identify it? What policy should be put in place? How to understand the evolution of Microsoft features?
For that, several elements must be taken into account to have good control and governance of the data, in particular due to the significant volume of data to be treated. Focus on the data life cycle.
Better manage internal and external permissions and identities
Managing the life cycle of data requires, among other things, the management of permissions and identities. Microsoft manages and provides the architecture and infrastructure for the tenant. But each customer is responsible for 3 security elements:
- Establish the configuration of the platform (security base, work environment) to be able to collaborate internally and externally, especially with sensitive data
- Know and manage user and data identity
- Monitor and supervise the level of security and risk to ensure that we are in a nominal situation
Each company has the option of implementing a security policy appropriate to its needs. However, it is necessary to be able to track the actual activity of the data, including the different identities that have access to the data.
1. Manage identities in Microsoft 365
Users are now responsible for their data. Each user has the power to change permissions, modify the data or extract it.
There are 5 identity profiles to monitor over time that are fundamental to data protection: users, anonymous users, federated users, and Azure AD B2B users.
Read the article: Identity management: 5 profiles to understand in Microsoft 365
2. Managing application identities
Application identities (administration, third-party applications) can be dangerous when a user delegates consent to an application. The latter can do what it wishes with the permissions it has been given. This requires the ability to:
- Prootecting your data on M365
An application will be able to read the data in my OneDrive, read the files I have accessed, or have a read modification. The main threats of this delegation without access governance can be data mining, dumping of Azure AD for a future attack or even ransomware.
Users sometimes do not have great visibility into the permissions granted to the application and do not see what it has access to.
- Track and revoke permissions on M365
Usually the delegated consent is for life but users don’t know that. It is necessary to be able to follow and control these permissions over time.
- Extend this reflection to the Power Platform
Power Platform allows you to make connections between their data and a workflow application. The owner can therefore have access to all their data. To do this, it is important to implement a “tenant restriction” and to ensure that corrections are reviewed by users.
Protecting and managing sensitive data in the M365 environment
Sensitive data indicates data that requires enhanced protection. The security policy must be adapted to the level of confidentiality of the information and must be known by everyone. However, security should not be seen as a hindrance but rather as a support for new digital and collaboration uses.
Classification is a tool that enables access control for 57% of the companies interviewed in a CESIN survey.
Microsoft has renamed its MIP (Microsoft Information Protection) tool to Microsoft Purview Information Protection to create its classification system, label data either automatically or by giving the users control and apply protection mechanisms.
This data protection framework based on data classification will create:
- Privacy labels (labeling of unstructured data (emails, documents), container labels (Microsoft 365 group, SharePoint sites) and structured data labels with Azure AD
- Data protection with data encryption and Office 365 Data Loss Prevention
- Container protection (access and sharing restrictions)
- Advanced protection with Microsoft 365 E5 (data alerting policy with Defender for Cloud Apps and contextual conditional access policy with Group or site label)
But there are still some limitations to this Microsoft Purview tool, including access review on sensitive data that is complicated and not possible with a certain level on Purview as well as DLP and governance alert handling.
Revalidating access over time with automatic owner identification
Each company must be able to track the various access over time. Microsoft offers Azure AD Access Review for this purpose, which is offered in the Azure AD P2 license.
Azure AD administrators can manually track and recertify internal groups and run user campaigns. There are 2 main access review scenarios:
- Scenario 1: Launch of a review campaign on all Microsoft 365 group guests. The review is only possible on group members and not on the tracking of share links or SharePoint permissions.
Admins do not have a centralized overview.
- Scenario 2: Launch of a group member review campaign that will include internal and external parties, although we still won’t have a review of share links and permissions.
IDECSI offers 5 key features to better manage the data lifecycle in Microsoft 365 and to address some of the limitations encountered in reviewing access and sharing on the Microsoft 365 environment:
- Review identities for better data control over time
- Engage users and data owners with a seamless, user-friendly experience via a personal security dashboard
- Simplify access to information with a centralized overview
- Review of permissions and sharing periodically and industrially by the owners
- Ability to follow the evolution over time and trouble-shoot
Better management of data and users to control data over time
For effective data protection and governance, it is important for each company to be able to track who does what? Who shares what? Who accesses what? Especially in a context where the user has become an actor in the management of his data, his access and his internal and external sharing.
To do this, you need to be able to give the user visibility so that they can manage the lifecycle of their data in the Microsoft 365 environment, and so that IT departments can react quickly to any behavioral anomalies.
