The new ways of using collaboration tools, especially in Microsoft 365, have changed the role of the user, who has become the administrator of their own data: sharing files via OneDrive, sharing internally and externally in Teams via links, creating Teams spaces, adding members, and more.
But this new way of sharing increases the risk of human error. Businesses need to pay ever closer attention to how data is handled in Microsoft 365: How should it be processed? How can it be identified? What policy should be put in place? How can the evolution of Microsoft features be kept up with?
Several elements must therefore be taken into account to achieve good control and governance of data, particularly given the large volume of data to be handled. This article focuses on the data life cycle.
Managing the life cycle of data requires, among other things, the management of permissions and identities. Microsoft manages and provides the architecture and infrastructure for the tenant. But each customer is responsible for 3 security elements:
Each company can implement a security policy appropriate to its needs. However, it must also be able to track the actual activity on its data, including the different identities that have access to it.
Users are now responsible for their data: each user has the power to change permissions, modify the data or extract it.
There are 5 identity profiles that are fundamental to data protection and must be monitored over time: users, anonymous users, federated users, and Azure AD B2B users.
Read the article: Identity management: 5 profiles to understand in Microsoft 365
Application identities (administration tools, third-party applications) can be dangerous when a user delegates consent to an application: the application can then do whatever it wishes with the permissions it has been granted. This requires the ability to:
An application may be able to read the data in my OneDrive, read the files I have accessed, or obtain read and modify access. Without access governance, the main threats of this delegation are data mining, dumping of Azure AD in preparation for a future attack, or even ransomware.
Users often have little visibility into the permissions granted to an application and do not see what it has access to.
Delegated consent usually does not expire, but users are rarely aware of this. It is necessary to be able to follow and control these permissions over time.
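To show what following these permissions over time can look like in practice, here is an added example that is not part of the article or of IDECSI's product: a Microsoft Graph PowerShell script that inventories every delegated consent grant in the tenant, resolves the application, the resource and the consenting user, and flags the grants whose scopes touch files, mail or the directory. The list of "sensitive" scopes and the `Directory.Read.All` read permission used to sign in are assumptions to adapt to your own policy.

```powershell
# Added example (not from the article or IDECSI): inventory delegated consent grants
# in an Azure AD tenant and flag the ones that reach user data or the directory.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in
# account may read directory objects (Directory.Read.All is assumed here).
Connect-MgGraph -Scopes "Directory.Read.All"

# Scopes treated as high-impact for this review (constructed list; adjust to your policy)
$sensitiveScopes = @("Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
                     "Mail.ReadWrite", "Directory.Read.All", "Directory.ReadWrite.All")

# Cache service principal names so each application/resource is looked up once
$spCache = @{}
function Get-SpName([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $id -ErrorAction SilentlyContinue
        $spCache[$id] = if ($sp) { $sp.DisplayName } else { "<unknown $id>" }
    }
    return $spCache[$id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    # Scope is a space-separated string such as "User.Read Files.ReadWrite"
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }

    # ConsentType "AllPrincipals" = an admin consented for every user;
    # "Principal" = one user consented for themselves (the case the article describes).
    $who = if ($grant.ConsentType -eq 'AllPrincipals') { '<all users>' }
           else {
               $u = Get-MgUser -UserId $grant.PrincipalId -ErrorAction SilentlyContinue
               if ($u) { $u.UserPrincipalName } else { '<deleted or unknown user>' }
           }

    [pscustomobject]@{
        Application = Get-SpName $grant.ClientId
        Resource    = Get-SpName $grant.ResourceId
        ConsentType = $grant.ConsentType
        GrantedBy   = $who
        Scopes      = ($scopes -join ' ')
        Sensitive   = (($scopes | Where-Object { $sensitiveScopes -contains $_ }) -join ' ')
    }
}

# Sensitive grants first, then export the inventory for the periodic review
$report | Sort-Object { $_.Sensitive -eq '' } | Format-Table -AutoSize
$report | Export-Csv -Path .\delegated-consent-review.csv -NoTypeInformation
```

Re-running the script on a schedule and diffing the CSV against the previous run shows which grants appeared since the last review, which is the "over time" tracking the text calls for.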
Power Platform allows users to create connections between their data and a workflow application, and the owner of such a connection can therefore access all of that data. For this reason it is important to implement a "tenant restriction" and to ensure that connections are reviewed by users.
Sensitive data is data that requires enhanced protection. The security policy must be adapted to the level of confidentiality of the information and must be known to everyone. However, security should not be seen as a hindrance but rather as a support for new digital and collaborative ways of working.
Classification is a tool that enables access control for 57% of the companies interviewed in a CESIN survey.
Microsoft has renamed its MIP (Microsoft Information Protection) tool Microsoft Purview Information Protection. It is used to build the classification system, to label data either automatically or under user control, and to apply protection mechanisms.
This data protection framework based on data classification will create:
Microsoft Purview still has some limitations, however: access review on sensitive data is complicated and not possible at certain Purview levels, and DLP and governance alert handling is also limited.
Each company must be able to track the various accesses over time. Microsoft offers Azure AD Access Review for this purpose, which is included in the Azure AD P2 license.
Azure AD administrators can manually track and recertify internal groups and run user campaigns. There are 2 main access review scenarios:
IDECSI offers 5 key features to better manage the data lifecycle in Microsoft 365 and to address some of the limitations encountered in reviewing access and sharing on the Microsoft 365 environment:
For effective data protection and governance, it is important for each company to be able to track who does what, who shares what and who accesses what, especially in a context where the user has become an actor in the management of their data, their access and their internal and external sharing.
To do this, users need to be given visibility so that they can manage the lifecycle of their data in the Microsoft 365 environment, and IT departments need to be able to react quickly to any behavioral anomalies.