You may not be a CISO, but if you are reading this post, you likely work for one. If you want to protect your CISO, and yourself, protect your data. Data is the most important asset any company has. Employees come and go, goods and services are sold, but none of this happens without data.
Organizations spend enormous amounts of money to protect their network, endpoints, and identities... but what about the data? Those controls do little for data once it is sent via email, shared through online tools like OneDrive and SharePoint, or copied to a flash drive.
Maybe your data contains trade secrets that must remain confidential to protect the business. Perhaps you need to prevent the exfiltration of personally identifiable information to stay compliant with government regulations or to avoid fines and lawsuits. Maybe you are beginning a Zero Trust initiative within your organization and data protection is a key element of it. Whatever the reason, the work of protecting sensitive information is the same.
This journey can be broken down into three main areas:
Know your data
Classify your data
Protect your sensitive data
Know Your Data
Do you know where your data is? Or, even better, where it is going? Working with many different organizations over the years, I can estimate that only 5% of organizations have a handle on data activity. Knowing your data doesn’t mean you intimately understand every document in your organization, but rather that you understand what is important and what is not. Only after this examination can you protect sensitive information effectively.
This can be accomplished in a variety of ways, depending on where the content is located.
Cloud data can be mapped in the Purview compliance portal using Content Explorer if you are an E5/A5/G5 customer
Cloud data can be mapped via the Cognni Intelligence platform to determine which data is sensitive and how much risk its sharing entails
On-premises data can be mapped with the Azure Information Protection (AIP) scanner, which covers on-premises SharePoint Server and file shares
Classify Your Data
Data classification is essentially a label taxonomy that categorizes information by sensitivity and use case. A simple example:
Non-Business - Non-business data which does not belong to the organization
Public – Non-sensitive business data governed by marketing and public relations with intention of public consumption
General – Non-sensitive business data that does not require protection
Confidential – Sensitive business data available to all internal employees and to select external recipients and/or organizations
Top Secret – Sensitive business data only accessible by restricted groups of employees
Only once the label taxonomy is defined can you decide what protection each tier actually needs.
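As an added example (not the post's own code, nor a KiZAN or Microsoft script), here is how the five-tier taxonomy above becomes sensitivity labels in Security & Compliance PowerShell, with encryption applied only to the two sensitive tiers. The tenant, the group addresses granted rights, the tooltips and the policy name are assumptions for illustration; the cmdlets and rights strings are the standard ones from the ExchangeOnlineManagement module.

```powershell
# Added example: create the five labels from the taxonomy above and publish them.
# Requires the ExchangeOnlineManagement module and a compliance administrator account.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # assumed tenant

# The three non-sensitive tiers only classify; they carry no encryption.
$markingOnly = @(
    @{ Name = 'Non-Business'; Tip = 'Personal data that does not belong to the organization' },
    @{ Name = 'Public';       Tip = 'Approved by marketing/PR for public consumption' },
    @{ Name = 'General';      Tip = 'Business data that does not require protection' }
)
foreach ($tier in $markingOnly) {
    New-Label -Name $tier.Name -DisplayName $tier.Name -Tooltip $tier.Tip
}

# Confidential: every internal employee can open and edit; the rights are granted to an
# assumed "AllEmployees" group. Select external parties would be added to this list.
New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Sensitive business data for all employees and approved external recipients' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'AllEmployees@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL' `
    -EncryptionOfflineAccessDays 7

# Top Secret: only a restricted group (assumed "ExecTeam") can open it. PRINT, EXTRACT and
# FORWARD are deliberately left out, and offline access is 0 days, so a client must
# re-check rights with the service each time; a user removed from the group loses access.
New-Label -Name 'Top Secret' -DisplayName 'Top Secret' `
    -Tooltip 'Sensitive business data restricted to named groups only' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'ExecTeam@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL' `
    -EncryptionOfflineAccessDays 0

# Publish the labels so they appear in Office and Outlook for every user.
New-LabelPolicy -Name 'Standard labeling policy' `
    -Labels 'Non-Business','Public','General','Confidential','Top Secret' `
    -ExchangeLocation All

# Check that priority rises with sensitivity; label order is the order of creation.
Get-Label | Sort-Object Priority | Format-Table Priority, DisplayName
```

Create the labels in least-to-most-sensitive order, as above, because a label's priority governs which label wins when content is relabeled and how downgrade justifications are triggered; if the order comes out wrong, fix it with Set-Label -Priority rather than recreating the labels.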
Protect Your Data
Data protection can take many forms. Some organizations take the “big stick” approach of shutting down all external sharing from SharePoint and OneDrive. While this may seem logical, it cripples external collaboration, pushes users back to email, and does nothing to protect data once a file has been exfiltrated by a user working around the control. The better option is to allow sharing from SharePoint and OneDrive, with explicit controls against data exfiltration.
Email will always be used as a means of sharing and must also be protected. A few examples:
Use Case - User emails patient list to their personal email
Protective Action - Block email from being sent with DLP
Use Case - A protected document is sent to an unknown recipient
Protective Action - User is not on the sensitivity label access list and cannot open the file
Use Case – Documents are downloaded to an untrusted device
Protective Action – Microsoft Defender for Cloud Apps labels and protects documents on download so only internal employees can open the document, regardless of where it goes
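The first use case above, a user emailing a patient list to a personal address, is the one Purview DLP handles directly. The following is an added example (not the post's, KiZAN's or Microsoft's own code) of the policy and rule that block such a message and tell the sender why. The tenant, policy name, incident report recipient and policy-tip text are assumptions; the two built-in sensitive information types used stand in for whatever identifies patient data in a given organization, which in practice is often a custom SIT or trainable classifier.

```powershell
# Added example: block email that carries patient data to any recipient outside the tenant.
# Requires the ExchangeOnlineManagement module and a compliance administrator account.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # assumed tenant

$policyName = 'Block patient data leaving the organization'   # assumed name

# 1. The policy sets scope and mode. Scope is Exchange Online only here; add
#    -SharePointLocation All -OneDriveLocation All to cover the sharing paths
#    discussed above. Start in TestWithNotifications so users see policy tips and
#    the alerts show up, but nothing is blocked until the rule has been tuned.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Stops PHI from being emailed to personal or unknown addresses' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. The rule is the detection plus the action. It fires when the message contains
#    either sensitive information type (assumed stand-ins for patient data) and the
#    recipient is outside the organization; it blocks delivery, shows the sender a
#    policy tip, and sends an incident report to an assumed SecOps mailbox.
New-DlpComplianceRule -Name "$policyName - external recipients" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain patient data and cannot be sent outside the organization.' `
    -GenerateIncidentReport 'secops@contoso.com' `
    -ReportSeverityLevel High

# 3. Confirm the rule attached to the policy and is not disabled.
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Disabled, BlockAccess

# 4. After a test period with acceptable false positives, switch to enforcement:
#    Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in test mode first matters: the DLP alerts and incident reports it generates are how you discover that, for example, an internal billing workflow legitimately emails ICD-10 codes to an external clearinghouse, which is then handled by an exception or a sensitivity label rather than by weakening the rule.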
Data Protection Solutions
In a previous post, Microsoft Purview Information Protection Demystified, I explained the different components of Purview Information Protection to help bring clarity to a seemingly confusing acronym, MPIP (formerly MIP). If you haven’t read it, no worries. Here is a summary of the highlighted tools relevant to information protection:
Purview Data Loss Prevention – In-line protection that can prevent, notify, or alert on sharing practices that conflict with organization policy
Microsoft Defender for Cloud Apps (formerly MCAS) – Microsoft’s CASB solution, which can provide DLP and data classification functionality to enhance MPIP
Azure Information Protection – Classification and protection of data with sensitivity labels
It can be confusing to get started with these solutions if you have never worked with them, and we would love to help any organization on the information protection journey. Working with many customers, we understand that every organization has unique requirements. Molding information protection to your environment will sometimes require business process changes, but only after you assess what you have (know your data) can you take action to protect it.
Information Protection Accelerator
Discover, classify, and protect sensitive information while controlling access to your critical data wherever it may go.
KiZAN is a Microsoft National Solutions Provider with numerous gold and silver Microsoft competencies, including gold data analytics. Our primary offices are located in Louisville, KY, and Cincinnati, OH, with additional sales offices located in Tennessee, Indiana, Michigan, Pennsylvania, Florida, North Carolina, South Carolina, Georgia and Texas.
Cliff Embry is KiZAN’s Microsoft Security Principal Consultant and specializes in Microsoft 365. He has a solid understanding of Microsoft's underlying on-premises infrastructure technologies backed with over a decade of experience in hundreds of environments.