Information Protection: The missing link

Data breaches are a CISO's worst nightmare

You may not be a CISO, but if you are reading this post, you likely work for one. If you want to protect your CISO, and yourself, protect your data. Data is the most important asset any company has. Employees come and go, goods and services are sold, but none of this happens without data.

Organizations spend enormous amounts of money to protect their network, endpoints, and identities... but what about the data? These common protections do little for data that is sent via email, shared via online tools like OneDrive and SharePoint, or data shared via a flash drive.

Maybe your data contains trade secrets that need to remain confidential and secure to protect the business. Perhaps you need to prevent the exfiltration of personally identifiable information in order to maintain compliance with governmental regulations or to avoid fines and lawsuits. Maybe you are beginning a Zero Trust initiative within your organization and data protection is a key element. Regardless of the reason, the result of protecting sensitive information is the same.

This journey can be broken down into 3 main areas:

1. Know your data
2. Classify your data
3. Protect your sensitive data

Know Your Data

Do you know where your data is? Or even better, where it is going? Working with many different organizations over the years, I can estimate only 5% of organizations have a handle on data activity. Knowing your data doesn’t mean you intimately understand every document in your organization, but rather that you have an understanding of what is important and what is not. It is only after this examination that you can effectively protect sensitive information.

This can be accomplished in a variety of ways, depending on where the content is located.

• Cloud Data can be mapped in the Purview compliance portal leveraging the “Content Explorer” if you are an E5/A5/G5 customer
• Cloud Data can be mapped via the Cognni Intelligence platform to determine what data is sensitive and what level of risk data sharing entails
• On-premises data can be mapped by leveraging the AIP scanner for SharePoint and file shares

Classify Your Data

Data classification is essentially a label taxonomy that categorizes information based on sensitivity and uses cases. A simple example of this is:

• Non-Business - Non-business data which does not belong to the organization
• Public – Non-sensitive business data governed by marketing and public relations with intention of public consumption
• General – Non-sensitive business data that does not require protection
• Confidential – Sensitive business data available to all internal employees and to select external recipients and/or organizations
• Top Secret – Sensitive business data only accessible by restricted groups of employees

Once you identify the label taxonomy, only then can you determine what is needed to provide the appropriate protection.

Protect Your Data

Data protection can take many forms. Some organizations take the “big stick” approach of shutting down all external sharing of SharePoint and OneDrive. While this may seem like a logical approach, it cripples external collaboration capabilities, forces users to share via email, and does nothing to protect data once a file is exfiltrated by users working around these controls. The better option here is to promote data sharing from SharePoint and OneDrive with explicit controls regarding data exfiltration.

Email will always be used as a means of sharing and must also be protected. A few examples of this would be:

Example A:

• Use Case - User emails patient list to their personal email
• Protective Action - Block email from being sent with DLP

Example B:

• Use Case - A protected document is sent to an unknown recipient
• Protective Action - User is not on the sensitivity label access list and cannot open the file

Example C:

• Use Case – Documents are downloaded to an untrusted device
• Protective Action – Microsoft Defender for Cloud Apps labels and protects documents on download so only internal employees can open the document, regardless of where it goes

Data Protection Solutions

In a previous post, Microsoft Purview Information Protection Demystified, I explained the different components of Purview Information Protection to help bring clarity to a seemingly confusing acronym, MPIP (formerly MIP). If you haven’t read it, no worries. Here is a summary of the highlighted tools relevant to information protection:

• Purview Data Loss Prevention – In-line protection that can prevent, notify, and or alert on sharing practices that conflict with the organization policy
• Microsoft Defender for Cloud Apps (formerly MCAS) – Microsoft’s CASB solution and can provide DLP and data classification functionality to enhance MPIP
• Azure Information Protection – Classification and protection of data with sensitivity labels

It can be confusing to get started with these solutions if you have never worked with them, and we would love to help any organization on the information protection journey. Working with many customers, we understand every organization has unique requirements. Molding information protection to your environment will sometimes require business process changes, but only after you assess what you have (know your data) can you take action to protect it.