You may not be a CISO, but if you are reading this post, you likely work for one. If you want to protect your CISO, and yourself, protect your data. Data is the most important asset any company has. Employees come and go, goods and services are sold, but none of this happens without data.
Organizations spend enormous amounts of money to protect their network, endpoints, and identities... but what about the data? These common protections do little for data that is sent via email, shared via online tools like OneDrive and SharePoint, or copied to a flash drive.
Maybe your data contains trade secrets that need to remain confidential and secure to protect the business. Perhaps you need to prevent the exfiltration of personally identifiable information in order to maintain compliance with governmental regulations or to avoid fines and lawsuits. Maybe you are beginning a Zero Trust initiative within your organization and data protection is a key element. Regardless of the reason, the result of protecting sensitive information is the same.
This journey can be broken down into 3 main areas:
Do you know where your data is? Or even better, where it is going? Working with many different organizations over the years, I can estimate only 5% of organizations have a handle on data activity. Knowing your data doesn’t mean you intimately understand every document in your organization, but rather that you have an understanding of what is important and what is not. It is only after this examination that you can effectively protect sensitive information.
This can be accomplished in a variety of ways, depending on where the content is located.
Data classification is essentially a label taxonomy that categorizes information based on sensitivity and use cases. A simple example of this is:
Once you identify the label taxonomy, only then can you determine what is needed to provide the appropriate protection.
Data protection can take many forms. Some organizations take the “big stick” approach of shutting down all external sharing of SharePoint and OneDrive. While this may seem like a logical approach, it cripples external collaboration capabilities, forces users to share via email, and does nothing to protect data once a file is exfiltrated by users working around these controls. The better option here is to promote data sharing from SharePoint and OneDrive with explicit controls regarding data exfiltration.
Email will always be used as a means of sharing and must also be protected. A few examples of this would be:
Example A:
Example B:
Example C:
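As an added example (not code from the original post, and not KiZAN's or Microsoft's own guidance), here is how the two approaches described above look in PowerShell: the tenant-wide "big stick" setting shown commented out, beside keeping SharePoint and OneDrive sharing enabled and adding a DLP policy that applies the same exfiltration control to email, SharePoint and OneDrive. The tenant admin URL, the policy and rule names, the sharing level chosen, and the use of the built-in U.S. SSN sensitive information type are assumptions for illustration; the cmdlets come from the SharePoint Online Management Shell and Security & Compliance PowerShell (ExchangeOnlineManagement) modules.

```powershell
# Added example, not from the original post. Tenant URL, policy/rule names and the
# sensitive information type below are assumptions chosen for illustration.

# --- The "big stick": disable all external sharing tenant-wide (SharePoint Online module) ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant admin URL
# Set-SPOTenant -SharingCapability Disabled   # cripples collaboration; users route around it via email

# --- The alternative: keep sharing on, limited to authenticated external users (assumed level) ---
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# --- Add an explicit exfiltration control with a DLP policy (Security & Compliance PowerShell) ---
Connect-IPPSSession

# One policy covering the three channels named in the post: email, SharePoint and OneDrive.
# Start in test mode so matches can be reviewed before enforcement (the "know your data" step).
New-DlpCompliancePolicy -Name "Block external sharing of PII" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: when content shared outside the organization contains a U.S. SSN (built-in
# sensitive information type), block only the external recipients, tell the owner why,
# and send an incident report to the site admin.
New-DlpComplianceRule -Name "PII leaving the org" -Policy "Block external sharing of PII" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent "Title","Detections"

# After reviewing the test-mode reports, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity "Block external sharing of PII" -Mode Enable
```

The ordering matters in practice: the policy runs in test mode first so that the incident reports show what sensitive data is actually moving and where, and enforcement is enabled only once that picture is understood. Blocking per external user rather than for everyone keeps internal collaboration working, which is the point of the "explicit controls" approach over the blanket shutdown.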
In a previous post, Microsoft Purview Information Protection Demystified, I explained the different components of Purview Information Protection to help bring clarity to a seemingly confusing acronym, MPIP (formerly MIP). If you haven’t read it, no worries. Here is a summary of the highlighted tools relevant to information protection:
It can be confusing to get started with these solutions if you have never worked with them, and we would love to help any organization on the information protection journey. Working with many customers, we understand every organization has unique requirements. Molding information protection to your environment will sometimes require business process changes, but only after you assess what you have (know your data) can you take action to protect it.
Discover, classify, and protect sensitive information while controlling access to your critical data wherever it may go.
KiZAN is a Microsoft National Solutions Provider with numerous gold and silver Microsoft competencies, including gold data analytics. Our primary offices are located in Louisville, KY, and Cincinnati, OH, with additional sales offices located in Tennessee, Indiana, Michigan, Pennsylvania, Florida, North Carolina, South Carolina, Georgia and Texas.