One of my favorite security analogies is that enterprise information security is like an onion. Each layer of the onion is a different control that protects the data at the center. Common layers are endpoint protection, mobile device management, MFA, firewalls, encryption, security policies, and staff training. All of these (and more) are critical controls that you should have in your environment. There is one set of controls that rarely gets mentioned in this context, though, and that is compliance. (Shocking, since it is everyone’s favorite topic, right?)
In all seriousness, a robust set of compliance controls adds a significant amount of protection to your organization and should be included in any information security discussion. Properly implemented retention policies, sensitivity labels, and data loss prevention (DLP) tools augment the more technical controls listed above. For example, if a bad actor does get in, they cannot exfiltrate data that your retention policy already deleted. If your sensitivity labels encrypt critical files, an attacker who lands on a mailbox or file share gets ciphertext unless the compromised identity was explicitly granted usage rights to that content. DLP policies can detect and block exfiltration that matches a rule, whether by email, sharing link, or, on managed endpoints, copying to removable media. In concert with your other controls, an attack can be mitigated quite effectively. Let’s explore this further by reviewing how the Microsoft Purview compliance toolset can be used to achieve this with data in your Office 365 tenant. Your existing Office 365 or Microsoft 365 subscription likely already includes some of these tools. Note that many of the automated capabilities described below (auto-labeling, trainable classifiers, endpoint DLP, Insider Risk Management) require Microsoft 365 E5 or a compliance add-on license, so confirm licensing before planning a rollout.
Document retention and secure deletion (Data Lifecycle Management)
- This function lets you define retention policies (applied to whole locations, such as all mailboxes or all SharePoint sites) and retention labels (applied to individual documents and emails). Labels can be applied manually by users or automatically based on document content (keywords, sensitive information types), file location, group membership, etc.
- You can drastically reduce the amount of data at risk in your environment by deleting what is no longer needed. An attacker cannot steal or encrypt (or steal AND encrypt) what isn’t there.
- Organizations usually have stale data in their environments that is no longer needed, but that no one has the time or inclination to delete. A well-enforced, automated set of policies that removes this data also reduces what is discoverable in a legal action. One caveat: an eDiscovery or litigation hold on a mailbox or site overrides retention deletion for as long as the hold is in place, so holds need to be managed deliberately.
- The PST import service lets you ingest the stray PST files that people keep locally or on file shares, so that ALL mail resides in Exchange Online and is archived or deleted under the same retention policies. A PST sitting on a laptop is outside every policy you set here.
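The steps above, expressed as a Security & Compliance PowerShell session. This is an added example, not code from the original post or from Microsoft; it uses the ExchangeOnlineManagement module's cmdlets, and the policy, rule and label names, the day counts, the sensitive information type and the KQL query are illustrative assumptions. It shows the two shapes described above: a location-wide policy that only deletes, and a retention label auto-applied by content.

```powershell
# Added example (not from the original post). Security & Compliance PowerShell from the
# ExchangeOnlineManagement module; the caller needs a compliance admin role.
# Policy, rule and label names, day counts and the KQL query are illustrative assumptions.
Connect-IPPSSession          # interactive sign-in to the compliance endpoint

# 1. Tenant-wide minimization policy: delete mail and files that have not been modified
#    for 3 years (1095 days). Delete-only: nothing is retained against user deletion,
#    items past the threshold are simply removed.
New-RetentionCompliancePolicy -Name "Stale-Data-Cleanup" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -ModernGroupLocation All -Enabled $true

New-RetentionComplianceRule -Name "Delete-after-3y" -Policy "Stale-Data-Cleanup" `
    -RetentionComplianceAction Delete -RetentionDuration 1095 `
    -ExpirationDateOption ModificationAgeInDays

# 2. Retention label for records that must be kept and then destroyed on schedule:
#    keep 7 years (2555 days) after last modification, then delete.
New-ComplianceTag -Name "Financial-Record-7y" -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 -RetentionType ModificationAgeInDays `
    -Comment "Financial records: retain 7 years, then delete"

# 3. Auto-apply that label by content: a KQL query against a built-in sensitive
#    information type tags every item that contains a credit card number.
New-RetentionCompliancePolicy -Name "AutoApply-Financial" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true

New-RetentionComplianceRule -Name "AutoApply-Financial-Rule" -Policy "AutoApply-Financial" `
    -ApplyComplianceTag "Financial-Record-7y" `
    -ContentMatchQuery 'SensitiveType:"Credit Card Number"'

# 4. Check: the rule is attached as intended and the policies have actually been
#    distributed to each workload (DistributionStatus should read Success, not Pending or Error).
Get-RetentionComplianceRule -Policy "Stale-Data-Cleanup" |
    Select-Object Name, RetentionComplianceAction, RetentionDuration, ExpirationDateOption
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Create the policy before its rule (the rule references the policy by name), and do not treat a policy as live until the distribution check reports success for every location. For Exchange, item age is measured from when the message was received or created; the modification-age option matters mainly for SharePoint and OneDrive files.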
Sensitivity Labeling (Information Protection)
- Similar to retention labeling, this function lets you create sensitivity labels and mark documents and emails with them. Label policies govern what can be done with labeled data. Again, labels can be applied manually or automatically based on the content of the document, file location, group membership, etc.
- Labels can enforce access control and encryption (the protection travels with the file, so it still applies after the file is copied off the tenant), restrict sharing and forwarding, add watermarks and headers/footers, and limit how long offline access is permitted.
- These controls significantly reduce the impact of a compromised account, since labeled content is only usable by the identities the label grants rights to and is encrypted for everyone else. Further, the labels help prevent people from inadvertently sharing or forwarding sensitive data in error.
- Teams and Microsoft 365 groups can also be labeled. A label applied to a container sets privacy (public or private), external guest access, and access from unmanaged devices for that team or site; it does not by itself encrypt the files inside, which still need their own labels.
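The label configuration described in this section, as an added example that is not part of the original post and not Microsoft's own sample code. It assumes a Security & Compliance PowerShell session is already connected; the label name, the finance group address, the day counts and the marking text are illustrative assumptions. It covers the encryption rights, the container settings for Teams/groups, publishing, and an auto-labeling policy started in simulation.

```powershell
# Added example (not from the original post). Assumes Connect-IPPSSession has already run.
# The label name, group address, day counts and marking text are illustrative assumptions.

# 1. Label with encryption: only members of the finance group can open labeled content,
#    and they may view, edit and reply but not forward, print or copy out of it (no
#    FORWARD, PRINT or EXTRACT right). Offline access lapses after 3 days; the content
#    becomes unopenable 180 days after labeling.
New-Label -Name "Finance-Confidential" -DisplayName "Finance Confidential" `
    -Tooltip "Finance only. Encrypted; cannot be forwarded, printed or copied." `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "finance@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL" `
    -EncryptionOfflineAccessDays 3 `
    -EncryptionContentExpiredOnDateInDaysOrNever 180 `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Finance Confidential" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "Finance Confidential"

# 2. Container settings for the same label: a Team or group that carries it becomes
#    private with guest access off. Files inside still need their own label to be encrypted.
Set-Label -Identity "Finance-Confidential" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false

# 3. Publish the label so users can apply it in Office, Outlook and Teams.
New-LabelPolicy -Name "Finance-Confidential-Policy" -Labels "Finance-Confidential" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All

# 4. Auto-label anything that contains a credit card number, starting in simulation:
#    matches are recorded for review and nothing is relabeled until the mode is Enable.
New-AutoSensitivityLabelPolicy -Name "AutoLabel-Finance" `
    -ApplySensitivityLabel "Finance-Confidential" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name "AutoLabel-Finance-CardNumbers" -Policy "AutoLabel-Finance" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"}

# After reviewing the simulation results, switch the policy on:
# Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-Finance" -Mode Enable
```

Two practical notes. The rights string is the whole access control decision for encrypted content: anyone not listed gets nothing usable even with the file in hand, so keep the grant to a group you already govern rather than individual addresses. Container labeling (step 2) only takes effect once sensitivity labels have been enabled for Microsoft 365 Groups in Microsoft Entra ID, a one-time directory setting.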
Data Loss Prevention
- This function can use the content of documents or email and/or any retention or sensitivity labels applied to them to alert on, and prevent, the misuse or exfiltration of information. It serves as the “security guard” while people work with data in the organization.
- DLP includes a large library of pre-defined sensitive information types, such as social security numbers, addresses, credit card numbers, and many other types of personally identifiable information, each with a configurable confidence level and match count that can trigger an alert or a restriction. If devices are onboarded to Defender for Endpoint, Endpoint DLP extends the same rules to locally stored files: copying to removable media, printing, uploading to cloud storage, and pasting into unapproved applications can be audited or blocked.
- You can use sample data to create trainable classifiers to customize detection for specific kinds of data. For example, if you have purchase agreements that are highly confidential, you can submit sample documents to a machine learning engine, review its predictions on test content to confirm or reject matches, and then publish a classifier that identifies those documents going forward so they can be restricted appropriately.
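The DLP behaviour described in this section as a Security & Compliance PowerShell session. This is an added example, not code from the original post or from Microsoft. It assumes the session is already connected and that a sensitivity label named "Finance-Confidential" already exists in the tenant; the policy and rule names, confidence threshold, security mailbox and endpoint restrictions are illustrative assumptions, and the nested-group hashtable used for the label condition is the documented syntax for New-DlpComplianceRule, which you should confirm against Get-DlpComplianceRule on your own tenant. The ordering is the point: create in test mode, add content, label and endpoint rules, review, then enforce.

```powershell
# Added example (not from the original post). Assumes Connect-IPPSSession has already run
# and that a sensitivity label named "Finance-Confidential" exists. Names, thresholds and
# the security mailbox are illustrative assumptions.

# 1. Create the policy in test mode: matches are logged and users see policy tips,
#    but nothing is blocked until the rules have been tuned for false positives.
New-DlpCompliancePolicy -Name "PII-Exfil-Guard" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All -EndpointDlpLocation All `
    -Mode TestWithNotifications

# 2. Content-based rule: an item with at least one SSN or card number matched at 85%
#    confidence or higher is blocked from being shared outside the organization. The
#    owner is told why, and an incident report goes to the security mailbox.
New-DlpComplianceRule -Name "Block-PII-External" -Policy "PII-Exfil-Guard" `
    -ContentContainsSensitiveInformation @(
        @{Name="U.S. Social Security Number (SSN)"; minCount="1"; minConfidence="85"},
        @{Name="Credit Card Number"; minCount="1"; minConfidence="85"}
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport "secops@contoso.example" -IncidentReportContent All `
    -ReportSeverityLevel High

# 3. Label-based rule: anything carrying the Finance-Confidential sensitivity label is
#    blocked from external sharing regardless of what the content scanner finds.
#    (Nested-group syntax as documented for the label condition; assumption, verify it.)
New-DlpComplianceRule -Name "Block-Finance-Label-External" -Policy "PII-Exfil-Guard" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{ operator = "Or"; name = "Labeled"
                        labels = @(@{ name = "Finance-Confidential"; type = "Sensitivity" }) })
    } `
    -AccessScope NotInOrganization -BlockAccess $true

# 4. Endpoint rule (devices onboarded to Defender for Endpoint): block copying matching
#    files to USB media and pasting their content elsewhere; only audit cloud uploads for now.
New-DlpComplianceRule -Name "Block-PII-Endpoint" -Policy "PII-Exfil-Guard" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; minCount="1"} `
    -EndpointDlpRestrictions @(
        @{Setting="RemovableMedia"; Value="Block"},
        @{Setting="CopyPaste";      Value="Block"},
        @{Setting="CloudEgress";    Value="Audit"}
    )

# 5. Review, then enforce. Until this step the policy only reports.
Get-DlpComplianceRule -Policy "PII-Exfil-Guard" | Select-Object Name, BlockAccess, AccessScope
Set-DlpCompliancePolicy -Identity "PII-Exfil-Guard" -Mode Enable
```

The confidence threshold is the main tuning knob: a card number that also passes a checksum and sits next to an expiry date is a high-confidence match, a bare 16-digit string is not, and leaving the threshold at the default on a tenant full of order numbers is how DLP gets switched off by an annoyed business owner. Leave the policy in test mode until the report volume looks like real data, not noise.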
Other valuable features in addition to the core functionality above:
- Content-aware searching - Searching data in the tenant for labels or sensitive content is easy and provides a way to identify wayward files that are somewhere they don’t belong. Examples would be an HR data export saved to someone’s OneDrive (or a desktop folder synced to it), a report that someone meant to delete, or emails that should have been blocked from forwarding.
- Compliance Manager – This feature provides assessment templates that measure and record your tenant’s compliance score against standards such as PCI DSS, HIPAA, NIST, and many others (some premium templates are licensed separately). Each assessment includes a list of controls with guidance on how to meet the given standard, along with the ability to document and report on both technical and procedural controls.
- Insider Risk Management – This lets you set up behavior-based monitoring to detect misuse of information by employees. Sequences of events, such as files downloaded from specific SharePoint libraries and then uploaded to a cloud file-sharing service, excessive DLP violations, sensitivity labels being downgraded or removed, and suspicious activity on endpoints, can be configured to raise alerts. The platform can also ingest physical badge access and HR data (for example, a pending resignation date) as signals in its analysis.
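The content-aware search from the first bullet above, as an added example that is not part of the original post and not Microsoft's sample code. It assumes a connected Security & Compliance PowerShell session with an eDiscovery role; the search name and the sensitive information type in the KQL query are illustrative assumptions. It runs a tenant-wide search for a sensitive information type, waits for it to finish, and reports where the hits are.

```powershell
# Added example (not from the original post). Assumes Connect-IPPSSession has already run
# with an eDiscovery role; the search name and query are illustrative assumptions.

# Content search across all mailboxes and all SharePoint/OneDrive sites for items that
# contain a U.S. SSN. SharePointLocation All includes OneDrive, which is just another site.
New-ComplianceSearch -Name "Find-Stray-SSN" `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery 'SensitiveType:"U.S. Social Security Number (SSN)"'
Start-ComplianceSearch -Identity "Find-Stray-SSN"

# Poll until the estimate completes, then read the hit count and total size.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "Find-Stray-SSN"
} while ($search.Status -ne "Completed")
$search | Select-Object Name, Status, Items, Size

# Per-location breakdown: which mailboxes and sites the hits live in.
$search.SuccessResults

# Preview a sample of the matching items before deciding on labels, deletion or a hold.
New-ComplianceSearchAction -SearchName "Find-Stray-SSN" -Preview
(Get-ComplianceSearchAction -Identity "Find-Stray-SSN_Preview").Results
```

Searching for `SensitiveType:"..."` reuses the same classifiers DLP rules key on, so a search like this is the quickest way to see what a proposed DLP rule would match before you create it.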
As you can see, these capabilities add many more layers to the onion to detect and prevent misuse of data by authenticated users, whether malicious or accidental. They can help get a handle on shadow IT (data flowing to unsanctioned cloud storage) and provide valuable insight into how people use systems and data overall, so your risk posture can be continuously improved. These policies, labels, and controls apply across the data in your tenant, so enforcement and visibility are managed in one place for the entire environment.
Implementing all that I described above is challenging for any organization. It requires commitment across all areas: executive, legal, human resources, finance, compliance, operations, sales, and so on. Everyone will be impacted. The data needs to be understood and prioritized before a project like this can start. It is often easiest to put controls around email or a specific department’s files first (start with the “crown jewels” that everyone can agree on) and expand from there. Automated labeling is really the way to go if you can get the buy-in for it; run auto-labeling and DLP policies in simulation or test mode first so you can tune false positives before anything is blocked. Asking people to label manually is a hard change to get accepted, and the accuracy and completeness of manual labeling is usually questionable.
Compliance standards evolve and more privacy laws are enacted every year. Having automated controls in place makes it easier to comply and reduces the cost of maintaining compliance (and the likelihood of being fined for noncompliance). Plus, the reduction in the likelihood and severity of a breach is real and should be highlighted to your stakeholders.