Data-Describe security, compliance, privacy, and trust in Microsoft 365

All the security functions applying to the other five Zero Trust criteria essentially protect the organization’s data—its most valuable resource. Administrators must consider the data’s security in all possible states: in-motion, at-rest, and in-use. Depending on the nature and sensitivity of the data, each state might require different security measures. Microsoft 365 supports tools that can label, classify, and encrypt data to protect it in all states, such as Data Loss Prevention (DLP) and Azure Information Protection (AIP).

The traditional method for securing documents is to apply access control permissions to them. Permissions take the form of access control lists that are stored as attributes of individual files and folders. An access control list (ACL) consists of multiple access control entries (ACEs), each of which specifies a security principal, such as a user or group, and the permissions that grant the principal a degree of access to the file or folder.

Permissions have been around for decades, enabling users and administrators to restrict access to particular documents, but they must be applied manually and are difficult to manage for a large document collection. Someone also must keep track of which documents contain sensitive information that requires additional protection.

Therefore, Microsoft 365 includes security mechanisms, such as Azure Information Protection (AIP) and Data Loss Prevention (DLP), which can protect documents in other ways. The process of identifying documents containing sensitive data and securing them consists of the following four steps:

  • Discovery The process of locating documents that contain sensitive information, either by automatic detection based on established data patterns or by prompting users to apply classification labels
  • Classification The application of labels to documents containing sensitive information, indicating what types of protection should be applied to them
  • Protection The application of specific security mechanisms to documents based on the classification labels that have been applied to them
  • Monitoring The process of tracking document access trends, activities, and events and taking action when necessary

The process of discovering documents containing sensitive information is highly dependent on three factors:

  • The nature of the organization
  • The type of business in which the organization is engaged
  • The policies or regulations with which the organization must comply

Tools like Data Loss Prevention have preconfigured sensitive information types that enable the automated discovery of documents that contain common data patterns, such as credit card and Social Security numbers. Also, administrators can create customized sensitive information types that can discover documents containing specific industry-based keywords and data patterns.

Like a physical label, the sensitivity labels applied by tools like AIP and DLP can warn users that a document contains sensitive information and recommend that users take certain actions. The labels persist with the documents as they travel to different systems and are opened in other applications—even on other computing platforms. However, AIP and DLP labels can also be configured to apply various types of protection, like those shown in Figure 3-42. The labels can

  • Cause documents to be encrypted—at rest and in transit
  • Be limited to use with specific applications
  • Be restricted to specific users or devices
  • Be configured to expire
  • Be deleted after a specified lifespan

FIGURE 3-42 Microsoft 365 document protection mechanisms

Once the document classification and protection phases are complete, administrators are still responsible for monitoring the reports and alerts generated by the security tools. For example, repeated attempts to access or share protected documents by the same user or device can indicate the presence of a security breach, even if the attempts fail. The monitoring process should also include remediation so that an administrator who notices anomalous behavior can intervene by revoking document access privileges or quarantining files.

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Popular Posts

  • Summary-Describe security, compliance, privacy, and trust in Microsoft 365
    Summary-Describe security, compliance, privacy, and trust in Microsoft 365

    Thought experiment In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to this thought experiment in the next section. Ralph is the Director of the Brooklyn datacenter at Contoso Corp. The company currently has three office buildings in the New York area with…

  • Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365
    Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

    Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in…

  • Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365
    Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365

    The third element of the digital estate that must be considered when creating a risk management plan is the people who actually access the data. Whether deliberately or inadvertently, users are a constant vulnerability—if not an actual threat—to the organization’s data. After quantifying the organization’s information assets and their value and inventorying the hardware used…

Tags

There’s no content to show here yet.