Protecting documents-Describe security, compliance, privacy, and trust in Microsoft 365

The fundamental purpose of identities is to protect documents and other data. When protecting identities, the threat of lateral penetration forces administrators to apply equal protection to all of them, regardless of their privileges. However, the security can and should be more selective when protecting documents. While an enterprise might have hundreds or thousands of identities to protect, it might easily have hundreds of thousands or millions of documents, which makes applying equal protection to them all impractical. Therefore, administrators need to identify sensitive data documents requiring more protection.

As discussed earlier in this chapter, Azure Information Protection (AIP) and Data Loss Prevention (DLP) enable administrators and users to apply classification labels to documents and specify security measures applied to the documents based on those labels. While these tools can, in some cases, detect sensitive data within documents based on criteria that administrators specify, there are many other cases in which it is up to the users to apply the labels correctly to their documents.

Note Information Protection and Data Loss Prevention

For more information on Azure Information Protection and Data Loss Prevention, see the “Data” section earlier in this chapter.

The technological aspects of implementing tools such as AIP and DLP are relatively straightforward; however, the implementation’s administrative, cultural, and educational aspects can be more troublesome, especially in a large enterprise. For these tools to function effectively, the classification labels representing the various levels of data sensitivity must be understood by everyone involved and applied consistently throughout the organization.

When the intention is to create a single classification label taxonomy that the entire enterprise will use, it makes sense for representatives from all areas and all levels of the enterprise to have a say in the design of that taxonomy. Unless the terms used for the labels mean the same thing to everyone, there is a chance that documents could be labeled incorrectly or, worse, not labeled at all when they should be.

With the labeling taxonomy agreed on and in place, the next step in the deployment—as with all new programs—should be a pilot deployment. With a small group of representative users applying labels to their documents and with DLP configured to classify a subset of the company’s documents automatically, careful monitoring of the labeling process and evaluation of the classified documents will almost certainly disclose some incorrect labeling, requiring modifications to the tools themselves or to the users’ procedures. Successive iterations of the taxonomy and the DLP algorithms will likely be needed before the system is completely reliable.

The final phase of the deployment—and arguably the most difficult one—will be educating all the organization’s users on the labeling system, how it works, and why it is necessary. This is particularly true for users not involved in the technology behind the system. Document protection is not a problem that administrators can solve only with technology; the human factor is also critical.

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Popular Posts

  • Summary-Describe security, compliance, privacy, and trust in Microsoft 365
    Summary-Describe security, compliance, privacy, and trust in Microsoft 365

    Thought experiment In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to this thought experiment in the next section. Ralph is the Director of the Brooklyn datacenter at Contoso Corp. The company currently has three office buildings in the New York area with…

  • Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365
    Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

    Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in…

  • Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365
    Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365

    The third element of the digital estate that must be considered when creating a risk management plan is the people who actually access the data. Whether deliberately or inadvertently, users are a constant vulnerability—if not an actual threat—to the organization’s data. After quantifying the organization’s information assets and their value and inventorying the hardware used…

Tags

There’s no content to show here yet.