The first step in protecting your sensitive data in O365 is to identify it accurately. The Microsoft Purview Information Protection framework supports three ways of classifying data as sensitive: manually, by users applying labels; by automated pattern matching, using sensitive information types built from regular expressions, keyword lists and checksums; and by machine learning, using trainable classifiers. Data that has been classified as sensitive by any of these routes can then be protected with the built-in tools that Microsoft offers.
Below, we’ll look at various elements of sensitive data identification, and the core functionality that Microsoft provides to protect data that has been classified as sensitive.
Microsoft provides a significant number of built-in sensitive information types that your organization can use to identify specific categories of data, which can then be managed according to rules aligned directly with a given variety of sensitive information.
For example, there is an “All Full Names” type that looks for a given name followed by a family name. If a match is found in a document, that document becomes subject to whatever rules your IT team has in place for data that refers to an identifiable person. Other bundled types include “All Medical Terms and Conditions” and “All Physical Addresses”, alongside hundreds of individual types (credit card numbers, national ID numbers, and so on) that can be applied in the same way.
If the built-in sensitive information types don’t satisfy your organization’s needs, you can create custom types as well, defining your own primary pattern, supporting keywords and checksum function, or matching against an uploaded table of known values (exact data match).
Whichever method your IT team employs to identify sensitive information, there is a degree of confidence attached to each designation. Microsoft expresses it as three levels: high, medium and low.
The confidence level is determined by how much corroborating evidence appears near the primary pattern. For example, a number that matches the credit card format (and passes its checksum) on its own yields only a low-confidence match. If supporting elements such as the cardholder’s name, an expiration date or keywords like “card number” appear within a set proximity window (300 characters by default), the match is rated medium or high, according to the patterns defined in the sensitive information type. A DLP rule then specifies the minimum confidence level and the number of instances it requires before it acts.
These thresholds trade false positives against false negatives: requiring more supporting evidence, or a higher instance count, before a rule fires reduces the number of harmless documents flagged as sensitive, but lets more genuinely sensitive content through, and vice versa.
Data Loss Prevention (DLP) is the Microsoft Purview feature that evaluates content in Exchange Online, SharePoint, OneDrive and Teams, and, with endpoint DLP, on managed devices, against a set of rules defined by an administrator. For your convenience, a wide variety of pre-built policy templates exist for specific categories of information, grouped as financial, medical and health (HIPAA among them), and privacy.
When a rule matches, DLP can show the user a policy tip explaining why the content is restricted, notify the user and administrators by email or incident report that the information is being shared externally, or block the action outright, preventing the email from being sent or the file from being shared outside the organization through SharePoint, OneDrive and Office apps such as Word and Excel. Policies can first be deployed in test mode, so the effect of the chosen thresholds can be observed before enforcement is switched on.
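To make the confidence mechanism and the DLP rule thresholds described above concrete, here is a small Python emulation. It is an added example, not Microsoft’s detection engine or any CoreView code: the card regex, the supporting keyword list, the 300-character proximity window, and the rule “primary element only is low, one kind of supporting evidence is medium, two kinds is high” are assumptions chosen to mirror the mechanism in the text. Only the numeric scale 65/75/85 for low/medium/high follows Purview’s documented convention. The sample documents are constructed and use well-known test card numbers.

```python
"""Illustrative emulation of how a sensitive information type (SIT) rates each
match with a confidence level, and how DLP rules then act on those levels.

Added example, not Microsoft's engine.  Assumptions: CARD_RE, KEYWORD_RE,
EXPIRY_RE, the PROXIMITY window and the evidence-count-to-level mapping are
illustrative; only the 65/75/85 scale follows Purview's documented convention.
"""
import re
from dataclasses import dataclass

# Primary element: 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Supporting elements that must appear within the proximity window.
KEYWORD_RE = re.compile(r"\b(?:visa|mastercard|card number|cvv|expir(?:y|es|ation))\b")
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")
PROXIMITY = 300                      # characters on either side of the primary match
LOW, MEDIUM, HIGH = 65, 75, 85       # Purview's numeric confidence scale


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; weeds out random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Match:
    value: str
    offset: int
    confidence: int
    evidence: list


def find_matches(text: str) -> list:
    """One Match per card-like number that passes the checksum, rated by how
    much corroborating evidence sits within PROXIMITY characters of it."""
    matches = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                 # fails the primary element: not a match at all
        lo, hi = max(0, m.start() - PROXIMITY), m.end() + PROXIMITY
        context = text[lo:m.start()] + text[m.end():hi]   # window minus the number itself
        evidence = []
        if KEYWORD_RE.search(context.lower()):
            evidence.append("keyword")
        if EXPIRY_RE.search(context):
            evidence.append("expiration_date")
        confidence = {0: LOW, 1: MEDIUM}.get(len(evidence), HIGH)
        matches.append(Match(m.group(), m.start(), confidence, evidence))
    return matches


@dataclass
class Rule:
    name: str
    min_confidence: int   # lowest confidence level this rule acts on
    min_count: int        # instances at or above that level needed to fire
    action: str           # "notify" or "block"


def evaluate(text: str, rules: list) -> list:
    """Names of the rules whose confidence and instance-count thresholds are met."""
    matches = find_matches(text)
    fired = []
    for rule in rules:
        hits = sum(1 for m in matches if m.confidence >= rule.min_confidence)
        if hits >= rule.min_count:
            fired.append(rule.name)
    return fired


def effective_action(text: str, rules: list) -> str:
    """Most restrictive action among the rules that fire ('allow' if none)."""
    fired = set(evaluate(text, rules))
    actions = [r.action for r in rules if r.name in fired]
    if "block" in actions:
        return "block"
    return "notify" if "notify" in actions else "allow"


# Constructed sample content.  4111 1111 1111 1111 is a well-known test number
# that passes the Luhn check; 1234 5678 9012 3456 does not.
DOC_HIGH = "Please charge my Visa, card number 4111 1111 1111 1111, expires 09/27."
DOC_MEDIUM = "Order confirmation: paid with Mastercard 4111111111111111. Thanks."
DOC_LOW = "Ref 4111-1111-1111-1111 attached to ticket 8842, see notes."
DOC_FALSE = "Tracking number 1234 5678 9012 3456 for your Visa order has shipped."

RULES = [
    Rule("Notify on medium confidence", MEDIUM, 1, "notify"),
    Rule("Block external share on high confidence", HIGH, 1, "block"),
]

if __name__ == "__main__":
    for name, doc in [("high", DOC_HIGH), ("medium", DOC_MEDIUM),
                      ("low", DOC_LOW), ("false positive", DOC_FALSE)]:
        ms = find_matches(doc)
        print(f"{name:14} confidence={[m.confidence for m in ms]} "
              f"evidence={[m.evidence for m in ms]} action={effective_action(doc, RULES)}")
```

Running the script shows the trade-off from the confidence discussion: the bare number in DOC_LOW is detected but triggers no rule, the keyword-backed number in DOC_MEDIUM produces a notification, and only the number with both a keyword and an expiration date nearby is blocked. The tracking number in DOC_FALSE has the right shape but fails the checksum, so it never becomes a match, which is exactly the kind of false positive a checksum in the primary element is there to prevent.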
Sensitivity labels are another powerful option for controlling access to sensitive documents that travel outside of your Office 365 environment. A label is metadata embedded in the file itself; when the label applies encryption, the file is protected with Azure Rights Management and the usage rights travel with it, so Office apps such as Microsoft Word enforce the same access rules whether the document is opened inside or outside your organization.
A label’s settings specify exactly what a recipient can do with a labelled document: view only, no copying or printing, no forwarding, or access that expires after a set period. DLP rules can also use the presence of a label as a condition, so your IT team can have it raise an alert when a labelled document is shared or emailed, say, or go so far as to block the user from attaching such a document to an outgoing email.
In addition to identifying and actively enforcing rules to protect data that has been classified as sensitive in nature, your organization should also adhere to best practices for controlling access to data within your O365 environment generally.
Enforcing strong password policies and multi-factor authentication (MFA) goes a long way toward controlling who has access to any of your internal data. Your IT team can extend this blanket protection with Conditional Access policies that require anyone accessing your organization’s resources to do so from a known and approved location – if you have no employees in certain regions, particularly those associated with high volumes of attacks, you can simply deny sign-ins from those regions. Bear in mind that a location block is a coarse filter that a VPN defeats trivially, so it should complement MFA and device-based conditions rather than replace them.
You will also want to leverage Microsoft-provided tools such as Microsoft Secure Score, which assesses your tenant’s security posture and offers specific, prioritized recommendations for improving your data security as a whole.
As you can see, Microsoft offers a wealth of tools to ensure Office 365 security. However, each of these features is controlled by distinct UIs related to specific applications that fall under the umbrella of O365. This can make it challenging for IT teams to make the best possible use of these diverse and powerful tools.
CoreView simplifies the entire system by providing access to all of this functionality through a single, unified web-based user interface that dramatically reduces the complexity, and thus greatly increases IT teams’ ability to employ it all successfully and coherently. See it in action today.