For our fourth stop on the journey to holistic cloud protection with the Microsoft 365 security stack we will be discussing data security. For anyone new joining us on this journey, please check out Part I: Overview, Part II: Identity Security, Part III: Device Security and Part IV: App Security to get caught up before reading Part V: Data Security, which is the subject of this article.
Data is an extremely valuable asset for any organization since it is a distinct differentiator from other organizations. Data could include proprietary processes, customer metrics, sensitive employee information or trade secrets. An organization must be able to discover sensitive data stored in the cloud and ensure that data is protected no matter where it goes. Data stored in the Microsoft Cloud is encrypted at rest (AES 256-bit) and in transit (TLS 1.2 with 256-bit cipher strength). The main data security concern arises when data is taken out of the Microsoft Cloud: those controls stop at the service boundary, so the question becomes how to give the data protection that persists with it.
Microsoft 365 has multiple data security options: access to the location of the data is controlled through role-based permissions (SharePoint/OneDrive permissions), email can be encrypted non-persistently (Office 365 Message Encryption), and preventive controls can block the sharing of sensitive content. Unfortunately, none of these travel with the content, so a file or message can leave the Microsoft Cloud with no protection attached to it. Sensitivity Labels provide persistent protection through Microsoft Information Protection: the content is encrypted with AES 256-bit encryption, and the protection is attached to the content and follows it wherever it goes. The content can be opened only after the user authenticates, and the user can perform only the actions permitted by the usage rights granted to them. Sensitivity Labels can be applied in several ways, each supporting different scenarios: manually by the user, through auto-labeling conditions evaluated in the Office client, and through auto-labeling policies evaluated in the service (also known as auto classification).
Issue #1: – Specific documents/emails should only be accessed by internal employees of the organization
Solution: Rights management can be added to the label so that only users with an account in the organization can open content that carries it. Rights can be granted to the entire organization or only to specific groups, which prevents anyone outside the organization from opening the content even if they obtain a copy. Because the protection is persistent, access is granted only to those who can successfully authenticate and who have been authorized to perform specific actions on the documents/emails.
Issue #2: – Specific documents/emails should only be accessed by a specific vendor and our organization
Solution: Rights management can be added so that every user in a specific external domain, or specific external email addresses, can access the labeled content. This is useful when you need to share a document only with a specific vendor (for example @microsoft.com) or a specific external user (firstname.lastname@example.org) while ensuring no one else has the ability to open it.
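As an added example (not from the original post), here is how the two label configurations for Issue #1 and Issue #2 could be created in Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module, an account with the Compliance Administrator role, and that contoso.com is your tenant's domain, fabrikam.com the vendor's domain and consultant@example.org the named external user; all of those names, and the label names, are placeholders. The parameter names are those of the New-Label, New-LabelPolicy and Get-Label cmdlets; confirm them against the module version in your tenant.

```powershell
# Added example, not from the original post. Placeholders: contoso.com (our tenant),
# fabrikam.com (vendor), consultant@example.org (named external user).
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Usage rights roughly equivalent to the portal's "Co-Author" and "Viewer" presets
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
$viewer   = 'VIEW,VIEWRIGHTSDATA,OBJMODEL'

# Issue #1: internal only. Granting rights to the tenant domain (not to
# "AuthenticatedUsers", which any signed-in identity satisfies) is what keeps
# external accounts out, no matter where the file travels.
New-Label -Name 'Confidential-Internal' -DisplayName 'Confidential - Internal' `
    -Tooltip 'Encrypted; readable only by contoso.com accounts' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.com:$coAuthor" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Issue #2: our organization plus one vendor domain and one named external user,
# both limited to viewing. Nobody else can open the content even if they receive it.
New-Label -Name 'Confidential-Fabrikam' -DisplayName 'Confidential - Fabrikam project' `
    -Tooltip 'Encrypted; contoso.com can edit, Fabrikam and the named consultant can view' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.com:$coAuthor;fabrikam.com:$viewer;consultant@example.org:$viewer" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 1

# Publish the labels; until a label policy includes them, users cannot see or apply them.
New-LabelPolicy -Name 'Confidential labels' `
    -Labels 'Confidential-Internal','Confidential-Fabrikam' `
    -ExchangeLocation All

# Check: read back the rights definitions actually stored on each label
'Confidential-Internal', 'Confidential-Fabrikam' | ForEach-Object {
    Get-Label -Identity $_ | Format-List Name, DisplayName, Encryption*
}
```

The read-back at the end is the check worth keeping: the EncryptionRightsDefinitions value stored on the label, not the label's display name, is what decides who can open the content. EncryptionOfflineAccessDays also matters for the vendor case: once a user has opened the content, they can keep opening it offline for that many days without contacting the service, so a short window means that removing a user's rights takes effect sooner.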
Issue #3: – All documents/emails with sensitive information should be automatically labeled
Solution: Rights management can be applied to a document/email during the creation or editing process using auto-apply labels that are evaluated in the Office client. A label is applied when a condition is met as the document/email is scanned while being saved. These conditions look for sensitive information types, which can be based on keywords/phrases, regular expression patterns (regex), large keyword dictionaries or exact data match (EDM).
Please note that auto-labeling policies (service-side) also allow labeling data at rest in SharePoint/OneDrive, but there are limitations with this method. If you have Microsoft Cloud App Security (discussed in the next section), it is recommended instead because of its more granular policy controls and because it avoids the current limitations of auto classification policies.
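Two added examples follow, neither taken from the original post. The first shows what a sensitive information type (SIT) actually evaluates beyond a bare regex, using a simplified model of a credit card SIT written in PowerShell: a primary digit pattern, a checksum that discards most random digit runs, and supporting keywords within a proximity window that raise the confidence level. This is not Microsoft's implementation; the keyword list and the 300-character window are assumed values, and the sample text is constructed. The second shows a service-side auto-labeling policy created in simulation mode with the built-in "Credit Card Number" SIT; it assumes Connect-IPPSSession has already been run, that a label named Confidential-Internal exists, and that the site URL is a placeholder. The cmdlet and hashtable key names are those documented for New-AutoSensitivityLabelPolicy and New-AutoSensitivityLabelRule; confirm them against your module version.

```powershell
# Added example, not from the original post and not Microsoft's code: a simplified
# model of how a "Credit Card Number" sensitive information type is evaluated.
# The keyword list and the 300-character proximity window are assumed values.

function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CreditCardSit {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$Proximity = 300
    )
    $keywords = @('card number', 'credit card', 'visa', 'mastercard', 'amex', 'expiry', 'cvv', 'cvc')
    # Primary element: 13-19 digits, optionally separated by single spaces or dashes
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        # Checksum: drop digit runs that cannot be a card number (ticket ids, timestamps...)
        if (-not (Test-LuhnChecksum -Digits $digits)) { continue }
        # Supporting element: keywords within $Proximity characters on either side
        $start  = [Math]::Max(0, $m.Index - $Proximity)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $Proximity)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $found  = @($keywords | Where-Object { $window.Contains($_) })
        $confidence = if ($found.Count -gt 0) { 'High' } else { 'Low' }
        [pscustomobject]@{
            Match      = $m.Value
            Confidence = $confidence
            Evidence   = ($found -join ', ')
        }
    }
}

# Constructed samples: a valid-checksum number with supporting keywords (High),
# a valid-checksum number with no keywords nearby (Low), and an invalid-checksum
# digit run that is dropped before it can produce a match at all.
$withContext = 'Please charge my credit card 4111 1111 1111 1111, expiry 09/27.'
$noContext   = 'Tracking id 5555 5555 5555 4444 for the shipment. Reference 1234-5678-9012-3456.'
Find-CreditCardSit -Text $withContext | Format-Table -AutoSize
Find-CreditCardSit -Text $noContext   | Format-Table -AutoSize

# --- Service-side auto-labeling policy, in simulation mode first ---
# Assumes Connect-IPPSSession has been run and the label 'Confidential-Internal'
# exists; the site URL is a placeholder.
New-AutoSensitivityLabelPolicy -Name 'Auto-label card numbers (Finance)' `
    -ApplySensitivityLabel 'Confidential-Internal' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/finance' `
    -Mode TestWithoutNotifications `
    -Comment 'Service-side auto classification; review simulation results before enabling'

# minConfidence 85 corresponds to the High confidence level (checksum plus
# supporting keywords), so bare 16-digit strings are not labeled.
New-AutoSensitivityLabelRule -Policy 'Auto-label card numbers (Finance)' `
    -Name 'Card number, high confidence, 1 or more' `
    -ContentContainsSensitiveInformation @{Name='Credit Card Number'; minCount='1'; minConfidence='85'} `
    -Workload SharePoint

# Check what was created; promote to Enable only after reviewing the simulation
Get-AutoSensitivityLabelPolicy -Identity 'Auto-label card numbers (Finance)' |
    Format-List Name, Mode, *Label*, *Location*
# Set-AutoSensitivityLabelPolicy -Identity 'Auto-label card numbers (Finance)' -Mode Enable
```

The design point in the first half is the confidence level: a regex alone would flag the tracking id and the ticket reference, the checksum removes the reference, and the missing keywords leave the tracking id at Low confidence, which is why the policy in the second half asks for minConfidence 85 rather than any match. Keep the policy in simulation until you have reviewed the matched files: an auto-labeling policy that applies an encrypting label to the wrong files locks them to the rights in that label, which is a user-facing outage rather than a false positive.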
Microsoft Cloud App Security (MCAS):
Visibility of data is important: you cannot protect what you do not know exists. Organizations store data in many different places using different cloud storage providers. With Microsoft 365 you have OneDrive for Business for personal storage and SharePoint Online for enterprise storage. Organizations may also be using third-party cloud storage providers, like Box, Dropbox, AWS or G Suite, to diversify their repositories, or may be in the process of migrating to a single repository within the Microsoft cloud. In either case, the ability to see sensitive content and protect it is always high on the priority list. MCAS gives you visibility, dynamic alerting and the ability to take action in specific scenarios through file policies.
Issue #1: – What sensitive information exists in my cloud storage? Sensitive content can differ drastically between industries and regions around the world. Some types are shared by all organizations (credit card and identification numbers) while others are specific to an industry or region (healthcare, financial, government, European Union). Data storage is usually fragmented across multiple cloud storage providers, which increases the likelihood of not knowing what sensitive data is out there that needs to be protected.
Solution: When MCAS is integrated with your connected apps, you can be alerted to File Policy matches for sensitive content not only in Office 365 but also in cloud storage providers like Box, Dropbox, AWS and G Suite. This provides near real-time data inspection and goes beyond what is possible with Office 365 DLP policy inspection. Sensitive content may include credit card numbers, SSNs, organization-specific IDs, project code names or other content that, if leaked, could be detrimental to the organization. Knowing what exists and where it is located is the first step in protecting your data stored in the cloud.
Issue #2: – How do I add persistent protection to data in my cloud storage with no user action? Knowing what data exists is one thing, but once I know about it, how do I protect files that exist in multiple cloud storage locations? How do I ensure the content is protected without having to touch every single document in multiple locations?
Solution: File Policies allow for detecting and applying encryption to data at rest in SharePoint Online, OneDrive for Business, Box and G Suite. This ensures the content is labeled with persistent protection without any user action such as accessing or opening the file.
Issue #3: – Remove external access to data in my cloud storage after XX days without activity. When an external user has access to an organization's data, the risk increases: if the external user is compromised, your data is compromised too. As content is shared with multiple internal/external individuals, the owner of the content may forget to remove access that is no longer needed.
Solution: Another use for File Policies is to detect stale externally shared data: data that is externally shared but hasn't been modified within a specific timeframe. Alerting on this and taking automated action helps reduce risk when the access is no longer needed. If access is removed and is required again, adding it back is as simple as re-sharing the content.
As we look back on what we have discussed about data security, there must be an understanding that the ultimate goal of any malicious attacker is to get to your organization's data. Compromising user accounts, infecting devices or manipulating applications may be the attack vectors being used, but the end game is to get to your organization's data. During this stop we discussed features that increase visibility into what sensitive data you have and where it is located, and how to provide persistent protection to it throughout your cloud storage locations.
Thank you so much for joining me during this stop while we discussed data security. Our final stop in this journey will be discussing Microsoft 365 Security Stack Integration and how to increase our security posture when integrating the solutions discussed during this blog series together.