Microsoft’s Approach to data protection
Microsoft’s information protection solution(s) are a layered approach to platform data security. This infographic explains the protection solutions in O365 from the design of libraries and SharePoint groups, Classification and Labeling, Encryption and DLP. I explicitly call this out as I often respond to requests from clients that want to discuss DLP from a task-oriented viewpoint. Often these requests come from organizations that may have skipped the foundational design of data protection and have allowed data to proliferate in their environment largely unchecked and are now seeking to use a technology like DLP to throw a net over the problem.
This is Part 3 of a multi-part article around Data Protection.
- DLP defined and the pursuit of data protection as an ‘Edge solution’
- Defining the edge of an Enterprise and control planes
- DLP in Microsoft Information Protection (MIP)
Microsoft’s Data protection solution solutions leverages two primary concepts in its approach
- MIP/AIP – Protect the data no matter where it is
- DLP – Define a service edge and control the data that can pass through it
It can be difficult when a client tries to piece meal in our solutions and couple them with their other solutions to fill a gap or address a specific task as they might a niche point solutions, or try to map it to a use case we would not support (forward proxy discussion from part 2) or they expect it to fulfill all of their requirements again from a task oriented view point when our solution is a platform and not a point solution. The easiest tool to understand the platform statement is MCAS. Microsoft Cloud App Security has no access control. The industry definition of this space is Cloud Access Security Broker, and our tool is named ’App’ Security with purpose. Our access controls exist in Azure AD which MCAS leverages, it would not make sense to replicate the access control capability in MCAS. The capability sought probably does exist just in another place that makes sense in a holistic conversation about data protection, but not a tactical conversation around filling a gap.
DLP in Microsoft’s Information Protection
M365 offers DLP in the following locations:
- O365 (Email, SharePoint Online, OneDrive for Business)
- Teams
- MCAS (O365 and 3rd party SaaS such as Salesforce and ServiceNow)
- Endpoint (Windows 10)
Data Protection in Microsoft starts with the definition of Sensitive Information Types (SITs). These are the patterns and rules that define what sensitive data is for your organization. Many customers struggle with this initial step to get the definitions tuned in a way that minimizes false positives. DLP can require tuning and that should be the expectation. Microsoft has tools to assist such as Trainable classifiers which is ML training against known positive datasets to create the classifier, Exact Data Match and SharePoint Syntex and expanded use cases outside of M365 with Azure Purview that leverages the same backend.
This effort can be a large undertaking as depending on which department you speak with what is considered sensitive critical data can vary. Microsoft provides general recommendations of 3 types of data to support this internal conversation.
The fact is there IS some data in your organization that is more important than others and it will require involvement of leadership to effectively define. A quote around data protection I like to use to illustrate the importance of this definition and the knee jerk response to just try to protect everything is “if you protect paperclips and diamonds with an equal amount of vigor, you will soon find yourself with fewer diamonds and more paperclips”. Again, not an easy button but an important and worthwhile exercise regardless.
Once the SITs are created you can see by the MIP diagram the type can be used across all the locations where Microsoft offers DLP in O365. Create the definition once and use it across the M365 estate.
Define the Business ask in the terms of available service edge/control plane
Access to data should be assessed in the terms of edges and control planes. Scenarios will generally not be a DLP only protection model and in the cases where it is, the supported scenarios will be reduced. The image below is an examination of a business use case for access to Teams and file downloads. We worked on this to help the client understand the variations of control planes in response to the general ask of the business for remote access, without a clear definition of the access modalities that would be used.
The organization used this to tailor the supported access use cases presented to the business and as supporting information to answer the ‘why’ as needed.
An organization can look at the matrix above in two ways complexity, or options. The modern enterprise which includes remote work, SaaS application, personal devices, B2B and guest users creates this web of access modalities, and it is the responsibility of the business to clearly understand what its true requirements are and then it is incumbent on IT to determine how to meet them and enable the business.
It is understandable that organizations would seek to simplify this question by attempting to preserve the 4-walls security model through forward proxies and Software Defined perimeters but in affect what that design is a reduction of complexity through the minimization of options.
The big picture
Hopefully, this discussion has provided a good overview of the Microsoft Information Protection platform in M365 and where DLP fits into a data security model. The modern enterprise has expanding the traditional workforce and resource delivery outside of the ‘4-walls’ of an on premises data center and effective data security is a layered approach of which DLP is one component and will include tools in M365, Azure, 3rd party Cloud and network providers and even as part of the code within your applications.
If you have questions on M365 DLP capabilities, please contact your Microsoft or CSP account team for more detailed information.
