A deeper dive into protecting your information in the cloud - Part 1

-
During the years I have done a lot of information protection projects and set up solutions with labeling for both small and larger organizations. For customers who want to protect their data, there really are no reasons to wait to get started. Know that a lot of time will (should) go into planning the label settings and protections settings. And also know that this is not a perfect system. It will require a lot of thinking on your part to get this right. I will write a series of blogposts describing the different ways to protect data in the cloud and my experiences with the different solutions. This is part 1 in this series and will serve as a kind of introduction.

I suppose we have all seen headlines describing embarrassing data leaks and companies that have lost control of their sensitive data. And many out there have considered different ways to avoid leaks like that. But do we really have tools that can stop these bad things from happening? Well, we have several tools that can help, but we can never be completely safe. As long as we are human, we will make mistakes.





If you want to know more about some of the requirements for using these services you can see some in this previous blogpost: Requirements to use information protection (AIP,MIP,RMS).

So, as you are starting your strategy to protect your companies info: What can go wrong you may ask? Well, it depends on how well you have thought things through. You will have to consider all the scenarios (and there are many in most companies). What kind of information are we dealing with in our company? Who do we communicate with? And what labels will be needed to ensure we cover the most important cases? And we also need to keep it manageble. When it comes to AIP Microsoft recommends no more than 5 primary labels with no more than 5 sublabels to not make it to chaotic.

So, what solutions are there to protect data in the cloud (Microsoft)?


(We will cover the different solutions in more detail in the coming blogposts, but I can give a short description here.) 


First of all, there are several ways to protect our data:

  • We have AIP (Azure Information Protection) that allows us to set up labels and rolout these labels to our users. They will be visible in our office apps for instance (unless you have an older version of office. Then you will have to install an extra add-in: link to aip clients)Many people use the abbriviation MIP (Microsoft Information Protection) for AIP now after we have started using sensitivity labels in Office 365, and you will be fine either way. MIP was originally the umbrella for all the solutions we will be talking about, but even Microsoft are using the terms a little randomly so why shouldn't we?
  • We have Office 365 DLP (Data Loss Prevention) that will go through our data in one of, or all of these services: Exchange Online, Teams, SharePoint Online and OneDrive for Business and can apply a rule we have created. It can be a rule looking for certain sensitive info types, either predefined by Microsoft, or we can create our own. When data matching our rule is found, we can apply certain restrictions if we want. For instance we find sensitive data shared externally, and automatically stop the sharing, and remove the external users who had access. 
  • We have MCAS (Microsoft Cloud App security) that can run DLP rules to look at content, it can apply sensitivity labels and do much, much more to make sure our sensitive data is safe. And it can also (unlike AIP) protect data outside of Microsoft 365 like AWS, Google and other services). 
  • We also have the opportunity to use Office 365 Message Encryption to encrypt our emails for instance with a couple of predefined encryption rules: Encrypt or Do Not Forward.  Great thing about these are that you can create mail flow rules that do this for you automatically. For more info on this, please read this previous blogpost: Protecting Exchange Online email with mail flow rules.
There are different (and some overlapping) use cases for these, and in this blog series we will cover quite a few of them.
    Things keep moving around and there are many portals.

    What do all these have in common you ask? Well, they all use the Azure RMS service to protect (encrypt) data, and they all use Azure AD to ensure who has what rights to the data.

    Licenses

    Some of the licensing stuff is covered in the Requirements post, but s we go deeper into the products we will also be talking about the different licensing requirements and other stuff we will need to use the products.


    Microsoft has done an amazing job documenting all these features, and you will be able to find good guides for setting up the different protection schemes. I started working with RMS a long time ago, and I'll tell you: It has come a long way since back then.

    Hope this was interesting, and that you will keep reading the coming posts. First we will talk about AIP/MIP and you can read about that in part 2 here.

    Comments

    Post a Comment

    Popular posts from this blog

    Do not Forward and the protection of attachments

    -
    Image
    Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
    Read more

    Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

    -
    Image
    Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
    Read more