Australia | Azure Information Protection - Deployment - Part 2

Hugh Roberts - 10.06.2020

Azure Information Protection – Deployment – Part 2


In part 2 of our series we identify the Crawl steps of our deployments: getting the correct services and settings in place and, importantly, getting users involved as we start to gain visibility into your environment.

THE CRAWL

In the Crawl phase we put in place the basic requirements, or foundation, for getting the service live so we can start to build the Information Protection landscape.

  • Turn on AIP features
  • Investigate Shadow IT
    • Run a ShadowIT Audit
  • Starting our labelling taxonomy
  • Getting users involved
  • Optional – Implement DLP with ToolTips
  • Optional – Implement Torsion Level 0

So, let’s go through each of these in a bit more detail.

Assign an Information Protection Owner

This should be reasonably obvious: there needs to be a key sponsor or group who will be accountable for the end-state outcome throughout the business. We find that having an executive sponsor assists with driving adoption.

Turn on AIP Features

Four features should probably be enabled at this stage. Note – each one has some considerations, so ensure you read the documentation fully.

  1. Labelling of Office 365 Groups/Teams/SharePoint Sites
  2. Labelling in SharePoint and OneDrive
  3. Set up Log Analytics to collect logs
  4. Optional – enable Trainable Classifiers scan in your environment

Here are the links and a bit of background on each.

Feature: Implement AIP in Teams, SharePoint and 365 Groups (Preview Feature)
Links: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide and https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels
Description: When creating or editing an object based on a 365 group, a classification label can be applied to the entire site. This can do the following:
  1. Make the connected Team site public or private in the organisation
  2. Block or allow guest access
  3. Control access from unmanaged devices

Feature: Enable AIP in SharePoint, OneDrive and Office on the Web (Preview Feature)
Description: Users will be able to label documents from Outlook on the web as well as OneDrive. Search and other functions will work as expected for protected files.

Feature: Set up Log Analytics for AIP
Link: https://docs.microsoft.com/en-us/azure/information-protection/reports-aip
Description: Allows logging of AIP-related activities so you can start to get intelligence about Information Protection in your environment.

Feature: Run a “Trainable Classifiers” scan across your environment
Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/classifier-getting-started-with?view=o365-worldwide
Description: Go to compliance.microsoft.com -> Data Classification -> Trainable Classifiers (preview). Microsoft has introduced “Trainable Classifiers” (E5 feature) which should allow businesses to scan their environment to find information to

Investigating Shadow IT

Shadow IT is when users in your environment are using toolsets or services not sanctioned by the business (Dropbox, Box, or other file sharing Software as a Service (SaaS) offerings). When data is shared like this, it can become a huge problem for IT, as it is virtually undetectable after it has been shared. Sometimes it’s common knowledge, but where it’s not, there are some strategies which can identify where Shadow IT exists:

  • Firewalls or firewall logs – it may be necessary to import these into something like Microsoft Cloud App Security (MCAS) to provide insights into how information or data is being shared, and by whom.
  • Endpoint protection such as Defender ATP – this will automatically log all activity and present it in MCAS, including accessing Shadow IT services
  • Web filters or proxies – these products are like firewalls, where they log web traffic and can be connected to MCAS

Once you have a picture of Shadow IT you can use this to ascertain if there is information risk and take action, either by integrating AIP into these products (lots of integration options are available) or blocking the use of these products completely by making them “non-sanctioned”.

Taxonomy Definition

In detailing a customer’s taxonomy we use guidance from Microsoft’s whitepaper (they have been doing this for a long time); your experience and definitions may differ significantly!

To start, we define some basic labels which are simple to identify and use, and not too specific, then update them in the Walk and Run phases. The basic definitions are:

  • Non-business
  • Public
  • General (or General Business)
  • Confidential
  • Highly Confidential (in some cases)
  • All Employees – this is accounts within 365 excluding guest accounts
  • Recipients Only – defined at the time of labelling
  • Finance – Finance only
  • Executives – Execs only

We frequently find a case for an unencrypted confidential label too, which could be something like “Commercial in Confidence” or similar, so business processes which require unencrypted but confidential information to be shared externally still can be.

This is just a start to allow us to begin the process!

Generating the Policies and Framework

Now that we have labels, policies are used to assign them to people. We have found it easiest to put the labels everyone will get in the Global policy, then define further label policies that add labels for certain groups.
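As an added example (not code from the original post), the taxonomy and the Global-versus-group policy split described above can be scripted with Security & Compliance PowerShell. The tenant domain, the group addresses and the parameter names used for the Recipients Only label are assumptions, and the label names are illustrative.

```powershell
# Added example, not the post's own code: builds the crawl-phase taxonomy and
# policies above with Security & Compliance PowerShell (ExchangeOnlineManagement).
Connect-IPPSSession

$tenantDomain = 'contoso.example'            # placeholder: your verified domain
$financeGroup = 'finance@contoso.example'    # placeholder: mail-enabled group
$execGroup    = 'executives@contoso.example' # placeholder: mail-enabled group
# Rights granted to the audience of each encrypted sub-label (co-author level).
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# Base labels that everyone receives; none of these apply encryption.
foreach ($name in 'Non-business', 'Public', 'General') {
    New-Label -Name $name -DisplayName $name -Tooltip "$name information" | Out-Null
}
# Parent label; the sub-labels beneath it carry the actual encryption scope.
New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Sensitive business information' | Out-Null
# Unencrypted confidential sub-label for processes that must share externally.
New-Label -Name 'Confidential - Commercial in Confidence' -DisplayName 'Commercial in Confidence' `
    -ParentId 'Confidential' -Tooltip 'Confidential, may be shared externally' | Out-Null

# Encrypted sub-labels: the tenant domain means every account in the tenant
# (guests excluded); a group address restricts content to that group's members.
$scoped = [ordered]@{ 'All Employees' = $tenantDomain; 'Finance' = $financeGroup; 'Executives' = $execGroup }
foreach ($audience in $scoped.Keys) {
    New-Label -Name "Confidential - $audience" -DisplayName $audience -ParentId 'Confidential' `
        -EncryptionEnabled $true -EncryptionProtectionType Template `
        -EncryptionRightsDefinitions "$($scoped[$audience]):$coAuthor" | Out-Null
}
# "Recipients Only": the user picks recipients at labelling time (Do Not Forward in
# Outlook, user-defined permissions in Office); assumes the UserDefined parameters.
New-Label -Name 'Confidential - Recipients Only' -DisplayName 'Recipients Only' -ParentId 'Confidential' `
    -EncryptionEnabled $true -EncryptionProtectionType UserDefined `
    -EncryptionDoNotForward $true -EncryptionPromptUser $true | Out-Null

# Global policy carries the labels everyone gets; group policies add the rest
# (a sub-label is published together with its parent).
$common = 'Non-business', 'Public', 'General', 'Confidential',
          'Confidential - Commercial in Confidence', 'Confidential - All Employees',
          'Confidential - Recipients Only'
New-LabelPolicy -Name 'Global' -ExchangeLocation All -Labels $common | Out-Null
New-LabelPolicy -Name 'Finance' -ExchangeLocation $financeGroup `
    -Labels 'Confidential', 'Confidential - Finance' | Out-Null
New-LabelPolicy -Name 'Executives' -ExchangeLocation $execGroup `
    -Labels 'Confidential', 'Confidential - Executives' | Out-Null
```

Run `Get-LabelPolicy | Format-List Name, Labels, ExchangeLocation` afterwards to confirm that only the Global policy targets All and the group policies target their group.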

We then begin creating the Information Protection one-stop-shop reference guide for everything information protection, sort of like a design document. It has your requirements, taxonomy and policies all wrapped into a single place. Parts of this framework can then be used to build end-user information for enablement, to help them in their journey as well.

We laid out our framework using the document I referenced from Microsoft in the Taxonomy definition section and our document had these headings:

  • Drivers
  • Design considerations
  • Architecture (components used in our deployment)
  • Classification Framework
    • Label Framework
    • Classification policies
    • Classification security controls
    • Data Loss Prevention
  • Cloud App Security
  • Implementation Plan
    • Crawl
    • Walk
    • Run

Getting Users Involved

Once your framework has the majority of the policies and you have implemented them, it’s time to cut the relevant parts out of the Framework document and give users a picture of how and when to classify. Here is an example of one:

[Image: example end-user classification guide]

Deploying the Unified Labelling client isn’t strictly necessary at this stage as all new versions of Office software (and Office on the Web, if enabled) provide the ability to assign sensitivity labels to documents.

Note – the Microsoft AIP end-user adoption guide is extremely helpful in developing your end-user comms. It contains an FAQ and lots of examples which you can use for your environment, including:

  • A table explaining “What encryption means”, which aims to answer the question “what happens when I assign the different encryption levels?”
  • A classification flowchart to assist users in classification decisions.

The next step in getting users involved is an information campaign to let them know about the service. Use your preferred methods for getting this information out; we recommend email, all hands (town hall) meetings, team meetings, etc. Don’t forget to encourage feedback on AIP, as some users may have a suggestion for a label or project which needs additional care.

Implement DLP Policies with Monitoring

To help users begin to identify sensitive data which may already exist, you can use DLP policy tips and monitoring for data sent externally that contains the sensitive information types you are using, such as the built-in sensitive information types.

An example of how DLP can help here is setting up alerts when a credit card number is shared externally, then afterwards monitoring it over time and making an informed decision about whether additional controls are required. You can view all this information in a mailbox or Cloud App Security, if you have E5.
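The credit card example above, as an added example that is not the post’s own code: a DLP policy in test mode that shows a policy tip and records matches on external sharing without blocking anything. It assumes Security & Compliance PowerShell and uses a placeholder report mailbox.

```powershell
# Added example, not the post's own code: monitor credit card numbers shared
# externally with policy tips only (no blocking) during the Crawl phase.
Connect-IPPSSession
$reportMailbox = 'dlp-reports@contoso.example'   # placeholder mailbox for incident reports

# TestWithNotifications: policy tips are shown and matches are recorded, but no
# action blocks the share. Change -Mode to Enable once you have reviewed the data.
New-DlpCompliancePolicy -Name 'Crawl - Credit card monitoring' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications | Out-Null

# Built-in sensitive information type; AccessScope limits the rule to external sharing.
New-DlpComplianceRule -Name 'Credit card shared externally' `
    -Policy 'Crawl - Credit card monitoring' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item appears to contain a credit card number and is being shared outside the organisation. Consider applying a Confidential label.' `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Title, DocumentAuthor, Service, MatchedItem, Detections `
    -ReportSeverityLevel Medium | Out-Null

# Confirm the policy is in test mode before leaving it to run for the monitoring period.
Get-DlpCompliancePolicy -Identity 'Crawl - Credit card monitoring' | Format-List Name, Mode, Workload
```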

Implement Torsion Level 0

Torsion Information Security (TorsionIS) is an information governance product which seamlessly integrates with the user experience of your Office 365, Teams, SharePoint and Windows file shares.

When connected to your 365 tenant, Torsion with AIP and MCAS provides further insights into who has access to what information, and more importantly “why”. To begin with, Torsion is implemented at what we call “level 0” which is fundamentally a Torsion tenant authenticated and connected (one-off process) to your 365 tenant for visibility and insights only (Who has access).

So, where AIP helps classify data you already have access to, Torsion will determine if you should have access, honour the classification, and enforce controls.


And with that we move into the Walk phase, which you can read about in part 3.
