{"id":1701,"date":"2020-06-10T01:00:00","date_gmt":"2020-06-10T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/azure-information-protection-deployment-part-2\/"},"modified":"2020-06-10T01:00:00","modified_gmt":"2020-06-10T01:00:00","slug":"azure-information-protection-deployment-part-2","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/secure-workplace\/azure-information-protection-deployment-part-2\/","title":{"rendered":"Azure Information Protection &#8211; Deployment &#8211; Part 2"},"content":{"rendered":"<p><span>In part 2 of our series, we identify the Crawl steps in our deployments to get the correct services and settings in place and, importantly, get users involved as we start to gain visibility into your environment.<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">THE CRAWL<\/h3>\n<p>In the crawl phase we achieve the basic requirements, or foundation, for getting the service live so we can start to build the Information Protection landscape.<\/p>\n<ul>\n<li>Turn on AIP features<\/li>\n<li>Investigate Shadow IT\n<ul>\n<li>Run a Shadow IT audit<\/li>\n<\/ul>\n<\/li>\n<li>Starting our labelling taxonomy<\/li>\n<li>Getting users involved<\/li>\n<li>Optional \u2013 Implement DLP with ToolTips<\/li>\n<li>Optional \u2013 Implement Torsion Level 0<\/li>\n<\/ul>\n<p>So, let&#8217;s go through each of these in a bit more detail.<\/p>\n<p><strong>Assign an Information Protection Owner<\/strong><\/p>\n<p>This should be reasonably obvious: there needs to be a key sponsor or group who will be accountable for the end-state outcome throughout the business. We find that having an executive sponsor assists with driving adoption.<\/p>\n<p><strong>Turn on AIP Features<\/strong><\/p>\n<p>Four features should probably be enabled at this stage. 
Note \u2013 each one has some considerations, so ensure you read the documentation fully.<\/p>\n<ol>\n<li>Labelling of Office 365 Groups\/Teams\/SharePoint Sites<\/li>\n<li>Labelling in SharePoint and OneDrive<\/li>\n<li>Set up Log Analytics to collect logs<\/li>\n<li>Optional &#8211; enable Trainable Classifiers scan in your environment<\/li>\n<\/ol>\n<p>Here is a table with links and a bit of background on each.<\/p>\n<table border=\"0\" width=\"100%\" class=\"minimalistBlack\">\n<thead>\n<tr>\n<td width=\"53%\">\n<p>FEATURE<\/p>\n<\/td>\n<td width=\"46%\">\n<p>DESCRIPTION<\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"53%\">\n<p>Implement AIP in Teams, SharePoint and 365 Groups (Preview Feature)<\/p>\n<p><a rel=\"noopener nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/sensitivity-labels-teams-groups-sites?view=o365-worldwide\" target=\"_blank\" data-anchor=\"?view=o365-worldwide\">https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/sensitivity-labels-teams-groups-sites?view=o365-worldwide<\/a><\/p>\n<p>and<\/p>\n<p><a rel=\"noopener nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/users-groups-roles\/groups-assign-sensitivity-labels\" target=\"_blank\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/users-groups-roles\/groups-assign-sensitivity-labels<\/a><\/p>\n<\/td>\n<td width=\"46%\">\n<p>When creating or editing an object based on a 365 group, a classification label can be applied to the entire site. 
This can do the following:<\/p>\n<ol>\n<li>Make the connected Team site public or private in the organisation<\/li>\n<li>Block or allow guest access<\/li>\n<li>Control access from unmanaged devices<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"53%\">\n<p>Enable AIP in SharePoint, OneDrive and Office on the Web (Preview Feature):<\/p>\n<\/td>\n<td width=\"46%\">\n<p>Users will be able to label documents from Outlook on the web as well as OneDrive. Search and other functions will work as expected for protected files.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"53%\">\n<p>Setup of Log Analytics for AIP: <a rel=\"noopener nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/reports-aip\" target=\"_blank\">https:\/\/docs.microsoft.com\/en-us\/azure\/information-protection\/reports-aip<\/a><\/p>\n<\/td>\n<td width=\"46%\">\n<p>Allows logging of AIP-related activities so you can start to get intelligence about Information Protection in your environment.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"53%\">\n<p>Run a \u201cTrainable Classifiers\u201d scan across your environment:<\/p>\n<p><a rel=\"noopener nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/classifier-getting-started-with?view=o365-worldwide\" target=\"_blank\" data-anchor=\"?view=o365-worldwide\">https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/classifier-getting-started-with?view=o365-worldwide<\/a><\/p>\n<p>Go to compliance.microsoft.com -&gt; Data Classification -&gt; Trainable Classifiers (preview)<\/p>\n<\/td>\n<td width=\"46%\">\n<p>Microsoft has introduced \u201cTrainable Classifiers\u201d (E5 Feature) which should allow businesses to scan their environment to find information to<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Investigating Shadow 
IT<\/strong><\/p>\n<p>Shadow IT is when users in your environment are using toolsets or services not sanctioned by the business (Dropbox, Box, or other file-sharing Software as a Service (SaaS) offerings). When data is shared like this, it can become a huge problem for IT, as it is virtually undetectable after it has been shared. Sometimes it&#8217;s common knowledge, but where it&#8217;s not, there are some strategies which can identify where Shadow IT exists:<\/p>\n<ul>\n<li>Firewalls or firewall logs &#8211; it may be necessary to import these into something like <span><a rel=\"noopener nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/enterprise-mobility-security\/cloud-app-security\" target=\"_blank\">Microsoft Cloud App Security<\/a><\/span> (MCAS) to provide insights into how information or data is being shared, and by whom.<\/li>\n<li>Endpoint protection such as <span><a rel=\"noopener nofollow\" href=\"https:\/\/www.microsoft.com\/en-au\/microsoft-365\/windows\/microsoft-defender-atp\" target=\"_blank\">Defender ATP<\/a><\/span> \u2013 this will automatically log all activity and present it in MCAS, including access to Shadow IT services<\/li>\n<li>Web filters or proxies \u2013 these products are like firewalls in that they log web traffic and can be connected to MCAS<\/li>\n<\/ul>\n<p>Once you have a picture of Shadow IT, you can use it to ascertain whether there is information risk and take action, either by integrating AIP with these products (lots of integration options are available) or by blocking their use completely by marking them \u201cnon-sanctioned\u201d.<\/p>\n<p><strong>Taxonomy Definition<\/strong><\/p>\n<p>In detailing a customer&#8217;s taxonomy we use guidance from Microsoft &#8211; who have been doing this for a long time &#8211; from their <span><a rel=\"noopener nofollow\" 
href=\"https:\/\/www.microsoftpartnercommunity.com\/t5\/Australia-Security-Compliance\/Announcing-our-white-paper-designed-to-help-your-organization\/td-p\/17378\" target=\"_blank\">whitepaper<\/a><\/span>. <span>Your experience and definitions may differ significantly!<\/span><\/p>\n<p><span>To start, we defined some basic labels which are simple to identify and use, and not too specific; these are then updated in the Walk and Run phases. The basic definitions are:<\/span><\/p>\n<ul>\n<li><span>Non-business<\/span><\/li>\n<li><span>Public<\/span><\/li>\n<li><span>General (or General Business)<\/span><\/li>\n<li><span>Confidential<\/span><\/li>\n<li><span>Highly Confidential (in some cases)<\/span><\/li>\n<li><span>All Employees \u2013 accounts within 365, excluding guest accounts<\/span><\/li>\n<li><span>Recipients Only \u2013 defined at the time of labelling<\/span><\/li>\n<li><span>Finance \u2013 Finance only<\/span><\/li>\n<li><span>Executives \u2013 Execs only<\/span><\/li>\n<\/ul>\n<p><span>We frequently find a case for an unencrypted confidential label too, which could be something like \u201cCommercial in Confidence\u201d or similar, so business processes which require confidential information to be shared externally without encryption can still operate.<\/span><\/p>\n<p><span>This is just a start to allow us to begin the process!<\/span><\/p>\n<p class=\"P-NumHeading3\"><strong>Generating the Policies and Framework<\/strong><\/p>\n<p><span>Now that we have labels, policies can be used to assign them to people. We have found it is easiest to put the labels everyone will get into the Global policy, then define additional label policies for the extra labels certain groups need.<\/span><\/p>\n<p><span>We then begin creating the Information Protection<\/span><span> one-stop-shop reference guide for everything information protection, rather like a design document. It has your requirements, taxonomy and policies all wrapped into a single place. 
Parts of this framework can then be used to build end-user enablement material, to help them on their journey as well.<\/span><\/p>\n<p><span>We laid out our framework using the Microsoft document referenced in the Taxonomy Definition section, and our document had these headings:<\/span><\/p>\n<ul>\n<li><span>Drivers<\/span><\/li>\n<li><span>Design considerations<\/span><\/li>\n<li><span>Architecture (components used in our deployment)<\/span><\/li>\n<li><span>Classification Framework<\/span>\n<ul>\n<li><span>Label Framework<\/span><\/li>\n<li><span>Classification policies<\/span><\/li>\n<li><span>Classification security controls<\/span><\/li>\n<li><span>Data Loss Prevention<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span>Cloud App Security<\/span><\/li>\n<li><span>Implementation Plan<\/span>\n<ul>\n<li><span>Crawl<\/span><\/li>\n<li><span>Walk<\/span><\/li>\n<li><span>Run<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"P-NumHeading3\"><strong>Getting Users Involved<\/strong><\/p>\n<p class=\"P-BodyText\"><span>Once your framework has the majority of the policies and you have implemented them, it\u2019s time to cut the relevant parts out of the framework document and give users a picture of how and when to classify. Here is an example:<\/span><\/p>\n<p class=\"P-BodyText\"><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/22\/2021\/02\/insentra_hughroberts_06102020_2_img1_v3.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/91cbe5781f0c483ca55ca95ec68b1af0\" title=\"\"><\/p>\n<p><span>Deploying the Unified Labelling client isn\u2019t strictly necessary at this stage, as all new versions of Office software (and Office on the Web, if enabled) provide the ability to assign sensitivity labels to documents.<\/span><\/p>\n<p><strong>Note<\/strong> <span>\u2013 <a rel=\"noopener nofollow\" 
href=\"https:\/\/download.microsoft.com\/download\/7\/1\/2\/712A280C-1C66-4EF9-8DC3-88EE43BEA3D4\/Azure_Information_Protection_End_User_Adoption_Guide_EN_US.pdf\" target=\"_blank\">The Microsoft AIP end-user adoption guide<\/a> is extremely helpful in developing your end-user comms. It contains an FAQ and lots of examples which you can use for your environment, including:<\/span><\/p>\n<ul>\n<li><span>A table explaining \u201cWhat encryption means\u201d which aims to answer the question \u201cwhat happens when I assign the different encryption levels?\u201d<\/span><\/li>\n<li><span>A classification flowchart to assist users in classification decisions.<\/span><\/li>\n<\/ul>\n<p class=\"P-BodyText\"><span>The next step in getting users involved is an information campaign to let them know about the service. Use your preferred methods for getting this information out; we recommend email, all-hands (town hall) meetings, team meetings, etc. Don\u2019t forget to encourage feedback on AIP, as some users may have a suggestion for a label or a project which needs additional care.<\/span><\/p>\n<p class=\"P-NumHeading3\"><strong>Implement DLP Policies with Monitoring<\/strong><\/p>\n<p class=\"P-BodyText\"><span>To help users begin to identify sensitive data which may exist, it is possible to use DLP tooltips and monitoring for data sent externally that contains the sensitive information types you are using, such as the built-in sensitive information types.<\/span><\/p>\n<p class=\"P-BodyText\"><span>An example of how DLP can help here is setting up an alert when a credit card number is shared externally, then monitoring this over time and making an informed decision about whether additional controls are required. 
You can view all this information in a mailbox or Cloud App Security, if you have E5.<\/span><\/p>\n<p class=\"P-NumHeading3\"><strong>Implement Torsion Level 0<\/strong><\/p>\n<p class=\"P-BodyText\"><span><a href=\"\/au\/services\/technology-partners\/torsion\/\">Torsion Information Security (TorsionIS)<\/a> is an information governance product which seamlessly integrates with the user experience of your Office 365, Teams, SharePoint and Windows file shares.<\/span><\/p>\n<p class=\"P-BodyText\"><span>When connected to your 365 tenant, Torsion with AIP and MCAS provides further insights into who has access to what information, and more importantly \u201cwhy\u201d. To begin with, Torsion is implemented at what we call \u201clevel 0\u201d, which is fundamentally a Torsion tenant authenticated and connected (a one-off process) to your 365 tenant for visibility and insights only (who has access).<\/span><\/p>\n<p class=\"P-BodyText\"><span>So, where AIP helps classify data you already have access to, Torsion will determine if you should have access, honour the classification, and enforce controls.<\/span><\/p>\n<p class=\"P-BodyText\"><span><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/22\/2021\/02\/insentra_hughroberts_06102020_2_img2.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/913d69dd4e8f40f78b63f9f208d1e95a\" title=\"\"><\/span><\/p>\n<p>And with that we move into the Walk phase, which you can read about in <a rel=\"noopener\" href=\"\/au\/insights\/geek-speak\/secure-workplace\/azure-information-protection-deployment-part-3\/\" target=\"_blank\">part 3<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In part 2 of our series, we identify the Crawl steps in our deployments to get the correct services and settings in place and importantly, get users involved as we start to gain visibility into your environment. 
THE CRAWL In the crawl phase we achieve the basic requirements; or foundation, for getting the service live&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/secure-workplace\/azure-information-protection-deployment-part-2\/\">Continue reading <span class=\"screen-reader-text\">Azure Information Protection &#8211; Deployment &#8211; Part 2<\/span><\/a><\/p>\n","protected":false},"author":57,"featured_media":1702,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/users\/57"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/comments?post=1701"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1701\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media\/1702"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media?parent=1701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/categories?post=1701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/tags?post=1701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}