New Zealand | Enhancing Microsoft 365’s Information Security Governance

Joseph Cirillo - 18.11.2022


Information is a valuable asset. As the volume of information, along with the number of interconnected organisations and individuals, continues to rise, so do the risks and costs of security breaches. Just as we protect our personal possessions with such measures as locks, alarms, and safes, so must we adopt a focused approach towards the protection of our information assets. 

What can a business do to protect itself from the risk of a data breach or leak? The Microsoft Purview family of data protection solutions can help keep data safe with a range of products and services for unified data governance, information protection, risk management, and compliance. Microsoft Purview is composed of 18 products and services; this blog focuses solely on Information Protection and Data Loss Prevention.

Native Microsoft Solutions 

Microsoft Purview Information Protection (MIP) can discover, classify, and protect sensitive information wherever it lives or travels. Combined with Microsoft Purview Data Loss Prevention (DLP), configured to identify, monitor, and protect sensitive items, organisations can prevent users from accidentally or intentionally sharing sensitive information such as financial data, proprietary data, credit card numbers, health records, or social security numbers. 

Capabilities of MIP and sensitivity label policies include: 

  • Deploy a classification taxonomy to end users and give them the ability to apply these labels to documents and emails. Labels can also be applied automatically, or recommended to the user, based on sensitive information found in the document or email 
  • Use the applied sensitivity labels as a condition for data loss prevention use cases 
  • Mark the document or email sensitivity with a header, footer and/or watermark. This makes the data sensitivity visible to anyone who consumes the document, whether within an app, via the web or as a hard copy 
  • Apply sensitivity labels to SharePoint Online sites, Teams sites, and groups, providing another layer of control at the container level 
  • With encryption, control who can consume content (for example: only company employees plus approved partners) and which permissions they have (for example: Read but Do Not Print or Edit) 

Capabilities of DLP policies include: 

  • Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Windows 10 devices, and Microsoft Defender for Cloud Apps. For example, you can identify any document containing a credit card number that is stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people 
  • Prevent the accidental sharing of sensitive information. For example, you can identify any document or email containing a health record that is shared with people outside your organisation, and then automatically block access to that document or block the email from being sent externally 
  • Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word applications. Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office programs 
  • Help users learn how to stay compliant without interrupting their workflow. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy 
  • View DLP alerts and reports showing content that matches your organisation’s DLP policies. To view alerts and metadata related to your DLP policies you can use the DLP Alerts Management Dashboard. You can also view policy match reports to assess how your organisation is complying with a DLP policy. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported 
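As an added example (not code from the original post, nor from Microsoft or AvePoint), the Security & Compliance PowerShell calls that set up the label and DLP capabilities in the two lists above: a marked and encrypted sensitivity label, its mandatory label policy, and a DLP policy whose rules use a sensitive information type and the applied label as conditions. The tenant domain contoso.com, the partner domain fabrikam.com and all object names are constructed, and the policy advanced-setting keys and the label-condition hashtable follow the cmdlets' documented forms.

```powershell
# Added example (not from the original post): Security & Compliance PowerShell calls
# that set up the MIP label and DLP capabilities listed above. Assumes the
# ExchangeOnlineManagement module, a Compliance Administrator account, and the
# constructed domains contoso.com (the tenant) and fabrikam.com (an approved partner).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. "Confidential" label: visible marking (header + watermark) and encryption that
#    lets employees edit but restricts the partner domain to view-only (no edit/print).
#    Rights use the documented "identity:RIGHT,RIGHT;identity:RIGHT" syntax.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Internal business data; approved partners read-only" `
    -ContentType "File, Email" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Confidential - contoso.com" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.com:VIEW,EDIT,DOCEDIT,PRINT,EXTRACT;fabrikam.com:VIEW"

# 2. Publish it to all users; labelling becomes mandatory and lowering a label needs a
#    justification (both are label-policy advanced settings).
New-LabelPolicy -Name "Confidential-all-users" -Labels "Confidential" -ExchangeLocation All `
    -AdvancedSettings @{ mandatory = "true"; requiredowngradejustification = "true" }

# 3. DLP policy across Exchange, SharePoint and OneDrive, started in test mode so matches
#    are reported and users see policy tips before anything is actually blocked.
New-DlpCompliancePolicy -Name "Protect-Confidential" -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

# Rule A: items with a credit card number shared outside the organisation are blocked,
# owner and last modifier are notified, and the tip allows an override only with a
# business justification (overrides then show up in the DLP reports).
New-DlpComplianceRule -Name "Block-external-credit-cards" -Policy "Protect-Confidential" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText "Card numbers found: external sharing is blocked for this item." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent Title,DocumentAuthor,Detections

# Rule B: the applied sensitivity label is itself the DLP condition, so anything carrying
# "Confidential" stays inside the organisation whatever its content.
New-DlpComplianceRule -Name "Keep-Confidential-internal" -Policy "Protect-Confidential" `
    -ContentContainsSensitiveInformation @{ operator = "And"; groups = @(
        @{ operator = "Or"; name = "Default"; labels = @(@{ name = "Confidential"; type = "Sensitivity" }) }) } `
    -AccessScope NotInOrganization -BlockAccess $true

# Move to enforcement once the test-mode reports look right:
# Set-DlpCompliancePolicy -Identity "Protect-Confidential" -Mode Enable
```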

With both MIP and DLP, the features and capabilities available to an organisation are dependent upon the subscription plan level purchased. The following table shows the services that are activated for the Microsoft 365 (M365) E3 and E5 subscription licenses.

 Microsoft 365 feature                                                     E3   E5
 Azure Information Protection Plan 1                                       •
 Azure Information Protection Plan 2                                            •
 Manual, default, and mandatory sensitivity labeling in Office 365         •    •
 Automatic sensitivity labeling in Office 365 apps                              •
 Manual labeling with the AIP app and plugin                               •    •
 Automatic labeling in the AIP plugin                                           •
 Automatic sensitivity labels in Exchange, SharePoint, and OneDrive             •
 Sensitivity labels based on Machine Learning/Trainable Classifiers             •
 Sensitivity labeling for containers in Office 365                         •    •
 Data Loss Prevention (DLP) for emails & files                             •    •
 DLP for Teams chat                                                             •
 Endpoint DLP                                                                   •
 Basic Message Encryption                                                  •    •
 Advanced Message Encryption                                                    •
 Customer Key                                                                   •

NOTE: Some tenant services are not currently capable of limiting benefits to specific users. To better understand which licenses provide the rights for a user to benefit from the service, please review the Microsoft 365 guidance for security & compliance article. 

Enhance Native Microsoft Solutions 

While Microsoft’s built-in controls are powerful, it can be challenging for organisations that have complex requirements to enact the fine-grained use cases they require, such as: 

  • Control external sharing without restricting it for everyone 
  • Easily keep track of who has access to what 
  • Manage and enforce membership for Teams without spending tons of time maintaining and reviewing settings (operationalize and scale common tasks) 
  • Understand what sensitive content has been overshared, or which users may have too much access 
  • Review anonymous links periodically to expire or remove them 

Additional information governance challenges with the built-in controls include: 

  • The inability to view and report permissions broadly across all Microsoft 365 workspaces 
  • No interface to provide a comprehensive view of who has access to certain kinds of information 
  • No way to prioritize sensitive information based on exposure or location 
  • Can be difficult to apply and keep track of the many policies in ways that scale with the organisation’s growth while still meeting the needs of the users 

One available solution to address the above limitations is AvePoint’s Policies and Insights (PI) for Office 365. PI helps organisations understand permissions, security, and controls across Teams, Groups, SharePoint, and OneDrive. PI also uses sensitive information types, including personally identifiable information, HIPAA data, or financial information, to prioritise issues for action. Automated rules can be set to correct out-of-policy sharing and permission changes. PI’s policies combine rules to do the heavy lifting, tailoring enforcement based on context. 

PI key benefits and features include: 

  • Monitor and Enforce Security Control
    • Create rules for your organisation, either starting from scratch or choosing from 30+ pre-loaded rules built on best practices
    • Configure rules for access, external sharing, white/black list, tagging, versions, and more  
    • Easily monitor rules, best practices, or policy compliance 
  • Automate M365 Security and Access Policies
    • Easily enforce security and compliance policies for permissions and access controls – including for external users 
    • Revert or notify of configuration drift and security issues automatically 
    • Access and repair violations in bulk with just a few clicks 
  • Demonstrate the Impact of Ad-hoc & Automated Security Fixes
    • Time-based security dashboards demonstrate business impact of administrative actions
    • Track risk score over time to demonstrate your Microsoft 365 security posture
    • Centrally audit admin activity to track improvements across Teams, Groups, SharePoint, and OneDrive 

The following table demonstrates some scenarios where Microsoft’s controls end, and how PI enhances the native solution.

The exposure: Extensive anonymous links 
The fix: Set anonymous links to expire after “X” days; don’t allow anonymous links outside your organisation 
Native capabilities: Active Directory sharing settings, SharePoint/OneDrive admin centre settings, or PowerShell. Admins must report on, investigate, then remove links in bulk (requiring PowerShell) or individually. Time intensive to track, then maintain as a process. Needs constant monitoring 
AvePoint advantage: Near real-time reporting provides understanding of the amount of anonymous sharing links and where they provide access, as well as which ones may be increasing risk. Policies help contextualise which Teams may or may not allow such access. Automated with alerts. Requires occasional tweaking 

The exposure: Sensitive documents with large numbers of users with access, including external users 
The fix: Restrict which Teams can house “sensitive” data; prevent guest users from accessing these Teams 
Native capabilities: Create retention or sensitivity labels and apply sensitivity policies via manual tagging (automatic with E5). Control provisioning via PowerShell, or audit Teams to apply external sharing controls at the Team level. Time intensive to track, then maintain as a process. Will need occasional/frequent auditing paired with user training and retraining. Dependence on users will result in uneven execution 
AvePoint advantage: In near real time, view a prioritised list of documents with the most sensitive data shared with the most users first. Tweak policies such as ownership restriction or limiting external sharing to restrict access without hindering collaboration. Automated with reporting and notifications. Requires occasional tweaking 

The exposure: Excessive owners in your Teams/Groups 
The fix: Restrict Teams provisioning; control which users can become owners of Teams; control how many owners may exist for any set of Teams 
Native capabilities: Not possible to restrict in Microsoft 365. Possible to apply Teams provisioning controls with PowerShell, or audit Teams via the admin centre or PowerShell to restrict ownership. Change unauthorised “Owners” to “Members”. Time intensive to track, then maintain as a process. Will require frequent auditing and many manual corrections 
AvePoint advantage: Apply contextual, dynamic controls to who can be an owner of workspaces. For example, only Directors or above can create a Team that allows external sharing. Then, automate enforcement of that policy. Use tagging, naming, or user AD properties to scale the policy. Automated with reporting and notifications. Requires occasional tweaking 

The exposure: Difficult to understand the purpose, and validate correct use, of workspaces that have external users or sensitive data 
The fix: Force contextual labels on Teams upon provisioning; automatically apply labels to Teams already existing in Microsoft 365; audit collaboration activity 
Native capabilities: Create sensitivity labels and policies, or a Teams classification schema, that can be manually applied by users, and audit for accuracy. Follow up with users themselves to confirm proper use and manually update as needed (auto-apply sensitivity labels with E5). Time intensive to maintain as a process. Requires auditing and user training 
AvePoint advantage: Force one or more labels onto Teams and workspaces based on context according to organisational needs. Easily monitor and prioritise secure collaboration and contextualise reporting based on this information. Automated with reporting and notifications. Requires occasional tweaking 

The exposure: Large number of external/guest users in Teams 
The fix: Report on anonymous sharing links and external users; audit which external users are accessing sensitive content 
Native capabilities: Audit Active Directory for external and guest users, compare with PowerShell access and activity audits as well as DLP/sensitivity definition results to understand behaviour. Very time intensive. Requires many manual updates and needs to be performed frequently 
AvePoint advantage: Near real-time reporting of external users, which ones have activity creating risk, and their access to sensitive content. Apply policies to control which Teams and workspaces allow external sharing. Automated with reporting and notifications. Requires occasional tweaking 

The exposure: No one has a real sense of whether security and governance processes are actually reducing risk and errors over time 
The fix: Compile and analyse historical reports; produce trend reporting that shows the increase or decrease of risky activity and why 
Native capabilities: Compile results of security audits and quantify risky activity and exposure to sensitive information. Compare audit results and exposure reports to activity reports to understand whether users are improving their behaviour based on your corrections. Time consuming with lots of manual analysis, and may require creating visualisations from data 
AvePoint advantage: Insights automatically surfaces near real-time snapshots of security and exposure, but also shows tailorable, trimmed reports to digest whether risky activity is increasing or decreasing, how that activity is taking place, and which solution actions have helped decrease it. Minimal time is spent gathering automated report data from solution activity over time 
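As an added example (not part of the original table, nor AvePoint’s or Microsoft’s code), the native PowerShell route that the “extensive anonymous links” row describes: tenant-level link expiry, a report of sites that allow “Anyone” links, an audit-log summary of anonymous link activity per site so the riskiest workspaces surface first, and bulk remediation. The tenant name contoso, the admin account and the /sites/public- exception are constructed assumptions.

```powershell
# Added example (not from the original post): the native PowerShell route the table
# describes for the "extensive anonymous links" exposure. Assumes the
# Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, a
# SharePoint admin account, and the constructed tenant name "contoso".
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Import-Module ExchangeOnlineManagement
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Tenant-wide guardrails: anonymous links expire after 30 days, the default link
#    type is scoped to people in the organisation, and anonymous links are view-only.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 `
              -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 2. Report: which sites allow "Anyone" (anonymous) sharing at all.
$openSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability
$openSites | Format-Table -AutoSize

# 3. Investigate: anonymous-link creation and use over the last 30 days from the
#    unified audit log, summarised per site so the riskiest workspaces come first.
$start = (Get-Date).AddDays(-30); $end = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations AnonymousLinkCreated,AnonymousLinkUsed |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }
$events | Group-Object SiteUrl | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = "Used"; e = { ($_.Group | Where-Object Operation -eq "AnonymousLinkUsed").Count } } |
    Format-Table -AutoSize

# 4. Remediate in bulk: block "Anyone" links on sites that should never allow them (the
#    constructed rule here is "every open site not under /sites/public-"), while keeping
#    authenticated external sharing so collaboration with named guests still works.
$openSites | Where-Object { $_.Url -notmatch "/sites/public-" } | ForEach-Object {
    Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
}
```

Steps 2 and 3 are the report-and-investigate part of the row; run them on a schedule and compare the per-site counts over time, since the table's point is that this only stays effective as a repeated process.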

Final Word on Effective Information Protection 

Many information workers rely almost exclusively on digital tools to do work and conduct business. Given the repercussions and cost of an information security breach to a business, information protection is not just desirable; it should be a high priority for management. Having a clear means of identifying the risk or likelihood of a breach is important, and mitigating this risk through proper insurance planning, such as bolstering the Microsoft native tools with AvePoint Policies and Insights, will fortify the company should such a breach occur. 

As always, we’re here to help. If you need any assistance, please contact us
