Once you have completed all the basics in Crawl we go through our Walk steps, which is what we are covering in part 3 of this blog series. Here, we are customizing the solution to your business and can start to put proper protection into place.
WALK
In the walk phase, we build upon the foundation by:
- Reviewing label usage
- Defining company-specific sensitive information types
- Implementing Cloud App Security (E5 feature)
- Applying default and automatic (E5 feature) labelling
- Implement DLP policies
- Optional – Move to Torsion Level 1
Defining Company Specific Sensitive Information
This may also be useful in Crawl.
Now we have users interacting with the service, information from analytics and trainable classifiers, we should be able to gather these insights and make some informed decisions on what sensitive information might be out there and how we might identify it. Some might be obvious like company records, purchase order numbers, customer numbers, document titles and others might show up, like personally identifiable information (PII) or Financial information (PCI).
Implementing Cloud App Security (E5 Feature)
If you have E5, then hooking up MCAS to your Information Protection data is an amazing way to present the data in a single place – once data is flowing you can take actions based on logs to alert, control, block or whatever you want based on the data. Right now, implementing it for visibility is probably a good start, then you can look to control AIP through MCAS later on.
Now, using Cloud App Security you can also connect other SaaS applications into AIP, ensuring data in places like Box or Google Drive can also be classified.
Review the Data
Important: It is crucial to do a review of the analytics provided as part of AIP in the compliance center and/or Cloud App Security console. This can help you refine or tune the current installation to get further insight into some of the next steps and actions.
Applying Default & Automatic Labelling
Now people are getting used to labelling documents its time to assign a default label. You can change the default label based on the labelling policy you apply to people, so people in high-risk areas of the business may have a higher classification. Normally we don’t want to make this a problem for the majority of users, so picking a label without encryption might be a good start for the majority of users. Then you can ask for a justification when a label is downgraded – which you should investigate when alerted.
E5 Feature – Further to this, if you have E5 you can turn on automatic labelling throughout the tenant (in specified locations – still in preview) and in the clients. If you enable it in the client it will either recommend or just change the label when someone opens .
Note – Turning on the Office 365 automatic labelling feature takes a while to run its simulation but after its run and you have ensured no false positives or negatives, it will automatically classify documents without having the document open.
Implement DLP Policies
After reviewing DLP logs and feedback from users you should have a good understanding whether false positives or negatives are still an issue. After you have refined things you can start to change the tooltip/monitor policies into manual override, send for approval and have many other options at your disposal to assist with data loss prevention.
Implement Torsion Level 1
Moving to Torsion implementation level 1 builds upon the visibility provided by connecting Torsion to 365. Now we can see who “has access” through machine learning, determine access behaviors to determine “who” should own the data. Torsion can poll individuals in the business to determine ownership and provide detail on who has access. This makes it easy for the information owner to determine legitimate, or stale access and resolve accordingly. The critical thing here is we are building on the foundation of “ownership and access”. With AIP and MCAS in place and appropriate labels and classifications defined, we are now able to enforce policies based on sensitivity and legitimate access.
And just like that we are ready to move into the Run phase, read on to part 4 as we conclude our AIP deployment blog series.
