Managing sensitive content is no easy task. Especially when we have so many content and even more ways of storing and sharing these. How can we make sure that the sensitive content is sufficiently protected but without undermining the usefulness of all the platforms we use to store it?
All these cloud apps
Some time ago a CloudTech research estimated that more than 15% of European organisations use more than 1000 cloud apps, with Google Drive, Facebook, and Twitter the most popular. And those are just some examples. Nowadays we also have Dropbox, Box, OneDrive, to name but a few. I did a little checking using Microsoft Cloud App Security and filtered all cloud applications for Productivity and Content management. I was presented with more than 1.100 apps.
And nice to notice that all these Microsoft apps have a perfect 10 score 😊. But kidding aside, there’s a lot of ways our employees can store and share information. Even if it’s (highly) sensitive information.
Leaving all (public/paid) cloud application aside, even within the organisation itself it can be difficult. Employees are confronted with a multitude of options. Let’s assume that an organisation has moved to Office 365 and is starting to use Exchange, SharePoint Online (or Office Groups/Microsoft Teams) and OneDrive for Business. Let’s also assume that this organisation still has a lot of file shares and is using We transfer to share content with external parties. How can we create a solution which ensures that sensitive content is properly handled and protected?
In this article I want to focus on bringing together Azure Information Protection and Office 365 to create a secure solution for working with sensitive content.
Why this focus?
Let me explain why I choose this focus. In some previous articles I wrote about the discrepancies between Office 365 and Azure Information Protection. One very clear issue was the use of the term “Label”. In Office 365 we now have data governance labels (or CompliancyTags), but Azure Information Protection also uses the term “Label”. And these are clearly not the same.
Then there is the site-classification in Office 365. Although you can use this classification to mark specific site-collections (for example: Confidential), there still is not a lot of additional functionality behind this classification.
A small time ago I figured I was going to write an article on this. I was planning to bring the functions together in a more logical arrangement. But this was no longer needed. In this excellent article by Microsoft you get an overview of SharePoint, data governance and Azure Information Protection working together. And this document goes even further with Office 365 information protection options for GDPR.
Based on the Microsoft article
Please read the Microsoft article, it gives some great insights into creating a secure environment. But do note this part of the article:
Use these recommendations as a starting point and adjust the configurations to meet the needs of your organization.
That part does make sense, of course. And it triggered me to write this article. What if you have an organisation wanting to implement the recommendation? What would be a working scenario? So, based on the Microsoft article, I bring you: the Human Resources department.
Let’s assume that our organisation has moved to Office 365. The Human Resources department want to ensure that sensitive content is protected from a variety of threats;
- Incidental leakage
- Non-incidental leakage
- Non-authorised access to content
- Non-awareness of working with sensitive content
to name but a view.
Some details on HR
The HR department has been provided with a SharePoint Online site-collection [site]. Access to this site is provided by adding the Active Directory security group (HR) to the SharePoint members group.
This site and the SharePoint groups are managed by the IT department. Sharing of content is allowed, although some members of HR are sceptical about this. Anonymous sharing has been disallowed.
Before moving to SharePoint Online, the HR department worked on a secure file-share. Access to the file-share is protected using the Active Directory group. This file-share is still used very actively. All members of HR have been provided with a OneDrive for Business account with limited storage and no external sharing options.
There is awareness on storing content outside of the organisation and this is not allowed. But members of HR do have the need to share some content within the organisation and with external parties.
IT is asked to implement a more secure solution for sensitive content to address to possible threats of data leakage and unauthorised access. The IT department starts work on this solution. Please note though that is still working on implementing additional security measures like conditional access to the HR site and mobile device management (so I won’t have to cover these in this article 😊).
The solution’s number one requirement is to safeguard the sensitive information of the HR department. HR stores this content in SharePoint Online, but also in the legacy file-share environment. Some information needs to be shared with external parties, in a secure way.
The solution uses Azure Information Protection for classifying, labelling and protecting the content, including secure messaging. The SharePoint site provides additional protection and Office 365 data governance labels provide data loss prevention and retention.
Azure Active Directory is one of the main components in the solution. It provides the security group for securing the SharePoint site and file-share. It is also used to create a scoped Azure Information Protection policy.
Azure Information Protection
One of the main components of the solution is Azure Information Protection [AzureIP]. The organisation uses a generic AzureIP labelling scheme. Because AzureIP enables so-called scoped policies, a separate policy is created for the HR department.
Based on discussion with the HR department, IT works out the required labels for AzureIP. These labels have different settings. Some will display a visual marking on any Office document, while some will also protect the document. Some labels will automatically detect the content and apply the relevant label.
All content within the HR department will have the “HR-Confidential” label applied as default. This is part of the HR scope policy setting.
Because a lot of content is still available on the file-share, the new AzureIP scanner is configured. This scanner is set to scan this file-share and label any content with the default AzureIP label. If needed, a different label may be applied if the scanner automatically detects the relevant content.
The specific HR labels offer additional protection to the content. The default label allows members of HR to modify the content, but all other employees can only view the content. Any “secret” HR content can only be accessed by members of the HR department.
Using AzureIP allows the HR department to work with any content and store it on any platform. The protection and classification are always part of the content itself. But the organisation is moving towards Office 365. Which means that content will be stored in SharePoint Online.
SharePoint Online and Office 365
Based on the recommendations from the Microsoft article, the organisation already has a site-classification scheme. This scheme is used to map certain information protection measures with the type of site, but is also used to create awareness for the employees.
On a global level, the organisation uses four generic and distinct classification labels. These range from Public to Secret. Based on that classification scheme (also used in AzureIP), the type of sites is mapped.
Based on the content classification of the HR department, its site falls into the “Confidential” classification. This classification states that SharePoint IRM or AzureIP is to be used for sensitive content. Because the HR department will use AzureIP (because of the file-shares), SharePoint IRM will not be used in their site.
To ensure data governance within the whole Office 365 environment, generic data labels have been introduced. For HR specifically an additional label has been added: “HR Confidential”. This label is set to retain the content for seven years.
Within the HR site, this label is automatically applied to all content in the document library. Any new document library is provided by the IT department, which configures this label as-well.
The label is also used to provide a data loss prevention rule. In SharePoint the sharing of content is allowed, but only with specific domains. If a sharing action is detected, the DLP rule will (at first) disallow it. But this can be overwritten with a business reason.
Working with external parties
Securing the content within the organisation is a challenge, but can be managed by Office 365 and AzureIP. But there are cases when members of HR will need to share content with external parties. And this might be sensitive information or non-sensitive information.
A quick side note before I go on…..
When you use AzureIP to protect the document, this document is encrypted using the required identities. These identities are stored in Azure Active Directory. If I send an AzureIP protected document to firstname.lastname@example.org then John needs to have an Azure Active Directory account. If not, then John can request a temporary Azure RMS account. This is important when talking about working with external parties.
Using AzureIP and Office 365 the sensitive information is now protected within the organisation. But in this scenario, when someone from HR sends an AzureIP protected document to someone outside of the organisation, this person will not be able to open the document.
There are ways to solve this of course. For example, add the external parties to the AzureIP protection configuration. In our scenario, the IT department is looking into this.
For the time being, the other option is to send attachments using Office 365 message encryption which adds additional protection to an e-mail with a click of a button. One standard option is to disallow forwarding, printing or copying of the content. In this article I describe how this works in more detail.
To ensure that the message cannot be forwarded, but the attachment can be opened, the HR members will need to select the appropriate AzureIP label. Which is “HR – No protection”. This will not encrypt the document. Then it is sent using secure messaging.
This is a very lengthy blog article. I was prompted to write it because of the Microsoft post on securing Office 365 (SharePoint) environments. But it still is somewhat of a puzzle to solve. Just to recap. In order to really help our HR department, we are going to use:
Protect sensitive content = AzureIP Data loss prevention = Data governance labels, Data loss prevention rules Access to file-share and SharePoint = Active Directory group Secure messaging = Office 365 message encryption
We will need a strict governance plan and enforcement of the rules. The HR employees will require support and help with the required choices. And we will need to consider some of the drawbacks of this scenario.
For one: what about PDF’s stored in the SharePoint document library? These documents will not be automatically classified and labelled by AzureIP. The good news is, that PDF’s can be classified, labelled and protected using the AzureIP client. And Adobe and Microsoft are working on AzureIP integration with the Adobe clients.
Another drawback is Office Online. AzureIP protected content cannot be opened using any of the online versions of Office. But the good news here is, that AzureIP is going to be integrated into Office Online.
And for this article I did cut some corners. I could have gone into detail on Azure AD identity protection, conditional access policies, mobile device management, and much more. I hope that this article provides enough information for now, but do know that Office 365 combined with Azure and/or EMS provides for a very secure solution.