Protecting your data with Microsoft 365

Unfortunately, in this age the risks to your organisation's data are many. They may be external, from hackers, malware or specifically ransomware, or internal, such as intentional or unintentional data exfiltration by your own employees. Protecting your data is critical to ensuring you stay in business and out of the spotlight for the wrong reasons.

The last thing any CIO needs is a data breach and the fines, damage to reputation and loss of intellectual property that come with it. The worst part of this is that it affects every organisation, from the most highly regulated banks to the small retail business. After all, we all have important information now, and we all have to adhere to data protection compliance regulations such as GDPR.

So, we all have data, but how do we approach the task of managing it?

  • Firstly, it is important to know your data. What data do you have and where is it stored? What type of data is it? You need to classify it.
  • Apply protection including encryption, access restrictions and visual markings.
  • Prevent oversharing of sensitive information, whether intentional or unintentional.
  • Automatically retain, delete, and store data and records in a compliant manner.

This all sounds like a lot of work already, a rock you may wish you had never looked under. Luckily for us, Microsoft 365 gives us a wealth of technologies that can help protect our data, whether it is held on-premises in our data centre or in the cloud.

Let us explore a little into the various data protection products that are available within Microsoft 365.

Microsoft Information Protection

Information Protection allows organisations to discover, classify, label, and protect sensitive documents and emails, whether stored in the data centre or the cloud. Once you have configured your labels, such as “General”, “Confidential” and “Highly Confidential”, you can associate protection rules with those classifications. For example, you can prevent a “Highly Confidential” document from being sent outside your organisation, or from being printed or forwarded beyond its intended recipient.

Microsoft Information Protection works seamlessly within the Microsoft Office applications such as Word, Excel and Outlook, but it also works nicely with PDFs and other file types. It will protect your data in SharePoint, OneDrive, Exchange and Teams, and can be set up to scan and protect your on-prem or Azure server data.

Information Protection has evolved over time and has had various names over the years; however, they pretty much refer to similar services. So, if you see “Microsoft Information Protection”, “Information Protection”, “Azure Information Protection”, “Azure Rights Management”, “MIP”, “AIP”, or “RMS”, they pretty much equate to the same product, but like rings in a tree stump they tell a story of its evolution over time.

At times it may seem like Microsoft are changing product names as quickly as the wind changes direction, though that’s not quite the case. Microsoft Information Protection is an improvement upon Azure Information Protection and thus an evolution of Rights Management. Think of Microsoft Information Protection as Azure Information Protection extended to cover data stored on devices as well as email, SharePoint, OneDrive, and Teams. Microsoft Information Protection goes the extra mile to cover the end-user device aspects and is therefore a more end-to-end data protection solution.

There are two tiers of Information Protection. Plan 1 (E3) allows you to classify and protect documents as stated above. The higher tier, Plan 2 (E5), adds auto-classification, which removes the possibility of a user intentionally or unintentionally classifying data incorrectly.

Data Loss Prevention

Data loss prevention (DLP) allows you to prevent certain types of data from leaving the organisation. These types of data may include national insurance numbers or credit card numbers. It can be set up to prevent data from leaving, or to notify you of data that has left. DLP can work standalone or arm-in-arm with Information Protection.

There is also a higher tier plan with DLP called “Communication DLP for Teams” which blocks chats and channel messages that contain sensitive information.

Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives your organisation visibility into its use of cloud apps and services, and provides analytics to identify and protect against cyber threats. It also allows you to control how your data travels across cloud applications. MCAS is a powerful tool when connected into your existing estate. It can use the data from your firewalls or web proxies to understand exactly what your users are doing, especially what they are doing with your data, and what shadow applications or services they may be using without your knowledge.

Insider Risk Management

Insider risk management is a solution that helps minimise and prevent internal risks. It enables you to detect, investigate and act upon risky activities happening within your organisation. Analysts can quickly review detections and implement actions to ensure users are compliant with your standards and data is protected accordingly.

Microsoft Information Governance

The last of our favourites among the Microsoft 365 data protection products is Information Governance. Retention is hugely important in the GDPR age, and Information Governance allows you to control data across your applications, looking beyond Microsoft and into third-party applications such as Facebook, Twitter, LinkedIn, and WhatsApp. There are many third-party connectors which work to control your data in several ways:

  • Retention
  • Litigation hold
  • eDiscovery
  • Records management
  • Communications Compliance

What licensing options do I have?

There are a lot of different licensing plans and add-ons that you can choose from, so this can be confusing. I’ve created the following table to try and help explain the options.

| Product | EMS E3/A3 | EMS E5/A5 | Microsoft 365 E5/A5 | Microsoft 365 E3/A3 | Microsoft 365 E5/A5 Compliance | Microsoft 365 E5/A5 Info Protection and Governance | Microsoft 365 E5/A5 Insider Risk Management* |
|---|---|---|---|---|---|---|---|
| Information Protection Plan 1 | Y | Y | Y | Y | Y | Y | X |
| Information Protection Plan 2 (Auto classification) | X | Y | Y | X | Y | Y | X |
| DLP | X | X | Y | Y | Y | Y | X |
| Communication DLP for Teams | X | X | Y | X | Y | Y | X |
| Microsoft Cloud App Security | X | Y | Y | X | Y | Y | X |
| Insider Risk Management | X | X | Y | X | Y | Y | Y |
| Microsoft Information Governance | X | X | Y | X | Y | Y | X |

* Microsoft 365 Insider Risk Management also licenses several other compliance products not mentioned in this post, such as Communication Compliance, Information Barriers, Customer Lockbox and Privileged Identity Management.

** Microsoft 365 E5 Compliance licenses everything in the table plus the Insider Risk Management and other great compliance features, all of which we will cover in another article around compliance management.

 


 

This article was written by Matt Fooks, boxxe's Workplace Pre-Sales Solutions Architect.