How to Protect and Monitor Your Sensitive Data in Office 365

Written by Jessica Northey

With Office 365, Microsoft corporate users can access and share data from anywhere, on any device, and be more productive by using all of its collaboration features. On the other hand, it’s easier to inadvertently share sensitive information with others both inside and outside of the company. Read more to learn how Microsoft handles these challenges. 

To manage security risk, Microsoft IT created a solution that uses the Office 365 Management Activity API and the data loss prevention (DLP) features of Office 365. It also includes a custom governance solution to help protect data.

The solution gathers data about sharing from:

  • Microsoft Exchange Online
  • SharePoint Online
  • OneDrive for Business
  • Azure Active Directory

Microsoft Power BI dashboards visualize the data to show how Microsoft corporate users share information. Microsoft data handling policy states that sensitive business information must be encrypted both at rest and in flight. When users share it externally, they are accountable for who they share it with.

The Microsoft solution audits the following types of sharing:

Regulated information. Regulated information includes government identification numbers such as social security numbers and passport numbers, financial data such as credit card numbers and financial records, or medical information. Regulated information must always be protected by encryption.

Business information. At Microsoft, sensitive business information is called High Business Impact (HBI) data. Users can store HBI data on SharePoint Online and OneDrive for Business if they comply with Microsoft policies for HBI data storage and transmission; however, to share HBI content externally, users must get a policy exception from the Microsoft IT security and privacy team.

Low Business Impact (LBI) and Medium Business Impact (MBI) data is permitted on SharePoint Online and OneDrive for Business with no special approval. Users must review all classifications to understand how to classify, protect, and handle data that they create, and ensure that it is properly categorized for use at Microsoft.

Detecting Inappropriate Sharing

Organizations subscribing to Office 365 can use DLP to detect regulated and sensitive information that users share. In addition, Office 365 provides audit data for all file-related events, such as open, upload, download, and delete. Organizations can access audit data through the Office 365 Security and Compliance Center and use search and PowerShell to get different views. They can also use Office 365 APIs in custom solutions. 

Site Classification and Labeling

AutoSites, the custom governance solution, requires site owners to classify SharePoint sites according to the type of information that may be posted on them: LBI, MBI, or HBI. When creating a new site, the site owner picks the type. This applies the appropriate security settings to the site and labels it according to its classification. The levels of information are clearly defined in the user interface.

Email messages

Both DLP and AutoSites send email messages to users who share too much, as follows:

DLP for Office 365. If a user shares regulated information on SharePoint or OneDrive for Business or in an Exchange Online email message, the DLP system locks down the document or rejects the message. It then sends an email message letting the user know about it. The email message contains the same information as the Policy Tip. If there’s a valid business reason to share the information, the user can request a policy override.

AutoSites. When a user shares other types of sensitive information, such as usernames and passwords, AutoSites sends an email message asking the user to correct the issue. AutoSites also sends an email message to a user who shares HBI information on an LBI or MBI SharePoint site, or one that has no label. The SharePoint site owner receives the same message.

Rather than pointing out that users are doing something wrong, the AutoSites messages are positive. If a user doesn’t change the sharing behavior on SharePoint or OneDrive for Business, AutoSites automatically delivers another message. If the user and the site owner still haven’t corrected the issue after receiving three email messages, the site is locked down. If the site remains out of compliance, it is removed.
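The sharing audit and the three-notice escalation described above can be sketched as follows. This is an added example, not Microsoft's or AutoSites' code: the record fields are modeled on the Office 365 Management Activity API audit schema, and the site inventory, exception list, sample records, and the rule that flags unlabeled sites are assumptions constructed for illustration.

```python
import json
# Constructed audit records; field names are modeled on the Management
# Activity API SharePoint sharing schema and are assumptions here.
SAMPLE_AUDIT = json.loads("""[
 {"Operation": "SharingSet", "UserId": "alice@contoso.example",
  "SiteUrl": "https://contoso.example/sites/finance",
  "TargetUserOrGroupType": "Guest"},
 {"Operation": "SharingSet", "UserId": "bob@contoso.example",
  "SiteUrl": "https://contoso.example/sites/finance",
  "TargetUserOrGroupType": "Member"},
 {"Operation": "AnonymousLinkCreated", "UserId": "carol@contoso.example",
  "SiteUrl": "https://contoso.example/sites/scratch"},
 {"Operation": "FileDownloaded", "UserId": "dave@contoso.example",
  "SiteUrl": "https://contoso.example/sites/finance"},
 {"Operation": "SharingInvitationCreated", "UserId": "erin@contoso.example",
  "SiteUrl": "https://contoso.example/sites/legal",
  "TargetUserOrGroupType": "Guest"}
]""")

# Hypothetical inputs: site classification inventory and approved exceptions.
SITE_LABELS = {"https://contoso.example/sites/finance": "HBI",
               "https://contoso.example/sites/legal": "HBI"}
EXCEPTIONS = {("erin@contoso.example", "https://contoso.example/sites/legal")}
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"}

def find_violations(records, labels, exceptions):
    """Return (user, site, reason) for external shares that break policy."""
    hits = []
    for rec in records:
        op = rec.get("Operation")
        if op not in SHARING_OPS:
            continue  # open/upload/download/delete are audited but not sharing
        external = (op == "AnonymousLinkCreated"
                    or rec.get("TargetUserOrGroupType") == "Guest")
        if not external:
            continue
        user, site = rec.get("UserId"), rec.get("SiteUrl")
        label = labels.get(site)
        if label is None:  # assumption: unlabeled sites are flagged
            hits.append((user, site, "site has no classification label"))
        elif label == "HBI" and (user, site) not in exceptions:
            hits.append((user, site, "HBI shared externally without exception"))
    return hits

def next_action(notices_sent, site_locked):
    """Escalation from the article: three notices, then lock, then removal."""
    if site_locked:
        return "remove_site"
    return "lock_site" if notices_sent >= 3 else "send_notice"
```
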
