We are amid a global shift from purely on-premises information technology infrastructure to hybrid environments. Many enterprises are moving pieces of their corporate email and file sharing infrastructure to the cloud where Microsoft Office 365 is the clear market leader. Using Office 365 alongside on-premises data stores introduces data security and governance challenges that must be addressed in the era of mega breaches and strict privacy regulations.
Through this whitepaper, we will walk through the basics of data protection and inadvertent disclosure prevention in Office 365 using MS Native Controls; and assist you to comply with business standards and industry regulations.
Enforcing Tenant Access Controls
There is a defined perimeter of our Office 365 instance, but the perimeter must be redefined with the following cloud-native constructs:
Strong Authentication Using MFA – MFA and password less sign-in provide adequate protection against the attacks where password complexity is less useful. Organizations with all Azure Active Directory licensing levels should evaluate Azure Active Directory (AD) security defaults — a preconfigured set of security settings — and configure, if needed to quickly protect all users with MFA using the Microsoft Authenticator app at no additional cost.
Azure AD Conditional Access Policy (CA) – Conditional access is an Azure AD feature that provides authenticated users granular context-based access. It’ s an Azure AD Premium P1 feature. Conditional access policies trigger after the first-factor authentication (typically username and password) is completed successfully. To keep the user within the session, conditional access app control replaces all the relevant URLs within the app session with Microsoft Cloud app security URLs.
Service-specific Controls
App enforced restrictions provide unmanaged devices functional-limited access to Exchange and SharePoint to enable collaboration while minimizing data exfiltration risk.
Limited Access with SharePoint Online – Use conditional access app enforced restriction policy to prevent Azure AD from issuing an access token to the unmanaged device, to block unmanaged device access to SharePoint and utilize PowerShell to configure the SharePoint site-level policy.
Limited Access with Outlook on the Web – Restrict the ability for users using Outlook on the web to download attachments from email to an unmanaged device.
Office 365 Data Loss Prevent on (DLP)
With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Centre, we can identify, monitor, and automatically protect sensitive information across Office 365.
With a DLP policy, we can:
- Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.
- Prevent the accidental sharing of sensitive information.
- Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word.
- Help users learn how to stay compliant without interrupting their workflow.
- View DLP alerts and reports showing content that matches your organization’s DLP policies.
OAuth App Control
OAuth app control allows you to review which cloud apps have access to your Office 365 tenant, what permissions they have, the risk level of the cloud apps, manually revoke risky apps access to your Office 365, or define a policy to revoke access automatically.
Customer Lockbox
Customer lockbox lets Office 365 customers approve a Microsoft support engineer’s request to access customer data, in response to an open service request. Each data access request needs to be approved by a Microsoft support manager first, then routed to a customer-designated approver for approval using the customer lockbox.
Microsoft Information Protection (MIP)
Microsoft Information Protection (MIP) is Microsoft’s native unified intelligence and extensible offering for all workloads, including Office 365, using both Azure Information Protection (AIP) and Windows Information Protection (WIP) we can provide the following functionalities:
- MCAS File Policy – Initiated Labelling and Protection
- SharePoint Service – Initiated Labelling and Protection
- Office Apps and Office Web App – Initiated Labelling and Protection
- Content Label – Sensitivity Label Can Be Applied to Emails or Documents, Manually or Automatically
- Container Label – Sensitivity Label for SharePoint Online Site or Teams
Insider Risk Management
Microsoft announced Insider risk management can help you and your organization to promptly identify and remediate insider threats and risks such as digital IP theft or confidentiality breaches while maintaining a principled approach to privacy.
Data Classification Service (DCS)
Microsoft Data classification service is the key capability that enables MIP and other Office 365 services to automatically inspect content and identify various types of sensitive information, a process known as classification. DCS supports multiple classification techniques across a variety of policy enforcement points (PEPs).
Kanoo Elite has several years of experience in providing strategic and tactical technology support for many clients in the Middle East.
Our Managed Digital Operations services provide various flavours of managed IT services for customers through a combination of onsite, nearshore and offshore skills with state-of-the-art tools for proactive operations management. Kanoo Elite, unlike a traditional managed services provider, also assists our clients in transforming their business while managing their Information Security risks.