How to Identify Your Enterprise’s High-Level Sensitive Data with Microsoft

By Seán O’Farrell

Too often companies engage with Security professionals when a breach has occurred. They rush to resolve it as quickly as possible without thinking of how to prevent it from happening. Instead, organisations should be considering building a Security Road Map.

Here are some technical aspects that need to be considered if enterprises are to best leverage the Microsoft security suite. Generally speaking, the current high-level challenges that we come across often when speaking with EMEA clients, are:

  • GDPR
  • Personally Identifiable Information
  • Freedom of Information (for Irish Public Services)
  • Client sensitive information
  • Intellectual Property

The Microsoft Information Protection Suite

Microsoft’s Information Protection solutions such as Data Loss Prevention (DLP) are crucial in the protection of data, especially when the following Microsoft technologies are all implemented:

  • Office365 DLP
  • Azure Information Protection
  • Cloud App Security
  • Conditional Access
  • Intune Application Protection Policies
  • Windows Information Protection
  • Intune managed Bit Locker
  • Azure ATP
  • Windows Defender ATP
  • Office365 ATP

All of these technologies will help build a hardened stance against cyber threat. But when companies fail to define what sensitive data, customer or personally identifiable information types they are hosting, they quickly find themselves in the murky waters of becoming data uncompliant.

How do you identify all of the high-level sensitive information types?

My recommendation is to start with Azure Information Protection (AIP) scanner with Azure Log Analytics integration in discovery mode to assess your environment.

When I present the results of the analysis to my customers regarding their data analysis, they often have mixed reactions. Firstly, there’s delight that they can have instant business intelligence reports on their data. Then the delight is followed promptly by the worry that they are uncompliant. This process outlined below will hopefully allay the fear around compliance.

Begin with a small amount of possible sensitive information types that has been configured as part of an Azure AIP Scanner policy integrated into Azure Log Analytics.

How to configure the Azure Information Protection policy

Once this data is enabled, it empowers a business to slowly start defining what data is critical to the business and their customers. A good first sensitive information type to start with is a credit card number to familiarise the organisation’s staff on how to use this service.

TIP: To assign the responsibility to one person to review 30TB of data will not be productive. Azure role-based access control can be implemented so that Department Heads or Compliance Officers only review data that they have the right to review.

Defining sensitive information types and then continuing to update your sensitive information type library will be an ongoing process which should also include the process of upskilling existing employees. The engagement becomes difficult if the customer does not have the required Microsoft Cloud and desktop operating system versions.