Most companies have now started to realize that they need to improve how important and sensitive information is protected in Microsoft 365 and beyond. This could be sensitive market information, commercial information, information about customers and staff, and other information that should not leave the organization.

Why information protection:

• 34% of data breaches involved internal actors (Verizon).
• 70% of intellectual property theft occurs within 90 days of an employee’s termination notice (Richard Agnew, Infosecurity Magazine)
• 88% of IT workers have stated that they would take sensitive data with them if they were fired (CyberArk Trust, Security and Passwords Survey 2008)
• 63% of employees have indicated that they brought data from their former employer to their current employer (Code42 2019 Global Data Exposure Report)

The first step in improving information protection is to identify the type of information that should be protected (know your data). Many companies have therefore implemented a policy that all information should have a security / confidentiality classification, e.g. OPEN, INTERNAL, RESTRICTED, CONFIDENTIAL.

Common security classification problems we often see:

• Inconsistent usage results in a lot of unclassified information
• Incorrect security classification is used by users
• Suboptimal protection settings that create a false level of security
• Interoperability issues due to different security classifications
• Strong focus on cybersecurity, external attacks, while the risk of insider risk grows

Start therefore by evaluating if your security classification model should be simplified and improved.

Best practices for security classification

Here are some emerging best practices for security classification models:

1. Establish only a few top-level classification levels – The fewer the options, the easier it will be for users and machines to pick the correct security classification, e.g. OPEN, INTERNAL, RESTRICTED, CONFIDENTIAL.
2. Only have sub-levels when this is justified – Security classification models may have sub-classes, e.g. CONFIDENTIAL – EXECUTIVES. Only implement this when this require a separate protection or permission, e.g. only accessible to executives.
3. Consider linking access to security classification levels – It may be easier for users to select the correct classification level if they understand who will have access, e.g. INTERNAL is available for all staff, RESTRICTED is only available for some staff, CONFIDENTIAL is only available for named users.
4. Ensure the naming makes sense for users – Ensure users really understand what the different labels means, e.g. OPEN is information that can shared outside your organization, vs INTERNAL is information that can be shared widely inside your organization
5. Identify key words and phrases for each classification level – This will make it easier for users and machines to classify information correctly.
6. Ensure users only see relevant security classification levels – Users should only see relevant security classification levels for them. If OPEN means that it may be shared with everybody outside your organization, then only some users will have this mandate. If CONFIDENTIAL is highly sensitive, then only users with the appropriate background check should be able to use this level
7. Decide if users should classify all information, or only exceptions – Requiring users to classify all files will improve the maturity of the organization, but it will require more work by users. An option is to set default security classifications on systems and workspaces, and then get users to only take action when the security classification level is different per file. The latter is more difficult to implement, and the impact is often that sensitive information is not classified correctly.
8. Establish increased protection levels per classification level – Start by defining how information with the lowest security level classification will be protected, then what additional protection will be for next level, and so on.
9. Find the correct balance between openness and control – Ensure staff have access to relevant information while that sensitive information is protected.
10. Define use cases for external sharing of sensitive information – External users can access protected information when you want this to happen

Ensure also that all users are well aware of whom to contact when not sure of security classification/identify a risk for a document/workspace

Case study: UK government

The UK government used to classify information into UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, and TOP SECRET. They realized that the system was designed for paper-based records, and not easily adapted to modern government work and not widely understood. The UK government therefore changed their security classification model to three classification levels: OFFICIAL, SECRET, and TOP SECRET. This is simpler than the old model, and there is no direct relationship between the old and new classifications. “Unclassified” is deliberately omitted from the new model. Government agencies are not expected to automatically note existing data, so there may be cases when organizations working under the new system still handle some data labeled according to the old system. Aggregation does not automatically trigger an increase in protection marking. For example, a database with thousands of records that are individually OFFICIAL should not be marked as a SECRET database. Instead, information owners are expected to make controls decisions based on a risk assessment, and should consider what the aggregated information is, who needs access to it, and how.

The OFFICIAL classification covers up to 90% of public enterprises, including most policy development, service delivery, legal advice, personal data, contracts, statistics, case files and administrative data. Particularly sensitive OFFICIAL information will be checked through local handling schemes that reinforce the principle of “need to know”. The SECRET classification concentrates security resources on particularly sensitive defense, diplomatic and other assets requiring protection against increased threats. The TOP SECRET classification will continue to provide extremely high levels of protection for exceptionally sensitive assets. Very little change is expected to be applicable top-secret standards and procedures.

Almost all personal information/data will be handled within OFFICIAL without reservation or description. Personal data/data shall only be managed in the SECRET classification where the context guarantees defense against an increased threat profile, e.g. In most cases (except where other special sensitivity considerations apply) personal data and sensitive data, as defined by the DPA, will be handled within official without reservation or description. All information must be subject to appropriate protection. There is no assumption of unfettered access at any level in the classification policy, although the principles of openness, transparency and reuse of information must be considered. All personal data/information is subject to the “need to know‟ principle and it is the responsibility of information owners (IAOs) to ensure that this is enforced with respect to personal data/information for which they are responsible.

An OFFICIAL-SENSITIVE classification level warning should be used where the “need to know” must be enforced most strictly, especially where information may be shared outside of a routine or well-understood business process. For example, where loss or compromise of information can have seriously harmful consequences for an individual or group of individuals – it is a clear and justifiable requirement to reinforce the “need to know principle” particularly strictly across the organization. Only under very specific circumstances to identify certain categories of information already considered OFFICIAL-SENSITIVE. The description should be used in the format : ‘OFFICIAL-SENSITIVE [DESCRIPTOR]’

Microsoft Information Protection Best Practices

Microsoft Information Protection (MIP) is a Digital Rights Management (DRM) solution from Microsoft. DRM solutions embed protection directly into digital files, protecting the file regardless of where it’s stored or with whom it’s shared. This is different and complementary to more traditional security measures, like document management access controls.

MIP components:

• ‘Sensitivity labelling’ – Confidentiality Classification levels/labels are embedded into the digital file and travel with it.
• ‘Protection’ – MIP protected files can be configured to apply encryption (differing levels of permissions e.g. read-only, update etc) and access controls that are embedded into and travel with the digital file.

MIP primary benefits:

• Data Loss Prevention (DLP) – Microsoft DLP technologies readily integrate with MIP labelling and will improve the identification and prevention of sensitive information leaving organisation boundary via digital means (email, file transfer etc.)
• Impact reduction – MIP protection means that even if any individual in the world population receives an MIP protected file, only those users within the protection/access control group, can open the file.

Data Loss Prevention

Discover user and application behavior to prevent accidental sharing of sensitive data

Please note that in areas with privacy regulations, you can only start monitoring user behaviour until you have an approved reason for doing so. As part of establishing an DLP program, you need to define with Legal and Data Privacy Officers the process for when this can be enabled.

Impact Reduction

Scenario 1 – without MIP

• The document is removed from the secure SharePoint environment – current on-premise
• The document is not secured and can be sent to any recipient via a variety of methods – email, sharing from OneDrive etc.
• Recipient receives document via the chosen sharing method.
• The document is able to be sent further afield. Even if the original email was encrypted using secure mail, the document is able to be saved and able to be sent on to furthermore recipients unhindered.

Scenario 2 – with MIP

• The document is removed from the secure environment – SharePoint Online – The document maintains MIP security attached to the document.
• The document can be sent to any recipient via a variety of methods – email, sharing from OneDrive etc.
• Upon receival, only those with access to the MIP label are able to open and view the contents of the file.
• Even if the viewer decides to forward the document to other users, the recipients will not be able to open the document without appropriate permissions. The permissions can also be modified at any stage.

Automation is key to success

We can leverage Microsoft Sensitive Information Types, Trainable Classifiers, Syntex, and Metadata to automate the identification of sensitive data.

For users, it means the following options:

• Automated – Policies set by IT automatically classify and label documents according to the data they contain. The policies automatically apply protection. User receives notification of the automatic labeling.
• Recommended – Policies automatically classify and label documents according to the data they contain. User receives notification and can change the label.
• Reclassification – Users can reclassify the data or remove the label. Policy can optionally require users to provide a justification; it is audited
• User-set – Users can manually classify the document. User classification determines which labels and protections automatically apply.

At Infotechtion, we recommend the following journey to improve the protection of information in Microsoft 365 and beyond leveraging all available E3 and E5 features.

Contact us to learn more about this.