Enhancing secure collaboration with new user-defined permission support

Microsoft has recently implemented a significant architectural change in SharePoint Online and Microsoft Teams, allowing us to consume and collaborate on user-defined RMS-protected files. But what does this mean, and how can it simplify our organization’s ability to collaborate securely on sensitive information? Historically, files protected with custom permissions could only be opened in locally installed Office applications, and collaborative editing was not feasible. This limitation hindered collaboration on highly sensitive data and required that all parties have a local Office installation.

While we still rely on locally installed Microsoft 365 apps like Word, PowerPoint, and Excel for encryption, the introduction of custom permissions lets users decide who has access, and what level of access, for specific documents or presentations. These permissions can be assigned to internal users and groups, as well as to external users and entire organizations. Consider the following examples where sensitive information needs protection:

  • Read-only rights for everyone at an external law firm.
  • Full rights for the management team by assigning them to an existing group.
  • Editing rights for an external board member.

The user can now select the appropriate sensitivity level and define custom permissions.


When selecting Custom Permission in the current M365 apps, users must navigate to More Options to precisely configure permissions for users, groups, or domains.


A glimpse into the future is provided by the M365 Beta channel design, offering a clearer and more intuitive interface for defining Custom Permission.


With these new capabilities, files can now be saved and shared via OneDrive/SharePoint/Teams, preventing unauthorized downloads and enabling simultaneous access and editing by multiple users.

For instance, an external user opening the file in Word Online is prevented from downloading, copying, or printing it. The counterpart needs no installed application, and because file downloads are blocked, the data stays protected.

From an encryption/decryption standpoint, this marks a significant paradigm shift. Encryption using this feature is currently limited to locally installed M365 apps; thus, Teams and web apps cannot be used to protect these files, and are solely intended for consumption.

This is still significant news for the many organizations that have been waiting to offer this capability to their business. We can now offer collaboration while still tightly controlling who accesses the information and with what rights. With this online support, we can share and collaborate on a document without requiring any software from our counterpart. Files can now be opened in any web browser for editing or consumption. The protection always follows the file wherever it is stored, with all access logged and controlled through Microsoft Entra ID.

As always, it’s imperative to have robust processes in place for managing encrypted data. User-defined permissions necessitate even higher standards, particularly during offboarding procedures. Therefore, it’s essential to review and refine these procedures before expanding encryption capabilities.

Posted in Microsoft Purview Information Protection

Detect Intrusions by combining Defender and Purview

Considering today’s increasingly sophisticated cyber threats, we need enhanced visibility to detect anomalies. We observe targeted attacks increasingly relying on infiltrating internal accounts and utilizing existing services to operate discreetly, evading security solutions. By leveraging Microsoft Defender’s various services, we can identify anomalies such as new login types and risky behaviors from devices, thereby increasing our ability to detect whether an account or device has been compromised and is being used by someone else. When it comes to early-stage detection of both data exfiltration by external actors and internal risks, we also need to identify anomalies in our information management. Similar to how Defender monitors logins, devices, and our services, Purview can offer equivalent functionality to identify anomalies in our information management.

Let me provide two examples:

  1. Utilizing Purview’s Information Protection suite, we can identify and safeguard sensitive information. Almost all sensitive information is normally protected by encryption accessible only to internal employees, ensuring that, regardless of where the file is stored, it is restricted and monitored for internal use only. In cases where this file needs to be shared with a partner, supplier, or customer, the employee needs to decrypt the file before sharing. This common practice, in itself, poses no risk.
  2. Purview’s Data Loss Prevention (DLP) primarily aims to support our users and raise awareness of the handling of sensitive data. Here, we can identify sensitive data and alert the user if this information is about to be stored on an unknown service, device, or shared externally. Again, in this scenario, the user might need to store or share certain sensitive information with an external partner or customer, which is a common practice.

Now combine these two examples with risk signals: if the same user who decrypts files also has a risky sign-in or otherwise deviates from the norm, we can detect abnormal behavior early, behavior that may indicate a compromised account or an internal user on the verge of leaking sensitive information.

Supplementing these decryption and DLP activities with risky or malicious behavior on the client, such as the presence of malicious code or the use of scripts/PowerShell while information is decrypted or moved out of the organization (as detected by DLP), lets us identify attempts to exfiltrate data via malicious code or scripts. This gives us a valuable opportunity to discern whether a compromised device is orchestrating the decryption/exfiltration through a script, rather than the user themselves.

While many organizations may not prioritize responding to low-risk alerts, such as a new type of login or abnormal behavior on an endpoint, and tend to focus on medium and high-risk alerts, we enhance our detection capabilities by combining various alerts and activities that identify different anomalies. This approach significantly boosts the likelihood of validating even low-risk alerts, enabling us to promptly identify both compromised accounts/devices (intrusions) and potential information leakage.

Techniques used to identify risky users/sign-ins come from Entra ID Protection and Defender for Identity, monitoring both Entra ID (Azure AD) and local Active Directory.

To identify malicious code or risky behavior on devices, Defender for Endpoint is used.

Activities for risky behavior, such as information decryption, come from Purview Information Protection.

Alerts for data exfiltration come from Purview Data Loss Prevention.

Techniques for combining these alerts/activities are done by connecting the services with Microsoft Sentinel’s various connectors and using KQL queries.

Here’s an example of how a KQL query can look to identify if a user has an identified risk within the last 24 hours and starts decrypting information:


There are several unique use cases with higher sensitivity where we also want to take action automatically to prevent further exfiltration. Examples include disabling the user account, preventing the compromised account or insider from logging into any service to continue exfiltration, or isolating the device to prevent further information leakage.

In these cases, we can further specify that if the document contains critical corporate information (detected through a custom Sensitive Information Type) or carries the sensitivity label for board materials/critical projects, we automatically act by disabling the account and/or isolating the device.
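As an added example (not the query from the original post), the following KQL covers both the risk-plus-decryption correlation described earlier and the escalation tier for board-material labels. It assumes the Sentinel tables AADUserRiskEvents and MicrosoftPurviewInformationProtection and their column names as written, treats removal of an encrypting label as the decryption event, and uses a placeholder label ID; the custom-SIT branch, which would come from DLP alerts, is not shown.

```kql
// Added example, not the query from the original post. Assumptions:
// - The Entra ID Protection connector feeds AADUserRiskEvents and the
//   Purview Information Protection connector feeds
//   MicrosoftPurviewInformationProtection in this Sentinel workspace;
//   column names below are assumed and should be checked against the schema.
// - Removing a sensitivity label that carries encryption is treated as the
//   "decrypt" activity; adjust the Operation list to your tenant's audit events.
// - boardMaterialsLabelId is a placeholder, not a real label ID.
let lookback = 24h;
let boardMaterialsLabelId = "<board-materials-label-guid>";   // placeholder
// 1. Users with an unresolved risk detection in the last 24 hours.
//    Low-risk detections are kept on purpose: the correlation is the signal.
let riskyUsers =
    AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | where RiskState in ("atRisk", "confirmedCompromised")
    | summarize RiskDetectedAt = min(TimeGenerated),
                RiskLevels = make_set(RiskLevel),
                RiskTypes = make_set(RiskEventType)
              by UserId = tolower(UserPrincipalName);
// 2. Decryption activity recorded by Purview in the same window.
//    OldSensitivityLabelId is the label the item had before it was removed.
let decryptEvents =
    MicrosoftPurviewInformationProtection
    | where TimeGenerated > ago(lookback)
    | where Operation in ("SensitivityLabelRemoved", "FileSensitivityLabelRemoved")
    | project DecryptedAt = TimeGenerated,
              UserId = tolower(UserId),
              Operation,
              ObjectId,
              PreviousLabelId = tostring(SensitivityLabelEventData.OldSensitivityLabelId);
// 3. Correlate: same user, and the decryption happened after the risk was raised.
riskyUsers
| join kind=inner decryptEvents on UserId
| where DecryptedAt > RiskDetectedAt
// 4. Escalation tier consumed by a Sentinel automation rule/playbook
//    (disable account, isolate device) when a board-material item was decrypted.
| extend RecommendedAction = iff(PreviousLabelId == boardMaterialsLabelId,
                                 "disable_account_and_isolate_device",
                                 "investigate")
| summarize DecryptedItems = make_set(ObjectId),
            FirstDecrypt = min(DecryptedAt),
            Actions = make_set(RecommendedAction)
          by UserId, RiskDetectedAt, RiskLevels = tostring(RiskLevels), RiskTypes = tostring(RiskTypes)
| order by FirstDecrypt asc
```

Run it as a scheduled analytics rule so the resulting incident carries the Actions column, which the automation rule can key on.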

In the past, it was said not to put all your eggs in one basket with security products; today, it’s exactly the opposite. We need security features that communicate with each other and techniques that can be combined to have a fighting chance of identifying and stopping sophisticated attacks and exfiltration attempts.

Thank you, Microsoft!

Posted in Microsoft Defender, Microsoft Purview Information Protection

Secure your Microsoft 365 Copilot Journey

Microsoft has just unveiled its groundbreaking innovation – Copilot, your everyday AI companion. This exciting launch promises to transform productivity by harnessing AI to analyze all the content to which a user has access within Microsoft 365’s suite of services.

However, before diving into the world of Copilot, it’s crucial to address two fundamental aspects:

  1. Data Accuracy: Is the information we have stored accurate and up to date?

  2. Data Security and Permissions: Have we ensured control over permissions and access to sensitive corporate information?

In this blog post, we’ll explore how you can kickstart your journey with Microsoft Copilot and ensure your data is both accurate and secure.

Data Accuracy with Microsoft Purview’s Data Governance:

One of the key elements in preparing for Microsoft Copilot is ensuring that your data is accurate. Microsoft Purview offers a powerful solution through its Data Governance functionality. Here’s how it works:

  • Data Lifecycle Management: With Data Governance, you can implement data lifecycle management processes. This means identifying and purging outdated data in your organization. For instance, data that hasn’t changed in 5-10 years or contains outdated, irrelevant information can be identified and removed. This not only enhances data accuracy but also reduces clutter, making it easier to manage your content.

Data Security with Microsoft Purview Information Protection:

The second critical aspect is securing your data and controlling access to it. Microsoft Purview Information Protection plays a pivotal role here:

  • Identify and Classify: Microsoft Purview Information Protection helps you identify and classify sensitive information within your organization. This includes data like financial records, personally identifiable information (PII), or any other information crucial for your business. This step is essential in understanding the types of data you’re dealing with.

  • Granular Access Control: With the classifications in place, you can enforce granular access control policies. This ensures that only authorized personnel can access specific locations like Teams or SharePoint sites, or individual labeled files that contain sensitive information. It adds an extra layer of security to your data.

Conclusion:

Microsoft Copilot offers tremendous potential to boost productivity by harnessing the power of AI to analyze your organization’s data. This groundbreaking AI companion, recently launched by Microsoft, promises to be a game-changer. However, the journey starts with ensuring data accuracy and security. By utilizing Microsoft Purview’s Data Governance for data accuracy and Information Protection for data security, you lay a solid foundation for a productive and secure experience with Microsoft Copilot. Embracing these tools will not only enhance your data management but also fortify your organization against potential data-related challenges. Get started today, and unlock the full potential of Microsoft Copilot while maintaining data accuracy and security.

Posted in Microsoft Purview Information Protection

Enhancing Information Protection in Microsoft 365 apps: Empowering Users, Safeguarding Data

The majority of information leaks occur through simple user mistakes, where sensitive information is shared with the wrong recipients. By increasing awareness of information handling among our end users, we can protect sensitive corporate information from leakage. The Microsoft (Office) 365 apps have come a long way and now complement many of our daily actions with information about the sensitivity level we are handling. AI integration with Microsoft 365 Copilot will enhance our productivity across Microsoft’s various services. Organizations that have already started with information classification and implemented Microsoft Purview Information Protection and Data Loss Prevention are well placed to increase awareness and ensure that sensitive information is handled correctly and restricted to authorized recipients, even in a Copilot scenario.

As I mentioned before, the AIP add-in has been disabled in new Office versions (2302/2303) and is now primarily intended for encrypting and consuming non-Office files such as images, text, etc.

Starting from Office 2302, sensitivity is displayed both when saving and sharing information. The default sharing settings in Teams/SharePoint entail several risks that most people are unfortunately unaware of. By default, it is allowed to further share documents, which means that if a sensitive document is shared with an employee, they can share the file with someone else. This can be prevented at the site level, where we can set files to be shared only by site owners, thus blocking this scenario, but it may also limit too much and hinder productivity.

By applying the appropriate protection level through Sensitivity Labels and RMS encryption, we can ensure that only the correct personnel can access information regardless of how it is shared and stored. Examples can be found in HR, Legal, R&D, and other departments where there are often predefined labels for their respective departments and their information. If there is extremely sensitive information that should only be accessed by specific individuals, groups, or organizations, we now also have support for Custom Permissions. The new interface makes it easy to apply the right protection and ensure that unauthorized individuals cannot access the document regardless of where it is stored.

Let me give an example, where a Confidential document that was previously encrypted for the whole organization is changed to give read-only rights to an organization and allow only two users to edit and modify the information. When sharing this document, we ensure that only authorized individuals have access to the information, thereby preventing unauthorized individuals from changing it or sharing it further.

When the user manages the file’s access, the file’s sensitivity level and who has received shared links are clearly visible.

If the external user, who only has read access, attempts to share it, this action is prevented by RMS (in the same way that they are unable to take a screenshot of the file).

Should someone with authorization still share the file, unauthorized individuals will be denied access when they try to open it.

This is a good example of how label protection prevents common file-sharing mistakes. Currently, only locally installed Microsoft 365 Apps can open files protected with "custom permissions," not cloud services such as Office Online/Teams. Hopefully, we will soon have support for this as well.

There are several advantages to no longer relying on the AIP add-in in Office (Microsoft 365 Apps). One use case we recently identified was the risk posed by Microsoft 365 Apps add-ins that can both access and store sensitive corporate data in unauthorized third-party services. The problem with Office add-ins is that they run in the user’s context and consequently have the same privileges as the user. Add-ins require macro access (OBJMODEL) to Office files in order to read their data, and historically, with the AIP add-in for Office, we had to allow macros on RMS-encrypted files to display label information. With the current built-in sensitivity support in Office, we no longer need macro support. This gives us the opportunity to prevent leakage of sensitive data with RMS encryption.

The following RMS permission example would encrypt Office files and emails for designated individuals, groups, and domains, limiting access to the specified individuals only and preventing Office add-ins from accessing the content:

We receive new enhancements with information protection with practically every new Microsoft 365 app release. Here are a few more examples.

Microsoft 365 Apps version 2303
Support was introduced for creating different types of labels and protection for files, emails, and meetings. This makes it easy to build a user-friendly design with names and descriptions for the rights and restrictions that apply in the app being used.

Microsoft 365 Apps version 2306
Expanded support is provided for organizations that are required to store data locally in SharePoint on-premises: the correct label and protection can now be applied to files stored in local SharePoint. Users, or automatic sensitivity labeling, can classify files saved in local SharePoint, ensuring consistent information protection across all of the organization’s data storage.

I hope this article has provided you with some new ideas. Feel free to comment and/or reach out if you would like me to write about any other scenarios within Purview.

Posted in Microsoft Purview Information Protection

Microsoft strengthens encryption within Microsoft Purview

A significant challenge for a software vendor like Microsoft is to develop new features while ensuring support for older software versions. The RMS encryption used in Microsoft Purview has been around for 20 years and was released alongside Office 2003. The major advantage compared to other encryption solutions is that the Office suite has built-in support that does not require any additional logins, certificates, or dependencies, as long as all parties are using Microsoft Office and can authenticate through Azure Active Directory.

Over time, the algorithms used in RMS have been strengthened. In 2011, the organization key moved from 1024-bit to 2048-bit RSA. The content key, which had previously used 128-bit AES in ECB block mode, was upgraded to 256-bit AES in CBC block mode. The content key enhancement came when support for encrypting file types beyond Office files was introduced. However, Microsoft could not strengthen the encryption used within Microsoft Office as long as there was a requirement to support Office 2010 and other apps and services that only support the older algorithm.

Two days ago, Microsoft announced that in August, they will be enhancing the encryption for all supported Office applications that utilize RMS encryption within Microsoft Purview. This enhancement includes increasing the content key encryption to 256-bit AES for Microsoft Office files and emails.


What do we, as customers, need to do?

This change will happen automatically through the online service and does not require any manual intervention.

Customers using on-premises services such as a local Exchange Server with an RMS connector need to ensure that they have updated these services.

If your organization has made customizations or developed custom applications or add-ins that utilize RMS encryption from Azure RMS, these need to be adapted for the change. Details about the required changes and options to disable this encryption change can be found here: Encryption algorithm changes in Microsoft Purview Information Protection

Posted in Microsoft Purview Information Protection

Protect sensitive meetings

Digital meetings have only increased recently. We save time and increase collaboration with the right type of skills in meetings regardless of where the participants are located.

When it comes to sensitive topics, some meetings are still held in person solely to reduce the risk of sensitive information being leaked. There is a lot of news within Microsoft Purview Information Protection that helps us protect sensitive meetings.

This includes, for instance, protection of Outlook meeting invites, where we can protect the invite itself and make sure that the invite and any attachments are protected. For instance, a sensitive internal meeting can be protected and restricted to internal access only, which blocks the meeting invite as well as any content/attachments from being forwarded or shared externally.

For a sensitive project, we can make sure that these meeting invites are restricted to the project’s members, regardless of whether they are internal or external.

Let’s take an example with a use case.

Business Case Project Delta
This is Project Delta, with sensitive information restricted to the project members. We need to make sure that all information and access are restricted to the project members only. The project leader is also the Team owner and can control access by adding/removing users in the team.
With the sensitivity label’s encryption configured for the same Microsoft 365 group as the project team, the members automatically get:

  • Access to the Team site
  • Access to protected project information (regardless of where these files are stored)
  • and now also the meeting invites

When the project leader wants to send an invite to a confidential meeting regarding the project, he applies the sensitivity label for the project and sends it to both external and internal members.
Sensitive project meetings are classified (labeled and protected) either manually or automatically based on sensitive project information.

The invite and any attachment will be protected so that only project members can access them. The company’s internal members are restricted by Exchange Data Loss Prevention (DLP) from sending the invites to anyone outside the project.
If someone within the company adds a non-project member to the invite by mistake, the sender is notified and the message is blocked.

The Exchange DLP rule looks for classified/labeled Project Delta emails and invites, as well as email content that matches a sensitive information type for the project. If such an email/invite is sent to anyone who is not a member of the project, it is blocked and the sender is notified by the rule’s configured policy tip.

With the sensitivity label we encrypt the information and define/restrict permissions like print, copy or forwarding. In this use case forwarding is allowed. But we still only allow access to the content for project members.

If the project leader sends this invite to an external project member, the external member has permission to forward the invite to another coworker. Thanks to the protection, the coworker (or anyone outside the project) can't open the invite or any attachments that may have been downloaded from it.

But let's say that this coworker should be part of the project as well as the planned meeting.
The only thing the project leader needs to do is add this member to the project Team.
This user can now open the meeting invite that was sent to him earlier (as well as any project files that have been shared and stored).

Control Teams meeting settings.
Based on the sensitivity, we can also define settings for the meeting itself. For instance, we can require end-to-end encryption or prevent copying of chat content for sensitive meetings.

Sensitivity label settings for Teams meetings and chats

Define meetings settings based on the sensitivity for the Team or channel.

We can predefine which meeting sensitivity should be set based on the sensitivity of the Team or channel.
In this case we have configured that meetings created from Secret Internal teams and channels are classified as Secret with internal restrictions.

For Project Delta, we can configure that meetings created within this team are automatically classified as Confidential and labeled for Project Delta with the correct permissions.

Note that enhanced protection settings for Teams require an additional license, as explained here.

Posted in Microsoft Purview Information Protection

Adaptive protection within Data Loss Prevention

Microsoft has just announced a public preview of adaptive protection within Data Loss Prevention (DLP).

What is this, and why is it important?
The main purpose of DLP is to increase awareness and prevent end-user mistakes. I would definitely not recommend starting a DLP journey by blocking users. The risk of blocking business actions is not only angry/frustrated users but also that they find other ways to do their work. This is where so-called shadow IT results in company information being created, stored, and shared outside the company’s IT environment.

The question is in what scenarios do we actually want to prevent and stop any possibility of leaking company information?

One example would be an insider risk where an internal user tries to leak internal secrets. Microsoft Purview Insider Risk Management is a great tool to identify these insider risks.

Adaptive protection is a new capability in Microsoft Purview that uses machine learning to protect data dynamically. It leverages the machine learning analysis in Insider Risk Management to detect risky user actions that may result in a data security incident, and automatically adds that user to a stricter data security policy, such as a data loss prevention policy that blocks specific activity. This is great because the protection policies adapt to user context, ensuring that low-risk users can maintain productivity while high-risk users have appropriate protection in place. Overall, this helps relieve part of the heavy burden of protecting data in a hybrid and rapidly changing environment.

Let’s look at the end-user experience. Here an internal user attaches company information to an email sent to a private email account. By default we notify the user about this kind of action, but the user can proceed and allow it.
But if an insider risk has been identified for the user, the exact same action is blocked with no way for the user to proceed.

How is this done?

In Insider Risk Management there is a new menu for Adaptive Protection. Here we can fine-tune the different risk levels, configure DLP policies, and monitor the service.

In our DLP rules, there is now a new condition available: user risk level. Today, the user risk level affects DLP policies for Endpoint and Exchange.



To achieve this scenario, we simply have two DLP rules. The first notifies the end user and recommends against the action when company information is extracted, using Block with override.

The second rule includes the same conditions plus the user risk level condition set to Elevated, and simply blocks all actions.

This shows that Adaptive protection in Microsoft Purview combines the content-centric controls of Data Loss Prevention with the people-centric context of Insider Risk Management. This helps organizations balance data protection and productivity. Adaptive protection leverages machine learning to gain user context and insights about risky activities that may result in security incidents. It automatically tailors the controls to the detected risk, so that organizations can enforce the most effective controls on the highest-risk users while everyone else works as usual.

Adaptive protection enables you to create more proactive and risk-adaptive DLP policies, so that organizations can contain the impact of exfiltration. Lastly, it helps SecOps teams reduce alert fatigue and the constant triage needed to identify the true risk. They can now protect more with less by leveraging the ongoing prioritization adaptive protection provides, which improves both effectiveness and efficiency.

Important: integrity within Insider Risk Management (IRM)

To maintain referential integrity, anonymization of usernames (if turned on) isn’t preserved for Adaptive Protection users whose alerts or activity appear outside Insider Risk Management. Actual usernames will appear in related DLP alerts and in the activity explorer.

Protect against external threats
Another action we normally use in our own playbooks is to combine DLP alerts with device or user risk from Defender and AAD Identity Protection to isolate devices or block users. This is most common for external threats, and it prevents information leakage in the same way: the compromised device is isolated so nothing can be extracted from it, and the hijacked account is blocked so nothing can be accessed (or shared) from that account.

Posted in Microsoft Purview Information Protection

Security summary for Microsoft Teams

We live in a new age of work. Even though the Covid pandemic is finally starting to subside, we have created a new way of working. Microsoft Teams has become an increasingly critical service for storage, communication, and collaboration, both internally and externally. We can see how the utilization rate keeps increasing across all types of organizations around the world.

During 2022 Microsoft Teams reached 270 million users worldwide, and over one million organizations use Microsoft Teams as their default messaging platform.

This also means that the threats increase at the same rate (just as with other services/platforms that take over the market). Where there are large numbers of users and sensitive information, the interest of criminal organizations grows.

With this article I want to highlight which services should be used to face this threat.

The Control panel

The Microsoft Purview Compliance portal can be seen as a control panel for the Teams platform. With the help of classifications set by sensitivity labels, we can design the different Teams and their channels based on purpose and sensitivity, controlling everything from guest access, file access, and file sharing to the requirements on which users and devices can access and download information.

The key is to make Teams easy to use and understand. After all, the greatest risk of information leakage is our end users. Make it easy to do the right thing and reduce the risk of user mistakes.


Microsoft Purview compliance portal – Microsoft Purview (compliance) | Microsoft Learn

Access and authentication

No one has missed that identity is the new perimeter and that Zero Trust is an important part of designing access. Based on the Teams design, we can and should control access with Azure Active Directory Conditional Access.

  • We can define requirements for devices, for example that only company-managed devices get full access to upload/download information.
  • We can and should require strong authentication such as multifactor authentication, which comes in different flavors. We can, for example, make it easier for end users with Windows Hello for Business or other passwordless solutions.
  • Most important of all within true Zero Trust, we should always verify the risk of the sign-in, the user, and the device. There is no trusted user, device, or network!
    With the signals from Azure AD Identity Protection and M365 Defender we get both behavior- and reputation-based control. Regardless of user, device, and network, we should block risky sign-ins both externally and internally.

One example is to require an internal user to change their password immediately when the account appears to be used by someone else. This automation shortens the breach window or completely stops a hijacked account from accessing our information.

Another example is to combine Conditional Access session control with Microsoft Defender for Cloud Apps to monitor and restrict access from non-managed devices. We can then still allow these devices but prevent sensitive information from being downloaded.
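The two Conditional Access examples above (forced password change for a risky user, and blocked downloads for non-managed devices via Defender for Cloud Apps) as policy definitions created with the Microsoft Graph PowerShell SDK. This is added example code, not from the original post; the break-glass group id is a placeholder and the report-only state is my assumption for a safe rollout.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# module is installed and an admin with Policy.ReadWrite.ConditionalAccess consent.
# The break-glass group id is a placeholder; both policies start in report-only
# mode so the impact can be reviewed in the sign-in logs before enforcement.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder, replace

# Policy 1: when Identity Protection marks a user as high risk (the account
# appears to be used by someone else), require MFA and a password change.
$riskyUserPolicy = @{
    displayName   = "Risky users: require MFA and password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"      # Graph requires passwordChange to be paired with mfa
        builtInControls = @("mfa", "passwordChange")
    }
}

# Policy 2: let unmanaged devices into Office 365 (Teams/SharePoint/OneDrive)
# through the browser, but route the session via Defender for Cloud Apps with
# downloads blocked.
$unmanagedDevicePolicy = @{
    displayName     = "Unmanaged devices: Office 365 without downloads"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                # Devices that are neither Intune-compliant nor hybrid Azure AD joined
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}

foreach ($p in @($riskyUserPolicy, $unmanagedDevicePolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```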



What is Conditional Access in Azure Active Directory? – Microsoft Entra | Microsoft Learn
What is Azure Active Directory Identity Protection? – Microsoft Entra | Microsoft Learn

Files and links

In addition to stolen identities, malicious files and links are still the most common attack route for criminal organizations to gain control of our environments. As our communication paths move from email to Teams, we also see an increase in malicious links and files arriving this way.
Microsoft Defender for Office 365 and the built-in virus protection in SharePoint Online provide:

  • Safe Links protection: URL scanning with rewriting of links and time-of-click verification for URLs within Teams conversations and files. The URL scanning is based on reputation and/or detonation, performed asynchronously in the background. This increases protection against both existing and newly arrived malicious links.
  • Virus scanning of uploaded files and virus control during download is done by SharePoint Online (which stores all files for MS Teams). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender for Office 365 provides an additional layer of protection for files that have already been scanned. Safe Attachments for Microsoft Teams helps detect and block existing files that are identified as malicious in team sites and document libraries.


Files in OneDrive for Business, with one detected as malicious.

Complete Safe Links overview for Microsoft Defender for Office 365 – Office 365 | Microsoft Learn
Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams – Office 365 | Microsoft Learn

Information Protection

A potential data breach isn’t the only risk companies face when it comes to unstructured data. Noncompliance with regulations can lead to civil or criminal prosecution for business owners or leaders who are found to be negligent or improperly handling sensitive information.

With the help of Microsoft Purview Information Protection, we can

  • detect sensitive information
  • classify information by purpose, for example to define whether it is public data meant to be spread or sensitive data that should be limited to authorized users
  • restrict sharing and access based on the classification/sensitivity
  • encrypt sensitive information. This protection follows the information through its lifecycle even if it is allowed to be shared and downloaded. For example, protected information is still monitored even when it is shared externally and stored outside Teams, and access to the file can be revoked when needed.


With the help of Data Loss Prevention and Communication Compliance we can increase awareness within chats and conversations: restrict sharing of sensitive information, harassing or threatening language, and sharing of adult content that could cause serious damage to our business.

Another example of DLP is to use Endpoint DLP to control what kind of information is allowed to be uploaded to Teams (and other cloud storage solutions).

Microsoft Purview Information Protection – Microsoft Purview (compliance) | Microsoft Learn
Learn about data loss prevention – Microsoft Purview (compliance) | Microsoft Learn
Learn about communication compliance – Microsoft Purview (compliance) | Microsoft Learn

Insider risks

Not only do we have external threats; we also have internal threats that we need to protect ourselves against. This could be everything from internal users sending sensitive information to their private email with good intent, to someone exfiltrating data with the purpose of leaking trade secrets using an internal user account. Microsoft Purview Insider Risk Management uses the full breadth of service and third-party indicators to help you quickly identify, triage, and act on potentially risky activity. Insider risk management allows you to define specific policies to identify risk indicators. After identifying the risks, you can take action to mitigate them and, if necessary, open investigation cases and take appropriate legal action.

Insider risk management – Microsoft Purview (compliance) | Microsoft Learn

Data lifecycle management

Microsoft Purview Data Lifecycle Management is used to comply with laws and regulations, making sure that irrelevant, out-of-date information is deleted and that business-critical information is preserved. For example, we can retain or delete certain information based on identified content or the location of the file.
We can also use retention policies and/or a group expiration policy to clean up unused, inactive teams and channels. This makes life easier for our end users and makes it easier for us to protect the information.

Learn about Microsoft Purview Data Lifecycle Management – Microsoft Purview (compliance) | Microsoft Learn

Microsoft 365 group expiration policy | Microsoft Learn

Last words…

Keep in mind that completely blocking external sharing and guests in your organization often leads to an increased risk of information leakage, because sensitive information will be sent by email instead of being stored in and shared from your organization. Shadow IT will increase as employees find their own ways of cooperating and sharing information.

Use Microsoft Teams, in a secure and smarter way!

Posted in Microsoft Information Protection

New data protection for Windows

Microsoft has just announced that they will release another layer of data encryption within the Windows operating system. It is called Personal Data Encryption (PDE) and will be available from Windows 11 22H2. PDE is an extra layer on top of BitLocker disk encryption. Its purpose is to protect personal data from being accessed either remotely (RDP, file shares, etc.) or locally by another user on the same device.

Personal data locations will be customizable later on, but are normally the “My Documents”, Desktop and Pictures folders.

The encryption is similar to EFS: each file gets a randomized, unique 256-bit AES key that is protected with Windows Hello for Business (instead of the certificate-based protection used by EFS). To decrypt any file, the end user needs to sign in with Windows Hello for Business. This means that data at rest is protected before the user signs in to Windows and as soon as the user locks the machine. PDE-protected data is only available when the user has signed in with Windows Hello for Business.


PDE is not a replacement for BitLocker; the two should be used in combination to fully protect the device and all data. PDE can't be combined with standard EFS or Windows Information Protection (WIP).
I personally recommend that organizations using WIP or EFS replace them with Microsoft Purview Information Protection, to be able to identify, classify and protect sensitive content during the entire data life cycle.

For more information and how to test this out, follow these links:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-personal-data-encryption-securing-user-data-before/ba-p/3691185?WT.mc_id=EM-MVP-4030782

https://learn.microsoft.com/en-us/windows/security/information-protection/personal-data-encryption/overview-pde?WT.mc_id=EM-MVP-4030782

Posted in Microsoft Information Protection

AIP Client: To be or not to be

A lot of new things were released during Microsoft Ignite, and we have several new features within the Office products around information security.

Microsoft Purview Information Protection continues to give more insights and abilities to detect sensitive information. All the new features within Microsoft Office are integrated into the product and can't be combined with the classic AIP Client. This article is meant to explain and show the difference between the AIP client add-in and Office native labeling.

One of the most requested features that the AIP Client add-in has given Office is the ribbon that provides more visibility and makes it easier to choose the correct information classification. Basically, the user doesn't need to click on the Sensitivity button to know which information classes are available and choose the correct sensitivity label. This function, with a visible ribbon, is planned to be integrated in future Office releases but is not here yet.


However, there are already several functions that may make us want to disable the AIP client add-in now. One example: when sensitive information has been detected, the AIP Client notifies the end user about it, but it doesn't show exactly what information was detected or where in the document.

When sensitive information is detected with Office version 2208 and above, Word notifies the user where the content is in the document as well as what type of content it is. This is a big improvement in alerting the user to exactly what information was identified and where in the document. It makes it easier for the user both to discover incorrectly identified information and, above all, to remove sensitive information that may not be approved in the specific document.


Custom Permissions

With the AIP Client and its add-in we have had the possibility to protect information with user-defined custom permissions. Here we can define which permission (View, Edit, Full Control) to grant to specific users, groups or organizations (by their mail domains). Without the add-in (or if we had enabled coauthoring for RMS-protected content in the tenant), it fell back to the classic RMS function “Restrict Permissions”, which had no possibility to restrict access to a whole organization.

This has now been resolved in new Office versions (2208) that also include the ability to assign different rights to different users and organizations.

Custom Permission in native Office (left) compared with Custom Permission in the AIP Client (right).

Outlook

When it comes to protecting emails to user-defined recipients with sensitivity labels that use the rather new “Encrypt-Only” restriction, we have never had this possibility with the AIP add-in enabled in Outlook.

Native Outlook (left) compared with Outlook with the AIP add-in (right).

What we still miss in the native Outlook client is the AIP add-in's Outlook pop-ups, which for instance can be configured to notify the end user and/or block them from sending internally protected emails externally.


Non-office files

We still need the AIP client to protect non-Office files and/or to protect several files or folders at a time from Windows Explorer. This means that we don't want to uninstall the AIP Client app; instead we can disable the add-in per Office app.

Microsoft is planning to disable the AIP add-in by default in Office starting with version 2302. Read more about this (and how to prevent it if there is a need for that) here:

Migrate the Azure Information Protection (AIP) add-in to Microsoft Purview Information Protection built-in labeling for Office apps – Microsoft Purview (compliance) | Microsoft Learn

Activities that should be planned

For organizations that currently have the AIP client and its add-in enabled, it is time to decide when and if changes should be made. Many will wait until the bar is available in native Office. I recommend that you create communication plans and review whether user instructions need to be updated once the decision has been made. Service desk and other operational departments should of course be informed.

Also make sure that organization-specific (custom) sensitive information types and trainable classifiers are named and described well, because they will now be visible to end users.

Posted in Microsoft Information Protection | 1 comment