Fortifying Your Microsoft 365 Environment: Protecting Sensitive Information with Data Loss Prevention
Join Senior Engineer, Cameron Fairfull, and Managing Director, Ben Love, for the second webinar in our series on Fortifying Your Microsoft 365 Environment. This session will delve into Data Loss Prevention (DLP). We’ll provide practical steps to help you leverage DLP features and enhance your organisation’s data protection strategies. Don’t miss this chance to learn from industry leaders and elevate your data security to new heights!
Join our presenters, Cameron Fairfull and Ben Love for an informative webinar where they will explore the topic of Data Loss Prevention (DLP). Practical steps will be shared to help you leverage these features and support your organisation’s data protection requirements.
In this Webinar
- Understanding Your Data in Microsoft 365
As your business needs evolve, refining your data classification levels is crucial. By enhancing existing levels and incorporating new ones, you can ensure that your data classification strategy remains robust and effective. Utilising advanced sensitive information types, both built-in and custom, allows for better identification and protection of critical data. Implementing machine learning models, such as pre-trained and custom trainable classifiers, can significantly improve the accuracy of data discovery and classification, making your data loss prevention (DLP) efforts more efficient.
- Protect your Data using DLP Policies
Creating and managing advanced sensitivity labels allows for more granular control over data protection. These labels categorize data based on its sensitivity, enabling the application of appropriate protection measures. Designing comprehensive DLP policies is crucial to address complex data protection scenarios and meet regulatory requirements. By implementing automated workflows, you can ensure that sensitive items across Microsoft 365 are consistently labelled and protected, thereby reducing the risk of data breaches.
- Improving and monitoring your Sensitive Information
To effectively manage and protect your sensitive information, it’s crucial to implement a straightforward and efficient strategy. Start by improving and continuously monitoring your sensitive data to ensure it remains secure. Avoid overcomplicating your protection measures; simplicity often leads to better security practices. Implement the principle of least privilege access, ensuring that only those who absolutely need access to sensitive information have it. Regularly review permissions for data locations to prevent unauthorised access. Additionally, conduct regular audits and monitoring of these sensitive data locations to quickly identify and address any potential security issues. By following these steps, you can maintain a robust and manageable data protection strategy.
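The three topics above (identify sensitive information types, apply a DLP policy that acts on them, then monitor before tightening) can be carried out from Security & Compliance PowerShell. The script below is an added example for this page, not code from the webinar or from Grassroots IT. It assumes the ExchangeOnlineManagement module is installed and the account has rights to manage compliance policies; the policy and rule names are placeholders, and "Australia Tax File Number" and "Credit Card Number" are built-in Purview sensitive information type names that should be confirmed in your own tenant with Get-DlpSensitiveInformationType before use.

```powershell
# Added example (not from the webinar or Grassroots IT): create a DLP policy that
# starts in test mode, so matches are logged and users see policy tips, but nothing
# is blocked until the rule has been reviewed and the policy switched to Enable.
# Assumptions: ExchangeOnlineManagement module present; compliance admin rights;
# policy/rule names are placeholders; sensitive information type names are
# built-in types, to be confirmed with Get-DlpSensitiveInformationType.

Connect-IPPSSession

$policyName = "AU-PII-Outbound-Test"   # placeholder name for this example

# Confirm the sensitive information types exist in this tenant before relying on them.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -in @("Australia Tax File Number", "Credit Card Number") } |
    Format-Table Name, Publisher

# Scope the policy to the workloads the webinar covers: Exchange, SharePoint, OneDrive, Teams.
# TestWithNotifications = simulate the rule and show policy tips, do not enforce yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect Australian TFNs and payment card numbers shared externally" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: match content shared with people outside the organisation that contains
# at least one Australian Tax File Number or one credit card number. When the
# policy is later enabled, access is blocked, the owner and last modifier are
# told why, and an incident report goes to the site admin for review.
New-DlpComplianceRule -Name "AU-PII-External-Share" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number"; minCount = "1" },
        @{ Name = "Credit Card Number";        minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This item contains sensitive Australian identifiers and cannot be shared externally without approval." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, Detections, Severity `
    -ReportSeverityLevel High

# Verify what was created. Review the matches in the DLP activity explorer for a
# period before enforcing, so a rule that is too broad is caught in test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess

# Once the test-mode results look right, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in TestWithNotifications rather than Enable is the practical version of "avoid overcomplicating": the activity explorer shows exactly which items would have been blocked, which is where an overly broad rule (for example, a minCount of 1 on a type that appears in ordinary business documents) is caught before it interrupts users.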
Whether you’re an IT professional or business decision-maker, this webinar will equip you with the knowledge and strategies needed to fortify your Microsoft 365 environment. Don’t miss this opportunity to learn from the experts and enhance your organisation’s security posture.
Cameron is a valued member of the Grassroots IT team, offering a wealth of experience gained from his tenure at notable organisations including Dick Smith, Arnott’s, and Coca-Cola. As a seasoned Senior Engineer, Cameron’s expertise in Cybersecurity, Project Delivery, and Internal System Administration makes him the go-to person when techs find themselves stuck on complex issues. His knowledge base offers a treasure trove of solutions, helping clients maintain or improve their overall cybersecurity and enhance their systems through upgrades or improvements via projects.
Ben is a highly experienced technology and business professional with over 25 years’ experience in the field. Prior to founding Grassroots IT in 2005 he served in various roles including Systems Administration, Software Development, Solutions Architecture and IT Management. With his deep understanding of technology and proven business know-how, Ben is a respected and insightful leader.
In addition to serving as Grassroots IT’s Managing Director, Ben is an ultra-marathon runner, coaches and mentors entrepreneurs across a range of industries and serves on the board of Entrepreneurs Organization.
Ben Love [00:00:00]:
Hello, everybody, and welcome to today’s webinar with Grassroots IT. We are continuing our series on Microsoft 365 security, fortifying your tenant. Today we’re digging into the topic of DLP, or data loss prevention. Cameron, could you hit the next slide for me? Brief introduction to Grassroots IT. And again, Cameron, we work across IT and cloud, cyber security and data and automation. We have 25 staff headquartered out of Brisbane here in Queensland, and we absolutely embrace this new world of remote working, with staff based across five different countries these days. I’m joined today by Cameron Fairfull, Senior Engineer with Grassroots IT. Good morning, Cameron.
Cameron Fairfull [00:01:00]:
Good morning, Ben. How are you?
Ben Love [00:01:02]:
I’m well, thanks. Looking forward to diving into the exciting, fascinating world of DLP.
Cameron Fairfull [00:01:11]:
Yes, well, DLP can be challenging and interesting. It’s one of those subjects that is required, but can be a little dry sometimes.
Ben Love [00:01:26]:
Well, I’m sure you’ll spark it up for us, mate. Why don’t we dive right on in, Hank?
Cameron Fairfull [00:01:29]:
Yeah, absolutely. So let’s jump onto the first slide. So what is DLP? Data loss prevention is preventing sensitive information that your organization holds from ending up in the hands of the wrong person or controlling how that data is able to be shared around the organization, or even more than that externally as well. And what people are able to actually do with that data. One of the biggest steps with making sure that DLP is working correctly is actually classifying all of your data. And that is sometimes one of the more challenging tasks with implementing DLP across your organization. Understanding what data you have and how to classify it is one of the biggest steps in making sure that you’ve got DLP working correctly for your business. And the other thing that DLP also does is it actually helps you maintain regulatory compliance.
Cameron Fairfull [00:02:47]:
So a lot of businesses these days have some form of regulatory requirements that they need to meet. This could be as simple as just meeting the Privacy Act, or it could be something more significant, like PCI DSS, if you handle things like credit card information and other pieces of financial information. And even the Notifiable Data Breaches scheme these days touches on some of the regulatory. I’ll get that word out in a sec. Regulatory requirements for organizations.
Ben Love [00:03:32]:
So, Cameron, we’re talking here about. I guess we’re not just talking about data. We’re talking about sensitive data or sensitive information. What are some examples of the type of data or the types of information that are really important when we’re having this DLP discussion?
Cameron Fairfull [00:03:52]:
Well, there’s a few different ones. So financial data is obviously a big one. You need to be mindful of what financial data you potentially have or could be sending outside of the organization. But there’s also a lot of other personally identifiable information, PII, that you could hold as well that you may not necessarily know that you have there. So that could be, you know, employee details, employee banking information. So again, that financial data, employee identification as well. So, you know, that could be things that you require for when you onboard an employee, such as, you know, their driver’s license details or something like that. So that type of personally identifiable information could also be held by an organization that needs to be kept safe.
Cameron Fairfull [00:05:01]:
What are the key takeaways from today? The key takeaways are really about understanding your data. So understanding what types of sensitive data you hold and understanding the depth of the sensitive data that you hold as well, because you will find once you start digging into seeing what data you hold, that there is going to be information there that you didn’t ever realize would be considered sensitive. The second part is how to protect your data, how to make sure that the data that you want to keep secret, so that could be proprietary information that you hold for a product that your business sells, isn’t able to be leaked outside of the organization or isn’t able to be shared in a way that would allow someone to take that information without you having some sort of protection on it. And then the third thing is monitoring and improving once you have DLP enabled across your organization. So it’s easy to go and turn a whole bunch of settings on and then think, yes, I’ve got DLP working and I’m fine, but you need to know what is happening with all of that data once you’ve got those policies enabled. So you need to be able to make sure that you’re looking at the types of data that are being shared from inside your organization or to share it externally as well, and then look at ways to improve and make that security on that data better as well. So understanding your data, how do you do that? Microsoft offer a number of different, excuse me, a number of different features within your Microsoft 365 tenant that allow you to find the types of data that your organization holds. So some of the features that I’ll talk about today will be available only at the highest level of Microsoft licensing.
Cameron Fairfull [00:07:31]:
But there are other features that are available across a range of Microsoft licensing. So Microsoft allow you to use some of their features within their compliance portal or Microsoft Purview to be able to look at the types of data that you hold. So is this financial information? Is this personal information? Are there bank records, are there tax file numbers, etcetera, and allow you to then see where that data exists within your organization and be able to then determine how you need to protect that data. A good question to ask is what type of data does your organization collect? So you may find that your organization collects types of data that you weren’t aware of that could potentially be considered sensitive data. There might be certain types of sensitive data that your organization collects that to date haven’t been that well protected. And there are sometimes also types of data that your organization will collect that you absolutely, you know, once you collect it, you need to make sure that that is kept protected and is not allowed to be shared. And then there is the compliance requirements. So most businesses these days need to comply with, you know, certain things under the Privacy Act around disclosure and protection of personal information.
Cameron Fairfull [00:09:20]:
But there are many other compliance or regulatory requirements that businesses need to consider as well. So GDPR is a big one. So Australian organisations that operate in the EU or handle personal data of EU residents need to actually comply with GDPR. The rules around GDPR are very broad and very deep and can be difficult to understand, but that is sometimes a consideration that you need to make around your compliance requirements. Again, I touched on this earlier, the PCI DSS. So that is making sure that if your business collects and uses any sort of payment card information that you are following the requirements of PCI DSS. There’s a few others as well that I’ll touch on quickly. There’s the Telecommunications Act.
Cameron Fairfull [00:10:28]:
There’s the Health Records and Information Privacy Act for New South Wales. There’s the Corporations Act. There’s APRA’s prudential standards as well. And these all may tie into the types of data that your organization collects. So how do you understand the data that you have? The Microsoft Purview compliance portal is one of the big areas where you can complete a good view of all of the data that your organization holds. There are some features in there that you can access that allow you to go and filter through each of the different types of data that you may hold or sensitive information that you may hold, and you can then look and see where that data exists. So an example of this would be financial, Australian financial information. And a lot of the times you’ll find that there will be a mix of emails and SharePoint and a little bit of OneDrive as well.
Cameron Fairfull [00:11:50]:
And that compliance portal is really the starting point for making sure that you have a good understanding of the different types of data that your organization holds. So classifying the data, again, using Microsoft Purview, you can then look and see all the different types of data that you have and understand how you need to protect them, or if you need to protect them. For sensitive information, you will find some of the best practices around the different types of sensitive information. You can use common terms, but the best way to think about classifying all of your data and all of the sensitive information you have is to keep it simple. So you don’t need to go over the top. You just need to understand the specific types of data that you may not want to be allowed to be shared or that you need to protect, and then protecting that information. So you then need to start considering the types of sensitivity labels that you would need to apply within your organization, so that you can start classifying all of that different data. And so understanding your data and then being able to identify the different types of sensitive information that you need to apply is one of the big first steps with implementing DLP for your organization.
Cameron Fairfull [00:14:07]:
The next step is then protecting your information or protecting your data. So, sensitive information. So the sensitive information that you find once you start understanding your data will then help guide you to the types of sensitivity labels that you need to actually apply across your business. You’ll find that you will have information spread across your entire Microsoft 365. And it will be in email, in SharePoint, in OneDrive, in Teams. There will be information on devices. So it will be spread very far and wide across your organization. There are a number of different DLP policies that you can apply when you are protecting your data.
Cameron Fairfull [00:15:17]:
So these policies allow you the ability to determine what happens with the data. So the policy may be that it just alerts somebody that somebody has shared a specific type of data. The policy may be that it stops a user from being able to share it, or the policy may be that it stops the data from, sorry, it requires justification for why the data needs to be shared and it needs to be approved. So there are a number of ways that you can actually protect the data when you are looking to share this information and when you are configuring your actual policies. So one of the other things that you need to do is to stay informed when you are configuring all of your DLP policies. And there’s a few ways that you can do this. There’s a number of audit logs. There’s also some ability to be able to be notified within DLP policies as well, that your users are sharing sensitive data and that you know what has actually happened when that data has been shared.
Cameron Fairfull [00:17:08]:
So once you’ve got to the point where you have been able to identify the types of sensitive information that you hold and then start configuring those data loss prevention policies, you need to think about the retention of that particular data as well. So you need to decide at what point do we no longer need to retain this data, or do we need to retain this data permanently, or can we keep this data for a specified amount of time and then look at removing the data from the organization. And that’s when you move on from using the DLP policies and the sensitive information types that you can configure within Microsoft 365 and you start using retention policies and labels. So a retention policy allows you to be able to determine what happens with a specific type of data. So a retention policy will allow you to configure that specific types of data need to be maintained for five years. And then as an example, if it was a certain type of email, after that five years that can then be moved to an archive location within the user’s mailbox. If you were looking at something like maybe SharePoint data, you can go, okay, that data has been there for five years. We no longer need that specific type of data.
Cameron Fairfull [00:18:56]:
So we can then have that data automatically remove itself. The other side to the retention policies is actually labeling. And so labeling allows you to apply the retention policies by specifically labeling different types of information. And that can be applied to files and folders, emails, or entire SharePoint sites for that matter. Label policies can be applied by a user or they can be automatically applied as well. And you have the ability to simply force labels on some types of data, or you also have the ability to justify why a label type may be changed on some data as well. And labeling will follow the individual pieces of information that you label, or the individual pieces of data that you label as well. So it doesn’t necessarily mean that when you label it and that particular bit of data leaves your organization that it is not going to be labeled; that label will stay with that particular piece of data regardless of where that document, or whatever it might be, exists.
Cameron Fairfull [00:20:32]:
So monitoring and improving, and this was something that I touched on earlier about the Microsoft Purview portal. So not only does Microsoft Purview give you the ability to look at your data and classify the types of data that you have, understand the different types of sensitive information that you hold, but it also gives you the ability to monitor your data and look at the different types of data that may be new in your organization that you didn’t realize that you held previously. So Purview gives you the ability to look through audit logs. It gives you the ability to look at the different types of activity that have been happening for data loss prevention policies and understand if there are specific policies that maybe need to be changed slightly because they’re too restrictive, or it might be the flip side and they’re actually not restrictive enough at all. And you’re finding that users are still able to share different types of data when they may not necessarily need to share that particular type of data. Another way of monitoring your data within your organization is using Defender for Cloud Apps. Now, Defender for Cloud Apps is an interesting portion of Microsoft 365. It allows you to connect all of your different areas where you hold data and have Microsoft Defender actually look at all of that and let you know what is happening.
Cameron Fairfull [00:22:20]:
The two big connectors that you might use within Cloud Apps will be your Azure and your Microsoft 365. But you might also have file shares on-prem or on servers that are within your organization that you would like Microsoft to monitor as well. And there are ways that you can use connectors to connect this in and allow Microsoft to see this particular information and be able to help then understand that data that you hold and the different types of sensitive data that are available within those different locations, and then help you again better classify that data and also be able to better apply the policies that you need to be able to protect that data. DLP Activity Explorer, again, this is something I touched on earlier, and it is really that one-stop shop for being able to look at everything that is happening for all of the DLP policies that you have enabled and know whether the content is being labeled correctly. Understand, is a policy too restrictive or is a policy not restrictive enough? Understand what has actually been done with all of your content that you have labeled and where that content might be going. Two other big areas for monitoring and improving are eDiscovery and audit logs. So eDiscovery is a very powerful tool in Microsoft where it allows you to look across the entirety of your Microsoft 365 and find all of that specific data. So it will allow you to complete searches and understand is there data in multiple locations that you may not have been aware of previously? Is there data that is maybe in someone’s mailbox that shouldn’t be in that particular location at all? And it’s about understanding where that data is and being able to capture that data and make sure that if for whatever reason, you need to be able to recover or to protect that data, that you apply the specific settings within that particular search within eDiscovery to be able to make sure that that data is safe and can be recovered if it needs to be.
Cameron Fairfull [00:25:18]:
Audit logs are exactly what they say. Audit logs within Microsoft 365 show you absolutely everything, so they’re very filterable. You can look specifically at users and understand exactly what activity a user may have taken, whether that is looking at specific files, whether that is changing a particular file, or maybe moving data or deleting data. Even the audit logs will tell you everything that you need to know about that activity by a specific user. The other thing that audit logs also allow you to do is to filter down onto one specific area, and for instance, it might be SharePoint, and understand exactly what a user is doing in one particular location. And monitoring and improving is also about making sure that you’re aware of the user’s ability to access the data across your organization. So making sure that you are reviewing permissions and understanding that when new data stores are brought online, that that same permission level is applied to that new data store as well as what is applied to existing data stores. And you use a least access principle when you are applying permissions to the data stores to make sure that people only have the access that they need for that particular type of data.
Cameron Fairfull [00:27:30]:
Change management is another very important step around understanding when you are adding those new data stores or when you are changing a particular location that maintains data within your organization, that you are looking at what changes are going to be made, understanding the impact of those changes, and then looking at making sure that the changes that you’re going to apply stick with that least access principle of giving users the ability to see data across your organization, or making sure that only the users that need access have access to that particular location as you’re bringing it online and making all those changes to a data store. And again, auditing and monitoring your data. I know I’ve said this a few times now, but Microsoft Purview has a large amount of abilities to audit and monitor all of your sensitive data within your organization and making sure that users aren’t getting access to those locations that they should be getting access to. And that is all I have at the moment for data loss prevention, I think.
Ben Love [00:29:10]:
Thank you, Camo. Thanks, mate. Quite a deep and in-depth dive there on data leak prevention, DLP. I guess what it is and what Microsoft 365 can offer in the way of DLP. I think it’s really important to understand how this ties back to our own businesses and to what we’re working with. I’m looking at the people in this webinar right now, and I would be very surprised if people on this call did not store things such as student records or staff details. You might have some sensitive client contracts. You might have intellectual property, confidential product information within your organization, maybe even some sensitive negotiations that you’re in the middle of.
Ben Love [00:30:01]:
The power of DLP is that DLP can make sure that none of that information leaves your organization, maybe without prior approval. So it’s intelligent enough to know what it is that this information looks like. This comes down to the categorisation and so on that Cameron was talking about, and it will then block it. It will say, no, you cannot email that information to that other person who is outside our organization. No, you cannot share that document, you know, with that other person outside our organization. So it’s not just about protecting permissions and protecting information within our organization. It’s making sure that those sensitive types aren’t allowed to leave our organizations, aren’t allowed to leak out of our organization, so to speak. So David’s just popped a great question, actually in the chat there.
Ben Love [00:30:50]:
Cameron, for you, what is the base Microsoft 365 license that is required for DLP?
Cameron Fairfull [00:30:59]:
That is a good question. You can apply DLP from a number of different license levels. It’s the. So you can do that from a Microsoft 365 Business Standard perspective and above. And then obviously, as your level of license climbs, the ability to look at and monitor that particular data or be able to apply specific settings, whether they’re automated or manual, will then be determined by those higher levels of license.
Ben Love [00:31:39]:
So we can actually start using DLP in our organizations, even if we only have Microsoft 365 Business Standard licenses. But then if we’ve got the more advanced licenses. So Business Premium is of course the one that we recommend at Grassroots IT wherever possible, or upwards, any of the enterprise licenses, maybe you get more features within DLP, is that right?
Cameron Fairfull [00:32:03]:
Absolutely correct. Yes.
Ben Love [00:32:04]:
Okay, so Cameron David’s follow on question here, how should we begin to approach data categorization? I’d actually like to step back a little bit with that question and just say, how should we get started with DLP? Is there some easy steps, some gentle steps that people can take to move into DLP or to understand a bit more if DLP might be a good fit for their organization?
Cameron Fairfull [00:32:34]:
Yeah, absolutely. A good way to get started is to start looking at your requirements for any particular types of regulation that you need to achieve, to understand if there are, you know, specific types of data that you do need to be mindful about, and know the types of data that you hold internally that you might consider privileged. So whether that’s, you know, specific types of product that you may have developed or other sensitive information about a project that you might have going. And then within Microsoft 365, there are some really great tools around looking at all of your data and looking through all of the built-in data classifications that Microsoft holds. There’s a couple of hundred of those. And then actually understanding which ones you need to align with. And the good thing is you can filter through those and they’re all tagged for the different countries. So Australia has Australia financial information, you know, Australia bank details, Australia tax file number, etcetera, whereas other countries, you know, they have the country name in there.
Cameron Fairfull [00:34:02]:
And that’s the best way to get started. It’s knowing the data that you have or the types of data that you have that you may want to protect.
Ben Love [00:34:13]:
Fantastic. So it sounds to me like, you see, I’m pretty sure everybody on this call will have a good idea of what their obligations are to protect data. So, for example, all of us have an obligation to protect personally identifiable information. So anything that might personally identify our customers or clients and so on. But other people in here might also be listening to this and go, and, of course, immediately know that we also collect this other layer of information from our clients. Or we do have this proprietary intellectual property or product which we’re developing in house at the moment, which is really critical, and we’d like to protect that. So I think people in this room should have a pretty good feel for that already. And it sounds like there really should be some quick wins available in terms of having a look over your Microsoft 365 tenant and understanding what’s out there and what’s happening with it.
Ben Love [00:35:10]:
And of course, folks, if Grassroots IT can help with taking that next step, with helping you in this conversation at all, you know where to find us. So thank you, Cameron, again, for presenting today. Greatly appreciate it. Thank you, everybody, for your attendance today. Lovely to see you all here, and we will see you on our next webinar.
Cameron Fairfull [00:35:30]:
Thanks, everybody.