Identifying Your Enterprise’s High-Level Sensitive Data with Microsoft

By March 6, 2019Azure, Microsoft, Security

By Sean O’Farrell

Too often, companies engage with security professionals when a breach of sensitive data has occurred.

They rush to resolve it as quickly as possible without thinking of how to prevent it from happening. Instead, organisations should be considering building a security road map surrounding their data. Here are some technical aspects that need to be considered if enterprises are to best leverage the Microsoft security suite. Generally speaking, the current high-level challenges that we come across often when speaking with EMEA clients, are:

  • GDPR
  • Personally Identifiable Information
  • Freedom of Information (for Irish Public Services)
  • Client sensitive information
  • Intellectual Property

 

The Microsoft Information Protection Suite

Microsoft’s Information Protection solutions such as Data Loss Prevention (DLP) are crucial in the protection of data, especially when the following Microsoft technologies are all implemented:

Evros Microsoft Solutions Architect Sean O'Farrell explores the Microsoft security suite.

All of these technologies will help build a hardened stance against cyber threat. But when companies fail to define what sensitive data, customer or personally identifiable information types they are hosting, they quickly find themselves in the murky waters of becoming data uncompliant.

How do you identify all of the high-level sensitive information types?

My recommendation is to start with Azure Information Protection (AIP) scanner with Azure Log Analytics integration in discovery mode to assess your environment.

When I present the results of the analysis to my customers regarding their data analysis, they often have mixed reactions. Firstly, there’s delight that they can have instant business intelligence reports on their data. Then the delight is followed promptly by the worry that they are not compliant. This process outlined below will hopefully allay the fear around compliance.

Begin with a small amount of possible sensitive information types that has been configured as part of an Azure AIP Scanner policy integrated into Azure Log Analytics.

Read: How to configure the Azure Information Protection policy

Once this data is enabled, it empowers a business to slowly start defining what data is critical to the business and their customers. A good first sensitive information type to start with is a credit card number to familiarise the organisation’s staff on how to use this service.

TIP: To assign the responsibility to one person to review 30TB of data will not be productive. Azure role-based access control can be implemented so that Department Heads or Compliance Officers only review data that they have the right to review.

Defining sensitive information types and then continuing to update your sensitive information type library will be an ongoing process which should also include the process of up-skilling existing employees. The engagement becomes difficult if the customer does not have the required Microsoft Cloud and desktop operating system versions.

Interested in learning more about data classification from our Microsoft Solutions Architect? Talk to Sean or any of our Microsoft Division today.