Compliance as Security Technology

One of my favorite security analogies is that enterprise information security is like an onion. Each layer of the onion represents a different control that secures the data at the center. Common layers are endpoint protection, mobile device management, MFA, firewalls, encryption, security policies, and staff training. All of these (and more) are certainly critical controls that you should have in your environment. There is one set of controls that rarely gets mentioned in this context, though, and that is compliance. (Shocking, since it is everyone’s favorite topic, right?….)

In all seriousness, a robust set of compliance controls adds a significant amount of protection to your organization and should be included in any information security discussion. Properly implemented retention policies, sensitivity labels, and data loss prevention tools augment the other more technical controls listed above. For example, if a bad actor does get in, they won’t be able to exfiltrate data that your retention policy already deleted. If your sensitivity controls encrypt critical files, they can’t access them. Your DLP settings can detect and stop any exfiltration that is detected. In concert with your other controls, an attack can be mitigated quite effectively. Let’s explore this further by reviewing how the Microsoft Purview compliance toolset can be used to achieve this with data in your Office 365 tenant. Your existing Office 365 or Microsoft 365 subscription likely includes access to these tools now.

Document Retention and Secure Deletion (Data Lifecycle Management)

  • This function gives you the ability to define retention policies and assign those policies to documents and email. The application can be done manually or automatically based on characteristics of the document, file location, group membership, etc.
  • You can drastically reduce the amount of data at risk in your environment by deleting what is no longer needed. An attacker will not be able to steal or encrypt (or steal AND encrypt) what isn’t there.
  • Organizations usually have stale data in their environments that is no longer needed, but that no one has the time or inclination to delete. Having a well-enforced and automated set of policies that removes this data also reduces what is discoverable in a legal action.
  • This feature provides the ability to import all the random PST files that people have locally or in a file share so that ALL mail can reside in Exchange and be either archived or deleted using the same retention policies.

Other Valuable Features in Addition to the Core Functionality Above:

  • Content-aware searching – Searching data in the tenant for labels or sensitive content is easy and provides a way to identify any wayward files that are somewhere they don’t belong. Some examples would be an HR data export saved to someone’s desktop, a report that someone really meant to delete, or emails that really should be prevented from forwarding.
  • Compliance Manager – This feature provides compliance templates that measure and record your tenant’s score compared to compliance standards such as PCI, HIPAA, NIST, and many others. (Some of those standards are licensed separately). A list of controls and guidance on how to meet the given standards to make your environment compliant are included, along with the ability to document and report on both technical and procedural controls.
  • Insider Risk Management – This allows you to set up sophisticated behavior-based monitoring and metrics to help detect misuse of information by employees. Groups of events like files being downloaded from specific SharePoint libraries and then uploaded to a cloud file sharing service, excessive DLP violations, changing sensitivity labels, and suspicious activities on endpoints can be configured so alerts can be triggered. The platform can also use access badge usage and data from HR systems as data points in its analysis.

As you can see, these capabilities can add many more layers to the onion to detect and prevent misuse of data by authenticated users, whether malicious or accidental. It can help get control of any shadow IT usage and provide valuable insight as to how people are using systems and data overall so your risk posture can continuously be improved. These policies, labels, and controls can be applied across the data in your tenant so that enforcement and visibility are managed in one place for the entire environment.

Implementing all that I described above is challenging for any organization. It will require commitment across all areas: executive, legal, human resources, finance, compliance, operations, sales, and on and on. Everyone will be impacted. The data needs to be understood and prioritized to get a project like this started. Many times it is easiest to start putting some controls around email or specific departmental files first (start with the “crown jewels” that everyone can agree on) and work up from there. Automation of labeling is really the way to go if you can get the buy-in for it. Asking people to do this manually is a hard change to have them accept, and the accuracy and completeness of manual labeling is usually questionable.

Compliance standards evolve and more privacy laws are enacted every year. Having automated controls in place will make it easier to comply and reduce the cost of maintaining compliance (and the likelihood of being fined for noncompliance). Plus, the reduction in the likelihood or severity of a breach is real and should be highlighted to your stakeholders

Work with our team of Cloud Computing Consultants who have “been there done that” multiple times to know all of the “minefields” to prevent missteps.

Tom Papahronis

Tom Papahronis

Strategic Advisor - Enabling Technologies

Last updated on July 27th, 2023 at 02:00 pm