Five years ago, we started on a journey to update and simplify information protection at Microsoft. We had a manual data classification process that our users didn’t use effectively and that didn’t work with our data storage or database technology. We had to find ways to re-classify data and build effective tools while protecting our most important asset: customer and employee information.
We’ve learned a lot about data protection and tools and today we’re sharing some of our best practices for:
Identifying the location of data—The first step to creating a strategy is discovering where your data and major storage places are so you can create a data landscape. Do you have data on your endpoints? Start by looking across your organization to identify your customer data, regulatory data, and other sensitive information.
Classifying the data—Classifying data is the most important and most difficult step. At Microsoft, we used a custom three-level manual label classification process but found that no one understood how to apply the labels correctly. We worked with legal, HR, and other groups to identify labels that made sense for our company, with the goal that they could be applied automatically.
Our objective is to ensure that our data and our customer data are handled properly, classified correctly, and protected. We’re a global company and the General Data Protection Regulation (GDPR) is the baseline—and one of our key tenets—for how we think about our information and how we protect it. We replaced the manual classification labels with a more intuitive labeling taxonomy that better aligns with industry standards:
Identifying and resolving old data—Before you roll out new tools, there may be old data that you need to review and resolve. For example, you may need to clean up, delete, or protect your data. When reviewing data, consider the age of the data and if anyone is still using a document. Prioritize and create rules for saving, deleting, and protecting data.
Protecting the data—You want to protect the data based on classification. Protecting customer and personal information is at the core of what we’re trying to protect at Microsoft. For smaller companies—or companies just starting to develop an information protection program—your biggest return will be finding customer data so you can protect it. Building customer trust and protecting customer information is key to an information protection program.
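The four practices above (identify where sensitive data is, classify it with labels that can be applied automatically, resolve old data by age and usage, and protect it according to its label) form one pipeline. The following is an added illustration of that pipeline, not code from Microsoft or from the webinar: a small scanner that detects two kinds of regulated data (e-mail addresses and 16-digit payment-card numbers that pass the Luhn check), assigns a label, and then recommends an action from the document's age and last-use date. The label names, the 365-day staleness threshold, and the sample documents are all constructed for this example; the page does not list Microsoft's actual taxonomy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Step 1/2: identify and classify --------------------------------------

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Simplified pattern: 16-digit card numbers written in groups of four.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "email" or "payment_card"
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out test strings that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return the regulated-data findings in one document."""
    findings = [Finding("email", m) for m in EMAIL_RE.findall(text)]
    for m in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if luhn_ok(digits):
            findings.append(Finding("payment_card", digits))
    return findings


# Hypothetical three-tier taxonomy (placeholder names, not Microsoft's labels).
def classify(findings: list[Finding]) -> str:
    kinds = {f.kind for f in findings}
    if "payment_card" in kinds:
        return "highly-confidential"
    if "email" in kinds:
        return "confidential"
    return "general"


# --- Step 3/4: resolve old data and protect by label ----------------------

STALE_DAYS = 365   # assumed threshold for "nobody is still using this"


def recommend_action(label: str, age_days: int, last_opened_days: int) -> str:
    stale = age_days > STALE_DAYS and last_opened_days > STALE_DAYS
    if label == "general":
        return "review-for-deletion" if stale else "keep"
    # Sensitive data is protected (encryption / restricted access) regardless
    # of age; stale sensitive data is additionally queued for owner review.
    return "protect-and-review" if stale else "protect"


def plan_actions(docs: dict[str, dict]) -> dict[str, tuple[str, str]]:
    """Map each document name to (label, recommended action)."""
    plan = {}
    for name, doc in docs.items():
        label = classify(scan(doc["text"]))
        plan[name] = (label, recommend_action(label, doc["age_days"], doc["last_opened_days"]))
    return plan


# Constructed sample inventory: file name -> contents and age metadata (days).
SAMPLE_DOCS = {
    "orders-2019.csv": {"text": "customer,card\nana@example.com,4111 1111 1111 1111\n",
                        "age_days": 900, "last_opened_days": 850},
    "newsletter-draft.txt": {"text": "Contact alice@example.com for the Q3 newsletter",
                             "age_days": 30, "last_opened_days": 2},
    "lunch-menu.txt": {"text": "Tuesday: soup. Wednesday: salad.",
                       "age_days": 1200, "last_opened_days": 1100},
    "test-data.txt": {"text": "fake card 4111 1111 1111 1112 for unit tests",
                      "age_days": 10, "last_opened_days": 1},
}

if __name__ == "__main__":
    for name, (label, action) in plan_actions(SAMPLE_DOCS).items():
        print(f"{name:22} {label:20} {action}")
```

The Luhn check is what keeps the fourth document out of the "highly-confidential" bucket: its number matches the card pattern but fails the checksum, so it is treated as non-sensitive test data. In a real deployment the scanner would read from your storage systems, and the "protect" action would apply the label's encryption or access policy rather than just report it.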
Protecting our identities is an extremely important part of the information protection journey. But what if you come across a document with trade secret information? You should probably work with the group that handles trade secrets at your company. We have a white glove program with HR where we build specific programs for specific business units. Using products like Key Vault can help protect sensitive data.
If you’re just starting to build an information protection program, we recommend the following three-step process:
Building an information protection program is not one-size-fits-all, but if you choose classification terms that are easy to understand and implement, proactively educate users, and bake information protection into existing processes to minimize impact, you can increase the success of the program.
For more information about how Microsoft has implemented these strategies, watch the IT Showcase webinar, Speaking of security: Information protection.