Erica Toelle, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics
Thu, 12 Sep 2024 20:52:44 +0000

Data governance: 5 tips for holistic data protection
http://approjects.co.za/?big=en-us/security/blog/2022/08/24/data-governance-5-tips-for-holistic-data-protection/
Wed, 24 Aug 2022 16:00:00 +0000

Proactive data governance offers a holistic approach that conserves resources and simplifies the protection of your data assets. Microsoft Purview provides a comprehensive data governance solution designed to help manage your on-premises, multicloud, and software as a service (SaaS) data. Here are five ways it can help.

The post Data governance: 5 tips for holistic data protection appeared first on Microsoft Security Blog.

Your data is a strategic asset. To benefit your business, data requires strict controls around structure, access, and lifecycle. However, most security leaders have doubts about data security—nearly 70 percent of chief information security officers (CISOs) expect to have their data compromised in a ransomware attack.[1] Part of the problem lies in traditional data-management solutions, which tend to be overly complex with multiple unconnected, duplicative processes augmented with point-wise integrations. This patchwork approach can expose infrastructure gaps that attackers will exploit.

In contrast, proactive data governance offers a holistic approach that conserves resources and simplifies the protection of your data assets. This integrated approach to data governance is a vital component of Zero Trust security and spans the complete lifecycle of your data. It also reduces the cost incurred by a data breach, both by shrinking the blast radius and preventing an attacker from moving laterally within your network. Microsoft Purview provides a comprehensive data governance solution designed to help manage your on-premises, multicloud, and software as a service (SaaS) data. To help you get more from your data, we’ve put together five guideposts.

1. Create a data map of all your data assets

Before you can protect your data, you’ll need to know where it’s stored and who has access. That means creating comprehensive descriptions of all data assets across your entire digital estate, including data classifications, how it’s accessed, and who owns it. Ideally, you should have a fully managed data scanning and classification service that handles automated data discovery, sensitive data classification, and mapping an end-to-end data lineage for every asset. You’ll also want to make data easily discoverable by labeling it with familiar business and technical search terms.

Storage is a vital component of any data map and should include technical, business, operational, and semantic metadata. This includes schema, data type, columns, and other information that can be quickly discovered with automated data scanning. Business metadata should include automated tagging of things like descriptions and glossary terms. Semantic metadata can include mapping to data sources or classifications, and operational metadata can include data flow activity such as run status and run time.

2. Build a decision and accountability framework

Once you know where all your data is located, you’ll need to document the roles and responsibilities of each asset. Start by answering seven basic questions:

  1. How is our data accessed and used? 
  2. Who is accountable for our data?
  3. How will we respond when business or regulatory requirements change?  
  4. What is the process for revoking access due to a role change or an employee leaving?
  5. Have we implemented monitoring and reporting to track data access?
  6. How do we handle lifecycle management?
  7. Are we automating permissions management to enforce security and compliance?

In response to question number one, you should develop a detailed lifecycle for data access that covers employees, guests, partners, and vendors. When deciding what data someone may need to access, consider both the person’s role and how the data in question will be used. Business unit leaders should determine how much access each position requires.

Based on the information gathered, your IT and security partners can create role-based access controls (RBAC) for each employee position and partner or vendor request. The compliance team will then be responsible for monitoring and reporting to ensure that these controls are put into practice. Implementing a permissions management solution can also help your organization by preventing misuse and malicious exploitation of permissions. By automatically detecting anomalous alerts, your organization can reduce IT workloads, conserve resources, and increase user productivity.

3. Monitor access and use policies

Next, you’ll need to document the policies for each data repository. Determine who can access the data—including read versus write access—and how it can be shared and used in other applications or with external users. Will your organization be storing personally identifiable information (PII) such as names, identification numbers, and home or IP addresses in this repository? With any sensitive data, it’s imperative to enforce the Zero Trust principle of least privilege or just-in-time (JIT) access.

The JIT permissions model strengthens the principle of least privilege by reducing the attack surface to only those times when privileges are actively being used (unlike the all-day, every-day attack surface of standing privileges). This is similar to just-enough-privilege (JEP), wherein a user completes a request describing the task and data they need to access. If the request is approved, the user is provisioned with a temporary identity to complete the task. Once the task is completed, the identity can be disabled or deleted. There’s also a “broker-and-remove-access” approach, wherein standing privileged accounts are created and their credentials stored securely. Users must then provide a justification when requesting to use one of the accounts to access data for a specific amount of time.

Your organization can protect itself by maintaining a log of every request for elevated access (granted or declined), including when the access was revoked. All organizations, especially those storing PII, need to be able to prove to auditors and regulators that privacy policies are being enforced. Eliminating standing privileged accounts can help your organization avoid audit troubles.

4. Track both structured and unstructured data

Traditionally, data governance has focused on business files and emails. But stricter regulations now require organizations to ensure that all data is protected. This includes both structured and unstructured data shared on cloud apps, on-premises data, shadow IT apps—everything. Structured data is comprised of clearly defined data types with patterns that make them easily searchable, such as Microsoft Office or Google Docs. Unstructured data can include anything else, such as audio files, videos, and even social media posts.

So, should you leave it up to the individual asset owner to implement their own data protections across such a vast data landscape? An alternative that some of Microsoft’s customers have embraced involves developing a matrixed approach to data governance, wherein security and compliance experts help data owners meet requirements for protecting their data. In this scenario, a “common data matrix” is used to track how data domains are interacted with across your organization. This can help document which areas of your business can simply create data versus read, access, or remove data assets. Your data matrix should identify the data’s source, including any shadow IT systems in use. Make sure to capture any domains and sub-domains containing sensitive or confidential data, subject to government regulation. Also, documenting roles and responsibilities for each business unit allows everyone to understand who is using specific data for a particular job, as well as who is adding data into a system and who is responsible for it.

5. Delete data that’s no longer needed

“Dark data,” which organizations pay to store but goes underutilized in decision making, is now growing at a rate of 62 percent per year.[2] Given that most IT teams are already overstretched, asking them to stand guard over vast data lakes is not a recipe for security. So, how do you know when some data is no longer useful to your organization?

Sometimes the easiest way to protect data is to delete it. In keeping with the Zero Trust principle of “assume breach,” less data means less risk. Theft of intellectual property (IP) can be financially hazardous, whereas theft of customer PII can be disastrous long-term for your brand. Privacy laws require that businesses keep PII only for as long as it has served its original purpose.[3] However, manually tracking which files are subject to deletion would be nearly impossible. A better approach is to implement ongoing controls to auto-expire PII or set up automated reminders for reviewing sensitive data to decide if it’s still needed.

Understanding the lifecycle of data makes it easier to delete when it’s no longer needed. An integrated data governance solution with intelligent machine learning capabilities can do the work for you, classifying content when it’s created and automatically applying appropriate sunset policies.[4] Or, use multi-stage retention policies to automatically apply a new label at the end of a retention period.

Learn more

Proactive, holistic data governance is an integral part of data protection, spanning the complete lifecycle and helping drive business outcomes by ensuring that your data is discoverable, accurate, and secure. Microsoft Purview integrates and automates data governance by setting lifecycle controls on your sensitive data, protecting against data loss, and managing RBAC. To experience Purview in your organization, you’re welcome to start with a free trial.

Learn some top-level information about data governance for enterprise businesses.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Almost 70% of CISOs expect a ransomware attack, Danny Bradbury. October 19, 2021.

[2] September 2021 survey of 512 United States compliance decision-makers commissioned by Microsoft from Vital Findings.

[3] GDPR personal data—what information does this cover?, GDPR. 2022.

[4] Microsoft is committed to making sure AI systems are developed responsibly and in ways that warrant people’s trust. As part of this commitment, Microsoft Purview engineering teams are operationalizing the six core principles of Microsoft’s Responsible AI strategy to design, build and manage AI solutions. As part of our effort to responsibly deploy AI, we provide documentation, gating, scenario attestation, and more to help organizations use AI systems responsibly.

3 strategies to launch an effective data governance plan
http://approjects.co.za/?big=en-us/security/blog/2022/03/31/3-strategies-to-launch-an-effective-data-governance-plan/
Thu, 31 Mar 2022 17:00:00 +0000

A data governance plan can help you effectively govern sensitive data so you can reduce risks from data breaches or leaks. Read three steps to launch a data governance plan.

The post 3 strategies to launch an effective data governance plan appeared first on Microsoft Security Blog.

Aware of the potential risks of sensitive data if not managed properly, you’ve undertaken a data discovery process to learn where it’s all stored. You’ve classified this sensitive data—confidential information like credit card numbers and home addresses collected from customers, prospects, partners, and employees—as either non-business, public, general, confidential, or highly confidential. You’ve assessed the risks to better protect it from exposure and the risk of theft or loss. Your next step is to govern your data. But what does that mean and how do you launch a data governance plan?

Data governance is the process of managing data as a strategic asset. This means setting controls around data, its content, structure, use, and quality. Microsoft considers data governance to be the foundational pillar of an enterprise data strategy. All the preceding steps—data discovery, data classification, and data protection—are necessary to build your plan. When done right, data governance makes it easier for companies to ascertain their data is consistent, trustworthy, and properly used.

To avoid those issues, ensure that you govern your data properly. Let’s explore three steps to take when building a data governance plan.

1. Set lifecycle controls on sensitive data

Numerous laws and regulations dictate how long you must retain data and in what circumstances you should delete data. Many privacy laws require that you keep personally identifiable information (PII), such as names, identification numbers, home addresses, and IP addresses, only for as long as it has met its original purpose.[1]

Under GDPR Article 5(1)(c), the data minimization principle requires entities to process only “adequate, relevant and limited” personal data that is “necessary.”[2] GDPR also encourages you to pseudonymize and encrypt this personal information.

Your organization’s data governance plan should take these data retention requirements into account. Tracking which file is subject to a retention or deletion regulatory requirement manually would be extremely challenging if not impossible. A better approach is to implement ongoing controls to auto-expire personal data or set up automated reminders to review data periodically to assess whether it’s still in use or active. Another option is to have approvals in place before deleting documents to ensure you’re deleting verified personal data and not inadvertently hurting the business by deleting the wrong content.

2. Operationalize data governance

After setting lifecycle controls to manage your company’s sensitive data, it’s time to define strategy and figure out how to operationalize the management of your data governance program. Data governance isn’t a set-it-and-forget-it situation. You’ll need ongoing processes to protect and govern sensitive data.

However, a company’s approach to data retention and deletion will vary based on the laws of its country and corporate policies. You need to define how often you review, delete, and archive sensitive data. Your company’s Data Governance Officer or legal department can offer guidance on what’s required.

Automating these ongoing operations can ease the burden of management. One opportunity for automation is auto-labeling of secure documents at different confidentiality levels. If you don’t properly label data as sensitive, you’ll be unable to locate, identify, or successfully govern it. 

3. Manage role-based access

A major tenet of Zero Trust, a security model that assumes breach and verifies each request, is to allow people to access only the resources that they use to complete their work. Assigning role-based access control helps you protect resources by managing who has access to resources, what they can do with those resources, and what resources they can access.

Develop a detailed lifecycle for access that covers employees, guests, and vendors. Don’t delegate permission setting to an onboarding manager as they may over-permission or under-permission the role. Another risk with handling identity governance only at onboarding is that this doesn’t address changes in access necessary as employees change roles or leave the company.

Instead, leaders of every part of the organization should determine in advance what access each position needs to do their jobs—no more, no less. Then, your IT and security partner can create role-based access controls for each of these positions. Finally, the compliance team owns the monitoring and reporting to ensure these controls are implemented and followed.

When deciding what data people need to access, consider both what they’ll need to do with the data and what level of access they need to do their jobs. For example, a salesperson will need full access to the customer database, but may need only read access to the sales forecast, and may not need any access to the accounts payable app. It’s about ensuring that people have the right access to the right information at the right time.

Other questions to ask when building your plan include:

  • How do you revoke access when someone no longer needs it due to a role change, offboarding, or another reason?
  • Have you set up recurring and exception-based monitoring and reporting to check what people are doing with the access they have? 
  • Could implementing a permissions management solution help reduce costs and workload to IT while increasing user productivity?

Organizations need to be able to prove to auditors and regulators that privacy policies are being followed and enforced within the company. Restricting network access based on the roles of individual users can assist with that.

Secure sensitive data with data governance

Data governance ensures that your data is discoverable, accurate, and trusted. Protect your sensitive data by launching a data governance plan that involves setting lifecycle controls of sensitive data, operationalizing data governance, and managing role-based access. As a follow-up to careful data discovery, data classification, and data protection, data governance can help you protect your sensitive data through its entire lifecycle according to industry regulations, which in turn will help you protect your employees, customers, prospects, and partners.

Read more about data governance and protecting sensitive data:

Read more about data security.


[1] GDPR personal data – what information does this cover?, GDPR.

[2] GDPR Article 5(1)(c), EUR-Lex. 2016.

Microsoft shares 4 challenges of protecting sensitive data and how to overcome them
http://approjects.co.za/?big=en-us/security/blog/2022/03/01/microsoft-shares-4-challenges-of-protecting-sensitive-data-and-how-to-overcome-them/
Tue, 01 Mar 2022 17:00:00 +0000

Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. They also can diminish the trust of those who become the victims of identity theft, credit card fraud, or […]

The post Microsoft shares 4 challenges of protecting sensitive data and how to overcome them appeared first on Microsoft Security Blog.

Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. They also can diminish the trust of those who become the victims of identity theft, credit card fraud, or other malicious activities as a result of those breaches. In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD 4.24 million each.[1] About 45 million people were impacted by healthcare data breaches alone—triple the number impacted just three years earlier.[2]

Sensitive data is confidential information collected by organizations from customers, prospects, partners, and employees. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual.

Every level of an organization—from IT operations and red and blue teams to the board of directors—could be affected by a data breach. How do organizations identify sensitive data at scale and prevent accidental exposure of that data? Let’s look at four of the biggest challenges of sensitive data and strategies for protecting it.

1. Discovering where sensitive data lives

The data discovery process can surprise organizations—sometimes in unpleasant ways. Sensitive data can live in unexpected places within your organization. For instance, an employee may have stored a customer’s SSN in an unprotected Microsoft 365 site or third-party cloud without your knowledge. Of an estimated 294 million people hacked in 2021, about 164 million were at risk because of data exposure events—when sensitive data is left vulnerable online.[3]

The only way to ensure that your sensitive data is stored properly is with a thorough data discovery process. Scans for data will pick up those surprise storage locations. However, it’s close to impossible to handle manually.

2. Classifying data to learn what’s most important

That leads right into data classification. Once the data is located, you must assign a value to it as a starting point for governance. The data classification process involves determining data’s sensitivity and business impact so you can knowledgeably assess the risks. This will make it easier to manage sensitive data in ways to protect it from theft or loss.

Microsoft uses the following classifications:

  • Non-business: Data from your personal life that doesn’t belong to Microsoft.
  • Public: Business data freely available and approved for public consumption.
  • General: Business data not meant for a public audience.
  • Confidential: Business data that can cause harm to Microsoft if overshared.
  • Highly confidential: Business data that would cause extensive harm to Microsoft if overshared.

Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Leveraging security products that enable auto-labeling of sensitive data across an enterprise is one method, among several, that helps overcome these data challenges.

3. Protecting important data

After classifying data as confidential or highly confidential, you must protect it against exposure to nefarious actors. Ultimately, the responsibility of preventing accidental data exposure falls on the Chief Information Security Officer (CISO) and Chief Data Officer. They are accountable for protecting information and sharing data via processes and workflows that enable protection, while also not hindering workplace productivity.

Data leakage protection is a fast-emerging need in the industry. The Allianz Risk Barometer is an annual report that identifies the top risks for companies over the next 12 months. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Cyber incidents topped the barometer for only the second time in the survey’s history. At 44 percent, cyber incidents ranked higher than business interruptions at 42 percent, natural catastrophes at 25 percent, and pandemic outbreaks at 22 percent.[4]

4. Governing data to reduce unnecessary data risks

Data governance ensures that your data is discoverable, accurate, trusted, and can be protected. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. You don’t want to store data longer than necessary because that increases the amount of data that could be exposed in a data breach. And you don’t want to delete data too quickly and put your organization at risk of regulatory violations. Sometimes, organizations collect personal data to provide better services or other business value. For instance, you may collect personal data from customers who want to learn more about your services. To abide by the data minimization principle, once the data is no longer serving its purpose, it must be deleted.

How to approach sensitive data

The fallout from not addressing these challenges can be serious. Organizations can face big financial or legal consequences from violating laws or requirements. A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. One of these fines was related to violating the GDPR’s personal data processing requirements. Another was because of insufficient detail to consumers in a privacy policy about data processing practices. The data protection authorities have issued a total of $1.25 billion in fines over breaches of the GDPR since January 28, 2021.[5]

Considering the potentially costly consequences, how do you protect sensitive data? As mentioned earlier, data discovery requires locating all the places where your sensitive data is stored. This is much easier with support for sensitive data types that can identify data using built-in or custom regular expressions or functions. Since sensitive data is everywhere, we recommend looking for a multicloud, multi-platform solution that enables you to leverage automation.

For data classification, we advise enforcing a plan through technology rather than relying on users. After all, people are busy, can overlook things, or make errors. Also, organizations can have thousands of sensitive documents, making manual identification and classification of data untenable because the process would be too slow and inaccurate. Look for data classification technology solutions that allow auto-labeling, auto-classification, and enforcement of classification across an organization. Trainable classifiers identify sensitive data using data examples.

Some solution providers divorce productivity and compliance and try to merely bolt on data protection. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. When considering plan protections, ask: Who can access the data? Where should the data live and where shouldn’t it live? How can the data be used?

Microsoft solutions offer audit capability where data can be watched and monitored but doesn’t have to be blocked. It can be overridden too so it doesn’t get in the way of the business. Also, consider standing access (identity governance) versus protecting files. Data leakage protection tools can protect sensitive documents, which is important because laws and regulations make companies accountable. 

Explore data protection strategies

Security breaches are very costly. Data discovery, data classification, and data protection strategies can help you find and better protect your company’s sensitive data. Learn more about how to protect sensitive data.


[1] Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

[2] Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. January 31, 2022.

[3] Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected, Cezary Podkul, ProPublica. January 25, 2022.

[4] Allianz Risk Barometer 2022: Cyber perils outrank Covid-19 and broken supply chains as top global business risk, Allianz Risk Barometer. January 18, 2022.

[5] Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. January 17, 2022.
