{"id":11169,"date":"2016-04-21T15:14:04","date_gmt":"2016-04-21T22:14:04","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=11169"},"modified":"2023-06-16T15:58:47","modified_gmt":"2023-06-16T22:58:47","slug":"monitoring-and-protecting-sensitive-data-in-office-365","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/monitoring-and-protecting-sensitive-data-in-office-365\/","title":{"rendered":"Monitoring and protecting sensitive data in Office 365"},"content":{"rendered":"
\n
\n
<\/div>\n
This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.<\/p>\n<\/div>\n<\/div>\n
Microsoft IT created a solution to manage the risk of sharing sensitive data, while still promoting collaboration in Office 365. Power BI dashboards give insight into how Microsoft corporate users share information. This solution detects sensitive data sharing and helps Microsoft IT proactively manage and respond to information security risks.<\/p>\n
With Office 365, Microsoft corporate users can access and share data from anywhere, on any device, and be more productive by using all of its collaboration features. On the other hand, it\u2019s easier to inadvertently share sensitive information with others both inside and outside of the company.<\/p>\n
To manage security risk, Microsoft IT created a solution that uses the Office 365 Management Activity API and the data loss prevention (DLP) features of Office 365. The solution gathers data about sharing from Microsoft Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory. It also includes a custom governance solution to help protect data. Microsoft Power BI dashboards visualize the data to show how Microsoft corporate users share information.<\/p>\n
The dashboards help answer four business questions that have direct business impact on risk, and the answers help leadership make decisions that reduce risk. Microsoft IT uses an agile process to answer these questions:<\/p>\n
\n
Which sites are capable of external sharing?<\/li>\n
What is the classification of externally shared sites?<\/li>\n
Which files are shared externally?<\/li>\n
What operations are performed by external users on those externally shared files?<\/li>\n<\/ol>\n
Microsoft IT tests hypotheses about how various policies and programs might improve users\u2019 sharing behavior and then check the dashboards to see if the behavior has changed. Besides dashboards, the solution improves sharing behavior by giving users visual cues about appropriate sharing. The solution automatically sends email to users who violate security policies by sharing too much, asking them to change their behavior. This helps manage and respond to information security risks.<\/p>\n
Information security policies<\/h2>\n
To protect valuable intellectual property, Microsoft has corporate policies for handling and sharing data. Using business rules based on these policies, the solution detects and reports when users share documents and if the sharing is in or out of compliance with the rules. For example, Microsoft data handling policy states that sensitive business information must be encrypted both at rest and in flight. And, when shared externally, users are accountable for who they share it with.<\/p>\n
The solution audits the following types of sharing:<\/p>\n
Regulated information<\/strong>. Regulated information includes government identification numbers such as social security numbers and passport numbers, financial data such as credit card numbers and financial records, or medical information. Regulated information must always be protected by encryption.<\/p>\n
Business information<\/strong>. At Microsoft, sensitive business information is called High Business Impact (HBI) data. Users can store HBI data on SharePoint Online and OneDrive for Business if they comply with Microsoft policies for HBI data storage and transmission; however, to share HBI content externally, users must get a policy exception from the Microsoft IT security and privacy team.<\/p>\n
Low Business Impact (LBI) and Medium Business Impact (MBI) data is permitted on SharePoint Online and OneDrive for Business with no special approval. Users must review all classifications to understand how to classify, protect, and handle data that they create, and ensure that it is properly categorized for use at Microsoft.<\/p>\n
How users share too much<\/h3>\n
Inappropriate sharing occurs when users make information accessible to others in a way that violates information security policies. There\u2019s rarely malicious intent behind inappropriate data sharing. Rather, the main reasons for it are:<\/p>\n
\n
The feeling of importance associated with having sought-after, inside information.<\/li>\n
Lack of understanding about the sensitive nature of the information or the security level of the site where it\u2019s shared.<\/li>\n<\/ul>\n
Users often don\u2019t grasp the implications of sharing information with many people. While some users\u00a0do <\/i>understand appropriate sharing, there are people who share all information indiscriminately.<\/p>\n
Some common inappropriate sharing scenarios are:<\/p>\n
\n
When sharing a document internally, a user doesn\u2019t set appropriate security settings to limit the ability to open or edit the document to named users or groups.<\/li>\n
A user shares a sensitive business document or regulated information on a SharePoint Online or OneDrive for Business site, and the site has users who shouldn\u2019t have access to that document or information. For example, with OneDrive for Business, a user might inadvertently select the \u201cshare with everyone\u201d folder for highly sensitive information.<\/li>\n
A user includes a credit card number, driver\u2019s license number, password, or other regulated information in email.<\/li>\n
A user sends a sensitive business document in email and does not set appropriate Microsoft Rights Management permissions on the document.<\/li>\n<\/ul>\n
Detecting inappropriate sharing<\/h3>\n
Organizations subscribing to Office 365 can use DLP to detect regulated and sensitive information that users share. In addition, Office 365 provides audit data for all file-related events, such as open, upload, download, and delete. Organizations can access audit data through the Office 365 Security and Compliance Center and use search and PowerShell cmdlets to get different views. They can also use Office 365 APIs in custom solutions.<\/p>\n
Microsoft IT wanted to do advanced analytics and statistical analysis on this raw data and give the results in a Microsoft Power BI dashboard. A custom solution was built to automatically detect, analyze, and report on sharing behavior. The solution uses the following types of information:<\/p>\n
\n
Sharing activities.<\/strong>\u00a0The solution audits how files are shared on SharePoint Online, OneDrive for Business, and Exchange Online. It also audits login activities on Azure Active Directory. To obtain audit data, it uses the Office 365 Management Activity API.<\/li>\n
Regulated information.<\/strong>\u00a0Adhering to international information privacy regulations, Microsoft IT configured rules for DLP to monitor regulated information contained in Exchange Online email and in files on SharePoint Online and OneDrive for Business. The Microsoft IT solution uses DLP PowerShell cmdlets to create reports for further analysis and reporting. To learn more about configuring DLP rules and using the DLP cmdlets to get reports, see\u00a0Data loss prevention<\/a>\u00a0and\u00a0View DLP policy detection reports<\/a>.<\/li>\n