Back in August, I released an article about why you should consider Microsoft for your IT Security. I talked about how Microsoft’s solution has matured and how it can help organisations do more with less. Now I would like to talk about what that solution could look like as an end-to-end suite of tools that can help protect your identities, endpoints, data, applications, and infrastructure.
To do this, I aim to release a series of articles that introduce each pillar of the Microsoft Security Suite, with an overview of its capabilities, features, and what role it performs in the solution.
The Microsoft Security suite of products contains the following:
- Microsoft Defender 365 – Defend across the Attack Chain to protect against external threats.
- Microsoft Sentinel – Collect, analyse, and respond to alerts and incidents picked up by your security tools, such as Defender, Entra and Purview.
- Microsoft Entra – Identity and Access Management platform that can protect your identities and access to your corporate resources.
- Microsoft Intune – Endpoint Management platform that manages and secures all endpoints in your estate.
- Microsoft Purview – Secure your sensitive data and protect against internal threats.
- Microsoft Priva – Manage the risks of handling sensitive information within Microsoft 365.
The penultimate pillar is Microsoft Purview, which I will discuss in this article. Purview is the service that helps you to protect your data and adhere to Compliance and Legal regulations. Whilst native to Microsoft 365, it can be used with non-Microsoft tools too. It is a powerful tool when integrated with the other components of the end-to-end security suite.
Protecting your data is fundamental to cyber security, as discussed in the Microsoft Digital Defence Report 2023. With most of our data sitting on cloud storage of some kind, we lack the traditional perimeter solutions to protect it. Instead, we must rely on new, modern methods of ensuring our data does not become compromised. And with more sensitive data being used, plus more complex regulations that organisations need to follow, we need ways to identify sensitive data and protect it.
Data Classification – Find, Label and Protect
One of the first things to consider when talking about data protection is the classification of data. There has been an explosion in the amount of data organisations can now hold, especially when using cloud storage instead of costly on-premises solutions. And with a larger amount of data, do we really know what it is that we are storing?
Classification of data can help you to understand what types of data are being stored: is it public data that is available to anyone, or is it confidential and should it be for certain eyes only? Using Microsoft Information Protection, we can apply sensitivity labels to our data. These sensitivity labels help us to classify the data and, where needed, they can be used to protect the data too.
Using the example of confidential data that should only be visible to certain people, a sensitivity label can add encryption to the files. For instance, we can add encryption to the label so that when it is applied, permissions are set on the file so that only users who are a member of a specific Microsoft Entra group can open, read, and edit it. The great part about the encryption is that it is applied to the file and stays with the file no matter where it is stored. So, if someone does get hold of the file outside of your environment, say it was emailed or saved to a USB stick, whoever tries to open it must authenticate to your M365 tenant. If they fail authentication, the file cannot be opened.
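As an added example (not from the original article), the following Security & Compliance PowerShell creates a label of exactly this kind: encryption is enabled and the usage rights are granted only to members of one Entra group, then the label is published. The group address, label name and policy name are placeholders; it assumes the ExchangeOnlineManagement module and a role that can manage labels.

```powershell
# Added example, not the article's own configuration. Placeholder names throughout.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell (Purview)

# Rights granted to the Entra group (placeholder address). View and edit are allowed;
# PRINT, EXTRACT (copy out) and FORWARD are deliberately left out. Anyone not in the
# group is not listed, so after authenticating they still cannot open the file.
$groupRights = 'finance-confidential@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL,OBJMODEL'

New-Label -Name 'Confidential-Finance' `
    -DisplayName 'Confidential - Finance' `
    -Tooltip 'Finance team only. Encrypted; the protection travels with the file.' `
    -ContentType 'File, Email' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $groupRights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7   # how long a cached licence works without re-authenticating

# Publish the label so users and auto-labelling can apply it. Scope it to all mailboxes
# and Microsoft 365 Groups; narrow -ExchangeLocation to a group address for a pilot.
New-LabelPolicy -Name 'Finance Label Policy' `
    -Labels 'Confidential-Finance' `
    -ExchangeLocation All `
    -ModernGroupLocation All

# Check: confirm encryption is on and the rights string is what was intended.
Get-Label -Identity 'Confidential-Finance' |
    Format-List Name, EncryptionEnabled, EncryptionProtectionType, EncryptionRightsDefinitions
```

Multiple groups or users are separated with a semicolon in the rights string (identity:rights;identity:rights), which is how a read-only audience can be added beside the editing group.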
Sensitivity labels can be applied manually by users through the Microsoft 365 Enterprise Apps, a web browser, or the Unified Labelling Client for Windows. However, having users manually label documents can be time consuming or lead to a large subset of data that is not classified. Documents can instead be labelled automatically when stored within SharePoint, OneDrive, email, and on-premises file shares.
Labels can be applied to more than just files; they can also be applied to email, SharePoint sites, Teams, Microsoft 365 Groups, Teams meetings and chats, Power BI, and even extend to third-party storage solutions such as Box or Salesforce.
When integrated with Microsoft Entra and Microsoft Defender for Cloud Apps, we can use sensitivity labels to restrict what access users have to files. Based on which label is applied, we can allow full access from a corporate managed device but, on a personal device, prevent users from printing or using Save As. Alternatively, we may allow access to public files from any device, but only allow access to a file containing sensitive information from a managed endpoint. It can be an immensely powerful tool for improving the user working experience whilst still securing and protecting your data. And as the encryption and label configuration are stored within the document, there is no need to manage the personal endpoints to protect your data.
Sensitive Information – Discover and Prevent Data Loss
Management of sensitive information is important. Year in, year out, we see organisations being fined for the mishandling of sensitive information. Sensitive information can be anything from financial data, account numbers and credit card numbers to Personally Identifiable Information (PII) such as passport or NHS numbers. It can also include information that is sensitive to your organisation, such as contract numbers or customer numbers.
Sensitive information tends to have a bit more of a restriction on how it is managed and shared with external parties. And for many regulations, such as The Data Protection Act, you need to show you are doing all you can to protect it, especially if it is Personal Information. Microsoft Purview provides Data Loss Prevention (DLP) for you to detect and prevent sensitive information from leaving your organisation.
DLP can be configured across Microsoft 365, including SharePoint, OneDrive, email, Teams, Endpoints, Power BI workspaces and on-premises storage too. However, what DLP can be applied to depends on the licenses you have available:
- DLP in Office 365, such as email and SharePoint/OneDrive is available with an Office 365 E3 license.
- DLP for Microsoft Teams requires an Office 365 E5 step up or Microsoft 365 E5: Information Protection and Governance license.
- Endpoint DLP, on-premises storage DLP and DLP for Power BI workspaces require a Microsoft 365 E5: Information Protection and Governance license.
DLP policies can be enormously powerful in preventing the loss of data. They can be configured to block certain actions, such as preventing content with sensitive information from being shared with external parties, or to audit activities on an endpoint once certain conditions have been met. A lighter touch would be to configure policy tips or alerts when certain conditions are met. This could prevent a user from sharing a document containing credit card details, or notify the Security team for review once it has happened.
DLP policies are especially useful when looking to detect and protect sensitive information and, in my opinion, should at least be configured for notifications and policy tips, so that you are aware of any activity that should not be happening and can remediate it quickly if necessary.
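The notifications-first baseline described above, as an added example that is not part of the original article: a DLP policy scoped to Exchange, SharePoint and OneDrive that starts in test mode with policy tips and incident reports for credit card numbers shared externally, and is only switched to blocking once the test phase has confirmed the matches. The policy and rule names, the reporting mailbox and the sample text are placeholders; it assumes the ExchangeOnlineManagement module and a role that can manage DLP.

```powershell
# Added example, not the article's own configuration. Placeholder names throughout.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell (Purview)

# Step 0 (check): confirm the built-in sensitive info type fires on a constructed sample
# before relying on it. 4111 1111 1111 1111 is a Luhn-valid test number, not a real card.
Test-DataClassification -ClassificationNames 'Credit Card Number' `
    -TextToClassify 'Card number 4111 1111 1111 1111, expiry 12/27, CVV on file.'

# Step 1: policy in TestWithNotifications mode. Users see policy tips and the Security
# team gets incident reports, but nothing is blocked yet (the "lighter touch" above).
New-DlpCompliancePolicy -Name 'Credit Card External Sharing' `
    -Comment 'Detect payment card data shared outside the organisation' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Step 2: the rule. Condition = at least one credit card number AND the content is
# shared with someone outside the organisation. Actions = policy tip + incident report.
New-DlpComplianceRule -Name 'Credit Card - external - notify' `
    -Policy 'Credit Card External Sharing' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains credit card numbers and must not be shared outside the organisation.' `
    -GenerateIncidentReport 'secops@contoso.example' `
    -IncidentReportContent Detections, DocumentAuthor, Service, Title `
    -ReportSeverityLevel High

# Step 3 (after reviewing the test-mode reports): add the block action for external
# recipients and turn enforcement on. Internal collaboration is unaffected because the
# rule only matches when the access scope is outside the organisation.
Set-DlpComplianceRule -Identity 'Credit Card - external - notify' -BlockAccess $true
Set-DlpCompliancePolicy -Identity 'Credit Card External Sharing' -Mode Enable

# Check: the rule should now show BlockAccess True and the policy Mode Enable.
Get-DlpComplianceRule -Identity 'Credit Card - external - notify' | Format-List Name, BlockAccess, AccessScope
Get-DlpCompliancePolicy -Identity 'Credit Card External Sharing' | Format-List Name, Mode
```

Teams, endpoint and on-premises locations are added with the corresponding location parameters on the policy, subject to the licensing listed above.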
Insider Risks – Protecting you from you
One potential area of attack that may not be considered is the inside. Let us say an account has been compromised, or someone is simply unhappy and decides to perform some unsavoury actions…such as sharing a load of files containing sensitive information externally. We should be able to detect these potential risks and restrict access. Insider Risk Management in Purview can help us achieve that.
Insider Risk Management comes with templated policies that can be enabled based on triggering events. When these events are detected, alerts can be generated for investigation. Example policies include data leaks, data leaks by priority users, security policy violations and risky browser usage. Some of these policies rely on integration with other services, such as Defender for Endpoint, to work.
One interesting concept (currently in preview) is to connect to an HR system to understand when users will be leaving. People leaving an organisation, especially on bad terms, could be tempted to exfiltrate data. This information can be used in some policies to monitor leavers' activities and generate alerts if a risk is detected.
If an alert is raised, you can perform triage and further investigation, and act on it, all within the Compliance portal.
Another service worth considering is Communication Compliance. This feature can help to protect sensitive data within communication tools such as email and Microsoft Teams conversations and channels. It also helps to capture inappropriate messages, such as threatening language.
Insider Risk Management requires a minimum of a Microsoft 365 E5: Insider Risk Management license, which is included in the M365 E5 and M365 E5 Compliance subscriptions.
These are some of the areas in which Microsoft Purview can help secure your data and integrate with the Microsoft Security stack. Purview has more to offer and can help with the Compliance and Legal regulations that you need to adhere to, but in terms of security, these are the core components.
The next, and final, post in this series is on Microsoft Priva. This service provides you with the ability to protect your data against privacy risks and help manage Subject Rights Requests.