8. Data Loss Prevention

Career stage: One of the final projects I ran as a consultant, which included frequent travel across the United States to help implement data security in a large and complex organization. During this project I reflected on the experience I gained during my time in the military, back in the 1990s. As a Naval communications specialist, I learnt all about encryption and the importance of correct data classification. It was a bit more manual back then: we would use rubber ink stamps and color-coded envelopes to ensure clear identification of classified documents that were only to be seen by specific personnel. Those military practices are now proliferating in the corporate world as more and more companies realize the importance of information classification and stronger data security controls.

Challenge: This customer had engaged with multiple consulting companies to assist them with their Data Loss Prevention (DLP) project. After several months of work, they had produced documentation that clearly stated their intent, policy, and most importantly, a label taxonomy. This label taxonomy is one of the first difficult steps in the project because it can take time for each department across the organization to agree on what to call the labels that every employee should see and use, and those which should only be seen and used by specific groups. In the end, they had agreed on 375 labels.

What this work didn't provide was a detailed understanding of what really constitutes sensitive data, how to find it in existing and new data, then what to do once it is discovered. This type of project is both fun and mundane, impactful, and thankless, yet every organization needs to do it if they want to prevent ransomware and data theft. If you don't know where your sensitive data is being stored and how it is being used, you cannot put sufficient controls in place to protect it, or even detect if it is being attacked.

My team and I were assigned to this project because we had the expert skills in the technologies required to complete the work: implementing the labelling taxonomy, scanning all existing data stores for sensitive data types, and applying a metadata label to the digital documents for later identification and control.

The discovery and inventory of all the data a company has ever generated is a lot of work to carry out. It requires that each file server, SharePoint server, and email account be scanned against a list of known sensitive data types. This can lead to issues with permissions, where someone has restricted access so that sub-folders cannot be scanned, and to false positives, where data is flagged but is not actually sensitive. Here is an example of what a complex labelling structure might look like, along with some representation of the types of sensitive data to look for:

Image 1: On the left there is a colored scale from 1 at the top to 10 at the bottom. Next are the labels, starting with the least restrictive at the top and moving down the scale as they become more restrictive. On the far right are boxes explaining the restrictions for each label type.

If done well, a company will discover all kinds of hidden information about the way their systems are configured, who handles the most sensitive data, and any potential gaps in their security controls as they learn how that data is accessed and used. Companies may choose to scan just once to take the inventory, or they may implement ongoing scanning to ensure all changes are captured, reported, and controlled.
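As an added illustration of the discovery step described above (example code written for this page, not the project's or Microsoft Purview's own), here is a small Python scanner that walks a data store, matches two constructed sensitive information types, validates each hit to cut false positives (a Luhn check for card numbers), records the sub-folders and files it could not read instead of silently skipping them, and maps the strongest hit to a constructed fragment of a label taxonomy. The type definitions, label names and sample files are all constructed for the example.

```python
import os
import re
import tempfile

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit strings that merely look like card numbers."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

# Constructed sensitive information types: a regex plus a validator that cuts false positives.
SENSITIVE_TYPES = {
    "Credit Card Number": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), lambda s: luhn_ok(re.sub(r"\D", "", s))),
    "US SSN": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), lambda s: True),
}
# Constructed taxonomy fragment: (rank, label) per type; the highest rank wins when a file has several.
LABEL_FOR_TYPE = {"Credit Card Number": (2, "Confidential - Financial"),
                  "US SSN": (3, "Highly Confidential - Personal")}

def classify_text(text: str):
    """Return (label or None, {type: validated hit count}) for one document's text."""
    hits = {name: sum(1 for m in pat.finditer(text) if ok(m.group(0)))
            for name, (pat, ok) in SENSITIVE_TYPES.items()}
    hits = {n: c for n, c in hits.items() if c}
    if not hits:
        return None, hits
    return max((LABEL_FOR_TYPE[n] for n in hits), key=lambda r: r[0])[1], hits

def scan_tree(root: str):
    """Walk a data store; return {path: (label, hits)} and the paths the scanner could not read."""
    labelled, denied = {}, []
    walker = os.walk(root, onerror=lambda e: denied.append(e.filename))  # unreadable sub-folders
    for path in (os.path.join(d, f) for d, _, files in walker for f in files):
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                label, hits = classify_text(fh.read())
        except PermissionError:
            denied.append(path)  # report it: an unscanned file is a gap in the inventory
            continue
        if label:
            labelled[path] = (label, hits)
    return labelled, denied

def build_sample_tree() -> str:
    """Constructed sample data store so the scanner can be run stand-alone."""
    root = tempfile.mkdtemp(prefix="dlp-sample-")
    with open(os.path.join(root, "cards.txt"), "w") as fh:
        fh.write("Card on file: 4111 1111 1111 1111\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Ticket 1234 5678 9012 3456 is not a card number\n")
    return root
```

The `denied` list is the part a real inventory report must not drop: every path in it is data that was never classified.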

The end result was the discovery of over 60,000 individual documents that were marked with sensitivity labels.

This customer's IT administrators and security team were keen to keep this project restricted to their small group of experts, as they wanted to manage the communications to the business. They did have a good scenario for sensitive information types: IT Security Investigations. This type of data is created when a security alert fires, and the team may have to work across their HR and Legal departments as they investigate a potential insider risk, the loss of sensitive data, or the compromise of their systems. The information must remain confidential to a small group of users and must also have a preconfigured data retention period to prevent accidental or purposeful deletion.

Whilst I could understand the need to control communications, I always recommend that more departments be involved in the planning and design of these systems because they will be directly impacted. It is also wise to find a few key scenarios that can be secured end to end quickly, instead of trying to roll out the system to the whole company, which might take multiple years to complete.

We invited some business representatives to one of the final presentations where we showcased the capabilities of the system, now that we had the customer's data discovered and labelled. Two key scenarios came out of this meeting, both of which came from the business, not from the IT or Security teams:

  1. There was a need to send an email to their legal team and ensure it was handled in the strictest of confidence. This needed to be automated to prevent any accidental mishandling of sensitive information in the email, including forwarding to other recipients or adding others to the To or Cc line during the reply. There is a very simple action in Microsoft Outlook that can achieve this, called "Do Not Forward": by clicking on this single button, the sender could ensure that only the original recipients could see the email and reply to each other only. The email is encrypted end to end, preventing any option to copy and paste, print, or show via screen share.
  2. One of the departments was involved in procurement exercises where they needed to keep vendor bids confidential from each other, and confidential between specific groups within the business. The current method of handling this confidentiality was to force every vendor to submit their bids on a CD. This CD would be stored in a physically locked desk and only viewed on a specific PC in their office, then locked away again on completion. This offline storage of data prevented many of the common security and backup practices, but it was the only way they could have confidence that it wasn't going to be accessed by the wrong person. Once we explained how the labelling and DLP rules worked across all Microsoft Office products, from the time a document was sent via email to the time it was stored in SharePoint or viewed within any Office product, the procurement person was very pleased to hear they might be able to improve their efficiency whilst also increasing their security.

When we wrapped up the project, we showed the results to the customer's senior leadership team for feedback. They were impressed by the capabilities of the tools, surprised by the findings of some sensitive data types, and had just one question for the team: "So, does this mean our data is now protected?" Unfortunately, the answer was no. The scope of the project (before we even joined in to help complete the work) was to discover and label sensitive data. Implementing any controls to prevent mishandling and abuse of the data would take a few more steps, and many months or years of training and change management. Enforcing DLP rules has the potential to block some business productivity if implemented incorrectly. By taking one small scenario at a time, and fixing real-life security issues, the project can show its value day by day and continue to justify the investment in both the technology and the consultants hired to implement it.

What I Learnt: Setting clear expectations early on limits misunderstanding later. Data security relies on everyone being aware of what is sensitive and valuable to the business (insert link to paperclips and diamonds quote). Data labelling is critical but means nothing without the implementation of DLP controls across all systems.

I also remember another lesson learnt on a different Data Classification project: Data security is affected by the organization's culture. The leadership needs to make a choice between the following two principles and let that guide all future decisions about data:

  • Data is secure by default: When data is secure by default, access is specifically granted on a need-to-know basis. This may be seen as the most secure option, but misconfiguration and stale permissions can still grant unwanted access rights. This option also limits collaboration across working groups, and the discoverability of data must be enabled through other data publishing options.

  • Data is open by default: When data is open by default, it is easier for individuals and groups within the organization to find interesting information, which encourages cross-group collaboration. This is especially useful as more systems like Microsoft Delve, and in future AI-integrated search, become ubiquitous. Because data is open by default, any data that should not be openly available is specifically secured by the data owners, usually at the group level that knows which data they can make open and which they must secure (legal, financial, personal, etc.).

You can learn more about sensitivity labels in the Microsoft Purview Information Protection Ninja Training.

Join me next time as we see "The writing is on the wall".

David Caddick

Senior Security Specialist at Microsoft - aka.ms/gsd = Get Security Deployed

1 year

375 labels?
