Microsoft Purview Information Protection and Data Loss Prevention: Block Email Attachments with specific sensitivity Labels
Overview
In my previous article titled "Zero Trust Deployment Plan with Microsoft 365", I discussed the implementation of Zero Trust with Microsoft 365. We saw that the final level of Zero Trust is Data Protection and Governance, which can be achieved with the Microsoft security products Purview and Priva. Now, let's learn together what Microsoft Purview is and how it supports Zero Trust with Data Protection and Governance. At the end, I will also demonstrate one of the most commonly requested scenarios with Microsoft Information Protection and Data Loss Prevention.
Microsoft Purview
According to Microsoft, Microsoft Purview is a set of tools that help you keep track of all the information your organization collects, protect it from hackers or leaks, and make sure you follow all the rules and regulations that apply to your data. This is especially important now that more people work remotely, and data is stored in different places.
Once you have enabled at least the default required configuration, the Microsoft Purview portal (Compliance.microsoft.com) home page shows basic alerts and recommendations.
Previously, there were two separate sets of tools, Azure Purview and Microsoft 365 Compliance, for managing data in Microsoft Azure and Microsoft 365. Now they have been combined under one brand called Microsoft Purview.
The new brand name Microsoft Purview helps manage these different platforms through two main categories of solutions.
Today I will focus on Information Protection and Data Loss Prevention, which are part of "Risk & Compliance". Before that, I want to give a brief description of both "Risk & Compliance" and "Unified Data Governance".
Microsoft Purview Risk and compliance solutions
First, there are "Risk & Compliance" solutions that help manage data specifically in Microsoft 365 environments. This means that the tools are designed to work with data that is stored and used within Microsoft 365 applications and services (for example: Microsoft Teams, SharePoint, OneDrive, Exchange). Microsoft Purview's Risk and Compliance Solutions are aimed at managing, monitoring, and protecting information while reducing risks and ensuring compliance with regulations.
Solutions:
- Insider risk management
- Communication Compliance
- Information Protection
- Data Loss Prevention
- Information Barriers
- Record Management
- Audit
- eDiscovery
More info about Risk & Compliance
Microsoft Purview unified data governance solutions
Secondly, there is "Unified Data Governance", which is focused on managing data across different infrastructures such as on-premises, cloud, and software-as-a-service (SaaS) applications. This means that the tools are more flexible and can work with data that is stored in different places, regardless of whether or not it is part of the Microsoft ecosystem (for example: Azure Storage, Power BI, SQL DB, Amazon S3 file services).
Microsoft Purview Key Solutions in the governance portal:
- Data Map
- Data Catalog
- Data Sharing
- Data Policy
- Data Estate
More Info about Unified Data Governance
Microsoft Information Protection - Sensitivity Labels
Microsoft Information Protection (MIP) is a set of tools and technologies that help organizations to classify, label, and protect sensitive information in emails, documents, and other digital assets.
License Requirements:
Microsoft Purview Information Protection is a key solution included in the Microsoft 365 E5 Compliance suite; its capabilities and features are also included in the Microsoft 365 E5 license.
The MIP Framework for Microsoft Purview provides a structured approach to managing data in an organization.
This framework aims to help organizations effectively manage and secure their data assets.
Know your data:
This step involves discovering, classifying, and cataloging your data to gain a better understanding of its sensitivity and value. This includes identifying where data resides, who has access to it, and how it is being used. By understanding your data, you can develop appropriate policies and procedures for managing and protecting it and prioritize resources accordingly.
Protect your data:
In this step, you apply appropriate security measures to protect sensitive data. This can include access controls, encryption, data loss prevention, and other technologies and techniques. It also involves educating employees on the importance of protecting data and how to handle it securely. Protecting your data helps prevent unauthorized access, theft, and other threats.
Prevent data loss:
Microsoft Purview – Data Loss Prevention
This step involves monitoring and auditing data usage to identify and prevent unauthorized access, sharing, or leakage of sensitive information. This can include analyzing user behavior and activity, implementing data loss prevention technologies, and conducting regular security assessments. By preventing data loss, you can help ensure compliance with regulations and protect your organization from reputational damage and financial losses.
More information about Information Protection
Secure data with Zero Trust
As I said before in my earlier post on Zero Trust using Microsoft 365, a Zero Trust setup has several parts:
Identity > Application > Data > Infrastructure > Networks > Visibility, Automation
The first three steps of protecting data with Information Protection are knowing your data, protecting your data, and preventing data loss. Additionally, there is one more step:
Monitor and Remediate
Continuously keeping an eye on sensitive data can help you spot any policy violations or risky user behavior. This way, you can take appropriate action, such as revoking access, blocking users, or refining your protection policies.
Once we understand and classify our data and sensitive content, we can take several steps.
The following Information Protection features are available for protecting sensitive data:
- Policies for blocking or removing emails, attachments, or documents
- Audit, reporting and monitoring (for example, tracking data movement inside and outside the organization)
- Encrypt files with labels and restrict access
- Automation for Labeling classification with Policies
Test Scenario: Block Email Attachments with Sensitive Data
You can use Microsoft Information Protection together with Data Loss Prevention policies to block email attachments that carry sensitivity labels.
Following the framework described above, we must first know and classify our sensitive data.
How to create and deploy sensitivity Labels with Microsoft Purview
You can find Sensitivity Labels in the Microsoft Purview portal under Information Protection.
Sensitivity Labels
You can use one of the default labels, create your own custom labels, or use auto-labeling for files and emails based on Sensitive Info Types. In the Microsoft Purview portal you can find many built-in "Sensitive Info Types" such as credit card numbers, tax IDs, and bank accounts. You can also create your own "Sensitive Info Types" to define your data with custom patterns.
In this demonstration, I will continue with the existing Confidential label and create a label policy for it.
Label Policy
After you've established your sensitivity labels, you can create a policy for the label. The policy can publish the labels to a group of users or to all users. The users then have to always apply a label to documents or emails.
Publish the label policy and assign it to the required users or groups. Configure the policy settings as illustrated.
Data Loss Prevention Policy
We have defined, classified, and labeled our sensitive data, and it is now time to protect and prevent it based on our specific scenario. A Data Loss Prevention (DLP) policy can assist in safeguarding confidential information and implementing centralized actions when data of a matching sensitive type is detected in the system.
In the portal, navigate to the Data Loss Prevention section to see an overview with interactive information about the sensitive data within your organization.
Create a DLP Policy to Block Email Attachments
Define the name and description, then choose Exchange email as the location.
Create a new rule and configure it in accordance with the following instructions:
Turn on Policy and Submit
New Policy is Ready and Active
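The same label policy and DLP policy can be created from Security & Compliance PowerShell instead of the portal. The script below is an added example written for this article, not the author's own configuration: it publishes the existing Confidential label to the Sales Team with mandatory labeling, creates an Exchange-only DLP policy, and adds a rule that blocks mail whose body or attachment carries the Confidential label when a recipient is outside the organization. The group address, policy and rule names are placeholders I chose; the `mandatory` key of the label policy `-Settings` hashtable is taken from the cmdlet documentation as I remember it and should be verified against the current docs before use. The policy is created in test mode with notifications first, so that hits can be reviewed before enforcement is switched on.

```powershell
# Added example (not from the original article). Requires the
# ExchangeOnlineManagement module and a role that can manage compliance policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

$labelName  = "Confidential"                          # existing built-in label used in the article
$salesGroup = "sales-team@contoso.example"            # assumed mail-enabled group for the Sales Team
$labelPolicy = "Sales Team label policy"              # assumed name
$policyName = "Block labeled attachments - external"  # assumed name
$ruleName   = "Block Confidential to external recipients"

# 1. Label policy: publish the label to the Sales Team and require a label
#    on documents and emails (the "mandatory" setting shown in the portal;
#    key name assumed from the New-LabelPolicy docs, verify before use).
if (-not (Get-LabelPolicy -Identity $labelPolicy -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $labelPolicy `
        -Labels $labelName `
        -ExchangeLocation $salesGroup `
        -Settings @{ mandatory = "true" }
}

# 2. DLP policy scoped to Exchange only, as in the article. Start in test mode
#    with notifications so users see policy tips but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block email attachments carrying the Confidential sensitivity label" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 3. Rule condition: content (email body or attachment) carries the
#    Confidential sensitivity label. The label is referenced by name and
#    type "Sensitivity" inside the ContentContainsSensitiveInformation structure.
$labelCondition = @(
    @{
        operator = "And"
        groups   = @(
            @{
                operator = "Or"
                name     = "Labeled content"
                labels   = @( @{ name = $labelName; type = "Sensitivity" } )
            }
        )
    }
)

# AccessScope NotInOrganization limits the rule to external recipients, which
# is the "send to an outside organization" case in the article. The sender
# (LastModifier) gets the policy tip; an incident report goes to the site admin.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser @("LastModifier") `
    -NotifyPolicyTipCustomText "Attachments labeled Confidential cannot be sent outside the organization." `
    -GenerateIncidentReport @("SiteAdmin") `
    -IncidentReportContent "Default"

# 4. Review the rule, then switch the policy from test to enforce once the
#    matches in the DLP reports look right.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Policy, AccessScope, BlockAccess, NotifyUser

Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in `TestWithNotifications` for a few days before the final `Set-DlpCompliancePolicy -Mode Enable` is the practical check: the DLP activity reports show which messages would have been blocked, so a label that was applied too broadly surfaces before legitimate mail is stopped.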
Proof Scenario with End User
When a Sales Team user (I applied the policy to the Sales Team) opens a new document, they are required to apply a label.
The user gets a block notification when trying to send a document with a sensitivity label to an outside organization.
Conclusion
I attempted to provide general information about data protection using Microsoft Purview and tested the "block attachment from being sent with a sensitivity label" scenario. The DLP policy illustration shows that there are various types of locations where DLP policies can be applied. In this example, the policy was applied only to emails. Additionally, both DLP policies and sensitivity labels can be used with Microsoft Defender for Cloud Apps.