
Making sense of the many DLP options for Microsoft 365

One of my readers wrote to me recently about an article that I penned a couple of years ago, on the topic of Data Loss Prevention in Microsoft 365. They pointed out that my breakdown was a bit dated now, and that the Microsoft universe seems to have become more complicated since then.

I suppose that’s true in some ways. I think some of this confusion was multiplied by the fact that many (if not all) of these products have new names now, such as the recent rebranding of the “compliance-related” features to Microsoft Purview. The other confusion points tend to revolve around licensing: “What is included in my subscription, and what requires an upgrade?”

I wonder if I can help those who are seeking clarity by taking another stab at this from a slightly different perspective.

There are many different risks associated with data leakage and/or loss of data. Each risk has a different set of possible mitigations, and most of the time we can find a solution within Microsoft 365. In fact, sometimes there is more than one technology solution in this suite of tools which could help us to address a particular area of concern. Let us examine a few common risk concerns that businesses may have, and apply the Microsoft 365 features that best help us to address these concerns. I will also highlight the features that require a full E5 subscription, versus the more common Business Premium or E3 that we tend to see in the SMB space.

Concern #1: Loss or theft of a device with access to corporate data

This is the first concern I normally ask small businesses to address. If a device were to fall into the wrong hands, wouldn’t you want to be able to wipe the corporate data from it? There are several solutions to this problem.

The first is App protection policies (a.k.a. MAM policies). This would be the minimum recommended mitigation for most small businesses, and more specifically with regard to personally owned iOS and Android devices. Although these policies are also available for Windows devices, it is more difficult for me to recommend this option (for Windows, this turns on a feature known as Windows Information Protection, which ends up being a difficult user experience for most people).

We will soon have a new App protection policy for the Edge browser on Windows; when combined with a Conditional Access policy, this would allow us to grant access on personal Windows devices via the Edge browser (using a corporate profile), while blocking access from client applications such as Outlook or the OneDrive sync client. Therefore, no company data would persist on the device itself. You can already accomplish a similar outcome using something called Conditional Access App Enforced Restrictions, which enforces ‘limited web access’ where downloads are prohibited on unmanaged devices, and this works on any device platform or browser.

Another option that I generally recommend is requiring devices to be enrolled and compliant with corporate policies in order to gain access to corporate data in the cloud. This is accomplished with a combination of Compliance policies and Conditional Access policies. I always require this at least for Company-owned devices, but this can be made mandatory for personal devices as well if you prefer. This way, not only do you have remote wipe capability over the device, but you can enforce specific rules and settings as well, including rules to reduce other risks such as malware, for example, by deploying Microsoft Defender policies like Antivirus, Attack Surface Reduction, and Endpoint Detection & Response (at which point you are addressing risks well beyond data loss).

Controlling access to corporate data on managed and unmanaged devices can be accomplished with Business Premium or E3 subscriptions, but if you happen to have E5, some additional scenarios open up, for example risk-based Conditional Access policies that apply certain restrictions only when sign-in or user risk is detected (these depend on Azure AD Identity Protection, part of the Azure AD Premium P2 license that E5 includes).
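The two controls described above (native client apps only from an enrolled, compliant device; browser access from anything else limited to “web only, no download”) as an added example in Microsoft Graph PowerShell. This is not code from the original post. It assumes the Microsoft.Graph and SharePoint Online modules are installed, the account holds Conditional Access Administrator and SharePoint Administrator rights, and a break-glass exclusion group exists; the group name, policy names and tenant admin URL are placeholders. Both policies are created in report-only mode so the sign-in log can be reviewed before anything is enforced.

```powershell
# Added example (not from the original post). Creates the two Conditional Access
# policies discussed above, in report-only mode. Assumptions: Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules installed; the break-glass group,
# policy names and tenant URL below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumption: an emergency-access group that must never be caught by these policies.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before deploying policies." }

# Policy 1: Outlook, OneDrive sync, Office and Teams desktop/mobile clients may reach
# Office 365 only from an Intune-compliant device. Enrollment is what gives you
# remote wipe. For personal iOS/Android with MAM instead of enrollment, swap
# "compliantDevice" for "compliantApplication" (require app protection policy).
$requireCompliant = @{
    displayName = "CA01 - Require compliant device for Office 365 client apps"
    state       = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant

# Policy 2: browser sessions from devices that are NOT compliant get "limited web
# access". Exchange Online and SharePoint/OneDrive honour the session control by
# disabling download, print and sync, so nothing persists on the unmanaged device.
$limitedWeb = @{
    displayName = "CA02 - Limited web access on unmanaged devices"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{ deviceFilter = @{ mode = "exclude"; rule = 'device.isCompliant -eq True' } }
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $limitedWeb

# The session control does nothing until SharePoint Online is told to honour it
# (Exchange Online reads the same tenant signal). Tenant admin URL is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

The order matters when you go live: enable CA01 first, confirm that enrolled devices still sign in, then enable CA02. If you enable CA02 without the `Set-SPOTenant` step, unmanaged browsers get full access and the report-only log will not tell you.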

Concern #2: Oversharing of sensitive information stored in the Organization

Some types of information should not be shared externally, or at least not widely outside the walls of the Organization. For example, Social Security Numbers and other Personally Identifiable Information (PII) are considered sensitive information which should be shared more carefully. The same can be said for financial information like credit cards, bank account numbers, and so on. Sometimes these information types are even regulated by law, whether local, state, or federal/nation-wide.

To address concerns with handling sensitive information within the Microsoft 365 service, we can write rules using Microsoft Purview Data Loss Prevention that help us monitor and govern how these data types are shared and sent outside the Organization. In most subscriptions (e.g. Business Premium, E3) this includes common services like email and file sharing, meaning we can have rules which are triggered when sending emails or sharing links out of OneDrive or SharePoint. With an E5 subscription we gain rules for additional services such as Teams chat and channel messages, and even on-premises file servers.

Usually the rules we write cover common scenarios such as notifying an administrator when something sensitive has been shared, or filing an incident report. We can also take actions that automatically encrypt emails containing sensitive info, or block certain types of data from being shared at all. Any of these rules can be accompanied by notifications or “policy tips,” which display a warning to the end user when sensitive information is being shared in a way that triggers the rule. A good habit is to deploy a new policy in test mode first (policy tips and reports only), review the matches for false positives, and only then switch on blocking.

Concern #3: Movement of sensitive data from a device to an unapproved app or location

This is sort of a sub-concern of #2 above. Sometimes organizations will want to prevent the movement of certain sensitive data types on an endpoint, for example, to prevent sensitive information from being copied off to a USB storage device, or printed to a network printer, or uploaded to an unapproved cloud service.

For these types of rules, App protection policies can once again come to the rescue. I normally turn these features on for iOS & Android devices, and, as I mentioned before, Windows Information Protection is available as an option too, but I generally shy away from implementation of WIP for various reasons. Within all of these policies, we have the ability to block copy/paste and save to unmanaged apps and storage locations. Sort of like an “Endpoint DLP Lite.”

And that brings us to the “Premium” E5 subscription: here Microsoft offers Endpoint DLP, which brings some more granular DLP controls down to Windows devices only, and these can even be extended to Google’s Chrome browser using the Microsoft Purview Extension (note: all of this is still included under the umbrella of Microsoft Purview DLP, but again you need an E5 subscription to unlock it).
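Concerns #2 and #3 together, as an added example in Security & Compliance PowerShell (not code from the original post): one Purview DLP policy on the Business Premium / E3 workloads with a “warn on a little, block on a lot” pair of rules, then the E5-only step that extends the same policy to Windows endpoints with USB, print and cloud-upload restrictions. It assumes the ExchangeOnlineManagement module, the Compliance Administrator role, and that endpoints are already onboarded; the policy and rule names, alert mailbox, thresholds and the contoso.com domain are placeholders. The endpoint restriction setting names are the ones documented for the `-EndpointDlpRestrictions` parameter; check `Get-Help New-DlpComplianceRule -Parameter EndpointDlpRestrictions` in your tenant for the current list.

```powershell
# Added example (not from the original post). Builds one Purview DLP policy for
# sensitive data leaving the organisation, then (E5 only) an Endpoint DLP rule.
# Assumptions: ExchangeOnlineManagement module, Compliance Administrator role;
# names, addresses, thresholds and the domain are placeholders.
Connect-IPPSSession   # Security & Compliance PowerShell

# Policy scoped to the workloads included with Business Premium / E3. Start in
# TestWithNotifications: users see policy tips and admins get reports, nothing is blocked.
New-DlpCompliancePolicy -Name "PII - External sharing" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications -Comment "Added example; review reports before enabling"

# Built-in sensitive information types (SITs); names must match the display names exactly.
$pii = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Credit Card Number";                minCount = "1" }
)

# Rule 1: a small amount of PII sent outside the org -> policy tip to the user,
# incident report to the alert mailbox, but the user may proceed.
New-DlpComplianceRule -Name "PII low volume - warn" -Policy "PII - External sharing" `
    -ContentContainsSensitiveInformation $pii -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains personal data. Check the recipient before sending." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity `
    -ReportSeverityLevel Low

# Rule 2: the same SITs in volume -> block external access; override allowed only
# with a business justification, which lands in the incident report.
# (-EncryptRMSTemplate "Encrypt" is the email-encryption action; it applies to
#  Exchange only, so use it in a rule whose policy is scoped to Exchange.)
$piiBulk = $pii | ForEach-Object { @{ Name = $_.Name; minCount = "10" } }
New-DlpComplianceRule -Name "PII high volume - block" -Policy "PII - External sharing" `
    -ContentContainsSensitiveInformation $piiBulk -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "dlp-alerts@contoso.com" -ReportSeverityLevel High

# --- E5 only from here: extend the same policy to Windows endpoints ---
# Adds the Devices location; devices must be onboarded to Purview / Defender first.
Set-DlpCompliancePolicy -Identity "PII - External sharing" -AddEndpointDlpLocation All

New-DlpComplianceRule -Name "PII on endpoints - restrict egress" -Policy "PII - External sharing" `
    -ContentContainsSensitiveInformation $pii `
    -EndpointDlpRestrictions @(
        @{ Setting = "RemovableMedia"; Value = "Block" },   # copy to USB storage
        @{ Setting = "Print";          Value = "Warn"  },   # user can override with justification
        @{ Setting = "CloudEgress";    Value = "Block" },   # upload to unapproved cloud services
        @{ Setting = "CopyPaste";      Value = "Audit" }    # log only
    ) -NotifyUser Owner

# Review what was built; switch the policy to -Mode Enable once the reports look right.
Get-DlpComplianceRule -Policy "PII - External sharing" | Format-Table Name, AccessScope, BlockAccess
```

Two thresholds in two rules is the usual shape because a single rule cannot both warn and block: rule ordering and `minCount` decide which one fires, and the incident report from the warn rule is what tells you whether the block threshold is set sensibly before you leave test mode.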

Concern #4: Control of sensitive information once it leaves the Organization

There are cases when sensitive information needs to be sent or shared beyond the boundaries of the organization. And in these cases, we want to ensure the data can still enjoy some protection once it moves beyond our control, to an unmanaged device for example, or to an outside party.

The flagship solution in this space is Sensitivity Labels (part of Microsoft Purview Information Protection). Sensitivity labels can have a lot of different powers attached to them. Sometimes they do nothing more than mark a file visually with something like a header, footer, or watermark. In other cases, we may want to apply encryption, so that the recipient of the file or email message will need to sign in before they can read or work with the information. Encryption can also be accompanied by permissions that restrict certain capabilities (for instance, we can prevent exporting or printing the data).

Other powers include being able to restrict certain sites or groups (including Teams) with rules like, “Unmanaged devices cannot download, print or sync the contents of this site.” Further, Sensitivity labels can be used as a condition when writing our rules in Microsoft Purview DLP.

Finally, it is possible to automate the application of Sensitivity labels under various circumstances. For instance, we can scan for and label data at rest using auto-labeling policies. Otherwise, we may want to apply, or even just “recommend,” a certain label using the auto-labeling settings within the label itself. Or, only apply labels under specific conditions, such as when a file containing sensitive information is downloaded to an unmanaged device from a managed cloud application (including third-party apps like Box or Google); in this case we would need to layer on an additional solution, for example Microsoft Defender for Cloud Apps. Most of these auto-labeling capabilities will require the E5 subscription, of course, or another add-on which includes these features such as Microsoft 365 E5 Compliance.

Another “premium” auto-labeling feature (read: E5) includes the ability to use trainable classifiers to recognize information that you want labeled in a certain way. With this solution, you feed examples to Microsoft Purview so that it can “learn” what you consider sensitive data. This gives you some capability to move beyond the common preset information patterns like Passport Numbers, Social Security Numbers, Credit Card numbers, etc. that you get with the standard DLP features.
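The label lifecycle from Concern #4 as an added example in Security & Compliance PowerShell (not code from the original post): a “Confidential” label that marks and encrypts with rights that omit print and export, the policy that publishes it (manual labeling, available on Business Premium / E3), then the E5-only auto-labeling policy in simulation mode, and finally the label used as a DLP condition. It assumes the ExchangeOnlineManagement module and Compliance Administrator role, and that a DLP policy named “PII - External sharing” already exists for the last step; the label name, domains, marking text and the partner domain are placeholders.

```powershell
# Added example (not from the original post). Label + publish + (E5) auto-label +
# label as DLP condition. Assumptions: ExchangeOnlineManagement module, Compliance
# Administrator role, an existing DLP policy "PII - External sharing"; contoso.com,
# partner.example and all names are placeholders.
Connect-IPPSSession

# Rights string format: "<principal>:<RIGHT,RIGHT,...>;<principal>:...".
# Internal users can edit and reply; a named partner domain can view and reply only.
# PRINT and EXTRACT are deliberately absent, so nobody can print or copy the content out.
$rights = "contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL;" +
          "partner.example:VIEW,VIEWRIGHTSDATA,REPLY"

New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Internal use; may be shared with named partners, no print or export" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Confidential - contoso.com" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Publish the label to everyone so it shows up in the Office apps. Manual labeling
# stops here on Business Premium / E3; the next part is where E5 comes in.
New-LabelPolicy -Name "Global label policy" -Labels "Confidential" -ExchangeLocation All

# E5: service-side auto-labeling of data at rest and in transit. Simulation first:
# the policy reports what it *would* label; nothing is applied until -Mode Enable.
New-AutoSensitivityLabelPolicy -Name "Auto-label PCI" -ApplySensitivityLabel "Confidential" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name "Credit cards -> Confidential" -Policy "Auto-label PCI" `
    -Workload Exchange, SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "2" }

# The label as a DLP condition: block external sharing of anything carrying
# "Confidential", whatever the content inside. Assumes the DLP policy already exists.
New-DlpComplianceRule -Name "Confidential - no external sharing" -Policy "PII - External sharing" `
    -ContentContainsSensitiveInformation @(
        @{ operator = "And"; groups = @(
            @{ operator = "Or"; name = "Default";
               labels = @(@{ name = "Confidential"; type = "Sensitivity" }) }
        ) }
    ) `
    -AccessScope NotInOrganization -BlockAccess $true -NotifyUser Owner
```

Two things worth checking after running this: `Get-Label -Identity Confidential | Select-Object EncryptionRightsDefinitions` confirms the rights string was parsed as intended, and the auto-labeling simulation results in the Purview portal should be read before the policy is enabled, since a label that encrypts is far harder to undo at scale than one that only marks.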

Concern #5: Insider Risks

Some businesses may have a higher level of concern around insider risks such as:

  • Data theft by departing users
  • Data leaks by disgruntled users
  • Insider trading
  • Intellectual property (IP) theft
  • And more

Microsoft 365 E5 includes a Microsoft Purview solution called Insider Risk Management with several policy templates that can help you detect and take action on these types of events. This is an example of a more “advanced DLP” solution that also relies on additional components of E5 such as Microsoft Purview eDiscovery (Premium).

Since these are all dependent on more expensive subscriptions, most small businesses will choose to handle these risks in an alternative way. For example: by having a strict written policy, and leveraging the standard Microsoft Purview DLP rules to monitor or alert on the movement of sensitive data.

Conclusion

Here we presented a few examples of common risk concerns around data loss or leakage, and how each of these concerns can be addressed or mitigated using one or more possible technology solutions available within Microsoft 365. When you get into more advanced DLP scenarios, especially involving more automation, or control over third-party cloud apps, or insider risk management scenarios, etc., then we are talking about the more expensive Enterprise E5 subscription. The below table is an updated breakdown of the landscape today:

Table of risk concerns and solutions

I think this is a simpler summary, which is perhaps even easier to understand than what I previously published. I can’t say it is completely exhaustive, but it’s a pretty good overview of the most common risk concerns and the associated solutions that we tend to implement.

The post Making sense of the many DLP options for Microsoft 365 appeared first on ITProMentor.

A Sneak Peek at Application Management for Edge

This blog has been active for at least six years. To this day, I probably receive more questions about BYOD and the various options we have for management with regard to personal devices, than any other topic that I have written about. I think this just goes to show the types of challenges and questions that consultants and service providers face in the wild. It is also telling because I would have expected by now to see these types of questions taper off as the market “figured it out,” so to speak.

But we haven’t quite figured it out yet. Especially for Windows devices (ironically). Part of the problem, I think, is that we can approach the BYOD concerns in several different ways, so folks need help navigating their choices. While we have many tools available which can help us to enable BYOD experiences, unfortunately, every solution has its trade-offs. Some good, some not so good.

For example, take Windows Information Protection (a.k.a. MAM for Windows). This solution can be difficult to configure, and has a fairly large impact on user experience. Certainly it is not something you would casually roll out without some pretty decent planning and testing in advance, not to mention communication and expectation-setting with your user base. Plus, you’ll often find yourself doing maintenance tasks like updating your approved network locations and cloud resources list, so that certain websites can be considered “inside the corporate fence” and play well with all of your corporate-protected applications.

Adding new cloud apps to WIP

And even after all that effort, you’ll still notice some serious limitations and drawbacks to the solution. To make matters worse, it is my understanding that Microsoft is stepping away from further development on WIP; when I have asked them about possible improvements to the product, they have pointed me toward Endpoint DLP as an alternative (thanks but no thanks…it’s an E5 solution anyway).

Therefore, I generally recommend against WIP, and suggest that customers either block personal Windows device access outright, or use an alternative approach like requiring device enrollment and full management (which does open another can of worms) or settling for the “Limited web access” experience via Conditional Access / App enforced restrictions.

In short, no matter which path you walk down with regard to Windows devices, every option seems riddled with gotchas and caveats that put a sour taste in your mouth. (And may I just add that it is absolutely maddening that Windows–Microsoft’s own product–still has a less mature and less functional app management solution than iOS and Android? I mean MAM for mobile devices is awesome–so why does it still suck on Microsoft’s own OS?!)

Anyway, soon we will have another option, and this one looks more promising (fingers crossed). It’s called Application Management for Edge. I believe it was first announced publicly here. There was also a digital event where they teased a bit of this functionality in a short demo (see the 11:20 mark in the IT Management and Hybrid Work breakout). Some notes from my observations:

Notice the new policy type

First, we see in the demo that there will be a new App protection policy type in Endpoint Manager (Apps > App protection policies). It appears the current policy we have will be renamed to Windows Information Protection, and we will be given a new option called Windows.

You can only select Edge at first

Based on these screenshots from the demo, only the Edge app is going to be available at first, but I am hoping that in the future we will see other Microsoft 365 apps (for the desktop) added here as well, including Word, Excel, PowerPoint, Teams, etc. (I have no idea if this is true but it would be awesome if so).

In any event, being able to target the Edge browser has some important benefits. First, we can enable a better web access experience that is tied to a corporate Edge profile, rather than a pre-defined network boundary, where we have to add all of our “protected” websites and apps to a list in advance. Then, it appears we will have the ability to set Data protection boundaries between the corporate profile and personal profiles, just like we experience with App protection policies on mobile devices (and it is about time)!

Set boundaries on data flow

We even have Health checks, and I can see that Minimum OS version, as well as integration with Defender’s Max allowed device threat level, will be included from the start, so the threat level on the device can become a bar for access to corporate data.

Configure health checks

Once the policy is implemented, the end user experience looks pretty slick so far (and it doesn’t say this anywhere but I wonder if there is a Conditional Access policy requirement at play here as well, take a look and let me know what you think):

Access blocked from personal profile

When a user attempts to access a corporate resource such as email from a personal profile in Edge, they are blocked, and given an option to Switch Microsoft Edge profiles.

Sign in with the corporate profile

They sort of gloss over this prompt in the demo video, but when you sign in with a corporate profile, there appears to be an option to enroll your device in order to “Stay signed in to all your apps.” There is a checkbox here, “Allow my organization to manage my device.” Then at the bottom is an option “No, sign into this app only.” If you click OK without checking the box, I assume that would have the same effect as clicking the No… option.

Hopefully we will get an opportunity to remove this prompt entirely, in cases where we do not want users enrolling personal devices (I would suggest that blocking personal enrollment via device restrictions should automatically remove this screen from the end user’s view, but I suspect that it would still remain, so the end user who is restricted from enrolling could get an error if they attempt to check the box–we’ll see if Microsoft is smart enough to improve this flow before it is released to Public preview).

Health checks complete

We can see that the health checks have passed, the policies have applied, and the profile is now available on the device.

Notice the corporate context

Clearly, we can see the user is now signed in with a corporate profile (and I suspect that this means any site the user visits under the corporate profile would be within the “corporate boundary,” without us having to manage a list of apps and websites in a “network boundary” within a policy somewhere).

Finally, we can see the policy in action, blocking a copy/paste action:

Block copy/paste policy in action

All in all, a massive, MASSIVE improvement over the legacy WIP experience: easier to set up for the administrator, and easier for the end user, as well. Although, until they add client app support for the desktop apps, this solution appears to be limited to web-only access at first, which is somewhat similar to the experience we have always had with Limited web access (using Conditional Access App-enforced restrictions). Still, I am optimistic that we will find this “profile-based” app management solution allows for more granularity and flexibility as development continues. I am excited to see this released to public preview (I haven’t seen a date on that yet), and of course, everything the future holds beyond it.

(I just hope this new policy will be included with Business Premium, and not held behind the E5 paywall!)


The post A Sneak Peek at Application Management for Edge appeared first on ITProMentor.

Identity Management

Hi folks,

Every week you hear acronyms, and it is not always obvious what MFA, PIM, PAM, MIM, MAM, MDM and so on refer to. So, not much technical detail for now, just jargon 🙂

Here is a quick tour of definitions that may come in handy 🙂

MFA – Multi-Factor Authentication

A classic. It is two-step authentication that lets the system make sure you are who you say you are (yes, re-reading that sentence a few times helps). It can identify a person, a device, an application or even a location. It is a combination of factors that establishes trust and verifies who you are.

The second factor can be an SMS code, an app-generated code, a PIN, a biometric, or a security key (FIDO, for example). Your username and password combined with that second factor make up MFA.

PIM – Privileged Identity Management

PIM is used to assign, activate and approve privileged identities in Azure AD. PIM provides time-bound and approval-based role activation to reduce the risk of excessive access permissions on sensitive resources.

For example: Support needs access to information in your tenant. Fine, but only for 10 minutes; after that, the system cuts off access.

The main PIM functions:

  • Just-in-time privileged access to Azure AD and to Azure resources.
  • Time-bound access to resources.
  • Approval process to activate privileged roles (an admin role, for instance).
  • Enforcing MFA.
  • Justification for access requests (a bit like SharePoint when you don’t have access).
  • Notifications when roles are activated.
  • Support for internal / external access reviews during audits.
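The PIM loop described in this list (eligible assignment, just-in-time activation with justification and expiry, then a look at what is active) as an added example in Microsoft Graph PowerShell; this is not code from the original post. It assumes the Microsoft.Graph module, an Azure AD Premium P2 license (which PIM requires), a Privileged Role Administrator for the first part and the eligible user for the second; the UPN, role, ticket reference and durations are placeholders.

```powershell
# Added example (not from the original post). Eligible assignment, JIT activation,
# and a check of active assignments. Assumptions: Microsoft.Graph module, Azure AD
# Premium P2; the user, role, justification text and durations are placeholders.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

$user = Get-MgUser -UserId "support.agent@contoso.com"   # placeholder
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"

# 1) Admin side: make the user ELIGIBLE (not active) for the role, tenant-wide
#    scope, eligibility itself expiring after 90 days so it gets re-reviewed.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Tier-1 support may read tenant configuration on demand"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "AfterDuration"; duration = "P90D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2) User side (run as the eligible user): activate for one hour with a justification.
#    If the role's PIM settings require MFA or approval, the request is held until
#    those are satisfied. The activation expires by itself: that is the "cut off after
#    N minutes" from the example above. The window must fit the role's configured
#    maximum activation duration, so ask for the shortest one the task needs.
$activation = @{
    action           = "selfActivate"
    justification    = "Ticket INC-0001: verify tenant settings"   # placeholder
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "AfterDuration"; duration = "PT1H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
$request.Status   # Provisioned when active; PendingApproval when an approver is configured

# 3) Audit: who currently holds the role, since when, and until when.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

The distinction the list above draws is visible in the two request types: eligibility is created by an administrator with `adminAssign` and grants nothing by itself; the user turns it into a real, time-bound assignment with `selfActivate`, and every such activation is a logged event with a justification attached.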

PAM – Privileged Access Management

PIM and PAM are often confused (POUM still hasn’t shown up #ahah)

PAM manages privileged identities on premises (in Active Directory). It is the on-premises counterpart of PIM and is delivered through MIM.

PAM will help you:

  • Make it harder for an attacker to reach administration, the network and highly privileged accounts.
  • Add protection to the privileged groups that control access to domain-joined computers and to the applications on those computers.
  • Provide monitoring and controls so you can see and track who your (highly privileged) administrators are and what they do.

PAM will give you a better understanding of how administrator accounts are used.

MIM – Microsoft Identity Manager

So where does MIM fit in all this? Microsoft Identity Manager.

It helps you manage users and hybrid environments. MIM simplifies identity lifecycle management with automated workflows, business rules and integration with other platforms.

MIM can apply AD rights to users for on-premises applications. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted applications.

A quick recap?

  • PIM is a feature for managing identities in Azure AD.
  • PAM is an on-premises feature for managing identities in Active Directory.
  • MIM helps manage users, credentials, policies and on-premises access.

MAM – Mobile Application Management

MAM matters because if organizations can only manage identities, but not applications, they miss a key aspect of data protection.

MAM is tied to a Microsoft feature called Microsoft Intune and is a suite of management capabilities for publishing, pushing, configuring, securing, monitoring and updating mobile applications for users.

MAM works with or without device enrollment, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations turn on multi-factor authentication, they can verify which user is on the device. MAM lets you manage which applications the user can access.

If you add Intune’s Mobile Device Management (MDM) capability, you can require device enrollment and then use MAM to manage the applications.

Hope this helps !

Stay tuned & safe

mickey75019
