Microsoft has been busy lately on the data loss prevention front. The bad news: it is bundling its information protection and data loss prevention services under new names, such as Microsoft Purview. The good news: the same, except for the part about the new names.
Information protection has historically centered on files. You assign a sensitivity label to a file based on its contents, then define one or more policies specifying what users can do with the file under that label. When I talked to customers about information protection, I would tell them that it was still possible to exfiltrate the data by copying and pasting it, or a screenshot of it, into another application. Information protection was valuable but not perfect.
Purview data loss prevention closes the copy and paste loophole for the browsers it covers. Microsoft announced last week that it is extending data loss prevention to the case where someone pastes sensitive data into an application or website.
Put another way, you can now enforce data loss prevention at the content level, which is more fine-grained than control at the file level: the policy fires on what is being pasted, not on which file it came from.
Why This Matters
Imagine these scenarios.
- A user copies the results of a SQL query into a Gmail message so he can share them with a colleague at another organization.
- Another user is exploring AI. She is training a model and pastes sensitive data into it without realizing that the service may retain what it receives and treat it as public information.
- A staff member who is leaving the organization on bad terms wants to “get even” by posting part of a confidential memo on a website that rates employers.
IT managers tell me all the time that their security policies start with the presumption that staff are professionals who want what is best for the organization. This is a sensible approach. Start with the most common security case (users will not knowingly compromise the organization’s sensitive information) and go from there.
And yet, there are times when a user will skirt the rules. Perhaps she wants to share information with a development partner and does not want to wait for IT to grant her partner access. I have already seen stories about people who opened their data to an AI model, only to find the data being referenced by the model with no regard for security or confidentiality.
How Data Loss Prevention Now Works
As I have related elsewhere, Microsoft follows a common approach to extending the reach of its data loss prevention tools. Here are the steps.
- Start by defining sensitive information types. You can choose from Microsoft’s built-in list (credit card numbers, national ID numbers and so on) or create your own, for example a project code name.
- Then, list one or more websites (such as glassdoor.com and yahoo.com) as members of a sensitive site group; Purview calls these sensitive service domains. The group in this example is named Sensitive Sites.
- Next, define the websites where pasting internal information is acceptable. You might include the staff intranet and the organization’s email service provider.
- Finally, define the action to take when a user tries to paste sensitive information into one of the websites above.
The action is set per site group. You might allow the paste because the site is “safe” (such as the organization’s intranet). You might display a warning but let the paste proceed if the user provides a business justification. Or you might block the paste outright.
Purview data loss prevention enforces these paste rules natively in Edge. It also covers Chrome and Firefox, via browser extensions, so a user cannot sidestep the policy simply by switching browsers among those three.
Look at Adding This to Your Security Portfolio
I like the fact that Purview Data Loss Prevention writes an audit record even when the paste is allowed. It is good to know when data loss prevention policies are being triggered, not just when they block something.
I also like combining the new data loss prevention feature with Microsoft’s “adaptive protection.” Think of adaptive protection as machine learning for security. Imagine that you have defined a data loss prevention policy that allows pasting if the user provides a justification. That will work for you in most cases. However, you have that one user who is constantly sharing sensitive information. Adaptive protection looks at this user’s pattern of sharing, raises the user’s risk level and applies the stricter action, blocking the paste straight away.
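The four-step policy from the previous section (sensitive information types, a sensitive site group, allowed sites, an action per group), together with the always-log and adaptive escalation behaviour discussed here, as a runnable model in Python. This is an added example, not Purview’s own code or anything Microsoft publishes: the regex detectors are simplified, the contoso.example host names, the three-override threshold and the audit record layout are all assumptions chosen for illustration.

```python
"""Model of a paste-to-site DLP policy. Constructed example, not Purview code:
the patterns, hosts, threshold and log layout below are all assumptions."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Step 1: sensitive information types, two in the built-in style and one custom.
# Simplified regexes; real detectors also use keywords, proximity and confidence.
SENSITIVE_TYPES = {
    "Credit Card Number": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),   # 13-16 digits
    "U.S. Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Contoso Project Code": re.compile(r"\bPRJ-[A-Z]{4}-\d{3}\b"),    # custom type
}

def luhn_valid(candidate: str) -> bool:
    """Checksum that separates real card numbers from random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set[str]:
    """Return the names of every sensitive information type found in text."""
    found = set()
    for name, pattern in SENSITIVE_TYPES.items():
        for match in pattern.finditer(text):
            if name == "Credit Card Number" and not luhn_valid(match.group()):
                continue   # digit run that fails the checksum is not a card number
            found.add(name)
    return found

# Steps 2 and 3: the sensitive site group and the sites where pasting is fine.
SENSITIVE_SITES = {"glassdoor.com", "yahoo.com"}
ALLOWED_SITES = {"intranet.contoso.example", "mail.contoso.example"}  # assumed hosts

def site_group(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    def in_group(domains: set[str]) -> bool:
        return any(host == d or host.endswith("." + d) for d in domains)
    if in_group(ALLOWED_SITES):
        return "allowed"
    if in_group(SENSITIVE_SITES):
        return "sensitive"
    return "other"

# Step 4: action per site group. "Warn" shows a policy tip and lets the user
# proceed with a business justification; "Block" stops the paste outright.
POLICY = {"allowed": "Allow", "sensitive": "Block", "other": "Warn"}

@dataclass
class PasteEvent:
    user: str
    url: str
    text: str
    justification: Optional[str] = None

@dataclass
class Decision:
    action: str               # "Allow", "Warn" or "Block"
    matched: frozenset[str]   # sensitive information types found in the paste
    reason: str

@dataclass
class DlpEngine:
    adaptive_threshold: int = 3          # justified overrides before escalation (assumed)
    audit_log: list[dict] = field(default_factory=list)
    overrides: Counter = field(default_factory=Counter)

    def evaluate(self, event: PasteEvent) -> Decision:
        matched = frozenset(classify(event.text))
        if not matched:
            return Decision("Allow", matched, "no sensitive content")  # no match, no log entry
        group = site_group(event.url)
        action, reason = POLICY[group], f"site group '{group}'"
        if action == "Warn":
            if self.overrides[event.user] >= self.adaptive_threshold:
                # Adaptive protection: a user who keeps overriding the warning
                # is treated as higher risk and moved to the stricter action.
                action, reason = "Block", "adaptive: repeated justified overrides"
            elif event.justification:
                self.overrides[event.user] += 1
                action, reason = "Allow", "user supplied a justification"
        # Every policy match is recorded, including pastes that were allowed.
        self.audit_log.append({"user": event.user, "host": urlparse(event.url).hostname,
                               "types": sorted(matched), "action": action, "reason": reason})
        return Decision(action, matched, reason)

if __name__ == "__main__":
    engine = DlpEngine()
    # Constructed paste events covering the scenarios described in the post.
    events = [
        PasteEvent("alice", "https://intranet.contoso.example/wiki", "Card 4111 1111 1111 1111 on file"),
        PasteEvent("bob", "https://www.glassdoor.com/review", "SSN 123-45-6789, see memo"),
        PasteEvent("carol", "https://mail.google.com/", "Query output: PRJ-ABCD-001"),
    ] + [PasteEvent("carol", "https://mail.google.com/", "PRJ-ABCD-001", "partner review")] * 4
    for ev in events:
        d = engine.evaluate(ev)
        print(f"{ev.user:6} -> {urlparse(ev.url).hostname:28} {d.action:6} ({d.reason})")
    print(f"{len(engine.audit_log)} audit records written")
```

Two details are worth noticing when you run it. A paste that contains no sensitive type produces no audit record at all, so the log shows policy matches rather than every paste; and carol’s first justified pastes are allowed and counted, until the count reaches the threshold and the same paste is blocked without a second chance, which is the escalation the adaptive protection paragraph describes.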
I worry about AI model training going awry, with an organization’s data suddenly exposed to the Internet. This round of data loss prevention could help you avoid that concern.