Author: Paul Curwell
It’s April 2022 – enter, Microsoft Purview
In 2017, Microsoft introduced its cloud-based Microsoft 365 solution, offering a range of personal and business applications to customers. Then, in April 2022, the Microsoft Purview platform was unveiled, combining functionality previously called Azure Purview with what was then Microsoft 365 Compliance, providing a host of new tools and functionality for corporate teams involved in protecting and managing sensitive data, including:
- Microsoft Purview Insider Risk Management
- Microsoft Purview Data Loss Prevention
- Microsoft Purview Data Lifecycle and Records Management
- Microsoft Purview eDiscovery
- Various legal holds, auditing and compliance tools, and,
- Microsoft Purview Information Protection
These solutions are Microsoft’s answer to a range of risk, compliance and security problems which commonly arise in businesses across a range of industries. They are designed to be implemented largely out of the box through configuration (as opposed to customisation); however, more advanced technical skills are required to set up features such as APIs, write PowerShell scripts, and undertake other technical tasks.
Remember: technology is not the first or only step!
I’ve written numerous articles on the importance of protecting sensitive business information, Intellectual Property, and research on this blog, but irrespective of what you are protecting it all starts with a good Information Protection Program.
A well-designed Information Protection Program starts with a fit-for-purpose framework, supported by everything from policies (such as a Code of Conduct, employment and IT Acceptable Use policies) and confidential information naming conventions, to appropriate physical, cyber and personnel security programs, security culture and awareness training, and physical and ICT (virtual) monitoring and auditing.
Once your Information Protection Program is developed, Microsoft Purview Information Protection contains a range of tools to help implement and sustain that program over time. Like any software, Microsoft Purview Information Protection is not a substitute for a good Information Protection Program. Conversely, in today’s data and technology rich environment, Information Protection Programs are unlikely to be truly effective without tools like those offered by Microsoft.
Let’s cut to the chase: Microsoft Purview Information Protection is suitable to help manage a variety of information types, including:
- Trade Secrets
- Personally identifiable information (PII)
- Confidential business information (pricing, customer lists, strategies, etc)
- Research data (e.g. pre-patent, draft papers), and,
- Government classified information
Whether Microsoft Purview Information Protection is suitable for managing your organisation’s information risk profile is subject to a few considerations, including:
- Is your sensitive information stored outside of a Microsoft 365 environment?
- Do your employees use offline systems, paper records, personal devices or endpoints which are not centrally managed or onboarded?
- Do your suppliers create or replicate your sensitive information on their systems, out of reach of your management and control?
If you have answered yes to any of the above, you may only have partial protection from Microsoft Purview Information Protection without changes to the way your organisation operates.
What features does Microsoft Purview Information Protection offer?
In my opinion, Microsoft Purview offers a range of great tools out of the box which are suitable for many organisations, particularly those which generate and manage sensitive information within the Microsoft ecosystem. Primary data protection tools include:
- Sensitivity labels – provide the tools to classify documents, files, emails and other datasets using your organisation’s information classification scheme (e.g. confidential, proprietary, commercial-in-confidence). This is one area where Microsoft Purview configuration needs to reflect the framework and policies set up in your Information Protection Program.
- Sensitive information types – these are pattern-based classifiers used to find datasets containing defined data patterns, such as the format of a Medicare or Tax File Number, BSB and Bank Account number, etc. Microsoft Purview comes with a host of sensitive information types pre-defined out of the box, saving configuration time and effort.
- Trainable classifiers – the ability to train in-built AI tools to identify and classify datasets based on their attributes. Like all AI tools, this requires a sufficient sample size to learn from, and works best for content not suited to manual (human) classification or automated pattern matching (keywords such as ‘confidential’, text strings such as credit card numbers, and file metadata).
- Data classification – provides a host of tools for managers of an Information Protection Program to view and understand how the program is being implemented by users, where sensitive information resides in the organisation (e.g. by type, sensitivity label, etc), and a host of other features. This can help inform identification of High Risk Roles and Personnel Security Risk Assessments to inform Workforce Screening Program design, as well as inform implementation of Information Protection Programs and control improvement plans.
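As an added illustration (not Purview’s own code or configuration), the following Python sketches how a pattern-based sensitive information type such as the Australian Tax File Number combines a regex, a checksum and nearby supporting keywords into a confidence level, which is what keeps a nine-digit ticket or phone number from being flagged as a TFN. The sample text, keyword list and proximity window are constructed assumptions.

```python
import re

# Candidate: 9 digits, optionally grouped 3-3-3 with spaces or hyphens
TFN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
# Weighted modulus-11 check used for Australian Tax File Numbers
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Assumed supporting keywords and proximity window (characters either side)
SUPPORTING_KEYWORDS = ("tax file number", "tfn")
PROXIMITY = 300


def tfn_checksum_ok(digits: str) -> bool:
    """True when the 9-digit string passes the TFN weighted mod-11 check."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def classify(text: str) -> list:
    """Return each 9-digit candidate with its validation result and confidence.

    Confidence mirrors how a pattern-based classifier is layered: pattern
    alone is 'low', pattern + checksum is 'medium', and pattern + checksum
    + a supporting keyword within the proximity window is 'high'.
    """
    hits = []
    lowered = text.lower()
    for m in TFN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        keyword_near = any(k in window for k in SUPPORTING_KEYWORDS)
        checksum = tfn_checksum_ok(digits)
        if checksum and keyword_near:
            confidence = "high"
        elif checksum:
            confidence = "medium"
        else:
            confidence = "low"
        hits.append({"match": m.group(0), "checksum": checksum,
                     "keyword_near": keyword_near, "confidence": confidence})
    return hits


# Constructed sample text: 123 456 782 passes the checksum, the others do not
SAMPLE = (
    "Employee onboarding form. Tax File Number: 123 456 782.\n"
    "Reference: 123456789 (ticket id, not a TFN).\n"
    "Phone 987 654 321 for enquiries.\n"
)

if __name__ == "__main__":
    for hit in classify(SAMPLE):
        print(hit)
```

Running it shows only the genuine TFN reaching high confidence even though all three candidates sit next to the keyword, which is the false-positive reduction a checksum-backed sensitive information type provides.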
I’m enthusiastic about the ability of Microsoft Purview to bring Information Protection, eDiscovery and Insider Risk Management capabilities to small and mid-sized organisations which otherwise might not be able to afford to implement and maintain different vendor solutions to achieve the same outcome.
Two questions I have are what the buyer profile is for E5 licensing in Australia (are these primarily large corporates, or can small to mid-sized organisations afford this as well?), and of the current E5 buyers, how many have actually turned this functionality on. I haven’t been able to find information on Microsoft’s market penetration in Australia, so answers to my questions will need to wait for another day! For organisations who are interested, Microsoft offers a 90-day free trial.
Not only will this inform your business requirements and business case, but it will ensure that the technology solution is implemented in a way that actually aligns with the way your organisation operates. There is nothing worse than when technology, rather than business need, dictates your operating model.
Operationalising your Information Protection Program
All too often, I see cases where organisations have purchased a software solution and expect this will address all their ills. Technology is an enabler that can enhance the effectiveness of an Information Protection Program, but it is not a substitute for implementing the program itself.
Like any technology solution, using Microsoft Purview requires regular attention and maintenance to ensure it does what was intended and is not impacting business users unnecessarily. Microsoft Purview will need periodic adjustment as your organisation changes, such as where new sensitive projects are set up that require new sensitivity labels, or in response to insider threat events.
Minimising problems for capabilities ‘in operation’ will require someone (or a team) who has an appreciation of both the Information Protection Program and Microsoft Purview, as well as change management to minimise adverse user outcomes.