Five years ago, we started on a journey to update and simplify information protection at Microsoft. We had a manual data classification process that our users didn’t use effectively and that didn’t work with our data storage or database technology. We had to find ways to re-classify data and build effective tools while protecting our most important asset: customer and employee information.
We’ve learned a lot about data protection and tools and today we’re sharing some of our best practices for:
- Laying the groundwork for protecting information.
- Protecting trade secrets.
- Starting your information protection journey.
Laying the groundwork for protecting information
Identifying the location of data—The first step to creating a strategy is discovering where your data and your major storage locations are, so you can map a data landscape. Do you have data on your endpoints? Start by looking across your organization to identify your customer data, regulatory data, and other sensitive information.
Classifying the data—Classifying data is the most important and most difficult step. At Microsoft, we used a custom three-level manual label classification process but found that no one understood how to apply the labels correctly. We worked with legal, HR, and other groups to identify labels that made sense for our company, with the goal that they could be applied automatically.
Our objective is to ensure that our data and our customer data are handled properly, classified correctly, and protected. We’re a global company, and the General Data Protection Regulation (GDPR) is the baseline—and one of our key tenets—for how we think about our information and how we protect it. We replaced the manual classification labels with a more intuitive labeling taxonomy that better aligns with industry standards:
- Non-Business: Data that is non-business related and doesn’t belong to Microsoft.
- Public: Data designed for public consumption.
- General: Business data not meant for public consumption.
- Confidential: Sensitive business data that could cause business harm if over-shared.
- Highly Confidential: Very sensitive business data that would certainly cause the business harm if over-shared.
Identifying and resolving old data—Before you roll out new tools, there may be old data that you need to review and resolve. For example, you may need to clean up, delete, or protect your data. When reviewing data, consider the age of the data and if anyone is still using a document. Prioritize and create rules for saving, deleting, and protecting data.
Protecting the data—Protect data according to its classification. Customer and personal information is at the core of what we protect at Microsoft. For smaller companies—or companies just starting to develop an information protection program—your biggest return will come from finding customer data so you can protect it. Building customer trust and protecting customer information is key to an information protection program.
Protecting trade secrets
Protecting our identities is an extremely important part of the information protection journey. But what if you come across a document with trade secret information? You should probably work with the group that handles trade secrets at your company. We have a white glove program with HR where we build specific programs for specific business units. Using products like Key Vault can help protect sensitive data.
Starting your information protection journey
If you’re just starting to build an information protection program, we recommend the following three-step process:
- Governance, risk, and compliance—Have your legal and HR teams help you define the types of information you need to defend. Always focus on customer data and sensitive information.
- Education and awareness—Labels are always important because they’re the foundation for distinguishing confidential data from general business data. Use terminology that’s easy for users to understand. Train them, and use tools to implement your solutions. We used education campaigns, and we also built tool tips and Rights Management Service (RMS) templates into our products. For example, if I’m working in an Office experience, I might get a tool tip prompting me to classify a document as confidential. We found that 50 percent of the time, users will increase the confidentiality of the document.
- Tools rollout—When you’re working with tools, remember that you’re typically interacting with customer and employee information. It’s an opportunity to build trust as a company. Some of the information protection tools we use include Office 365 Information Protection and Azure Information Protection, which provide labeling functionality we can push to endpoints, as well as labels and tool tips for Office documents. We also use the file share scanner and Windows Information Protection (which is still in pilot phase).
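The taxonomy above and the "prompt the user to raise the label" behaviour described under education and awareness, worked as an added example (not Microsoft's code or classifiers): a small rule-based auto-labeler over the five ordered labels that recommends the highest label any detection rule demands and never lowers the label the author chose. The rules, the file names, and the sample documents are constructed for illustration.

```python
import re
from enum import IntEnum

class Label(IntEnum):  # the post's five-level taxonomy, least to most sensitive
    NON_BUSINESS = 0
    PUBLIC = 1
    GENERAL = 2
    CONFIDENTIAL = 3
    HIGHLY_CONFIDENTIAL = 4

# Constructed rules (hypothetical, not Microsoft's classifiers): (name, pattern, minimum label).
RULES = [
    ("payment card number", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
     Label.HIGHLY_CONFIDENTIAL),
    ("trade secret marking", re.compile(r"\btrade secrets?\b", re.IGNORECASE),
     Label.HIGHLY_CONFIDENTIAL),
    ("customer email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
     Label.CONFIDENTIAL),
]

def matching_rules(text):
    """Names of every rule whose pattern occurs in the document text."""
    return [name for name, pattern, _ in RULES if pattern.search(text)]

def recommend_label(text, current=Label.GENERAL):
    """Highest label any matching rule demands, never below the author's own
    choice: automatic classification only raises sensitivity, and lowering a
    label stays a human decision for the owning team."""
    demanded = [label for _, pattern, label in RULES if pattern.search(text)]
    return max([current] + demanded)

def needs_prompt(text, current=Label.GENERAL):
    """True when the user should see a tool tip suggesting a higher label."""
    return recommend_label(text, current) > current

# Constructed sample documents with the label their authors chose.
SAMPLE_DOCUMENTS = {
    "press_release.txt": ("Contoso announces a spring product line.", Label.PUBLIC),
    "support_ticket.txt": ("Customer alice@example.com reported a billing issue.", Label.GENERAL),
    "payment_export.csv": ("name,card\nAlice,4111 1111 1111 1111", Label.GENERAL),
    "roadmap.docx": ("TRADE SECRET: unreleased design notes.", Label.CONFIDENTIAL),
}

def review(documents=SAMPLE_DOCUMENTS):
    """Map each file to (current label, recommended label, rules that fired)."""
    return {name: (current, recommend_label(text, current), matching_rules(text))
            for name, (text, current) in documents.items()}
```

Running `review()` flags the support ticket, payment export and roadmap for a higher label while leaving the press release at Public, which is the prompt-only-upward behaviour the post reports users accepting about half the time.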
Building an information protection program is not one-size-fits-all, but if you choose classification terms that are easy to understand and implement, proactively educate users, and bake information protection into existing processes to minimize impact, you can increase the success of the program.
For more information about how Microsoft has implemented these strategies, watch the IT Showcase webinar, Speaking of security: Information protection.