Microsoft Security

Enabling collaboration—without data leaks

  • Microsoft Secure Blog Staff

Many of us have accidentally sent sensitive information to the wrong person at some point in our careers, perhaps without even knowing. This is a frightening reality for companies and their IT teams, especially as collaboration increases and corporate data becomes more distributed among on-premises and cloud environments. Monitoring every device, application, and piece of data at all times is not just impractical, it’s impossible.

To stay protected and compliant, IT groups need the ability to effectively manage users and devices in ways that enable productivity without introducing risk. And users must learn to protect themselves from situations in which leaks could occur.

To help mitigate data leaks, influence user best practices, and still allow for collaboration, Microsoft designed the following security features to protect corporate data—whether it is in the data center, in the cloud, or shared with internal and external partners:

Manage your mobile applications

With Microsoft Intune mobile application management (MAM), organizations can control apps and resources at the app level. IT can discourage users from working in unauthorized apps by applying restrictions that prevent copying, pasting, or saving data from a managed app onto an unmanaged app. End users can work productively in familiar Office apps and retain the rich Office productivity experience. Intune MAM capabilities are native to Office mobile apps, but can also be extended to other proprietary and line-of-business apps through the Intune SDK or Intune App Wrapping tool.

Lock mobile devices down

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, lock a device down so it can only run trusted applications. In the lockdown state, users cannot modify the device state, which prevents further unauthorized mobile behavior. Device Guard automatically senses threatening behavior and takes appropriate action, relieving IT of the need to constantly supervise user behavior.

Protect enterprise data

Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), combines Windows 10, Intune, and Azure Rights Management to separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. WIP integrates with Intune to enable comprehensive management of WIP policies, which protect corporate data by preventing unauthorized apps from accessing business data, similar to the Intune MAM capabilities for iOS and Android. With this capability, all copy and paste functions are restricted for unknown sources, and sensitive data can be remotely wiped from devices to prevent unauthorized mingling of personal and corporate data.

Prevent data loss

Data Loss Prevention (DLP) in Office 365 helps identify the areas that are most susceptible to threats and potential data loss. The DLP classification engine built into Office 365 analyzes data across programs like Exchange, SharePoint, OneDrive for Business, and Office applications to determine which information is the most sensitive and vulnerable based on unique business requirements. DLP Policy Tips provide complete visibility to help influence better-informed decision making. IT can then leverage this data to inform and enforce compliance and security policies that will best protect sensitive information.

Utilize policy-driven access control

Azure Rights Management (Azure RMS) enables IT to encrypt data at the file level and apply policy-based permissions based on the user’s identity. These access control policies provide integrated coverage across on-premises environments and cloud applications. IT can define privileges for users and files, ensuring only the right people can view sensitive information. Actions like viewing, editing, authoring, and co-authoring capabilities delegated to the user are all governed by access control policies, and they can be tailored to meet specific project or business needs. Designed to support multiple workloads such as Exchange, SharePoint, and Office documents, Azure RMS enables safer sharing and collaboration with partners inside and outside the organization.

To learn more about secure collaboration, download the free eBook, “Protect Your Data: 7 Ways to Improve Your Security Posture”.