This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you’ll find context, answers, and guidance for deployment and driving adoption within your organization. Here is the second installment of an 8 part series on deploying intelligent security scenarios. Check out our last blog, Enable your users to work securely from anywhere, anytime, across all of their devices.
Most companies focus their security solutions around users, devices, and apps, but often overlook the data that they are trying to protect. In this blog, we dig into some of the most challenging data protection scenarios our customers encounter.
How can I make sure company data is safe when employees use their own devices for work?
To help ensure your organization’s data is safe on employee-owned devices, Microsoft 365 security solutions give you control and protection throughout the data lifecycle. With interoperating solutions for identity and access management, endpoint protection, information protection, and mobile device management (MDM), Microsoft 365 helps you protect your data against the complicated risks of a mobile landscape.
To build a comprehensive strategy for information protection, start by managing employee identities with Azure Active Directory (Azure AD). Azure AD gives you visibility and control over user identities, allowing you to manage what users can access. It allows your users the ability to securely sign in to business apps and access appropriate company data on their own devices.
Your employees use mobile devices for both personal and work tasks throughout the day, moving quickly among apps and files and potentially mixing up work and personal data. You want to make sure users can be productive while you prevent data loss. You also want to have the ability to protect company data even when accessed from devices that aren’t managed by you.
You can use Microsoft Intune app protection policies (Figure 1) to help protect your company’s data. Because Intune app protection policies can be used independent of any MDM solution, you can use it to protect your company’s data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department. These policies enable you to provide parameters for how your users interact with or use data in their Intune-managed apps, for example by restricting copy-and-paste and save-as functions.
Figure 1. Intune App Protection policies allow you to restrict access to company resources.
Conditional access in Azure AD (Figure 2) lets you assign conditions that must be met in order for users to gain access. By setting conditional access policies, you can apply the right access controls under the required conditions. Configure conditional access policies to address risks based on user sign-in, network location, unmanaged devices, and client applications.
Figure 2. Conditional access lets you assign conditions that must be met in order for users to gain access.
Protect against accidental data leaks by using Windows Information Protection (WIP) to help secure business data when it leaves your employees’ devices. WIP can be configured through Intune and it allows you to restrict copy-and-paste functions, prevent unauthorized apps from accessing business data, and discriminate between corporate and personal data on the device so it can be wiped if necessary.
How can I make it easier for employees to meet my company’s strict compliance requirements for data access and sharing?
Classify and protect documents and emails by applying labels with Azure Information Protection. Labels can be applied automatically by administrators who define rules and conditions manually by users, or by a combination where users are given recommendations. The classification is identifiable regardless of where the data is stored or with whom it’s shared. For example, you can configure a report document so that it can be accessed only by people in your organization, and control whether that document can be edited, or restricted to read-only, or prevent it from being printed. You can configure emails similarly, and also prevent them from being forwarded or prevent the use of the Reply All option.
How can I protect data when an employee loses their device?
If your employees use their own devices to access or store company information, you can remotely wipe data from managed business apps, like Word and SharePoint, with Intune. Company-owned devices can be managed through Intune MDM, giving you the flexibility to wipe an entire device (factory reset) or just wipe company data.
Deployment tips from our experts
Now that you know more about how Microsoft 365 security solutions can protect your data, here are three proven tips to put it all into action.
Keep your identities safe. Manage employee identities with Azure AD for visibility over user identities and control over what users can access. Configure conditional access policies to apply the right access controls to address access risks.
Manage the devices in your environment with Intune. Enable Intune to be your mobile management strategy to manage the apps that employees use to do business. You can control the apps employees can access, and you can wipe a device when someone leaves the company.
Keep your company data safe. Restrict access to company resources using Intune app protection policies to help protect your company’s data. Deploy Azure Information Protection and set up your data classification, labels, and automatic policies to control access by labeling, classifying, and encrypting documents according to their level of security. Then use WIP to protect against accidental data leaks.
Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether you’re planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.
Want to learn more?
More blog posts from this series:
- Tips for getting started on your security deployment
- Accelerate your security deployment with FastTrack for Microsoft 365
- First things first: Envisioning your security deployment
- Now that you have a plan, it’s time to start deploying
- New FastTrack benefit: Deployment support for co-management on Windows 10 devices
- Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework
- Enable your users to work securely from anywhere, anytime, across all of their devices