The last few years have seen a huge shift in how organizations work with their data. The COVID pandemic accelerated a digital transformation as workers transitioned from the office to home-based and back into hybrid working environments. With this new set-up, collaboration is key to worker efficiency. However, the adoption of Microsoft 365 and Teams as a front-end platform has created new challenges for security teams. They now have the unenviable task of ensuring proper governance and data security without getting in the way of productivity.
In March 2022, archTIS conducted a survey with The Association for Intelligent Information Management (AIIM). In this report, we found that 93% of organizations surveyed use M365 in some fashion and that half of those respondents consider M365 their primary Content Management solution. This transitional shift has required a substantial change in how we approach data security.
Content Efficiency and Productivity
As businesses have moved or are in the process of moving their data from their secure on-premises environments to the cloud, several vital questions need to be answered.
- Where does the data now reside (or will it once it is moved)?
- How much of this data contains value?
- Who should have access?
This discovery task is further compounded when we consider the type of functionality that collaborative tools offer. Traditionally, business content was accessed on-premises or transacted through e-mail. Organizations have spent 20-plus years building walls around their data to create a secure perimeter and to protect their confidential data assets from unauthorized access.
But sensitive files like Word docs, Excel files, PDFs and images can now be copied and sent in seconds via a Teams message or high-value subjects casually exposed in a chat message body. This creates a difficult scenario for any security personnel attempting to employ Zero Trust in a busy collaborative work environment.
Data Governance in M365 and Teams
One of the ways that this content sprawl is manifesting is in a lack of governance and security. As a result, some organizations now consider whether Microsoft’s own compliance capabilities are enough to handle their information security challenge natively.
Many organizations are struggling to understand these governance capabilities, how to employ and optimize them fully, and how to regain control around the explosion of content that accompanied the rush to accommodate remote workers. As a result, InfoSec teams are working on getting users to do what they typically resist – manage their content in a controlled environment.
As new documents are added and transactional content is constantly created in M365, administrators need to automate security processes to stay in control of the sprawling content while still supporting key business processes. These processes should be able to apply flexible protection actions, including classification, labelling, encryption, dynamic access management, and activity reviews.
However, as M365 admins attempt to implement these controls, they must do so without inhibiting the productivity of the business users. As organizations adopt document-centric collaboration, administrators have found certain aspects challenging to implement. These include:
- Access and Information Barriers – Ensuring only the right users have access to sensitive information in the platform’s content management tools (SharePoint and OneDrive) and in chats introduced by Teams.
- Workflow – Business rules that help ensure documents are complete and all necessary reviews have been carried out and approved.
- Version control – Ensuring that a record of change history is maintained, including who made the changes and what was changed.
- Auditing and trackability – Carrying out regular audit reviews to ensure appropriate access controls are in place and maintaining a clear view of changes made by a particular user or to a specific document.
- Notifications – Alerts and reports for changes in status, quarantining and requests for review.
- Communication – Allowing users to add comments to documents in draft or review and to be able to surface those communications easily.
- Guest access – Restricting third party guest access to sensitive company information (e.g., contractors, partners, customers, etc.).
Third-Party Tools Are Still Required
Despite massive growth and adoption of M365, a good bit of education and change management efforts are still needed to explain and leverage the platform’s capabilities fully. In addition, there is still confusion about when M365 updates are made. Yet, as with other enterprise tools, organizations should make reasonable efforts to meet users where they now spend a large part of their work time. This is critical to enablw them to leverage Microsoft’s tools to the maximum extent possible and support “super users” to embrace the potential of these business applications fully.
With all of these challenges, it is clear there is still a need for third party providers to ensure that organizations realize the productivity of Microsoft 365, without compromising on security. 63% of organizations still see a need for Microsoft 365 plus something else to address shortcomings in the platform and enhance its functionality according to AIIM.
Enhancing Microsoft 365 Security with ABAC
This is where Attribute-Based Access Control (ABAC) can significantly help reduce exposure, enforce governance and security while maintaining productivity in M365 effectively. ABAC uses granular policies to dynamically determine if the specific user request to access, use or share content should be allowed or restricted in real-time. ABAC policies consider the state of the User, Environment and Data to approve or deny access. The process is transparent to the end user.
An important part of an ABAC (or any) security model is ensuring your data is properly classified according to your data governance and regulatory requirements. This process could include user-driven classifications, where the end-user must select a classification label to apply to the document. Or it could be automated so that all new and modified documents are scanned and classified based on the sensitivity of the content. Regardless of how classifications are applied, ABAC policies can use these tags to identify documents that contain sensitive and require appropriate access and protection policies to be applied.
An example is a project manager logged in on an authorized company laptop that is connected to the secure office network. This user is authenticated, using an approved company device, and connected to a secure location. Thus they are granted access to customer project files and related content. However, if that same manager left the office and visited a local coffee shop, connecting to the complimentary WiFi on their personal mobile device and attempted to access the same files, they would now be blocked due to governance and security policies. Even if the user was able to provide the correct user credentials and gain access to company files, the conditions of their access have changed as they are on an insecure connection with an unauthorized (and possibly unprotected) device.
If the above scenario were to occur on your own business network, would the InfoSec team be able to identify or prevent the unauthorized access attempt? Would they be able to deny access to those confidential customer project files? Or would the company only become aware of a breach if the file’s contents were exfiltrated and publicized?
Dynamic Data Security that Enforces Governance in Microsoft 365 and Teams
NC Protect offers a solution. It dynamically secures collaboration in M365 and Microsoft Teams using zero trust ABAC-enabled policies. NC Protect dynamically addresses these three data governance and security questions:
- Who should have access to data?
- What users should be able to do with it once they have access?
- Should authorized users be able to share the content? With whom?
The platform leverages ABAC policies to control access and apply data protection each time and every time a user accesses a specific piece of data. NC Protect security policies consider the state of the user and the data before allowing access including conditions such as the device being used, geographical location, time of day, and other custom attributes. This information is combined with data properties such as content sensitivity, classification, metadata, location of the data, combined site permissions, and more. The policies ensure your data governance, regulatory and business policies are dynamically enforced.
The NC Protect policy considers all of these factors and will deny or grant access; then allow or restrict what the user can see and do with the content accordingly. For example, NC Protect can limit access to read-only, apply encryption, prevent file duplication (save as), or block copy/pasting from the document itself. The platform can also apply dynamic security watermarks containing user information to discourage users from circumventing controls and attempting to copy the content by taking photos or screenshots from their devices.
The platform applies these controls to various document types including Microsoft Office docs, PDF files, images, and CAD drawings. In addition, Microsoft Teams’ chats are subject to the same controls. NC Protect can block unauthorized attachments or actively redact sensitive chat content in Teams in real time.
Whether you need to manage sensitive data securely within Microsoft 365 or need to control access and sharing of sensitive information stored with high assurance, NC Protect can assist with enabling your big-picture governance and security goals.
Optimizing Governance and Data Security in Microsoft 365 & Teams