The fundamental purpose of protecting identities is to protect documents and other data. When protecting identities, the threat of lateral movement forces administrators to apply equal protection to all of them, regardless of their privileges. However, security can and should be more selective when protecting documents. While an enterprise might have hundreds or thousands of identities to protect, it might easily have hundreds of thousands or millions of documents, which makes applying equal protection to all of them impractical. Therefore, administrators need to identify the documents containing sensitive data that require more protection.
As discussed earlier in this chapter, Azure Information Protection (AIP) and Data Loss Prevention (DLP) enable administrators and users to apply classification labels to documents and specify security measures applied to the documents based on those labels. While these tools can, in some cases, detect sensitive data within documents based on criteria that administrators specify, there are many other cases in which it is up to the users to apply the labels correctly to their documents.
Note: Information Protection and Data Loss Prevention
For more information on Azure Information Protection and Data Loss Prevention, see the “Data” section earlier in this chapter.
The technological aspects of implementing tools such as AIP and DLP are relatively straightforward; however, the implementation’s administrative, cultural, and educational aspects can be more troublesome, especially in a large enterprise. For these tools to function effectively, the classification labels representing the various levels of data sensitivity must be understood by everyone involved and applied consistently throughout the organization.
When the intention is to create a single classification label taxonomy that the entire enterprise will use, it makes sense for representatives from all areas and all levels of the enterprise to have a say in the design of that taxonomy. Unless the terms used for the labels mean the same thing to everyone, there is a chance that documents could be labeled incorrectly or, worse, not labeled at all when they should be.
With the labeling taxonomy agreed on and in place, the next step in the deployment—as with all new programs—should be a pilot deployment. With a small group of representative users applying labels to their documents and with DLP configured to classify a subset of the company’s documents automatically, careful monitoring of the labeling process and evaluation of the classified documents will almost certainly disclose some incorrect labeling, requiring modifications to the tools themselves or to the users’ procedures. Successive iterations of the taxonomy and the DLP algorithms will likely be needed before the system is completely reliable.
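To make the pilot evaluation described above concrete, here is an added example (not from the book and not Microsoft's AIP or DLP implementation) that models a small DLP-style rule set over a constructed three-level taxonomy and reports where the automatic labels disagree with the labels pilot users applied. The document texts, label names and detection rules are all constructed; the Luhn check stands in for one "modification to the tools" that removes a false positive found during the pilot.

```python
import re

# Constructed three-level taxonomy; a real enterprise agrees on its own terms first.
CONFIDENTIAL, INTERNAL, PUBLIC = "Confidential", "Internal", "Public"
# 13 to 19 digits with optional space/dash separators (payment-card shaped).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN shape; constructed values only

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def auto_label(text: str, luhn_check: bool = True) -> str:
    """Return the most restrictive label whose detection rule fires."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_check or luhn_ok(digits):
            return CONFIDENTIAL
    if SSN_RE.search(text):
        return CONFIDENTIAL
    if "internal use only" in text.lower():
        return INTERNAL
    return PUBLIC

def pilot_mismatches(docs, luhn_check: bool = True):
    """Compare auto labels with the labels pilot users applied; list disagreements."""
    report = []
    for doc_id, text, user_label in docs:
        auto = auto_label(text, luhn_check)
        if auto != user_label:
            report.append((doc_id, user_label, auto))
    return report

# Constructed pilot documents: (id, text, label the pilot user applied).
PILOT_DOCS = [
    ("D1", "Order 4111 1111 1111 1111 shipped to the customer.", CONFIDENTIAL),  # Luhn-valid test number
    ("D2", "Tracking ref 1234 5678 9012 3456, ETA Friday.", PUBLIC),  # 16 digits, fails Luhn
    ("D3", "Draft pricing sheet. INTERNAL USE ONLY.", PUBLIC),  # user forgot the label
    ("D4", "Employee record, SSN 123-45-6789.", CONFIDENTIAL),
]

if __name__ == "__main__":
    print("with Luhn check:   ", pilot_mismatches(PILOT_DOCS))
    print("without Luhn check:", pilot_mismatches(PILOT_DOCS, luhn_check=False))
```

Without the Luhn check the tracking number in D2 is reported as a mislabel, which is a tool defect, while D3 remains a user-procedure defect in both runs; separating the two is what the successive pilot iterations are for.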
The final phase of the deployment—and arguably the most difficult one—will be educating all the organization’s users on the labeling system, how it works, and why it is necessary. This is particularly true for users not involved in the technology behind the system. Document protection is not a problem that administrators can solve with technology alone; the human factor is also critical.