Having recently passed another ISO27001 audit with BSI, I thought it would be worth doing a 2-part blog series where I will share with you some of the key Microsoft Cloud products Circle Cloud use to help provide technical enforcement for our information security policies. I am sure that most Information Security Managers and Data Protection Officers would agree that bridging the gap between the rules that are written on paper and what staff actually do in real life can be a genuine challenge. For example, can we always be sure that amongst the hundreds (if not thousands) of emails and documents that are exchanged on a daily basis within our organisations, that 100% of them have been given the appropriate classification? All it would take is one oversight for a piece of confidential or restricted information to end up in the wrong person’s inbox. And let’s face it, for even the most conscientious employees, mistakes happen!
Well, that’s where technology comes into it (particularly the Microsoft Cloud, in this case). Before getting into it, it’s worth noting that the success of technology when it comes to bolstering your organisation’s information security is dependent on how you approach it. I have known many businesses to implement information security technologies without having any policies or procedures in place, which is the equivalent of throwing the proverbial at the wall and hoping some of it sticks. In such instances, people can often be left disillusioned with the effectiveness of technology and its capabilities to solve information security challenges within their organisations. That’s because, with no underlying structure to provide context, things can become messy and underutilised, eventually falling out of use completely. It is for that reason that I have addressed this blog to those organisations with ISO27001 certification, simply because there will be a structure of basic policies and procedures in place by default.
Azure Information Protection
Related ISO27001 Controls: Information Classification (A8.2.1) and Labelling of Information (A8.2.2).
Even if you don’t have ISO27001 but you are an information security conscious organisation, it is highly likely that you will have an Information Classification Policy. Well, if that’s the case, Azure Information Protection is for you.
As I have mentioned in a previous blog, Azure Information Protection (AIP) is a Microsoft Cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content. It is part of the Microsoft Information Protection Solution and is dedicated to solving the problem of how to label your organisation’s information appropriately to avoid it falling into the wrong hands.
Azure Information Protection allows you to create labels with pre-set rules and enforce usage throughout your entire organisation. This means that any labels you create would become mandatory, requiring all staff to apply the most appropriate label to documents and emails.
Based on our experience, what we recommend is that you mirror the labels (and associated rules) from your organisation’s Information Classification Policy. For example, at Circle Cloud we have a label in our Policy titled ‘Restricted Internal’, which seeks to protect business-sensitive information that should only be circulated amongst Circle Cloud members of staff. We have therefore created the ‘Restricted Internal’ label in Azure Information Protection and configured it to ensure that only individuals with the Office 365 domain ‘@circlecloud.co.uk’ can access the document/email. This is a basic example, however the rules that can be applied in Azure Information Protection are extensive. You can set up labels that restrict printing from the document, copying from the document, and even screenshotting from the document, meaning that even the strictest labels from the Policy (the ones that seek to protect the most sensitive information) can be technically enforced. For a further breakdown of what restrictions can be applied to labels, click here to be taken to a previous blog.
Before I move on from Azure Information Protection, it is worth pointing out what makes it stand out from the other similar document protection products. To put simply, Azure Information Protection is not network based, it is document based. This means that the labels applied to documents and emails are embedded in the documents/emails themselves, meaning that the level of protection assigned to that document/email follows it indefinitely, no matter where in the world it lands.
Conditional Access & Multifactor Authentication
Related ISO Controls: Teleworking (A6.2.2)
There are a number of ISO27001 controls that Conditional Access can be used for, however teleworking/remote working is a great example, and one that is particularly relevant given the increase in remote workers we are likely to see after the COVID 19 pandemic. As I have mentioned in a previous blog, the rollout of a blanket MFA policy can often prove to be unpopular and, from our experience, is often the reason why companies end up pulling MFA out as quickly as they’ve put it in. Users tend not to like being asked to MFA every time they log into their device, which is where Conditional Access comes in.
As a high-level definition, Conditional Access restricts access to an organisation’s platforms and data by enforcing standards that must be met by a device or network before accessing information. It does this by using ‘IF-THEN’ statements that must be technically configured within your Office 365 tenant. On a basic level, here is how this works for using conditional access to apply MFA for remote workers:
IF: a user is not logging in from [insert IP address],
THEN: enforce multifactor authentication.
By using Conditional Access to gatekeep when are where MFA is used, the application of MFA becomes more contextual and less onerous. In the above scenario, only workers logging onto a device outside of a trusted IP (in this case, your remote workers) will be required to MFA, meaning that office workers can proceed with standard log-in procedures, whilst those working externally and therefore most at risk, are forced to adhere to that extra layer of security.
Of course, there will be many things in your Remote Working/Teleworking policies that cannot be enforced technically, such as finding a quiet place to work with good WiFi access and in a location where information cannot be seen. For such stipulations, there will always be an element of uncertainty around whether our staff are following the stipulations set out. However, by using the kind of technical enforcements mentioned above, we are given some degree of peace of mind from knowing that if our company devices end up in the wrong hands, there are further measures that protect that all-important company data.
Final Remarks and what Comes Next
Before I go, I think it is necessary to reiterate a point I made at the beginning of this blog. When attempting to use technology to improve our information security measures, be it for ISO27001 or otherwise, it is important (in my opinion) that we don’t start with the technology and work backwards. There is always the urge to implement a piece of technology that we find impressive, without considering where it fits into the bigger picture. Having been faced with the dilemma of using technology to enforce and improve information security practices myself, I would advise that the best place to start is always at the policy and procedure level. Robust information security within any organisation is like anything else: it requires a system of work that is built of policies, procedures and best practices that all work together towards a common goal. So, before you think about applying that piece of technology you’re interested in- be it Microsoft or otherwise- ask yourself where it fits in to your existing structure (if you have one). If you can’t answer that question, then perhaps it’s not the one for you.
Click here for part 2, where I will look at how Windows Autopilot and Single Sign-on Can help with Employee Onboarding and Offboarding. I will also be looking at how Microsoft Intune can help with getting to grips with some key elements of your Mobile Device Policy.