I work with a lot of Star Wars fans. I’m telling you this because a few days ago, I started seeing Star Wars-related ads all over my search results after checking out a link to the new t-shirt a co-worker just bought. And while I personally have no interest in Star Wars, the internet is trying to be helpful with whatever information it can gather about me. As a consumer, I know that every time I sign in anywhere or even run a simple search, there’s information being collected.

From the business perspective, though, how can companies protect personal and sensitive data with the same vigor as they do in utilizing it to make more informed decisions and influence consumer behavior? Concerns over data security have continued to grow as cloud and social technologies become increasingly integrated throughout our personal and work lives. And with more ways than ever for organizations to collect, track, and analyze data, data privacy is a rapidly growing topic of interest.

So, as an organization, how do you protect personal and sensitive information in a world where data hoarding is very much a reality? We get to the “how” by first understanding the “what” and “why”, so gathering business requirements is the first step. Depending on where your organization is located and conducts business, and what industry you’re in, you’re likely working with different requirements for how you handle personal and sensitive information and how you maintain records. These two questions are great places to start:
- What data regulations is your organization governed by?
- Why do you need to collect and store your data?
While these questions seem to address business managers, CIOs, and security and privacy officers, ultimately they are not the ones managing the data. The responsibility for configuring and maintaining the software you use to store, manage, and secure your data (in this case SharePoint and Office 365), as well as for setting up and maintaining your information architecture, falls on IT. IT, however, does not know which data is important or how specific information must be protected, so a knowledge transfer from business managers, CIOs, and security and privacy officers has to happen before any solution can be implemented. These groups often speak different languages, so if you want to automate data classification in the name of security and privacy, the first critical step is to bridge the gap between information management and data management.
Translate From Business to Tech
To know what to classify and how, you need a system that automatically identifies and tags information, so that it can make and execute decisions for you. For any technology to perform these tasks, you have to give it information in a context it can understand. Continuing with the two questions above, you can break them down into specific details that map to aspects of Office 365 and SharePoint that can either be controlled or measured. “What data regulations are you working with?” really means that you need to define:
- What is considered personal and sensitive information? → Risk Type
- Can you store it and where? → Acceptable Locations
- Who should have access? → Acceptable Permissions
- What is the associated cost of a violation? → Risk Level
And “Why do you need to collect and store your data?” means:
- What is the source of this data? → Internal/External
- What is the purpose of this data? → Acceptable levels of risk
- Who claims business ownership? → Responsibility for upkeep and compliance
- Do you have to store it in specific ways? → Records retention policy
Once you’ve decided which parameters identify your information, the combinations of their possible values give you the matrix for your classification schemes.
Define Your Classification Scheme and Automate
The complexity of your classification scheme will depend on the number of data types you need to classify and the parameters you want to track and measure. You may even have multiple schemes to make it easier to apply different rules and regulations, or to simplify reporting structures. Using the questions above, you can define some basic information types based on source, ownership, risk type, and risk level. For example, if you’re storing employee information within SharePoint or Office 365:
- Source: Internal
- Ownership: Someone in Human Resources management
- Risk type: Personally Identifiable Information (PII) may be present
- Risk level: High
Even with these basic parameters, depending on how many values each one can take, you could already be working with a large number of permutations. The more parameters you add (e.g., location, team, custom properties), the more complex it gets. Given how much data is generated each day, manually tagging and classifying it is not only time consuming but leaves you open to human error. With the right tools (or maybe some Jedi magic), you can automatically identify those properties, apply the relevant tags, and classify each item as a specific data type.
Add in Data Privacy and Security Measures
Now, remember those questions that were mapped to acceptable levels of risk, locations, and permissions? With your data types defined, determine the acceptable values for risk, location, and permissions; these give you the triggers for violations, the levels for prioritization, and the appropriate responses. Using the employee information example, the only acceptable location is the pre-determined Human Resources site, and the only acceptable permissions are for certain personnel from that team. If one of the files is moved to a sales site, or someone outside of Human Resources gains permissions, then given the high level of risk associated with files containing PII, the action should be blocked and reverted immediately. Human review and reporting will continue to play integral parts in maintaining the security of your sensitive data, but the time it takes for someone to pick up the task could be enough to expose you to unnecessary risks that can translate into costly fines. The best approach to securing sensitive data across Office 365 and SharePoint is to have multiple layers of measures in place to prevent, catch, and remediate, combining automation with manual review. Whatever your winning combination of these factors is, knowing your data by enforcing classification is vital to truly protecting it.
- Define the regulations, policies, and priorities that apply to your data
- Translate business and compliance goals into parameters that can be identified and controlled within SharePoint and Office 365
- Map out data types with those parameters, and then with acceptable SLAs, responses, and business owners
That way, content can be classified automatically and checked against specific standards, such as limits on where sensitive data may live and who may access it; a violation triggers a protective response and routes the item to the right person to be reviewed and resolved.
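To make the three steps above concrete, here is a small illustrative rule engine in Python. It is an added example written for this article, not AvePoint’s or Microsoft’s code, and it does not talk to SharePoint or Office 365: the site paths, group names, PII patterns and the three sample items are all constructed for the demonstration. It tags each item with a data type from the scheme parameters (source, owner, risk type, risk level), checks the item against the acceptable locations and permissions for that type, and picks a response by risk level, returning the business owner the violation should be routed to.

```python
"""Illustrative data-classification and policy check (added example).

Assumptions (not from the article): US SSN and e-mail regexes stand in for
PII detection; site paths, group names and sample items are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed PII detectors: a scheme's "risk type" comes from content scanning.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass(frozen=True)
class DataType:
    name: str
    source: str                 # Internal / External
    owner: str                  # business owner responsible for upkeep
    risk_level: str             # Low / Medium / High
    acceptable_sites: frozenset  # empty set = no location restriction
    acceptable_groups: frozenset  # empty set = no permission restriction


# The classification scheme: the employee-record type from the article plus a
# low-risk default. Hypothetical site path and group name.
SCHEME = {
    "employee-record": DataType("employee-record", "Internal", "HR Management",
                                "High", frozenset({"/sites/hr"}),
                                frozenset({"HR-Staff"})),
    "general": DataType("general", "Internal", "Site Owner", "Low",
                        frozenset(), frozenset()),
}

# Response by risk level: high-risk violations are blocked and reverted
# automatically, lower levels go to quarantine or reporting for human review.
RESPONSE_BY_RISK = {"High": "block_and_revert",
                    "Medium": "quarantine_and_notify",
                    "Low": "report"}


@dataclass
class Item:
    path: str
    site: str
    groups_with_access: set
    text: str
    tags: dict = field(default_factory=dict)


def detect_pii(text):
    """Return the sorted names of PII patterns found in the text."""
    return sorted(name for name, pat in PII_PATTERNS.items() if pat.search(text))


def classify(item):
    """Tag the item and return its data type name.

    Assumption for the example: anything that carries PII, or that lives in
    the HR site, is an employee record; everything else is general content.
    """
    pii = detect_pii(item.text)
    dtype = "employee-record" if (pii or item.site == "/sites/hr") else "general"
    item.tags.update(pii=pii, data_type=dtype,
                     risk_level=SCHEME[dtype].risk_level,
                     owner=SCHEME[dtype].owner)
    return dtype


def evaluate(item):
    """Check location and permissions; return (violations, response, owner)."""
    dtype = SCHEME[classify(item)]
    violations = []
    if dtype.acceptable_sites and item.site not in dtype.acceptable_sites:
        violations.append(("location", item.site))
    if dtype.acceptable_groups:
        extra = item.groups_with_access - dtype.acceptable_groups
        if extra:
            violations.append(("permissions", ",".join(sorted(extra))))
    response = RESPONSE_BY_RISK[dtype.risk_level] if violations else "none"
    return violations, response, dtype.owner


# Constructed sample items: a compliant HR file, the article's "copied to a
# sales site" scenario, and an unrelated sales document.
SAMPLE_ITEMS = [
    Item("/sites/hr/payroll.xlsx", "/sites/hr", {"HR-Staff"},
         "Jane Doe 123-45-6789 jane.doe@example.com"),
    Item("/sites/sales/payroll-copy.xlsx", "/sites/sales", {"Sales-Team"},
         "Jane Doe 123-45-6789"),
    Item("/sites/sales/q3-forecast.docx", "/sites/sales", {"Sales-Team"},
         "Pipeline grows 12% quarter over quarter."),
]


def run(items):
    """Evaluate every item; map path -> (violations, response, owner)."""
    return {item.path: evaluate(item) for item in items}


if __name__ == "__main__":
    for path, (violations, response, owner) in run(SAMPLE_ITEMS).items():
        print(f"{path}: {response} ({violations}) -> route to {owner}")
```

Running the block prints one line per item: the HR payroll file passes, the copy on the sales site trips both the location and the permissions rule and gets `block_and_revert` routed to HR Management, and the forecast is classified as general with no violation. In a real deployment the `Item` would be built from the tenant's audit events or a content crawl, and `evaluate` would call the platform's APIs to revert the move or strip the permission; the point here is only the shape of the classification matrix and the policy check.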
As you plan your journey to the cloud, be sure to check out AvePoint’s Cloud Arcade for more helpful tips on managing, migrating, and protecting Office 365! You can also learn more about Office 365 protection by watching our on demand webinar, AvePoint’s Cloud Arcade Presents: Policy-Driven Protection for Office 365.