Information security is a very sensitive subject for every company. Openhost works every day to improve the protection of user data by relying on the latest available technologies, but also by applying a simple and precise policy that lets every user protect themselves from IT risks.
In a company, a good security policy aims to keep user data safe without harming employee productivity. Microsoft Cloud App Security and Azure Information Protection offer new enhancements that help you secure, more safely and efficiently, the data that passes through the Office 365 Professional and Office 365 Business Pro suites.
1 – Establish standardized security labels
It is important to keep in mind that most business users are not IT specialists, even though they use a variety of devices in their personal lives (smartphones, tablets, laptops …). When defining a company security policy, it is therefore necessary to take this into account and establish simple, effective rules that everyone can follow.
In general, 5 security labels is a standard that covers every situation while remaining simple enough to apply. These 5 levels of protection are configured in your Office 365 suite to natively protect all internal documents.
The 5 levels of protection can, therefore, be defined as follows:
Personal: Non-business document, for personal use only.
Public: Professional data that is prepared and compliant for public use.
General: Internal data that is not intended for public disclosure but can be shared with external partners. Examples include directory files with company contacts, organizational charts of the various departments, news releases and similar material.
Confidential: Sensitive business data whose disclosure to external persons could jeopardize the company’s activity (sales data, security reports, etc.).
Highly confidential: If this data leaks, the company will suffer damage of various kinds that will necessarily jeopardize its activity. This is the highest level of corporate information protection and must therefore be the most restricted in terms of access. Examples include customer or user data, access codes, pieces of source code, formulas or patents, etc.
For example, when a user creates a new Word document, the default level of protection is “General”, which designates an internal business document. Depending on the data that will be stored in the document, the user can then choose the most appropriate level of security. By making “General” the default level for every document, you are certain that your employees’ documents start with a baseline level of protection.
By applying an automated security policy in Microsoft Cloud App Security (MCAS), files with a given security level are automatically blocked if an attempt is made to send them to a public cloud platform. This feature is compatible with all major public cloud storage providers (Azure, Amazon Web Services, Google Cloud, Dropbox, etc.).
2 – Sublabels to enforce access rules
Of course, the overall security policy may not be sufficient, depending on the size of your business. It is therefore possible to create specific entities representing groups of people who have specific access rights. This feature makes it possible to restrict access to certain files according to a person’s status in the company.
For example, if you belong to the company’s legal department, the documents you process are confidential, but it is also important to restrict access to them internally. Defining a sub-label such as “Legal” or “Legal Service” therefore restricts access to such a document to people who belong to the same group. A good practice is to start by defining sub-labels per department and then to adjust them according to internal needs. It is also possible to create sub-labels for specific projects if a project requires a level of confidentiality restricted to the members of the group.
3 – Create specific security policies for user groups
As seen above, it is essential to clearly define user access according to roles and status. Azure Information Protection offers the possibility to define specific security policies that are independent of one another.
In this screenshot we see three different security policies: the first applies to all users and sets the default security level to “General”; the second and third are addressed to more specific user groups and therefore carry more restrictive security measures (for example, the default security level could be set to “High Confidential / Project Samos” or “Confidential / Managers” from the outset).
If a user belongs to a specific group, that group’s security policy is applied to each document the user produces; if no such policy is in place, the global policy applies.
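As an added example of how sections 1 to 3 translate into configuration, the following PowerShell script builds the five-level label set, the “Confidential / Legal” sub-label and a global plus a scoped label policy using the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. It is not code from the original post or from Microsoft’s documentation; the policy names, the group address `legal@contoso.example` and the tooltips are assumptions chosen for illustration, while the label names come from the post.

```powershell
# Added example (not from the original post): five sensitivity labels, one
# sub-label and two label policies, using Security & Compliance PowerShell.
# Policy names, the group address and tooltips are assumptions for this example.

Connect-IPPSSession   # sign in with an account holding the Compliance Administrator role

# 1 - The five top-level labels, ordered from least to most restrictive.
$levels = @(
    @{ Name = 'Personal';            Tooltip = 'Non-business document, for personal use only.' },
    @{ Name = 'Public';              Tooltip = 'Business data cleared for public release.' },
    @{ Name = 'General';             Tooltip = 'Internal data, may be shared with external partners.' },
    @{ Name = 'Confidential';        Tooltip = 'Sensitive business data; do not share externally.' },
    @{ Name = 'Highly Confidential'; Tooltip = 'Customer data, credentials, source code, patents.' }
)
foreach ($l in $levels) {
    # Idempotent: skip labels that already exist in the tenant.
    if (-not (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip | Out-Null
    }
}

# 2 - A sub-label under "Confidential" reserved for the legal department.
New-Label -Name 'Legal' -DisplayName 'Legal' -ParentId 'Confidential' `
    -Tooltip 'Confidential - legal department only.' | Out-Null

# 3 - Global policy: published to everyone, new documents default to "General".
#     DefaultLabelId expects the label GUID, not its name.
$generalId = (Get-Label -Identity 'General').Guid.ToString()
New-LabelPolicy -Name 'Global policy' -Labels $levels.Name -ExchangeLocation All `
    -AdvancedSettings @{ DefaultLabelId = $generalId } | Out-Null

# Scoped policy for the legal department: stricter default, published only to
# the (assumed) mail-enabled group legal@contoso.example.
$legalId = (Get-Label -Identity 'Legal').Guid.ToString()
New-LabelPolicy -Name 'Legal policy' -Labels 'Confidential', 'Legal', 'Highly Confidential' `
    -ExchangeLocation 'legal@contoso.example' `
    -AdvancedSettings @{ DefaultLabelId = $legalId } | Out-Null

# Check: list every policy with the labels it publishes and who it targets.
Get-LabelPolicy | Select-Object Name, Labels, ExchangeLocation | Format-Table -AutoSize
```

The final `Get-LabelPolicy` call is the check worth running after any change: a user who appears in the scope of both policies receives the union of the published labels, so review the output to confirm that the scoped policy’s stricter default is the one that applies to the intended group.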
4 – Encourage good user behavior
It is well known that the first IT risk factor in a company is the behavior of the user, who is unfortunately often unaware of the internal IT security policy. Encouraging users to behave more responsibly and appropriately is therefore necessary!
Overall, there are 4 types of data protection policy for users:
Automatic: All rules are automated from the start by the administrator; if an adaptation or any other change is needed, it has to go through the IT department.
Recommended: Lists of recommendations defined and communicated to users.
Double Classification: Allows each user to redefine the level of protection of the created document.
Defined by users: Each user must classify each document at the appropriate security level. This is the most cumbersome policy to put in place, because the majority of users end up giving up or forgetting to classify each of their documents.
The file security policy sits at the crossroads of the first three. By combining these different aspects and using the right tools, it is possible to deploy a highly efficient policy that provides a global level of security together with personalization for each user. As seen above, creating automatic rules establishes a global security policy as a baseline while still allowing users to redefine the security level, with or without justification.
It is furthermore possible to add advanced recommendations that appear based on the content of the document. For example, if a user is about to save a document whose text contains the term “financial service”, a message such as “You are recommended to classify your document as a Protection Level: Confidential / Finance Service” can be displayed. Pushing recommendations automatically in this way is very effective in educating users to make the right choice.
5 – E-mail protection barriers
So far, our advice has largely focused on the security of users’ documents within the company. Another weak point of business IT security is the handling of fraudulent emails. Despite the many anti-spam and other filters applied to email servers, attacks are still present and more and more businesses are affected.
Protecting email exchanges without hindering business is therefore essential for your company. In Outlook, email protection is enhanced to secure exchanges with colleagues who use the same Exchange servers (also with Outlook), but also with external email clients such as Gmail or Apple.
Encrypt email with Azure Information Protection!
It is now possible to deploy protective barriers that prevent the loss or misappropriation of information by email. The basic idea is to ensure that the user who consults the content of an email is indeed the person who is supposed to receive it.
Let’s take the example of an encrypted email that we send only to certain people. Previously, the recipient had to go through the Outlook application or Outlook Web App (OWA) to prove their identity. Now, when a person receives an encrypted email, a message prompting them to sign in with their Google account or to use a single-use code is displayed (see the screenshot above). The one-time code is sent to the recipient’s mailbox, which confirms that the person accessing the message is indeed the intended recipient. Once the identity is confirmed, the message opens in a secure mail environment rendered in the browser, which gives access to all the classic email features.