Data breaches have become a major concern for businesses today, and it’s not hard to see why. It seems like every month there is another horror story about breaches of corporate data. 

While many of the largest data breaches involved database attacks, for many companies, loss of confidential documents and emails is the more common threat. For documents, the problem is growing worse due to several trends:

  • Growing user expectations or even business requirements to share sensitive data outside the walls of the organization.
  • The advent of cheap, tiny portable storage (flash drives).
  • The rise of cloud storage and sharing apps like Dropbox, Google Drive, and Microsoft OneDrive.

For all these reasons, IT leadership has recognized the need to go beyond traditional defenses such as “the three As” (authentication, authorization and auditing) and network perimeter protection (firewalls, proxy servers and intrusion detection). The problem with these approaches is that when they fail, whether through social engineering or a zero-day exploit, they become the equivalent of closing the barn door after the horses have escaped. What is needed is file-level protection that is both portable and content-aware. In other words, documents must remain inaccessible even if they are stolen, and the most sensitive documents (e.g., those containing personal information or financial data) should be identified and locked down automatically.

Microsoft has recently faced this issue head-on in Office 365 with two solutions that protect documents in OneDrive, Exchange and SharePoint Online. These offerings are:

  • Azure Rights Management (ARM)
  • Data Loss Prevention (DLP)

Data Loss Prevention

This is an industry-wide generic term that Microsoft has adopted for its offering. DLP can be thought of as “transmission control”: it analyzes the content of documents to determine whether they contain sensitive information, and takes action to prevent sensitive documents from leaving the organization. Preventative measures are applied automatically if, for example, a document contains Social Security or credit card numbers, and can range from a simple warning to a total lockdown of the document.

Microsoft’s DLP offering contains a set of built-in content-based rules that implement US and international regulatory requirements, such as HIPAA and Sarbanes-Oxley.
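The content-based detection that DLP rules rely on, illustrated by an added example that is not part of the original post or of Microsoft's product: a scan for credit card numbers (pattern plus Luhn checksum, so random digit runs are discarded) and U.S. Social Security numbers, with assumed count thresholds that escalate the action from warn to block. The sample document is constructed for the demo; Microsoft's built-in rules additionally weigh surrounding keywords, which this example omits.

```python
import re

# Constructed sample "document"; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_DOC = """Payment on file: 4111 1111 1111 1111 (exp 12/29).
Employee SSN: 123-45-6789.
Shipment tracking id 1234567890123456 is not a card.
Placeholder 000-00-0000 is not a valid SSN."""

# 13-16 digit runs, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# AAA-GG-SSSS with structurally invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Candidate card numbers that also pass the checksum (keeps separators as written)."""
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def evaluate_policy(text: str, warn_at: int = 1, block_at: int = 10):
    """Assumed thresholds: warn on any hit, block once the document looks like a bulk store."""
    hits = {"Credit Card Number": find_card_numbers(text),
            "U.S. Social Security Number": find_ssns(text)}
    total = sum(len(v) for v in hits.values())
    if total >= block_at:
        action = "block"
    elif total >= warn_at:
        action = "warn"
    else:
        action = "allow"
    return action, hits


if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_DOC))   # ('warn', {... one card, one SSN ...})
```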

Azure Rights Management

ARM can be thought of as “usage control”. This technology assumes that documents will be shared outside the enterprise, so it tries to retain control over them no matter where they end up, protecting them from unauthorized disclosure wherever they are. It does this by encrypting the documents and embedding in them a “check-in” to a cloud service that applies rules as to whether the document can be opened by a given user and, if so, what that user can do with it. For example, a document locked down by ARM (which Office exposes as Information Rights Management, IRM) can be sent to a business partner who is identified by their login to a cloud authentication service such as Microsoft Live or Google’s Gmail. Once the authorized user opens the document, IRM can prevent any of the following actions, and can also expire access on a specific date:

  • Sending by email
  • Copying
  • Printing
  • Screen captures (some)
  • Access after a chosen expiry date

ARM works by encrypting the file with a key that can only be obtained by contacting ARM servers in the cloud. The protection covers all Office suite documents, as well as PDFs, and it works across multiple platforms, including iOS, MacOS, Android and Windows.

Summing up

Office 365 with DLP and ARM provides the right tools for data security in the cloud. There are other companies offering similar products, but Microsoft’s have some unique advantages:

  • Very easy to set up—a few clicks of a mouse.
  • Integrates fully with Office and Windows, but also works on iPads, MacOS and Android.
  • DLP intelligently prevents sharing of documents based on content, and has dozens of built-in rules reflecting regulations for data security and privacy from around the world.

ARM allows sharing, but restricts further sharing or editing. It can be applied to whole sites/libraries, or invoked ad hoc by the end user.