Why is information leaked?
In Part 1, I discussed how to classify information protection measures using "regular labels" and "automatic labeling", why encryption is not always necessary, and how to enforce labeling thoroughly across the company. Thorough labeling makes information visible: you can see what kind of information exists and where it is, which in turn leads to a review of policies.
This time, I would like to talk about how labels can actually be used to prevent information leaks.
The theme this time is "How can we protect information when it is not encrypted?" and, finally, how can we maintain an environment in which information leakage incidents do not occur? I would like to offer some hints.
First, before protecting information, I would like to think about how information is leaked.
When analyzing the tendency of incident reporting of information leakage, it can be roughly classified into the following two categories.
- Information leakage due to inadvertent mistake (negligence)
- Information leakage intentionally
"Inadvertent mistakes" mainly cover erroneous operations and improper activities by internal users, management mistakes, and configuration mistakes. "Intentional information leakage" covers, for example, unauthorized access and theft by external users.
When considering how to protect your information, you need to understand the difference between the two and act accordingly, because the measures for users who inadvertently leak information from the inside differ from the measures for users who leak information maliciously.
In general, the information that internal users leak inadvertently is often internal documents or specific personal information; even if it is leaked outside the company, it does not often cause serious damage to the company. Moreover, because such information is created and distributed within the company frequently and by many people, it is difficult to take measures: protecting it by encryption delays the distribution of information and reduces productivity.
On the other hand, the information leaked by malicious users is often sensitive, highly confidential information or a large amount of personal information, and once it is leaked outside it causes serious damage to the company. In some cases the president and officers have to hold a press conference, so such information must be strictly managed and protected.
These two cases apply to any company, but many companies seem to consider only measures for the latter, or to apply measures designed for the latter to the former as well. Both occur at roughly the same rate, so measures for the former also need to be considered.
Countermeasures against information leakage due to inadvertent mistakes
From here, I would like to explain in detail how to protect against the former: internal users who inadvertently leak information by mistake.
First of all, the following are possible routes of information leakage due to inadvertent mistakes.
■ Routes of information leakage
- Shadow IT (Webmail, cloud storage, etc.)
- External sharing
- USB device
Let's start with the measures against information leakage by email.
The screen below shows a newly created email; you can see that the label "In-house document" is already attached.
A typical case of information leakage by email is one where an external user is mistakenly included as a recipient and the information is sent as is. The screen below is the notification the user receives when this email is sent to an external user.
In this case, the email carried the default label "In-house document", so the user is notified that sending to external users has been blocked. The mechanism is a rule on the mail server (here, Exchange Online) that blocks outbound sending whenever an email is labeled "In-house document" or "Confidential document". That is why sending the email was blocked.
If the user wants to send an email to an external user, the label must be explicitly changed to "Public". This small extra step prevents emails from being sent to external users by accident. If you change the label to "Public" you can send the email to an external user, but in that case it is not an accidental mistake, because you changed the label intentionally.
There are many information leakage incidents caused by misaddressed emails, so controlling email with labels is quite effective. Furthermore, since it does not rely on encryption, it does not hinder users sharing internal information, so it is highly recommended as a way of preventing information leakage from email.
For reference, the Exchange Online transport rule setting screen is as follows.
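As an added example (not part of the original post), here is the same block rule expressed in Exchange Online PowerShell rather than through the setting screen. It assumes the ExchangeOnlineManagement module is installed, and the two label GUIDs are placeholders to be replaced with the IDs of your own "In-house document" and "Confidential document" labels.

```powershell
# Added example: a mail flow (transport) rule that rejects outbound mail carrying the
# "In-house document" or "Confidential document" label, mirroring the screen above.
# Assumes the ExchangeOnlineManagement module; the label GUIDs below are placeholders.
Connect-ExchangeOnline

# The AIP client records the applied label in the "msip_labels" header as
# "MSIP_Label_<label-guid>_Enabled=true". Look up your own IDs with
# Get-Label | Select-Object DisplayName, ImmutableId (Security & Compliance PowerShell).
$inHouseLabelId      = "00000000-0000-0000-0000-000000000001"   # placeholder
$confidentialLabelId = "00000000-0000-0000-0000-000000000002"   # placeholder

# Regular-expression patterns matched against the msip_labels header value.
$labelPatterns = @(
    "MSIP_Label_${inHouseLabelId}_Enabled=true",
    "MSIP_Label_${confidentialLabelId}_Enabled=true"
)

$ruleName = "Block In-house and Confidential labels to external recipients"

# Start in Audit mode so existing mail flow is only logged; switch to Enforce once the
# message trace shows that no legitimate traffic is affected. Mail relabeled "Public"
# carries neither pattern and therefore passes.
New-TransportRule -Name $ruleName `
    -Priority 0 `
    -SentToScope NotInOrganization `
    -HeaderMatchesMessageHeader "msip_labels" `
    -HeaderMatchesPatterns $labelPatterns `
    -RejectMessageReasonText "This message is labeled In-house/Confidential and cannot be sent outside the organization. Change the label to Public if external sending is intended." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Comments "Label-based leak prevention: no encryption, only the label gates external sending."

# Verify what was created before moving to enforcement.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SentToScope, HeaderMatchesMessageHeader, HeaderMatchesPatterns

# When the audit period is over:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```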
Measures against information leakage by shadow IT
Next, I will explain the measures against information leakage by shadow IT.
I think shadow IT management is an issue that IT managers worry about in any company.
In particular, information leakage incidents involving webmail and cloud storage occur frequently, so the use of these apps also needs to be controlled. It is possible simply to prevent the application itself from starting or being used, or to block it with a URL filter, but in many cases this is blacklist-style control, which complicates operation.
As the countermeasure against shadow IT introduced this time, we will use a function called "Windows Information Protection" (hereinafter, WIP) implemented in Windows 10.
To explain WIP briefly, it is a function that creates a boundary on a Windows 10 device between the area used for company data and the area used for personal data, and controls the transfer of data from the company area to the personal area. Once the company area is defined, all other areas are treated as personal areas, so whitelist-style operation becomes possible, control can be applied systematically, and operation is relatively easy.
The Exchange Online transport rules implemented as a countermeasure against information leakage by email cannot block webmail, because mail that does not pass through Exchange Online cannot be inspected, so webmail remains one of the information leakage routes. In addition, personal cloud storage is easily used to refer to company materials from outside the company, which may lead to an incident.
To prevent leakage through such routes, WIP lets you register the applications and networks used by the company and block data from leaving them, so you can easily control the movement of data to applications and networks outside the company's control.
WIP provides four levels of protection. By first pre-verifying in-house applications and the like in "silent mode" and only then enforcing restrictions, you can avoid trouble such as applications required for business suddenly becoming unusable. See the figure below for an overview of the WIP protection levels.
Now, let’s see how it works on the user side on the terminal to which WIP is actually applied.
The figure below shows the screen when trying to attach a company file to Gmail; you can see that the attachment is blocked.
The next screen shows that when you try to upload company data to a personal OneDrive, the file upload is blocked, just as with webmail.
In addition, this WIP protection of corporate data can be combined automatically with "Windows Defender Advanced Threat Protection" (Windows Defender ATP): if a labeled file detected on the device is not protected by WIP, WIP protection can be applied to the device, which prevents information leakage via shadow IT more reliably.
Countermeasures against information leakage due to external sharing
Next, I would like to look at what measures can be taken against data leakage due to external sharing.
There are many cases where data handled by a company needs to be shared not only among employees but also with external partners and partner companies. In such cases, you probably share the file as a ZIP archive encrypted with a password.
However, once the file has been extracted using the password, it can be passed on to others, and the information can no longer be protected. Also, since the password of a file that has already been distributed cannot be changed, it is almost impossible to prevent leakage once the password leaks.
With "Azure Information Protection" (AIP), information can be shared safely with outside parties so that only specific users, including external users, can open the file. However, external users need an environment in which AIP can be used (an AIP client), so in some cases it cannot be used immediately.
Therefore, this time we will use "Conditional Access" in "Azure Active Directory" (hereinafter, Azure AD) together with "Microsoft Cloud App Security" (hereinafter, MCAS). This combination makes it possible to prevent information leakage without encryption.
Specifically, Azure AD applies a session control policy to the users and applications (for example, SharePoint Online) that match its conditions, and MCAS then controls the subsequent actions within that session.
There are three control actions: "test", "block", and "protect". "Test" performs auditing only, which lets you confirm that there will be no impact on business before the actual rollout. "Block" allows the user to view the file but prohibits downloading it. Finally, "protect" allows downloads but applies an AIP label to the downloaded files.
The following screen is the setting screen when “Block” is selected in the session policy of MCAS.
Now let’s see what kind of screen will be displayed to the accessing user when this session policy is enabled.
First, the following screen will be displayed for the accessing user, indicating that the access is being monitored.
By displaying such a warning, you make external users aware that they should handle the information more carefully.
After this, the user accesses the SharePoint site and browses the file, but when they try to download it, the download is blocked as shown in the screen below, and the file cannot be saved to their own device.
In this way you can allow external users only to view the file, so you can share information with the outside world safely.
Lastly, for leakage of files via USB devices, we again use WIP, which was explained in the measures against information leakage by shadow IT. WIP policies can be used to enforce encryption when corporate data is written to USB devices.
The screen below shows the WIP policy setting that protects corporate data with a specific "Azure Active Directory Rights Management" (Azure RMS) template (here, "confidential" is registered) when it is written to a USB device.
Finally, we have summarized the relationship between the products used in the measures introduced this time and the sensitivity of the information; please refer to it.
This concludes the introduction of methods for preventing information leakage even when encryption is difficult, centered on labels (although the last case, USB devices, does use encryption). This idea of labels will continue to be expanded under the name "integrated labels", centered on Office files.
Most recently, support for macOS and Office Mobile, together with native support in Office apps and web browsers, makes it possible to use protected files and labels without installing an AIP client, and I think the range will continue to expand. If I have the opportunity, I would like to introduce how "integrated labels" enhance the protection of corporate information.