In today’s post-pandemic environment, employees will be working from anywhere for a long time to come. But there are digital workplace security risks that businesses need to be aware of, including compromised identities, unauthorized access to information and inadvertent leaks of sensitive content. Many organizations struggle to minimize these risks, while also ensuring that their employees can work remotely as easily as they can in the office.
To help combat this issue — and with its focus on zero trust — Microsoft is raising the bar for what content security within a modern digital workplace should encompass.
To remain competitive, businesses must meet employee needs and expectations. Employees need access to personal productivity tools and enterprise applications to exchange information, coordinate day-to-day activities and collaborate around business tasks. And, increasingly, they will rely on digital channels as the primary — and, in some cases, the only — way to engage with customers and partners.
Historically, content security and trust have been based on a perimeter defense: Build the wall, secure the boundary and trust what happens inside. Like doors into an office, a firewall protects the internal corporate network from the wilds of the public internet. Access rights define the privileges for accessing content that applications manage. And authentication establishes an individual’s identity within an enterprise network and to various applications.
Digital work relies on a number of enterprise applications, including email servers, network file shares, collaborative environments, enterprise content management platforms and business systems. Each application manages the access rights and privileges that determine the range of actions employees can perform. Individuals authenticate themselves to particular applications and establish their identities, relying on login/password challenges, biometrics or other techniques.
Trust is implicit. Once they successfully authenticate, employees are entrusted with access to the content that each application maintains. Privileges are hierarchical; employees read, update, create and delete content as their privileges permit, and those privileges persist for the entire session.
But trust is rarely verified. Once employees log in to an application and establish their identity, they are seldom challenged again, and activity that exceeds their privileges is rarely checked while it happens. Monitoring for risks and breaches occurs after the fact: applications record what happened but have few capabilities to detect risks in real time or to anticipate threats.
But, with the explosion of digital devices, the ever-rising tide of data flowing across a corporate network and the advent of cloud computing, the scale and sophistication of digital threats against organizations continue to mount.
“One of the fundamental shifts in enterprise security is the concept of zero trust,” said Kirk Koenigsbauer, COO and corporate vice president for Experiences and Devices. “Basically, zero trust assumes never trust anything, whether it is within or outside your corporate network.”
From Microsoft’s perspective, there are three pillars to zero trust:
- Applications should explicitly verify every request — not only the user’s identity, but also other factors, such as the user’s location, device health and anomalous behaviors.
- Grant only least-privileged access: users get just what they need, for only as long as they need it and only for the tasks at hand. Then audit, so there is a record of what has happened.
- Expect breaches to happen. Design the network infrastructure and enterprise application environment to minimize their impact when they occur.
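The three pillars above can be made concrete in code. The following is an added example, not Microsoft's code or any Azure API: a toy policy engine that verifies several signals on every request (MFA, device compliance and an "impossible travel" check against the previous sign-in), issues only a scoped, time-boxed grant that is re-checked on each use, and records every decision in an audit list. The request schema, the role-to-action table, the 15-minute grant lifetime and the two-hour travel threshold are all illustrative assumptions.

```python
"""Toy zero-trust request evaluation (added example, not Microsoft's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Request:
    user: str
    action: str            # "read" or "write"
    resource: str
    mfa_verified: bool
    device_compliant: bool
    country: str           # where the request originates
    time: datetime


@dataclass
class Grant:
    scope: str             # exact action:resource the grant covers
    expires_at: datetime


# Least privilege: what each role may do and how long a grant lasts (assumed values).
ROLE_ACTIONS = {"analyst": {"read"}, "editor": {"read", "write"}}
GRANT_TTL = timedelta(minutes=15)


def impossible_travel(last: Optional[Tuple[datetime, str]], req: Request,
                      min_gap: timedelta = timedelta(hours=2)) -> bool:
    """A request from a different country within `min_gap` of the last sign-in is anomalous."""
    if last is None:
        return False
    last_time, last_country = last
    return last_country != req.country and req.time - last_time < min_gap


def evaluate(req: Request, role: str, last_signin, audit: List[dict]):
    """Explicitly verify every signal; return (grant or None, reasons) and audit the decision."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if impossible_travel(last_signin, req):
        reasons.append("impossible_travel")
    if req.action not in ROLE_ACTIONS.get(role, set()):
        reasons.append("action_outside_role")
    grant = None if reasons else Grant(f"{req.action}:{req.resource}", req.time + GRANT_TTL)
    audit.append({"user": req.user, "action": req.action, "resource": req.resource,
                  "allowed": grant is not None, "reasons": list(reasons),
                  "time": req.time.isoformat()})
    return grant, reasons


def grant_valid(grant: Grant, now: datetime, action: str, resource: str) -> bool:
    """Re-check on every use: the grant must cover this exact action/resource and not have expired."""
    return grant.scope == f"{action}:{resource}" and now < grant.expires_at


def demo() -> dict:
    """Two constructed requests from the same user; the second fails two checks at once."""
    audit: List[dict] = []
    t0 = datetime(2023, 5, 2, 9, 0, tzinfo=timezone.utc)
    first = Request("alice", "read", "finance/q3.xlsx", True, True, "US", t0)
    grant, reasons = evaluate(first, "analyst", (t0 - timedelta(hours=10), "US"), audit)
    # 30 minutes later, from another country, attempting a write the analyst role lacks.
    second = Request("alice", "write", "finance/q3.xlsx", True, True, "BR", t0 + timedelta(minutes=30))
    grant2, reasons2 = evaluate(second, "analyst", (t0, "US"), audit)
    return {
        "first": (grant is not None, reasons),
        "second": (grant2 is not None, reasons2),
        "valid_after_5min": grant_valid(grant, t0 + timedelta(minutes=5), "read", "finance/q3.xlsx"),
        "valid_after_20min": grant_valid(grant, t0 + timedelta(minutes=20), "read", "finance/q3.xlsx"),
        "audit_entries": len(audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `grant_valid` is that the grant, not the session, is the unit of trust: a scope that does not match the exact action and resource, or that has aged past its lifetime, is refused even though the earlier evaluation succeeded.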
In practice, zero-trust implementations rely on analytics and machine learning to correlate signals from identities, devices and networks, recognize risky patterns and automatically block, or demand stronger authentication for, requests that look anomalous.
Getting to zero trust is a journey, and it begins with strong authentication. Microsoft is embarking on this journey by enhancing Azure, its cloud computing environment, and by bundling its multi-factor authentication capabilities directly into Azure Active Directory. By Microsoft's own estimate, enabling multi-factor authentication blocks more than 99.9% of account-compromise attacks, including credential phishing. The protection is strongest with phishing-resistant factors such as FIDO2 security keys and weaker with SMS codes, which attackers can intercept or relay.
Moreover, Microsoft is simplifying how businesses enable applications for single sign-on within Azure by reducing the installation steps to a one-click process. Administrators can ensure that employees only need to authenticate themselves once to access all of the applications within their digital work environment.
Filtering sensitive information
Organizations must also secure the content and conversations flowing through their networks to reduce the likelihood that employees inadvertently — or maliciously — reveal sensitive information. It is essential to have content security policies in place — predefined rules and operating procedures about how business should categorize and handle certain types of content. Microsoft is rising to the challenge by rolling out a systematic set of information protection capabilities.
In addition to the identity verification processes, Microsoft is introducing a Cloud App Security portal that enables administrators within an enterprise to automatically monitor the content that users post to cloud applications and block posts containing sensitive information. Administrators will be able to define the criteria for content inspection. Microsoft provides 100 preset expressions, such as credit card numbers and Social Security numbers, and companies can add their own predefined terms as well. Notably, the portal tracks and filters sensitive content across both Microsoft and connected third-party cloud applications.
Microsoft is also incorporating sensitivity labels — such as public, general, confidential and highly confidential — directly into Microsoft 365, so Word, Outlook, Teams and SharePoint can automatically recognize and manage sensitive content within their application workflows.
For example, employees can apply sensitivity labels to messages and attachments using Outlook, ensuring that they are exchanged within the enterprise in a predefined manner. Word can scan the contents of documents, automatically detect sensitive terms and add the labels. And Teams and SharePoint can manage these documents with their embedded sensitivity labels according to the predefined content security policies.
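The content inspection and auto-labelling described in the two passages above come down to pattern detection plus a policy that maps findings to labels and to an allow/block decision. The following is an added example, not Microsoft's code and not the behaviour of Cloud App Security or Microsoft 365: it detects payment card numbers (rejecting candidates that fail the Luhn checksum, which is what keeps order numbers and phone numbers from triggering) and US Social Security numbers (rejecting area, group and serial values the SSA never issues), adds a company-defined term, assigns the strongest matching sensitivity label, and blocks a post depending on the label and destination. The label names, the custom term "Project Falcon", the sample texts and the blocking rule are constructed assumptions.

```python
"""Sensitive-content detection and labelling (added example, not Microsoft's code)."""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Company-specific terms and the label they imply (constructed; a real policy would load these).
CUSTOM_TERMS: Dict[str, str] = {"project falcon": "confidential"}
DETECTOR_LABELS = {"credit_card": "highly confidential", "ssn": "highly confidential"}
LABEL_RANK = {"general": 0, "confidential": 1, "highly confidential": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_sensitive(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, matched_text, label) for each validated finding."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("credit_card", m.group(), DETECTOR_LABELS["credit_card"]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group(), DETECTOR_LABELS["ssn"]))
    lowered = text.lower()
    for term, label in CUSTOM_TERMS.items():
        if term in lowered:
            findings.append(("custom_term", term, label))
    return findings


def classify(text: str) -> dict:
    """Assign the strongest label implied by any finding; 'general' when nothing is found."""
    findings = find_sensitive(text)
    label = "general"
    for _, _, found_label in findings:
        if LABEL_RANK[found_label] > LABEL_RANK[label]:
            label = found_label
    return {"label": label, "findings": findings}


def allow_post(text: str, destination: str) -> bool:
    """Policy: highly confidential never leaves; confidential may only go to internal destinations."""
    label = classify(text)["label"]
    if label == "highly confidential":
        return False
    if label == "confidential" and destination == "external":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample texts: the second contains a Luhn-invalid card and an unissued SSN.
    print(classify("Payment card 4111 1111 1111 1111 for Project Falcon, SSN 123-45-6789"))
    print(classify("Order ref 4111 1111 1111 1112, employee id 000-12-3456"))
```

The validation steps matter more than the regular expressions: without the Luhn and SSA checks, `4111 1111 1111 1112` and `000-12-3456` would both be flagged, and users quickly learn to ignore a filter that blocks order references.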
Insider risk management
Insider risk is a further content security problem: employees who, through malice or negligence, put the enterprise's data at risk. To address this problem, Microsoft is launching an administrative dashboard for insider risk management.
Relying on machine learning to detect patterns, automatic agents track signals and network events within Microsoft 365 and alert administrators about suspicious activities. Security administrators can further investigate these activities, as well as trace related events that may have occurred within third-party applications.
For instance, an agent may detect downloads of sensitive documents to a mobile device and alert the security administrator. The administrator, in turn, can dig into related data sources maintained by the company’s HR platform to determine whether the downloads signal the potential theft of intellectual property and take remedial action as need be.
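The detection described in the passage above, as an added example that is not Microsoft's code and does not reflect the real insider risk management product or audit schema: it parses constructed JSON-lines audit records, counts each user's downloads of labelled files to mobile or unmanaged devices within a sliding one-hour window, raises an alert at a threshold of three, and escalates severity when a constructed HR signal shows the user has given notice. Field names, the sample records, the HR table and the thresholds are all assumptions.

```python
"""Insider-risk signal detection over audit events (added example, not Microsoft's code)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit records; field names are illustrative, not a real schema.
SAMPLE_LOG = """\
{"time":"2023-05-02T09:00:00Z","user":"alice","op":"FileAccessed","file":"roadmap.docx","label":"general","device":"managed"}
{"time":"2023-05-02T09:05:00Z","user":"bob","op":"FileDownloaded","file":"customers.xlsx","label":"highly confidential","device":"mobile"}
{"time":"2023-05-02T09:07:00Z","user":"bob","op":"FileDownloaded","file":"pricing.xlsx","label":"confidential","device":"mobile"}
{"time":"2023-05-02T09:09:00Z","user":"bob","op":"FileDownloaded","file":"contracts.pdf","label":"highly confidential","device":"mobile"}
{"time":"2023-05-02T10:30:00Z","user":"carol","op":"FileDownloaded","file":"design.pptx","label":"confidential","device":"managed"}
{"time":"2023-05-02T11:00:00Z","user":"carol","op":"FileDownloaded","file":"budget.xlsx","label":"confidential","device":"mobile"}
"""

# Constructed HR signal: whether the user has handed in a resignation notice.
HR_SIGNALS: Dict[str, dict] = {"alice": {}, "bob": {"resignation_notice": True}, "carol": {}}

SENSITIVE_LABELS = {"confidential", "highly confidential"}
RISKY_DEVICES = {"mobile", "unmanaged"}


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def detect(events: List[dict], hr_signals: Dict[str, dict],
           window: timedelta = timedelta(hours=1), threshold: int = 3) -> List[dict]:
    """One alert per user when >= threshold labelled downloads hit a risky device within `window`."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for e in events:
        if (e["op"] != "FileDownloaded" or e["label"] not in SENSITIVE_LABELS
                or e["device"] not in RISKY_DEVICES):
            continue
        q = recent[e["user"]]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            hr = hr_signals.get(e["user"], {})
            alerts.append({
                "user": e["user"],
                "files": [x["file"] for x in q],
                "window_start": q[0]["time"].isoformat(),
                # Correlating with the HR signal is what turns a pattern into a prioritised case.
                "severity": "high" if hr.get("resignation_notice") else "medium",
            })
    return alerts


def run() -> List[dict]:
    return detect(parse_events(SAMPLE_LOG), HR_SIGNALS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Carol's single mobile download never reaches the threshold and produces nothing, which is the intended trade-off: the rule is tuned to a burst of labelled downloads, not to any one event, and the analyst still has to confirm intent before acting.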
In today’s digital age, it is essential to secure the entire enterprise ecosystem. Zero trust represents the future for content security in a post-pandemic digital workplace. And Microsoft is setting the directions for the modern enterprise by embedding essential security capabilities directly into Azure and Microsoft 365 to create a more secure ecosystem where trust is also verified.