Office 365 Message Encryption for External Collaboration – Strengths and Weaknesses

What is Office 365 Message Encryption?

Office 365 Message Encryption allows organizations to send and receive encrypted email messages between people inside and outside their organization. This allows organizations to work with external collaborators in B2B and B2C business scenarios. Office 365 Message Encryption builds on Microsoft Azure Information Protection (formerly called Rights Management Services). Users can protect email using Azure Information Protection, and external collaborators will be able to open and view the protected content. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services. Via Azure Information Protection’s persistent encryption, Office 365 Message Encryption ensures that only intended recipients can view message content.

How does Office 365 Message Encryption Work?

Office 365 Message Encryption is designed to facilitate the secure exchange of information between internal users and external collaborators. The flow of information is usually from a business to another business partner, or from a business to its customers. The initiating business needs to have Office 365, Outlook (at the Professional Plus level) and Azure Information Protection.

Machine Learning Boosts Data Protection

There’s a lot of excitement in the security world today around artificial intelligence (AI) and, more specifically, machine learning (ML). CSO Online lists their top 5 use cases for machine learning in security which include detecting malicious activity in the network, automating repetitive tasks, and analyzing large volumes of data for threat intelligence. But another immediate application of machine learning will be in data protection and the prevention of data leaks.

Data Protection Accuracy and Usability

Data protection is always balancing security and usability. Whether you are using traditional encryption and data loss prevention (DLP) software, or more modern CASB and Information Rights Management, those technologies are known for their usability problems. Some data protection software, especially if the settings are too aggressive, will prompt users too often to identify themselves and identify their data, prevent users from accessing data they actually should be able to access, and report false positives. Too many usability problems lead to frustration and slow down the pace of business. In the worst case, unusable data protection software will even incite users to find ways of circumventing the security you’ve put in place altogether. Faced with user backlash, many organizations end up turning down the security settings on their DLP, which improves the user experience but makes the data protection much less effective.

Machine learning algorithms promise to strike a better balance. By learning what sensitive data looks like in your organization, ML has a better chance of identifying sensitive data before it leaks, and catching potential leaks with fewer false positives.

A New Data Protection Paradigm Emerges in 2018

Traditional data protection has been about securing data behind the corporate perimeter, locking down IT systems and endpoints with firewall and data loss prevention (DLP) technology. But going into 2018, there is an increasing recognition that traditional data protection is not working. Faced with the new realities of cloud, shadow IT, BYOD, increasing collaboration with 3rd parties, and “last mile” endpoints like USB devices… no matter how well you secure data behind the perimeter, your data will eventually leak.

In their DLP magic quadrant analysis in February 2017, Gartner said “At present, even with extensive DLP coverage across endpoints, networks and data repositories, there are still gaps and data flows where data can leak. The better answer is a data security strategy focused on securing the data itself, as opposed to trying to secure every system that comes in contact with sensitive data.”

What Gartner is talking about is a revival of Information Rights Management (IRM) technology that embeds encryption directly in a company’s valuable data assets themselves – their sensitive files and e-mails – so that even if the data does leak beyond the perimeter, it’s still protected.

We expect that the Information Rights Management paradigm will start to go mainstream as of 2018. Here’s a look at what to expect.

Who Decides What Data Needs to be Protected?

Information Rights Management is a new form of data protection that embeds protection directly within sensitive data files and e-mails themselves, so that wherever those files and e-mail travel, even if they leak outside the company into an enemy’s hands, the data is protected. The enemy can’t do anything with it. Only authorized users are ever able to decrypt and use the data.

Faced with today’s continual stream of high-profile data leaks, we believe Information Rights Management is the future of data protection, and a host of analysts, evangelists and emerging vendors agree.

One question that often comes up is – in Information Rights Management, how do you ensure that the right level of protection is consistently applied to sensitive data in the first place?

For example, do you apply protection to every piece of data, or only to certain sensitive data? Who decides what is sensitive and what’s not sensitive? Does an administrator apply protection to the data, or do individual users apply protection to their own data? Can protection be applied automatically, by smart algorithms based on the nature of the data?

Do you apply protection to every piece of data, or only to certain sensitive data?

Data protection experts agree that not all data is created equal, and therefore it makes sense to identify and classify different types of data and treat each class of data differently. For example, a company may want to encrypt and lock down highly confidential data that includes personally identifiable information (PII), personal financial information (PFI), and sensitive intellectual property, ensuring that only a small group of employees at the company may have access to that data. The same company might want to identify more broadly any HR confidential data and simply ensure it doesn’t get shared beyond the company perimeter. And it may also want to identify publicly available information and put little-to-no restriction on that data at all, to ensure anyone can use the data and share it.

Supply Chain Security – How to Collaborate in a World of Data Leaks

CSO Online lists a company’s supply chain and the rise of supply chain attacks as one of its 2018 trends: “No one’s personally identifiable information (PII) is safe. Companies can’t count on the integrity of their suppliers’ and partners’ security capabilities […] Expect more companies to demand security audits of their partners, suppliers, and service providers. Third-party breaches are becoming more common, and it shows that any organization’s security is only as good as its extended network.”

Supply chain refers to all partners, suppliers and even customers that a company collaborates with and increasingly shares data with, using traditional and modern means of collaboration, including e-mail, SharePoint, OneDrive, Dropbox, and even “last mile” endpoints like USB drives. Even small companies can have hundreds of partners, suppliers and customers and this ecosystem represents a significant risk for leaks.

Although supply chain breaches are forecast as a rising trend, with high-profile examples including Target, Verizon, Domino’s, and the Paradise Papers, not much actionable advice has been provided so far on how to reduce these incidents other than traditional advice – vet 3rd parties’ security capabilities, enforce security contractual agreements with partners, encrypt data over the wire, etc. These are good steps, but the reality is that with supply chains so large and diverse and so many technology pathways where data can leak, there will always be holes in supply chain security despite a company’s best efforts.

In contrast, Information Rights Management offers a radical new paradigm of data protection that is perfectly suited to securing data in B2B and B2C collaboration across a large and diverse supply chain. Let’s look at what Information Rights Management offers in this context, and how it could have protected against many of the often-cited data breaches.
