Microsoft Information Protection and Governance 101


August 30, 2021
Beau Faull

Over the last six months or so, I have had many people reach out to me asking what information protection and governance is and what capabilities Microsoft has to solve these problems.

Instead of addressing these questions individually, I thought I would start a series of stories to cover some of these topics, at least as I understand them — and apply them with Microsoft technologies.

This article will explain some of the fundamentals of Information Protection and Governance, and I plan to dive deeper in future articles.

What is the difference between Information Protection and Information Governance?

This topic comes up regularly, especially for those who are new to this side of security. The critical difference between the two is that Information Protection involves placing protective controls around sensitive data (such as encryption), while Information Governance determines the lifecycle of that data (for example, retaining it for a particular period and then disposing of it).

Information Protection

As I stated before, this is about placing protective controls around your data after the data is discovered and mapped against a data classification framework. Classification Frameworks (or data taxonomies) are often formal, enterprise-wide policies that consist of between 3 and 5 classification levels and include three elements:

  • A Name
  • A Description
  • Some real-world examples (such as credit card data)

Once this framework has been established, controls are mapped to those classification levels. Without these controls, classification labels are simply labels with no purpose other than indicating how sensitive the data is. The controls become more stringent the more confidential the information is; for example, Highly Confidential data is encrypted so that only certain users or groups can access it, whereas data classified as Public is generally intended for public consumption and needs no such controls.

Information Governance

On the other hand, information governance is the concept of retaining or deleting data based on the information lifecycle. For example, some states require that you maintain health data for seven years, while other data, like credit card information, should be kept for the least amount of time possible.

Any data that exists within your data estate requires appropriate levels of protection and governance applied to it, depending on the type of data it is — so deleting data that is no longer needed is the best path forward. This control can be achieved with a retention lifecycle: certain types of information must either be kept or deleted depending on the data privacy regulations that apply to them, as in the health and credit card examples above.

The Information Protection Lifecycle


There are four key pillars that Microsoft uses to demonstrate the information protection lifecycle. These pillars are intended to illustrate the different stages typically followed when implementing an Information Protection and Governance program of work. In this article, I will be covering the initial stage, Identify and Classify.

This initial stage is identifying and classifying the data that you have within your data estate. This is typically where the data classification framework is established, and there are two methods used to locate this data — the manual method or the automatic method. The manual method is a time-consuming process in which a person goes through the data, analyses it and determines the classification for each type.

Usually, data owners are appointed to their respective areas, and they are responsible for identifying and classifying their data.

The other approach is to use automated tools and technologies to scan for data types and determine the classification. Depending on what regulations you need to comply with, specific data types might require different sensitivity levels. For example, business-critical data, such as Merger and Acquisition information, will not be mapped to a particular information type but would still be classified as highly sensitive based on the impact of that data entering into the wrong hands.

The Microsoft capabilities that we would use to facilitate this would typically be a combination of three technologies depending on where this data resides:

  1. Microsoft Information Protection to scan data within the Microsoft 365 environment, including emails, SharePoint, and Microsoft Teams.
  2. Azure Purview to scan and classify data that exists within Azure and third-party services.
  3. The Unified Labelling scanner to scan on-premises UNC shares and SharePoint libraries.

These three technologies can assist in automating the process of discovering the data within your data estate and remove the need for people to do it manually.

What’s next?

I plan to start publishing more to help better the understanding of Information Protection and Governance in the broader community and give something back. I know that this has been reasonably high-level and has only scratched the surface on some fundamentals, but I will be diving deeper into some more core concepts and exploring how we can achieve some of these controls.

Thanks for spending the time to read through my article, and feel free to provide constructive feedback as it is appreciated.

