jro-grafik - Fotolia
In today's post-pandemic environment, employees will be working from anywhere for a long time to come. Whether they are actually in the office or someplace else, they expect a secure yet trusting environment in which to work.
There are digital workplace security risks that many businesses struggle to minimize, including compromised identities, unauthorized access to information and inadvertent leaks of sensitive content. One cloud vendor -- Microsoft -- has tools and technologies that help enhance digital workplace security.
To remain competitive, businesses must meet employee needs and expectations. Employees need access to personal productivity tools and enterprise applications to exchange information, coordinate day-to-day activities and collaborate around business tasks. And, increasingly, they will rely on digital channels as the primary -- and, in some cases, the only -- way to engage with customers and partners.
Historically, content security and trust have been based on a perimeter defense: Build the wall, secure the boundary and trust what happens inside. Like doors into an office, a firewall protects the internal corporate network from the wilds of the public internet. Access rights define the privileges for accessing content that applications manage. And authentication establishes an individual's identity within an enterprise network and to various applications.
Digital work relies on a number of enterprise applications, including email servers, network file shares, collaborative environments, enterprise content management platforms and business systems. Each application manages the access rights and privileges that determine the range of actions employees can perform. Individuals authenticate themselves to particular applications and establish their identities, relying on login/password challenges, biometrics or other techniques.
Trust is implicit. Once they successfully authenticate themselves, employees are entrusted with access to content that each application maintains. Privileges are hierarchical, and employees read, update, create and delete content as their privileges permit, which extend for the entire session.
But trust is rarely verified. Once employees log in to an application and authenticate their identity, they are seldom challenged that they are operating in violation of their privileges. Monitoring for risks and breaches occurs after the fact. Applications track what happens and have few capabilities to detect risks in real time or sense future threats.
With the explosion of digital devices, the ever-rising tide of data flowing across a corporate network and the advent of cloud computing, the scale and sophistication of digital threats against organizations continue to mount, causing a shift in enterprise security with the concept of zero trust.
The fundamentals of zero trust include:
- Applications should explicitly verify every request -- not only the user's identity, but also other factors, such as the user's location, device health and anomalous behaviors.
- Grant only least-privileged access, where users access just what they need, for the specific time that they need it and for the specific tasks that they have. Then, audit to keep track of what has been happening.
- Expect breaches to happen. Businesses should rely on micro-segmentation to design the network infrastructure and enterprise application environment to minimize the impact of breaches when they occur.
Zero trust relies on AI and machine learning to detect signals occurring within corporate networks, recognize patterns and automatically prevent risky events from occurring.
Getting to zero trust is a journey, and it begins with comprehensive authentication. Two-factor authentication is one of the basic building blocks for securing content in any distributed work environment. Microsoft, for example, bundles its two-factor authentication capabilities directly into Azure Active Directory, enabling organizations to reduce the risk of phishing and other identity-based attacks by 99.9%.
Filtering sensitive information
Organizations must also secure the content and conversations flowing through their networks to reduce the likelihood that employees inadvertently -- or maliciously -- reveal sensitive information. But it's essential that organizations make their employees and business partners aware that certain content types and topics are sensitive and require protection. Businesses must create content security policies -- predefined rules and operating procedures about how a company should categorize and handle certain types of content.
Microsoft's Cloud App Security portal addresses content sensitivity. This portal tracks and filters sensitive content from both Microsoft and third-party applications running on Azure. Administrators within an enterprise can automatically monitor the content that users post to cloud applications and block posts containing sensitive information. But this does take up front design work -- administrators and/or information architects must first define the criteria for content inspection. Microsoft helps in this process by providing 100 preset expressions, such as credit card numbers and Social Security numbers, and companies can add their own predefined terms as well. Even with this process in place, it's important to note that if the content is not tagged correctly the security portal will not be able to filter the content.
Sensitivity labels -- such as public, general, confidential and highly confidential -- are available in Office 365, so Word, Outlook, Teams and SharePoint can automatically recognize and manage sensitive content within their application workflows.
For example, employees can apply sensitivity labels to messages and attachments using Outlook, ensuring that they are exchanged within the enterprise in a predefined manner. Word can scan the contents of documents, automatically detect sensitive terms and add the labels. And Teams and SharePoint can manage these documents with their embedded sensitivity labels according to the predefined content security policies.
As with any content metadata, an information architecture is necessary. Defining these sensitivity labels does take some up-front design work and is becoming progressively easier with AI and machine learning tools. Furthermore, cloud content management platforms that are tightly integrated with Office 365, such as Box, can manage these sensitivity labels as well. Of course, some assembly is required.
Insider risk management
Insider risk can also be a problem for content security -- untrustworthy employees putting the enterprise at risk. To address this problem, Microsoft has an administrative dashboard for insider risk management.
Relying on machine learning to detect patterns, automatic agents track signals and network events within Office 365 and other applications running on Azure within a business. These agents are trained to alert administrators about suspicious activities. Security administrators can further investigate these activities, as well as trace related events that may have occurred within third-party applications.
For instance, an agent may detect downloads of sensitive documents to a mobile device and alert the security administrator. The administrator, in turn, can dig into related data sources maintained by the company's HR platform to determine whether the downloads signal the potential theft of intellectual property and take remedial action as need be.
Nevertheless, virtual training agents to spot insider risks in real time depends on a range of rules and machine learning inferences. Training requires both a considerable up-front investment, continuing updates and is not for the faint of heart. Security administrators, in particular, need to be alert to continuously changing threats and be able to easily update the dashboard.