When thinking about information protection, one of the key questions is what: what specific information should be protected? Some information doesn’t need to be protected at all, such as when it is common knowledge (2+2=4) or easily available (the name of the current leader of a country).
Other information does need to be protected – for a variety of reasons (the why, which we’ll talk about more fully later). Broadly speaking, information that needs to be protected is like that because its inappropriate use or disclosure could cause harm to a person, entity, or organisation. For example, disclosing someone’s credit card number and expiry date to the wrong person could result in financial harm (unauthorised transactions, lost funds, decimated credit rating, etc.) Disclosing someone’s name, address, national ID number and similar data could result in harm through identity theft; an unauthorised actor uses that valid data to masquerade as the other person, receiving benefits that the other party is entitled to or is forced to pay for without receiving the benefit. In an organisational context, disclosing financial planning documents or explanations of the forthcoming business strategy moves to a competitor can result in a weakened market position, reduced market valuation, and in the worst case, outright business failure.
The potential to cause harm is what drives the need to create mitigations through information protection, and in Microsoft’s perspective on information protection, there are two general classes:
- General and generic types of information that are sensitive, and that can be computationally discovered. For example, a credit card number is a credit card number is a credit card number, and if you can work out the identifying characteristics of credit card numbers, you can detect the presence of one or more. Likewise for social security numbers (US), tax numbers (pretty much everywhere), health identification numbers (ditto), and more. Information in this class exists generally, and a specific organisation could (or may have to) protect such information if they collect or handle it.
- Specific types of information that could cause harm to a specific business (or government agency, organisation, non-profit, etc.) if these were to fall into the wrong hands. For example, strategy documents, financial plans, employee lists, expansion ideas, current M&A targets, and more. Information in this class exists in customized forms for specific entities, and depending on the specific business / organisation / other, will need to be set up. There are of course general classes of these types of information across most entities, but the specific realisation of that is up to the specific entity.
Microsoft deals with the above through two specific products in its information protection solutions portfolio: Office 365 data loss prevention (DLP) and Azure Information Protection (AIP). Both products can work with the generic sensitive information types as well as specific types of information that could cause harm. DLP always works automatically (scanning, analysing, thinking), and AIP can work either by user choice (manual labeling of a document or email) or based on automated content analysis. And if something is found that goes against a policy, an automated action can be triggered – such as a user notification, an alert to an administrator, or a block action that prevents the message or document from being sent / saved / shared.