How to Stop Data Loss in an Office 365 Cloud-Centric World

Protecting sensitive data is hard enough when everything is stored on-premise, but it’s an entirely different ball game as the enterprise steadily marches towards cloud-based systems like Microsoft Office 365.

That confidential data can include everything from valuable business intelligence insights to highly regulated data such as personally identifiable information (PII), protected healthcare information (PHI), and payment card information (PCI).

Email has become the No.1 attack vector, and 49% of cloud hacks and exploits come from email, file sharing, and instant messaging, according to Symantec’s 2017 Shadow Data Report. Moreover, Symantec’s 2018 Internet Security Threat Report found that 90% of targeted threats are aimed squarely at identifying and stealing organization’s sensitive data.

Because cloud apps like Office 365 move information outside of the traditional corporate perimeter, security practices that worked well in on-premise environments no longer hold up and can expose organizations’ IP and compliance-sensitive information to greater risk of data loss and other attacks. “Organizations are struggling with the fact that they don’t own the environment and there’s no more perimeter to protect,” explains Carmine Clementelli, Symantec senior product marketing manager. “Data is exposed more, there are more users accessing data with more devices, and breach exposure is a big thing.”

Extending Security to the Cloud

While organizations are under pressure to augment their security practices for cloud platforms like Office 365, they are justifiably leery about having to reinvent the wheel. The good news is they don’t have to, especially with a layered security solution that takes a platform approach thus can deliver visibility across both on-premise and cloud platforms.

In fact, successfully preventing data loss starts with visibility and discovery, or knowing exactly what sensitive data resides where, Clementelli says.

“Everything starts with detection—if you don’t know what you have, you don’t know what you need to protect,” he says.

• Solutions like Symantec’s Data Loss Prevention (DLP) deliver a single console and unified policy management that spans every channel, whether that be endpoints, storage, and email as well as in the cloud or on-premise. Using advanced technologies from data fingerprinting to machine learning, Symantec DLP will automatically perform discovery on outbound emails to detect sensitive data and files based on policies, including those supporting key compliance initiatives, and ensure that everything is adequately protected.
   
• The mix should also include dedicated tools for handling data security on inbound emails. Products like Symantec Email Security.cloud use policy configuration, compliance and regulatory templates, email encryption, and other capabilities to analyze email components such as the body, subject, and attachments and take a range of actions. Messages that are approved will be passed through to recipients while emails that are flagged with sensitive data will be automatically protected using policy-based encryption.
   
• A Cloud Access Security Broker (CASB) comes into play to monitor and protect data outside of email. Products like Symantec’s CloudSOC automatically detect confidential data exposed in other Office 365 apps like OneDrive, SharePoint, and Teams, providing visibility into what type of confidential data is in question and who maintains access to it, among other policy points.
   
• As an extension of Symantec DLP’s data detection policies, CloudSOC monitors user activity within the cloud-based Microsoft suite in real-time, enforcing policies that will negate any questionable sharing actions and deleting highly sensitive data that shouldn’t find its way into Office 365.
   
• The platform has a built-in data classification engine that automatically detects and classifies sensitive data that spans a range of file and field types, including documents, databases, video, and custom forms. It works across structured and unstructured content found in emails, messages, and in the cloud, and unlike other CASBs, it employs a machine learning engine to automate the process instead of relying on custom tuning.