Optimize your data protection governance leveraging E-Clearance capabilities!
In response to the recent spike in data protection and exfiltration concerns that we see as organizations prepare for Gen-AI solutions to crawl their data, we have come up with a new capability to extend our current data protection strategy: introducing E-Clearance.
E-Clearance provides organizations with the capabilities to define a “need to know” framework for unstructured data across M365 and other repositories. E-Suite technologies can then use this framework in discovery and as an input prior to performing an action, taking into consideration whether the user, label, or path complies with organizational rules (clearance).
Sensitive Data Collections
We are introducing a new type of logical framework for sensitive data called “Sensitive data collections”. These provide the organization a way to “map” between people (based on Entra ID users and groups), sensitive data (based on the Sensitive Information Types defined in your organization), sensitivity labels (Purview IP), and data at rest repositories/paths.
From this mapping, you will see three potential results that can drive analytics and remediation actions, as necessary:
- The data, user, label, and path are aligned to the E-Clearance policy
  - Example: Credit card department accessing PCI data according to the E-Clearance collection
  - The location ACLs allow authorized users to see the data, in sync with the business clearance definition (and that’s exactly the result we are pursuing!)
- The data, user, label, or path is not aligned to the E-Clearance policy
  - Example: HR department accessing PCI data in a location that violates the rules configured in the E-Clearance collection
  - The location ACLs may allow HR users to see the data, but business rules dictate that these users should not have access to this information. This can be a technical misconfiguration or an end user oversharing data due to a mistake, a lack of training, or suspicious behavior
- The data, user, label, or path contains information that has not been defined in any E-Clearance policy
  - Example: There is information stored in a path matching one of the SITs (built by Microsoft or custom), but the business has not defined a clearance for this data type
  - In this scenario, the business should define an E-Clearance policy for this kind of data and then monitor and govern it
E-Clearance components
Our updated version of the E-Suite management console provides the capability to build new clearance policies using the following components:
- Sensitive Information Types overview:
  - Pattern-based classifiers designed to identify sensitive information within your organization’s data. Some examples are provided below:
    - Social Security numbers
    - Credit card numbers
    - Bank account numbers
    - And more.
- Users or groups
  - Based on your existing Entra ID you can select:
    - Specific users
    - Groups
- ACTION:
  - You can specify which SITs and sensitivity labels you would like to allow or deny specific users and groups access to (from the clearance perspective)
NOTE: So far you have mapped people to content type. The following options help you target more advanced scenarios.
You can also define sensitive data collections by combining the previous settings with sensitivity labels or, depending on your needs, simply define who can use/access this kind of content in your organization.
- Sensitivity labels overview:
  - Sensitivity labels are part of Microsoft Purview Information Protection.
  - They enable you to classify and protect your organization’s data.
  - These labels ensure that content is handled securely, even when it travels across devices, apps, and services.
  - Sensitivity labels can provide protection settings:
    - Encryption: Content can be encrypted based on the label, preventing unauthorized access and use.
    - Content Markings: Labels can add watermarks, headers, or footers (e.g., “Confidential”) to educate the end user.
  - Supported by Word, Excel, PowerPoint, Outlook, and more across various platforms (Windows, macOS, iOS, Android, and Office on the web).
- ACTION:
  - You can select which labels you would like to allow or deny access to (from the clearance perspective)
  - Note that our console only enables you to define what kind of labeled files the user should be able to access from the clearance perspective
  - Labeled files may or may not contain sensitive information types, and may be subject to auto-labeling actions
  - This option is extremely helpful for organizations that want to mitigate users obtaining access to sensitive information through common mistakes such as:
    - Manual assignment
      - People assigned to create/see content that they may not need (or no longer need) to access
      - E-Clearance can easily crawl the labels and identify those for you!
    - Nesting groups
      - People who belong to a group and inherited membership to create/see content with specific labels
      - Dealing with nested groups is always a challenge; mitigate this identity and access risk using E-Clearance
    - Mixing sensitivity labels with sensitive information types
      - You can also specify which users should (or should not) see certain labels with certain content types
      - This is a combination of SITs, labels, and users
You can also specify clearance using location in combination with the above, for example for a specific SharePoint site, library, OD4B path, and more.
Examples:
- Location only (with sensitive info)
  - Set a policy that allows/restricts what kind of content is allowed in that path (regardless of users)
  - The result will be:
    - Authorized content: XXX found
    - Unauthorized content: YYY found
- Location only (with sensitive info + labeled content)
  - Set a policy that allows/restricts what kind of content is allowed in that path based on content/labels (regardless of users)
  - The result will be:
    - Authorized content (with or without labels): XXX found
    - Unauthorized content (with or without labels): YYY found
- Location only (People)
  - Set a policy that allows/restricts who is allowed to access that path (regardless of content type loaded)
  - The result will be:
    - Authorized users: XXX found
    - Unauthorized users: YYY found
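To make the mapping concrete, here is an added example (not E-Suite or E-Clearance code; every user, group, SIT name, label and path in it is made up) that evaluates discovery findings against a clearance collection and returns the three outcomes described earlier (aligned, not aligned, undefined). It expands nested group membership before checking who is cleared, applies the location constraint with a path-prefix check like the location examples above, and produces the kind of "XXX found / YYY found" summary those examples describe:

```python
"""Toy need-to-know ("clearance") evaluator.

Added illustration, not E-Suite or E-Clearance code. A collection records
which SIT names and labels it governs, who is cleared for that content
(users or groups, nested groups expanded) and where it may live (path
prefixes). Each finding is classified as authorized, unauthorized or
undefined, the three outcomes described in the post. All names are made up.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory snapshot: group -> direct members (users or groups).
GROUPS = {
    "CreditCardDept": {"alice", "Finance-Ops"},
    "Finance-Ops": {"bob"},            # nested inside CreditCardDept
    "HR": {"carol"},
}

AUTHORIZED, UNAUTHORIZED, UNDEFINED = "authorized", "unauthorized", "undefined"


def effective_groups(user: str, groups: dict = GROUPS) -> set:
    """Groups the user belongs to directly or through nested membership."""
    member_of: set = set()
    frontier = {user}
    while frontier:
        frontier = {g for g, members in groups.items()
                    if g not in member_of and members & frontier}
        member_of |= frontier
    return member_of


def under(path: str, prefix: str) -> bool:
    """Path lies inside prefix on a segment boundary (/sites/Finance does not
    cover /sites/FinanceHR, which a plain startswith() would accept)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


@dataclass
class Finding:
    user: str
    path: str
    sits: set                       # SIT names detected in the item
    label: Optional[str] = None     # sensitivity label, if any


@dataclass
class Collection:
    name: str
    sits: set = field(default_factory=set)        # SITs this collection governs
    labels: set = field(default_factory=set)      # labels it governs
    principals: set = field(default_factory=set)  # users/groups; empty = anyone
    locations: set = field(default_factory=set)   # path prefixes; empty = anywhere

    def governs(self, f: Finding) -> bool:
        """Does this collection say anything about the finding's content?"""
        return bool(self.sits & f.sits) or (f.label is not None and f.label in self.labels)

    def clears(self, f: Finding) -> bool:
        """Are both the person and the location within the defined clearance?"""
        who_ok = (not self.principals or f.user in self.principals
                  or bool(effective_groups(f.user) & self.principals))
        where_ok = not self.locations or any(under(f.path, p) for p in self.locations)
        return who_ok and where_ok


def evaluate(f: Finding, collections) -> str:
    governing = [c for c in collections if c.governs(f)]
    if not governing:
        return UNDEFINED   # sensitive content, but no clearance defined for it
    # Every collection that governs the content must clear both user and path.
    return AUTHORIZED if all(c.clears(f) for c in governing) else UNAUTHORIZED


def summarize(findings, collections) -> Counter:
    """Counts per outcome, the shape of the 'XXX found / YYY found' summaries."""
    return Counter(evaluate(f, collections) for f in findings)


# Constructed collections: PCI data for the credit card department only, and
# only in the Finance site; board material by label, cleared for one user.
COLLECTIONS = [
    Collection("PCI", sits={"Credit Card Number"},
               principals={"CreditCardDept"}, locations={"/sites/Finance"}),
    Collection("Board", labels={"Highly Confidential"}, principals={"dana"}),
]

# Constructed findings (what a discovery scan might report).
FINDINGS = [
    Finding("alice", "/sites/Finance/pci.xlsx", {"Credit Card Number"}),     # aligned
    Finding("bob", "/sites/Finance/q3.xlsx", {"Credit Card Number"}),        # aligned via nested group
    Finding("carol", "/sites/Finance/pci.xlsx", {"Credit Card Number"}),     # HR user: not aligned
    Finding("alice", "/sites/HR/export.csv", {"Credit Card Number"}),        # wrong location: not aligned
    Finding("alice", "/sites/FinanceHR/x.xlsx", {"Credit Card Number"}),     # prefix trap: not aligned
    Finding("alice", "/sites/Finance/roster.docx", {"U.S. Social Security Number (SSN)"}),  # undefined
    Finding("dana", "/sites/Board/minutes.docx", set(), label="Highly Confidential"),     # aligned
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{evaluate(f, COLLECTIONS):12} {f.user:6} {f.path}")
    print(dict(summarize(FINDINGS, COLLECTIONS)))
```

Two details matter in practice and are easy to get wrong when building a check like this. Group membership has to be expanded transitively, otherwise a user cleared only through a nested group shows up as a false violation (or, if the deny side is evaluated the same way, a real violation is missed). And location scoping must respect path segment boundaries: a plain prefix comparison would treat a site whose name merely starts with the cleared site's name as being inside it.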
E-Clearance Versions and Actions
As mentioned at the very beginning of this blog, data exfiltration is a hot topic! This is why we are releasing two versions of our E-Clearance tool:
Basic – Analytics
- Included in all E-Inspector versions and E-Suite for Information Protection versions
- SCOPE:
  - This version enables organizations to define E-Clearance collections and see summaries, drill-down details, and analytics via E-Visor (PBI)
Advanced – Actions (add-on)
- Included in E-Inspector 4.0 Enterprise and E-Suite Advanced for Information Protection, or as an add-on
- SCOPE:
  - This version enables organizations to take actions via different licensed products, including the following:
    - E-Inspector
      - Take an action if a policy is matched (Unauthorized/Undefined)
    - E-Vigilant (separate license may be needed, depending on E-Suite version)
      - Trigger an action if a policy is matched (Unauthorized/Undefined):
        - Chatbot notifications
        - Workflow-based action
        - Automation task
    - E-Cryptor
      - Trigger a reclassification/label workflow, taking E-Clearance collections as a baseline, prior to reaching out for approvals or managing auto-approvals based on E-Clearance policies
    - E-Racer
      - Take specific actions when a policy violation has been identified after recent activity on a document:
        - New file
        - Edited file
        - Share link created or share modified
E-Clearance + E-Visor Teams App (Better together)
While all these actions can help remediate and govern your data, we do not want to miss the chance to work on a critical aspect: change management.
You can connect our newest solutions, such as E-Clearance (security clearance) and E-Racer (remediation tool), to a central location without leaving Microsoft Teams. With the Teams app, users, managers, and other audiences, such as IT support/auditors, can see and respond to relevant activities directly from the app.
Our E-Visor Teams app has an experience (tab) called My Office 365 files (EN video), (SP Video), that provides users with the following capabilities:
- Notifies users of file sharing activities. From the perspective of an end user, I can see activity and take action:
  - My files
    - I can access all files I created within SharePoint Online, OneDrive for Business, Teams chats and meetings from a centralized place. Yes, without leaving Teams!
    - Provides details about usage and sharing configuration and, depending on the My Office 365 version, users can also start or stop sharing content
    - I can see who has accessed and used my files
  - Files shared with me
    - I can access all files shared with me by other users
- From the data protection perspective, our application provides – in specific My Office 365 versions – the following:
  - Clear identification of sensitive data within the file
  - Easy identification of whether a label has been applied to content
In this way, organizations can provide user education and awareness of the sensitive information created by, or shared with, an end user
E-Clearance + Microsoft Purview IP/DLP/IRM
One key aspect to mention is that as you evaluate access, use, and collaboration, E-Clearance can quickly accelerate the creation and optimization of the Microsoft Purview compliance solution components you have acquired:
- Identifying who uses what kind of data enables you to better define your Purview configurations:
  - Policies that match the collaboration needs between business units while confirming the kind of content they use
  - Accelerated endpoint auto-labeling and M365 auto-labeling
  - All this without the need to have all content labeled, and without impacting users “as you go”, since you will have the activity log trail that confirms the collaboration scenarios the business needs and lets you protect them effectively
- As you see user activity across locations and data, you can also optimize your data loss prevention strategy:
  - Define new DLP rules
  - Identify false positives and optimize existing rules
  - All this without having to enable/create DLP rules for all users and all content types; simply use E-Clearance as a reference point to then create/polish rules
- As you see user activity across locations and data, you can optimize your insider risk detections:
  - Identify suspicious activities
  - Define baseline actions
  - Optimize IRM policies
  - This naturally happens as people interact with data/locations and you see their trending actions, enabling you to define what content users in specific roles should be able to access and use
NEXT STEPS
Stay tuned to upcoming webinars and additional announcements related to new data governance capabilities within Synergy Advisors E-Suite!!
To summarize, to get the most out of GenAI, you lead and you govern; using E-Suite capabilities helps take your organization’s collaboration to the next level!
Interested in a private demo? Contact us by filling out the form below and we will be happy to share how to accelerate your GenAI interaction with your sensitive data, while maximizing visibility and actions governing your data.