Advancing Data Protection with a Trusted Partner
A few years ago, when the company decided to make the move to the cloud, they chose Microsoft 365 E5 and Microsoft Azure, building on their longstanding use of Microsoft technologies. Prior efforts to overhaul their data protection program had been unsatisfactory. However, with access to new Microsoft Purview capabilities, the Information Security team saw an opportunity to try again. They hoped to utilize the full breadth of the Microsoft 365 Information Protection suite including Information Protection Classification and Labeling, Data Loss Prevention (DLP), and Insider Risk Management solutions.
Microsoft tapped Security Solutions and Advanced Specialization Designation-Information Protection and Governance Partner Lighthouse Global to lead the engagement for their ability to effectively understand complex compliance needs across IT, security, and legal departments. They hoped that together they could develop a solution to realize the investment they’d made in Microsoft 365, and to support their corporate commitment to safety for both employees and customers.
“If you were to interview a bunch of companies, those who have actual, very successful DLP and data labeling programs typically have a hodgepodge of solutions that get melded together,” reflected the CISO, “and that’s where Lighthouse was successful…we’ve been able to leverage the investment…and get it to work, [and not] have to go spend more money to hodgepodge together a solution.”
Developing a Comprehensive, Scalable Solution
The Lighthouse team started by holding a series of working sessions to align the company’s vision and requirements and design the implementation approach. Using Microsoft Compliance Check, Lighthouse scanned the company’s environment to get an understanding of current state activity and sensitivity intelligence. The team also reviewed existing policies and approaches for the handling of sensitive data and data loss prevention to identify any areas of opportunity or gaps that could exist. From there, the combined teams were able to successfully design and configure a holistic data protection solution leveraging multiple Microsoft Purview products including Data Loss Prevention, Information Protection, and Insider Risk Management.
Starting with data classification, the team defined the sensitive information types that needed to be identified. From there, they developed a set of sensitivity labels corresponding to the data protection policy. This set of classification techniques and labels were generated in the course of both Data Loss Protection and Insider Risk Management implementation, ensuring a comprehensive data life cycle protection program from content identification through insider threat analysis. Finally, the Lighthouse team supported the integration of the Microsoft products with the company’s third-party HR software to feed HR data into the Data Theft by Departing Employee Policy, enabling the creation of a truly end-to-end solution.
Fulfilling a Mission of Security
The company’s dedication to safety, security, and well-being across applications and contexts drove this project’s success. “Because we see security as part of our commitment to people and innovation, we take a uniquely holistic approach and have strong support all the way up to our board of directors,” says the company’s CISO.
The CISO also credits Lighthouse’s unwavering commitment to partnership. “They helped us not only implement the technology and guide us through some of the critical points to consider as we implemented the technology, but also the process and decision points with data—which ultimately, in the end, actually worked,” they conclude. Now, with the design and implementation of the Microsoft Purview-based Data Protection program behind them, the organization’s information security team is focused on operationalizing the program through a series of pilots scheduled over the next year. Their ultimate goal is total, global implementation of the solution—and total, global protection for all employee and customer data.