A way to discuss this is to explore the protection scenarios for a forward proxy vs reverse proxy. Our data protection solution is a proactive approach to data protection and requires forethought in where data will exist in a solution. What are the control planes available on that defined service edge?.Where is the edge(s) of my corporate environment?.
To create a DLP protection scenario there are two primary things you must define. What becomes clear when you step back and look at a DLP scenario is a perimeter-based solution which sits on the edge of your corporate environment.
Device (managed corp device or unmanaged).Reviewing data access scenarios require the gathering of data similar to what is needed to create a Conditional Access policy. Business and IT need to work together to determine access scenarios that will be supported. Versions of this ask happen frequently with the expectation that IT security options are a magic bullet adaptable to any scenario, they are not. Using the native mail app not OWA and therefore a CASB solution cannot be leveraged.Is this a web-based application protected by Azure AD?.Device managed or Endpoint DLP deployed.If the scenario allows the data outside applications that have the Intune SDK and we do not control the device, nor is the data labeled and protected, then it is not protected In this case the native mail app which is not Intune aware.If data is restricted to only Intune managed apps (MAM) then the data is protected.Intune MAM restrictions on the application?.If, so then the data is protected no matter where it is.A non-managed device means that the device is not a control plane.
If you struggle to articulate this the question explore with them is what control plane is available in this scenario? This protection scenario is not possible. Capability to remove corporate data if necessary.Keep corporate data and personal data separate.Ensure corporate data cannot leave device.They do not want to use corp mail client and want to use the native mail/contacts app on the mobile device.No device wipe or impact to personal data.Personal device will not be managed, and personal data will not be gathered.IT is provided with the following parameters: This is a group of high value resources and corp executives. Select group of business users have exemption. Organization will allow remote access to email on corporate managed devices.I’ll start with a scenario that most security professionals may find familiar With terms defined where is a good place for an organization to begin to discuss what a DLP strategy should be? In a business environment of a Hybrid Infrastructure, SaaS, Remote workers, and BYOD devices the logical place to start to understand the business use case data access scenarios. CISOs that report up through the CFO that have procurement driving a tool selection can be drastically different than environments where CIO/CISOs report directly to the CEO. In a DLP conversation how this works can be partially dependent on who owns the DLP initiative and the corporate reporting structure. IT needs to be able to determine the best way to meet the needs in a secure way that algins with corp IT strategy, and when done correctly IT should be seen as an enabler of the business and not an impediment. What can be said is in today’s Enterprises the goal of IT should be to enable the business. DLP in Microsoft Information Protection (MIP).Defining the edge of an Enterprise and control planes.DLP defined and the pursuit of data protection as an ‘Edge solution’.This is Part 2 of a multi-part article around Data Protection. Neither of these extremes are optimal as they often serve different goals and disregard the holistic success of the enterprise. I have been in enterprises at both ends of this where IT provides general capabilities, and the Business is required to fit into then to Business groups coming to IT with hardware specs and directs IT to purchase and configure. Where do I start the discussion around DLP?Ĭommercial Enterprises operation on a spectrum between IT dictates to the Business or Business dictates to IT.