Understanding DLP in a multi-layered approach to Information Protection (2 of 3)

Published May 23 2021 10:53 AM
Microsoft

Where do I start the discussion around DLP?

Commercial enterprises operate on a spectrum between IT dictating to the Business and the Business dictating to IT. I have been in enterprises at both ends of this, from IT providing general capabilities that the Business is required to fit into, to Business groups coming to IT with hardware specs and directing IT to purchase and configure. Neither of these extremes is optimal, as they often serve different goals and disregard the holistic success of the enterprise.

This is Part 2 of a multi-part article around Data Protection.

What can be said is that in today’s enterprises the goal of IT should be to enable the business.

IT needs to be able to determine the best way to meet the needs in a secure way that aligns with corp IT strategy, and when done correctly IT should be seen as an enabler of the business and not an impediment. In a DLP conversation, how this works can be partially dependent on who owns the DLP initiative and on the corporate reporting structure. Environments where CISOs report up through the CFO and procurement drives tool selection can be drastically different from environments where CIO/CISOs report directly to the CEO.

With terms defined, where is a good place for an organization to begin to discuss what a DLP strategy should be? In a business environment of hybrid infrastructure, SaaS, remote workers, and BYOD devices, the logical place to start is to understand the business use-case data access scenarios.

I’ll start with a scenario that most security professionals may find familiar:

  • The organization will allow remote access to email on corporate managed devices. A select group of business users has an exemption. This is a group of high-value resources and corp executives. IT is provided with the following parameters:
    • Personal device will not be managed, and personal data will not be gathered
    • No device wipe or impact to personal data
    • They do not want to use the corp mail client and want to use the native mail/contacts app on the mobile device.
  • Requirements:
    • Ensure corporate data cannot leave device
    • Keep corporate data and personal data separate
    • Capability to remove corporate data if necessary

This protection scenario is not possible. If you struggle to articulate this, the question to explore with them is: what control plane is available in this scenario?

  • A non-managed device means that the device is not a control plane.  So, what other protections are in place?
    • MIP/AIP protections on the file?
      • If so, then the data is protected no matter where it is
    • Intune MAM restrictions on the application?
      • If data is restricted to only Intune managed apps (MAM) then the data is protected
      • In this case the native mail app is not Intune aware. If the scenario allows the data outside applications that have the Intune SDK, and we do not control the device, nor is the data labeled and protected, then it is not protected
    • Device managed or Endpoint DLP deployed?
      • In this case the device is not managed
    • Is this a web-based application protected by Azure AD?
      • The scenario uses the native mail app, not OWA, and therefore a CASB solution cannot be leveraged

The scenario requirements cannot be met. Versions of this ask happen frequently, with the expectation that IT security options are a magic bullet adaptable to any scenario. They are not. Business and IT need to work together to determine the access scenarios that will be supported.

Control Planes for DLP

Reviewing data access scenarios requires gathering data similar to what is needed to create a Conditional Access policy.

  • Who you are (corp user or guest)
  • Where you are (corpnet or off corpnet)
  • Device (managed corp device or unmanaged)
  • What resource or application (protected by Azure AD)
    • Mobile app
    • Browser based SaaS app
    • Windows, MacOS or Linux application

What becomes clear when you step back and look at a DLP scenario is that DLP is a perimeter-based solution which sits on the edge of your corporate environment. To create a DLP protection scenario there are two primary things you must define.

  • Where is the edge (or edges) of my corporate environment?
  • What are the control planes available on that defined service edge?

Our data protection solution is a proactive approach to data protection and requires forethought in where data will exist in a solution.  A way to discuss this is to explore the protection scenarios for a forward proxy vs reverse proxy.

  • A forward proxy puts many clients (end users) behind a gateway solution. Its legacy use was prior to NAT, and it protected a group of computers behind a solution that proxies requests to the internet on behalf of the end user. A forward proxy can be used in tandem with a firewall to control traffic coming from the internal network. From a security stance it is primarily aimed at enforcing security on client computers in your internal network, and it is used as a single point of access control from an end user perspective.

By leveraging an agent, off-network computers may also use this forward proxy, which creates an experience similar to a VPN to access internet resources. Using a forward proxy to browse the Internet usually slows down your overall Internet speed. The experience depends on the location between your computer and the forward proxy and on how many people are using that forward proxy. (For a cloud proxy this remains true, depending on the nearest entry point of the proxy.)

  • A reverse proxy, as the name implies, does the opposite and proxies requests on behalf of the resources instead of the clients. The client should be unaware this is happening. The solution has its roots in load balancing and high availability; that is not what reverse proxies typically do now, but the concept is similar. It also provides security, since an attacker would not have access to the back end resources. Much like a forward proxy, a reverse proxy can also be a single point of access and control.

Protection viewpoint - The difference is that the protection model of a forward proxy looks at protection from an endpoint-focused view.

  • For an inline forward proxy, in most cases the question it is answering is: what do I do with data after it has made it to the local machine? (For example, if a user downloads corporate data to the local machine, how do I prevent them from copying it to their personal Dropbox?) In this protection scenario the forward proxy is the gateway that determines how data can move; it monitors data in transit on an endpoint device and applies rules based on the data. The data would need to be inspected using labels or content inspection at the proxy, and then access or blocking rules would apply based on the policies, or certain sites would simply be blocked by rule in all cases.
  • For a reverse proxy there is a proactive decision on how to protect the corporate data and on when to allow data to move from the corporate repositories to other repositories like the local machine. This is a major difference in methodology and typifies how Microsoft approaches this solution. It forces a discussion on what the allowed repositories for corporate data are and puts the gates at those defined locations.

Reverse proxies are therefore in line with Zero Trust frameworks, where forward proxies are not. Forward proxy solutions are an extension of the inherent trust model we discussed in Part 1: they allow data to move without restriction to ‘trusted’ endpoints and simply move the firewall from the edge of the corporate infrastructure to the endpoint.

In Microsoft’s Modern Workplace Suite (M365), the control planes that our tools can leverage are:

  • File (Classification, Labeling and Protection)
  • Application / Service (Mobile Application Management, O365/Teams DLP)
  • Device (CLP and DLP at endpoint)
  • Browser (API or CASB controls for ANY web-based application)
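
Added example (not from the original article or from any Microsoft tooling): the control-plane walk-through for the unmanaged-device mail scenario, modeled in Python over the four control planes listed above, plus a check of which single change to the business ask opens a control plane. The `Scenario` fields, the `CHANGES` table and the assumption that the mailbox is protected by Azure AD are illustrative, not real Intune or Conditional Access settings.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One data access scenario. Field names are illustrative assumptions."""
    user: str                 # who: "corp" or "guest" (recorded, not used below)
    on_corpnet: bool          # where (recorded, not used below)
    device_managed: bool      # managed corp device or Endpoint DLP deployed
    app_kind: str             # "mobile", "browser" or "desktop"
    app_has_intune_sdk: bool  # app is Intune aware, so MAM can restrict it
    azure_ad_protected: bool  # resource is protected by Azure AD
    file_protected: bool      # MIP/AIP label with protection on the file


def control_planes(s):
    """Map each control plane to (available, reason), as in the walk-through."""
    web = s.app_kind == "browser" and s.azure_ad_protected
    return {
        "File": (s.file_protected,
                 "protection travels with the file" if s.file_protected
                 else "data is not labeled and protected"),
        "Application": (s.app_has_intune_sdk,
                        "data restricted to Intune managed apps"
                        if s.app_has_intune_sdk else "app is not Intune aware"),
        "Device": (s.device_managed,
                   "device is managed" if s.device_managed
                   else "device is not managed"),
        "Browser": (web, "CASB controls apply to the web session" if web
                    else "not a web-based app behind Azure AD"),
    }


def available(s):
    """Names of the control planes that can enforce policy in this scenario."""
    return [plane for plane, (ok, _) in control_planes(s).items() if ok]


# Single changes to the business ask (constructed for this example).
CHANGES = {
    "protect files with MIP/AIP": {"file_protected": True},
    "use an Intune-aware mail app": {"app_has_intune_sdk": True},
    "manage the device": {"device_managed": True},
    "use OWA in a browser": {"app_kind": "browser", "app_has_intune_sdk": False},
}


def alternatives(s):
    """For each single change, the control planes it makes available."""
    return {name: available(replace(s, **delta)) for name, delta in CHANGES.items()}


# The article's scenario: unmanaged personal device, native mail app.
# Assumption: the mailbox itself is protected by Azure AD.
EXEC_BYOD = Scenario(user="corp", on_corpnet=False, device_managed=False,
                     app_kind="mobile", app_has_intune_sdk=False,
                     azure_ad_protected=True, file_protected=False)

if __name__ == "__main__":
    for plane, (ok, reason) in control_planes(EXEC_BYOD).items():
        print(f"{plane:12} {'available' if ok else 'none':10} {reason}")
    print("supportable as asked:", bool(available(EXEC_BYOD)))
    for change, planes in alternatives(EXEC_BYOD).items():
        print(f"  if we {change}: {planes}")
```

As asked, the scenario leaves no control plane available; each alternative opens exactly one, which is the starting point for negotiating a supported access scenario with the business.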

In the next installment I’ll discuss how DLP fits into an Information Protection strategy and how to align a business ask with supported access scenarios.

If you have questions on M365 DLP capabilities, please contact your Microsoft or CSP account team for more detailed information.

Last update: Aug 26 2021 06:32 AM