Data Classification via Microsoft Technologies

Data Classification: Where to start?

I have written blog posts about this in the past, but Microsoft continues to innovate and develop new technologies that can simplify an organisation's data classification journey.

GDPR
The European Union introduced a new regulation called GDPR in 2016. There is a new

Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).

The European Union's GDPR was a big step in forcing organisations to consider how they process and control personally identifiable information.

In Ireland some of the core uniquely identifying attributes could be as follows.
- PPS – Personal Public Service Number
- Driving Licence
- Passport
- Mobile Phone Number
- Date of Birth

The uniquely identifying attributes mentioned above relate directly to individuals.
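As an added example (not from the original post), here is how a data classification or DLP rule can detect one of the Irish identifiers listed above with fewer false positives than a bare digit pattern: the last letter of a PPS number is a check character computed from the seven digits (weights 8 down to 2, plus 9 times the alphabet position of any second letter, mod 23), so a scanner can discard look-alikes that fail the check. The sample text and function names are my own; treating a second letter W (the legacy spouse suffix) as contributing nothing is an assumption.

```python
import re

# Constructed sample text for the demonstration; no real person's data.
SAMPLE_TEXT = """
Payroll export: employee 1234567T started 2019-03-01.
New-format number 1234567FA on file; legacy spouse record 1234567TW.
Invoice 7654321 and reference 1234567Z look similar but are not PPS numbers.
"""

# Remainder of the weighted sum mod 23 maps to: 0 -> W, 1 -> A, ..., 22 -> V.
CHECK_LETTERS = "WABCDEFGHIJKLMNOPQRSTUV"

# Candidate shape: seven digits, a check letter, and an optional second letter.
PPS_CANDIDATE = re.compile(r"\b(\d{7})([A-Z])([A-Z]?)\b", re.IGNORECASE)


def pps_check_letter(digits: str, second_letter: str = "") -> str:
    """Expected check letter for seven digits and an optional second letter."""
    total = sum(int(d) * w for d, w in zip(digits, range(8, 1, -1)))
    # Assumption: a second letter W (legacy spouse suffix) contributes nothing;
    # any other second letter adds 9 x its alphabet position (A=1, B=2, ...).
    if second_letter and second_letter.upper() != "W":
        total += 9 * (ord(second_letter.upper()) - ord("A") + 1)
    return CHECK_LETTERS[total % 23]


def is_valid_pps(candidate: str) -> bool:
    """True only if the candidate has the PPS shape and its check letter matches."""
    m = PPS_CANDIDATE.fullmatch(candidate.strip())
    if not m:
        return False
    digits, check, second = m.groups()
    return check.upper() == pps_check_letter(digits, second)


def find_pps_numbers(text: str) -> list:
    """Return checksum-valid PPS numbers found in text, uppercased."""
    return [m.group(0).upper() for m in PPS_CANDIDATE.finditer(text)
            if m.group(2).upper() == pps_check_letter(m.group(1), m.group(3))]


def redact_pps_numbers(text: str, mask: str = "[PPSN]") -> str:
    """Mask valid PPS numbers in place; look-alikes that fail the check stay."""
    def _sub(m):
        digits, check, second = m.groups()
        return mask if check.upper() == pps_check_letter(digits, second) else m.group(0)
    return PPS_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print(find_pps_numbers(SAMPLE_TEXT))
    print(redact_pps_numbers(SAMPLE_TEXT))
```

Running the block reports the three valid numbers and leaves the invalid look-alike untouched, which is the behaviour you want from an auto-classification rule before it triggers a label or a block.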

When it comes to an organisation's intellectual property, how is that data protected? It could be, for example:

- Milk – The ingredients and process of manufacturing and distributing milk
- Bread – The ingredients and process of manufacturing and distributing bread
- Beer – The ingredients and process of manufacturing and distributing beer

Data classification and protection is a critical requirement for any organisation, yet most organisations find it difficult to decide where to begin. Not knowing where to start can pause or completely halt a data classification programme. Microsoft has developed multiple solutions to speed up and enhance an organisation's data classification journey.

Many organisations are not aware of the range of compliance technologies, machine learning and artificial intelligence that Microsoft Purview provides; they are typically already licensed for these services but are not using them.

The way forward: DORA sets a benchmark

DORA is expected to be published in the Official Journal of the European Union by the end of 2022, after final adoption by the European Parliament and the remaining procedural steps. Following publication there will be a 24-month implementation period before the rules enter into force, so the rules under DORA will apply from late 2024 at the earliest, allowing Microsoft and financial institutions to ensure compliance ahead of that time. During the implementation period the Regulatory Technical Standards (RTSs) will also be developed to facilitate DORA's implementation; the RTSs are expected to be completed before DORA applies.

The key requirements under DORA cover the following: ICT risk management, ICT-related incident reporting, digital operational resilience testing, and oversight of critical ICT providers. The legislative framework will also require compliance by critical ICT third-party service providers.

At Microsoft, we support our financial services customers and will continue doing so under DORA implementation, specifically, but not limited to, in the following key areas:

  • ICT risk management: DORA establishes a comprehensive management mechanism for ICT risks with which financial entities would be required to comply, including the identification, protection and prevention, detection, response, and recovery of such risks in scope. Microsoft already provides a broad set of built-in ICT risk management capabilities in our services today. This includes, by way of example: Microsoft Defender for Cloud, the Microsoft 365 Service Health Dashboard, and Microsoft Secure Score.
  • ICT-related incident reporting: DORA will harmonize the classification of incidents while streamlining the reporting processes to develop a more systematic approach to monitoring, controlling, and following up on such incidents. DORA foresees a coordinated approach to ICT incident reporting and tackles reporting overlaps with other regimes such as the NIS2 Directive. Microsoft provides such capabilities, for example with Microsoft Defender.
  • Digital operational resilience testing: DORA introduces digital operational tests that should be conducted on critical ICT systems and applications on an annual to triennial basis (the latter for advanced threat-led penetration testing). This new testing approach will bolster the testing capabilities of financial entities, fostering timely recovery and business continuity. Microsoft already enables customers to do so through our penetration testing program. Learn more about the Microsoft Cloud Penetration Testing Rules of Engagement program.
  • Oversight of critical ICT providers: DORA foresees a communication mechanism between financial regulators and critical ICT service providers for the management of ICT third-party risks. Microsoft already partners closely with its customers and has ongoing and rich engagement with regulators, including audit and regulatory examinations. We think such processes should include inter-agency cooperation amongst other regulators, not limited to Europe. For example, alignment and communication among the Bank of England and the United States regulators (FDIC, OCC, Federal Reserve) would be helpful from a regulatory oversight perspective, drive synergies, avoid fragmentation, and maintain a level of clarity and communication that would benefit regulators and Microsoft alike.

Legacy on-premises data classification

Typical vendors such as Broadcom (formerly Symantec), Forcepoint (formerly Websense) and McAfee did a really good job of analysing on-premises data stores such as file shares, SQL databases and Exchange servers. But these vendors were unable to bridge the gap between on-premises workloads and cloud workloads; most organisations work in a hybrid environment and host data across on-premises infrastructure and private or public cloud services.

Microsoft Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), was a service that Microsoft introduced to provide data loss prevention on Windows 10/11 devices. This service was quite difficult to configure and did not provide meaningful insights and recommendations to organisations. Microsoft deprecated Windows Information Protection in July 2022.

What is the point of data protection, and how effective can it be, without data classification?

Modern data classification

https://www.microsoft.com/en-ie/security/business/microsoft-purview

Microsoft have bridged the gap between on-premises and cloud workloads with technologies that help organisations define their own sensitive information, including:
- Advanced eDiscovery
- Data Map and Data Catalog
- Auto-classification
- Microsoft Purview Insider Risk Management policies
- Microsoft Purview Insider Risk Management
- Microsoft Defender for Cloud Apps
- Microsoft Purview document fingerprinting

Microsoft Classifiers
A Microsoft Purview trainable classifier is a tool you can train to recognise various types of content by giving it samples to look at. Once trained, you can use it to identify items for the application of Office sensitivity labels, communication compliance policies, and retention label policies.

Creating a custom trainable classifier first involves giving it hand-picked samples that positively match the category. Then, after it has processed those, you test the classifier's ability to predict by giving it a mix of positive and negative samples. This article shows you how to create and train a custom classifier and how to improve the performance of custom trainable classifiers and pre-trained classifiers over their lifetime through retraining.

Microsoft currently have 59 trainable classifiers, such as:
– Wire Transfer
– Profanity
– Money Laundering

Custom classifiers can also be created for an organisation’s bespoke requirements.

Microsoft Endpoint Data Loss Prevention

Microsoft Windows Information Protection was a terrible service and it did not take long for Microsoft to retire the service.

Microsoft finally got it right: Microsoft Endpoint Data Loss Prevention is a superb service.

Ref: https://learn.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-learn-about?view=o365-worldwide
