The above picture is from the CISSP material, domain 3 (Security Architecture and Engineering), but it could just as well be from Microsoft material.
So what are the three layers of protection?
At a high level Microsoft has three layers of security. Actually there are four, as baseline is split into two different setups, or five if you count the highly isolated Teams setup.
- Baseline protection
- Sensitive protection
- Highly sensitive protection
Most organizations should have the baseline level, some companies could have the sensitive protection level, but only a few companies have the highest level of protection.
Baseline protection
With two levels of baseline protection the following are true.

| Description | Baseline (Public) | Baseline (Private) |
| --- | --- | --- |
| Private or public team | Public | Private |
| Who has access? | Everybody in the organization, including B2B users. | Only members of the team. Others can request access to the associated site. |
| Private channels | Owners and members can create private channels | Owners and members can create private channels |
| Site-level guest access | New and existing guests (default). | New and existing guests (default). |
| Site sharing settings | Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site. | Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site. |
| Site-level unmanaged device access | Full access from desktop apps, mobile apps, and the web (default). | Full access from desktop apps, mobile apps, and the web (default). |
| Default sharing link type | Only people in your organization | Only people in your organization |
| Sensitivity labels | None | None |
So the differences between these two are minimal, but they matter a lot.
If you have a public team, anyone can join, including the external guest users you have as identities inside your Azure AD.
Baseline protection doesn't contain any real protection. Information can flow outside the organization and you wouldn't even notice.
If a user's account is breached there is nothing to stop it: no MFA enforcement, no risky sign-in blocking, nothing.
Maybe not the best choice, but many have it anyway. At least anonymous links are removed, so you know what you share and with whom.
And here is a nice picture showing what doesn't work.
I don't know why the CFO thought it would be a good idea to share important files with the wizard. He is a wizard; I don't understand you, CFO.
What about sensitive protection level?
With this protection level the following are true.

| Description | Sensitive |
| --- | --- |
| Private or public team | Private |
| Who has access? | Only members of the team. |
| Private channels | Only owners can create private channels |
| Site-level guest access | New and existing guests or Only people in your organization depending on team needs. |
| Site sharing settings | Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site. |
| Site-level unmanaged device access | Allow limited, web-only access. |
| Default sharing link type | Specific people |
| Sensitivity labels | Sensitivity label used to classify the team and control guest sharing and unmanaged device access. |

Teams channels are private and only members of the Microsoft 365 Group can access the channel.
Access is also limited to web-only for users on unmanaged devices.
Only site owners can share the site, but members still have access to the content.
How to achieve this?
You can use sensitivity labels and auto-labeling to protect the files, and enable co-authoring with the permissions defined inside the auto-label.
In a multilingual organization you can notify users in their own language in the tooltip.
In the example below the languages are Finnish, Italian and German.

```powershell
# Prerequisite: connect to Security & Compliance PowerShell first
# (Connect-IPPSSession from the ExchangeOnlineManagement module).
$Languages = @("fi-fi","it-it","de-de")
$DisplayNames = @("Publique","Publico","Oeffentlich")
$Tooltips = @("Teksti suomeksi","Testo italiano","Deutscher text")
$label = "Public"
# Localized display names, one entry per locale
$DisplayNameLocaleSettings = [PSCustomObject]@{LocaleKey='DisplayName';
    Settings=@(
        @{key=$Languages[0];Value=$DisplayNames[0];}
        @{key=$Languages[1];Value=$DisplayNames[1];}
        @{key=$Languages[2];Value=$DisplayNames[2];})}
# Localized tooltips shown to the user when the label is applied
$TooltipLocaleSettings = [PSCustomObject]@{LocaleKey='Tooltip';
    Settings=@(
        @{key=$Languages[0];Value=$Tooltips[0];}
        @{key=$Languages[1];Value=$Tooltips[1];}
        @{key=$Languages[2];Value=$Tooltips[2];})}
# Set-Label expects each locale setting as a compressed JSON string
Set-Label -Identity $label -LocaleSettings (ConvertTo-Json $DisplayNameLocaleSettings -Depth 3 -Compress),(ConvertTo-Json $TooltipLocaleSettings -Depth 3 -Compress)
```

With policy tips you can, for example, notify users when you are blocking the content.
And here is a nice picture showing how it works.
Again CFO, why again? It's still the wizard.
But now the CFO isn't allowed to make a mistake, good for the CFO.
How about the highest tier of protection?
What's up with the highest tier?

| Description | Highly sensitive |
| --- | --- |
| Private or public team | Private |
| Who has access? | Only members of the team. |
| Private channels | Only owners can create private channels |
| Site-level guest access | New and existing guests or Only people in your organization depending on team needs. |
| Site sharing settings | Only site owners can share files, folders, and the site. |
| Access requests | Off. |
| Site-level unmanaged device access | Block access. |
| Default sharing link type | People with existing access |
| Sensitivity labels | Sensitivity label used to classify the team and control guest sharing and unmanaged device access. Label can also be used on files to encrypt files. |

With the highest level, access requests are off so no outsider can request access.
Unmanaged devices are completely blocked, not just limited. Nobody outside our Azure AD's reach is able to access the site.
Even sharing is limited to people with existing access; no new ones are allowed to step in.
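As an added example (not from the original post and not Microsoft's own script), the following SharePoint Online Management Shell function applies the site-level settings from the sensitive and highly sensitive tables above to a team's site and reads them back for verification. The admin URL, site URL and label GUID are placeholders you replace for your tenant.

```powershell
# Added example: apply a protection tier to a team's SharePoint site
# with the SharePoint Online Management Shell, then read it back.
# $AdminUrl, $SiteUrl and $LabelId are placeholders for your tenant.
$AdminUrl = "https://contoso-admin.sharepoint.com"          # placeholder
$SiteUrl  = "https://contoso.sharepoint.com/sites/finance"  # placeholder
$LabelId  = "00000000-0000-0000-0000-000000000000"          # placeholder label GUID

function Set-TeamProtectionTier {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][ValidateSet("Baseline","Sensitive","HighlySensitive")][string]$Tier,
        [string]$SensitivityLabel,
        [switch]$AllowGuests   # "depending on team needs" in the tables above
    )
    # Guest access: new and existing guests, or only people in your organization
    $sharing = if ($AllowGuests) { "ExternalUserSharingOnly" } else { "Disabled" }
    switch ($Tier) {
        "Baseline" {
            # Default link "only people in your organization"; full access from any device
            Set-SPOSite -Identity $Url -DefaultSharingLinkType Internal -ConditionalAccessPolicy AllowFullAccess
        }
        "Sensitive" {
            # Default link "specific people"; unmanaged devices get limited, web-only access
            Set-SPOSite -Identity $Url -DefaultSharingLinkType Direct -ConditionalAccessPolicy AllowLimitedAccess
        }
        "HighlySensitive" {
            # Unmanaged devices blocked; only site owners may share files, folders and the site
            Set-SPOSite -Identity $Url -ConditionalAccessPolicy BlockAccess
            Set-SPOSite -Identity $Url -DisableSharingForNonOwners
        }
    }
    Set-SPOSite -Identity $Url -SharingCapability $sharing
    if ($SensitivityLabel) {
        # Classify the site with the label that carries the guest and device rules
        Set-SPOSite -Identity $Url -SensitivityLabel $SensitivityLabel
    }
    # Read back the effective settings so the change can be verified and logged
    Get-SPOSite -Identity $Url |
        Select-Object Url, SharingCapability, DefaultSharingLinkType, ConditionalAccessPolicy, SensitivityLabel
}

Connect-SPOService -Url $AdminUrl
Set-TeamProtectionTier -Url $SiteUrl -Tier HighlySensitive -SensitivityLabel $LabelId
```

The highly sensitive tier's "people with existing access" default link and the access-requests-off setting are left to the site permissions UI in this example.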
And here is a nice picture for this level of security as well.
Maybe now the CFO remembers that internal content isn't to be shared outside. Not with wizards, not with anyone.
Last sentences
These relatively easy steps to protect your environment will minimize human errors, whether they happen by mistake or because someone wants them to.
Due diligence is important for reviewing the scenarios and the risks: how lost content would affect the whole business and what the monetary value of the loss is.
When the manager has done the risk valuation, it's time for due care by the technical experts who protect the environment.
This is a real-life example of domain 1 (Security & Risk Management) from the CISSP material.
Until next time,