Three tiers of protection explained with use cases

The picture above is from the CISSP material, domain 3 (Security Architecture and Engineering), but it could just as well be from Microsoft's own material.

So what are the three layers of protection?

At a high level Microsoft has three layers of security. Actually there are four, because baseline is split into two different setups (public and private), or five if you count the highly isolated Teams setup.

  1. Baseline protection
  2. Sensitive protection
  3. Highly sensitive protection

Most organizations should have at least the baseline level, some need the sensitive level, and only a few need the highest level of protection.

Baseline protection

With the two variants of baseline protection, the following applies.

Baseline (Public) vs. Baseline (Private):

  Private or public team: Public / Private
  Who has access?: Everybody in the organization, including B2B users / Only members of the team; others can request access to the associated site
  Private channels: Owners and members can create private channels (both)
  Site-level guest access: New and existing guests (default) (both)
  Site sharing settings: Site owners and members, and people with Edit permissions, can share files and folders; only site owners can share the site (both)
  Site-level unmanaged device access: Full access from desktop apps, mobile apps and the web (default) (both)
  Default sharing link type: Only people in your organization (both)
  Sensitivity labels: None (both)

So the differences between these two are minimal on paper, but they matter a lot in practice: a public team is open to the whole organization, a private team only to its members.

If you have a public team, anyone in the organization can join, including the external guest (B2B) users you have as identities in your Azure AD.

Baseline protection adds hardly any protection. Information can flow outside the organization and you wouldn't even notice.

If a user's account is breached, this tier does nothing about it: it brings no MFA requirement and no risky sign-in blocking of its own. Only whatever Conditional Access you have configured separately stands in the way.

Maybe not the best choice, but many organizations have it anyway. At least the anonymous ("Anyone") links are removed, so you know what you share and with whom.

And here is a picture showing what doesn't work.

I don't know why the CFO thought it would be a good idea to share important files with the wizard. He is a wizard. I don't understand you, CFO.

What about sensitive protection level?

With this protection level the following are true.

Sensitive:

  Private or public team: Private
  Who has access?: Only members of the team
  Private channels: Only owners can create private channels
  Site-level guest access: New and existing guests, or only people in your organization, depending on team needs
  Site sharing settings: Site owners and members, and people with Edit permissions, can share files and folders; only site owners can share the site
  Site-level unmanaged device access: Allow limited, web-only access
  Default sharing link type: Specific people
  Sensitivity labels: A sensitivity label is used to classify the team and control guest sharing and unmanaged device access

The team is private, and only members of the underlying Microsoft 365 group can access its channels.

Access from unmanaged devices is limited to the web: no desktop or mobile apps.

Members can still share files and folders, but only site owners can share the site itself, and the default sharing link goes to specific people rather than to the whole organization.

How to achieve this?

You can use sensitivity labels and auto-labeling to protect the files. If the label applies encryption with permissions, turn on co-authoring for encrypted files so that labeled documents can still be edited together.

In a multilingual organization you can show users the label name and tooltip in their own language.

In the example below the languages are Finnish, Italian and German.

With DLP policy tips you can, for example, tell users why their content is being blocked.
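The label localization, auto-labeling and policy-tip steps above, as an added example in Security & Compliance PowerShell. This is not code from the original post; it assumes you have run Connect-IPPSSession, that a label named "Sensitive" already exists, and the site URL, texts and policy names are placeholders. The sensitive information type used is the built-in "Credit Card Number".

```powershell
# Added example, not from the original post. Security & Compliance PowerShell
# (Connect-IPPSSession). Label name, site URL, texts and policy names are placeholders.

# 1. Show the label name and tooltip in the user's own language.
#    Set-Label -LocaleSettings takes one JSON document per LocaleKey (DisplayName, Tooltip).
function Set-LabelLocalization {
    param(
        [Parameter(Mandatory)] [string] $LabelName,
        [Parameter(Mandatory)] [hashtable] $DisplayNames,   # locale -> display name
        [Parameter(Mandatory)] [hashtable] $Tooltips        # locale -> tooltip text
    )
    $toLocaleJson = {
        param($LocaleKey, $Map)
        [pscustomobject]@{
            LocaleKey = $LocaleKey
            Settings  = @($Map.GetEnumerator() | ForEach-Object { @{ key = $_.Key; Value = $_.Value } })
        } | ConvertTo-Json -Depth 3 -Compress
    }
    $locales = @((& $toLocaleJson 'DisplayName' $DisplayNames), (& $toLocaleJson 'Tooltip' $Tooltips))
    Set-Label -Identity $LabelName -LocaleSettings $locales
}

# Finnish, Italian and German, as in the screenshot described above (constructed texts)
Set-LabelLocalization -LabelName 'Sensitive' `
    -DisplayNames @{ 'fi-fi' = 'Luottamuksellinen'; 'it-it' = 'Riservato'; 'de-de' = 'Vertraulich' } `
    -Tooltips @{
        'fi-fi' = 'Sisältää luottamuksellista tietoa. Jaa vain organisaation sisällä.'
        'it-it' = 'Contiene informazioni riservate. Condividere solo all''interno dell''organizzazione.'
        'de-de' = 'Enthält vertrauliche Informationen. Nur innerhalb der Organisation teilen.'
    }

# 2. Encrypted labels: allow co-authoring on labeled files (tenant-wide setting).
Set-PolicyConfig -EnableLabelCoauth $true

# 3. Auto-label files containing the sensitive information type. Start in simulation
#    (TestWithoutNotifications) and switch -Mode to Enable once the matches look right.
New-AutoSensitivityLabelPolicy -Name 'Auto-label card data' -ApplySensitivityLabel 'Sensitive' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/finance' -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Policy 'Auto-label card data' -Name 'Card number found' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' }

# 4. DLP policy tip: block sharing of the same content outside the organization
#    and tell the user why, in their language.
New-DlpCompliancePolicy -Name 'Block card data outside the org' -SharePointLocation All -Mode Enable
New-DlpComplianceRule -Name 'Card data shared externally' -Policy 'Block card data outside the org' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'Tämä tiedosto sisältää korttitietoja, eikä sitä voi jakaa organisaation ulkopuolelle.'
```

Run the auto-labeling policy in simulation first and review the matches before enabling it; a label that applies encryption to the wrong files locks them for everyone, so the simulation step is not optional in practice.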

And here is a picture showing how it works.

Again, CFO? Why again? It's still the wizard.

But now the CFO isn't allowed to make the mistake, which is good for the CFO.

How about the highest tier of protection?

With this protection level the following applies.

Highly sensitive:

  Private or public team: Private
  Who has access?: Only members of the team
  Private channels: Only owners can create private channels
  Site-level guest access: New and existing guests, or only people in your organization, depending on team needs
  Site sharing settings: Only site owners can share files, folders and the site
  Access requests: Off
  Site-level unmanaged device access: Block access
  Default sharing link type: People with existing access
  Sensitivity labels: A sensitivity label is used to classify the team and control guest sharing and unmanaged device access; the label can also be applied to files to encrypt them

With the highest level, access requests are off, so no outsider can request access.

Unmanaged devices are blocked completely, not just limited to the web: only managed devices (compliant or hybrid Azure AD joined) can reach the site.

And sharing is limited to people with existing access, so no one new gets in unless an owner adds them.
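The site and team settings from the Sensitive and Highly sensitive tables above, as an added example in PowerShell using the SharePoint Online and Microsoft Teams modules. This is not code from the original post; the tenant name, site URL, group ID and label GUID are placeholders, and the choice of Direct as the default link type for the highly sensitive tier is my assumption, explained in the comments.

```powershell
# Added example, not from the original post. Modules: Microsoft.Online.SharePoint.PowerShell
# and MicrosoftTeams. Sign in first:
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com
#   Connect-MicrosoftTeams
# "contoso", the site URL, the group ID and the label GUID are placeholders.

function Set-TeamProtectionTier {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,   # SharePoint site behind the team
        [Parameter(Mandatory)] [string] $GroupId,   # Microsoft 365 group ID of the team
        [Parameter(Mandatory)] [ValidateSet('Sensitive', 'HighlySensitive')] [string] $Tier,
        [switch] $AllowGuests,                      # "New and existing guests" vs "Only people in your organization"
        [string] $SensitivityLabelId                # optional: label GUID to classify the site
    )

    # Both tiers: private team, and only owners may create private channels
    Set-Team -GroupId $GroupId -Visibility Private -AllowCreatePrivateChannels $false

    # Site-level guest access, the "depending on team needs" row in the tables
    $sharingCapability = if ($AllowGuests) { 'ExternalUserSharingOnly' } else { 'Disabled' }

    $siteSettings = @{
        Identity               = $SiteUrl
        SharingCapability      = $sharingCapability
        # Direct = "Specific people" links. The highly sensitive table says "People with
        # existing access"; -DefaultSharingLinkType has no such value, so Direct is used as
        # the closest option (assumption).
        DefaultSharingLinkType = 'Direct'
    }

    switch ($Tier) {
        'Sensitive' {
            # Unmanaged devices get web-only access
            $siteSettings.ConditionalAccessPolicy = 'AllowLimitedAccess'
        }
        'HighlySensitive' {
            # Unmanaged devices are blocked outright
            $siteSettings.ConditionalAccessPolicy = 'BlockAccess'
        }
    }
    if ($SensitivityLabelId) { $siteSettings.SensitivityLabel = $SensitivityLabelId }

    Set-SPOSite @siteSettings

    if ($Tier -eq 'HighlySensitive') {
        # "Only site owners can share files, folders, and the site"
        Set-SPOSite -Identity $SiteUrl -DisableSharingForNonOwners
        # "Access requests: Off" is not exposed by Set-SPOSite. With the PnP.PowerShell module
        # (Connect-PnPOnline -Url $SiteUrl -Interactive) it is:
        #   Set-PnPRequestAccessEmails -Disabled
    }
}

# Usage (placeholders): lock down the board's team to the highest tier, no guests
Set-TeamProtectionTier -SiteUrl 'https://contoso.sharepoint.com/sites/board' `
    -GroupId '00000000-0000-0000-0000-000000000000' -Tier HighlySensitive
```

Check the result with Get-SPOSite -Identity <url> | Select SharingCapability, DefaultSharingLinkType, ConditionalAccessPolicy before handing the team over; the device restriction only bites if the tenant-level "unmanaged devices" access control is also configured, since site-level settings cannot be stricter than the tenant allows.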

And here is a picture for this level of security as well.

Maybe now the CFO remembers that internal content isn't to be shared outside. Not with wizards, not with anyone.

Last sentences

These relatively easy steps to protect your environment will minimize human errors, whether they happen by mistake or because someone wants them to.

Due diligence is important: review the scenarios and the risks, how lost content would affect the whole business, and what the monetary value of the loss would be.

When management has done the risk valuation, it's time for due care by the technical experts who protect the environment.

This is a real-life example of domain 1 (Security & Risk Management) from the CISSP material.

Until next time,

Author: Harri Jaakkonen
