Synopsis: Microsoft’s recently rebranded Purview suite of data governance, security, and compliance solutions offers more capabilities than ever before within a single product. But without a fundamental understanding of your data, getting value out of these tools remains a challenge. Defining your organization’s critical data and objectives for protecting it is a critical first step in maximizing the value of any Purview deployment.
Understand the Basics – What Data Are You Trying to Protect?
Before you can successfully deploy a data protection tool, an organization should be able to define its most important data and the biggest risks associated with it. Ideally this is defined in a data classification policy that includes tiers, examples, and security requirements. To identify an organization’s “crown jewels,” it should at minimum be able to answer these questions:
- What is our business’s most important data?
- What applications handle this data?
- Where else is this data stored?
- Who is supposed to be handling this data?
- When are users expected to be accessing this data?
Understanding these points is necessary to define a baseline of expected activity so that you can configure your data governance tools to detect abnormalities and generate alerts for suspicious behavior. Further, the answers to the questions above should come from your organization’s business partners, including Human Resources and Legal. A data security program within a technology organization should be designed to protect business data. Security organizations add value by protecting business assets, and security tools should be configured in alignment with business requirements.
So, What Purview Modules Do You Actually Need to Configure?
As of June 2024, the new Purview portal contains 15 different solutions grouped into 4 categories:
- Core
- Risk & Compliance
- Data Governance
- Data Security
While some organizations may have a need to use all of these, most will find it more effective to start by configuring the basic Purview Data Security offerings. Here are some of the basic capabilities that are worthwhile starting points:
- Information Protection Module: Create sensitivity labels in alignment with your organization’s data classification policy. At minimum, create labels that align with the most sensitive data that lives in the M365 ecosystem (Exchange, SharePoint, Teams, OneDrive). Define auto-labeling policies wherever possible to automatically apply the labels. Use the content explorer to better understand where your most sensitive data lives within the environment.
- Data Loss Prevention Module: Configure basic data loss prevention policies to take specific actions on your sensitive data as it is stored or transmitted (e.g. blocking or automatically encrypting outbound emails that contain sensitive data; preventing users from copying and pasting data into other applications or onto removable storage devices, etc.).
- Insider Risk Management Module: Configure insider risk management policies to generate alerts for suspicious user behavior (e.g. mass download of sensitive data over the weekend; high volume of file transfers just prior to a user’s resignation date, etc.).
The examples above are easiest to configure where they’re aligned to the data handling requirements that an organization defines with their business leaders. And, while Purview works without additional integrations, the contextual data it evaluates can be enriched significantly through integrations with other sources such as:
- Data connectors for dedicated Human Resource Information System (HRIS) tools like Workday for better insider risk policies
- Personalized data examples for trainable classifiers
- Organization-specific Exact Data Match (EDM)-based sensitive information types
If you only deploy the bare minimum Purview functionality, you’ll only get minimal security value.
One last thought regarding the setup of Data Loss Prevention (DLP) and Insider Risk Management (IRM) policies. To reduce end-user impact and tune policies more efficiently, an organization should consider a phased approach for deployment. Identify smaller pilot groups (within the security program and within specific business units or power users) and increase the scope of affected users incrementally. It helps even more if you have a good working relationship with a particular business unit that is willing to assist with rule and alert tuning. Enable policies in “monitor”, “audit”, or “simulation” mode first to evaluate the results before switching to “block”, “reject”, or “quarantine.” End users should understand what changes are coming and why they matter to the organization, so a communications campaign is also recommended. In other words, “configuring” effective and useful policies involves a fair amount of work and planning; it isn’t as easy as just “turning it on.”
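As an added example (not from the original article), here is the phased DLP rollout described above expressed in Security & Compliance PowerShell: the policy is created in test mode against a pilot group, the same rule is then enforced for that group, and only afterwards is the scope widened to all users. The tenant (contoso.com), the pilot group (DLP-Pilot-Users@contoso.com), the policy name, and the choice of the built-in “Credit Card Number” sensitive information type are assumptions made for illustration.

```powershell
# Added example: phased rollout of a Purview DLP policy via Security & Compliance PowerShell.
# Not part of the original article. Assumed names (hypothetical): tenant contoso.com,
# pilot mail-enabled group DLP-Pilot-Users@contoso.com, admin account admin@contoso.com.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$PolicyName = "Payment Card Data - Outbound"
$PilotGroup = "DLP-Pilot-Users@contoso.com"

# ---- Phase 1: simulation, pilot group only --------------------------------------
# TestWithNotifications evaluates content and shows policy tips, but takes no blocking
# action. Exchange scope is limited to the pilot group; OneDrive is included so the
# pilot also exercises file-share behaviour.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "Phase 1: simulation for pilot group (classification tier: restricted)" `
    -ExchangeLocation $PilotGroup `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# The rule defines the match condition and the eventual enforcement action. BlockAccess
# only takes effect once the parent policy's Mode is switched to Enable.
New-DlpComplianceRule -Name "$PolicyName - block sharing outside the org" `
    -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# ---- Gate: confirm the policy is still in test mode before the tuning period ends ---
$policy = Get-DlpCompliancePolicy -Identity $PolicyName
if ($policy.Mode -ne "TestWithNotifications") {
    throw "Expected $PolicyName to be in TestWithNotifications mode, found $($policy.Mode)."
}
$policy | Select-Object Name, Mode, ExchangeLocation, OneDriveLocation

# ---- Phase 2: enforce for the pilot group only (after alerts have been tuned) -------
Set-DlpCompliancePolicy -Identity $PolicyName `
    -Comment "Phase 2: enforcing for pilot group" `
    -Mode Enable

# ---- Phase 3: widen the scope to the whole organization ------------------------------
# Done as two calls so the pilot group is removed before "All" is added.
Set-DlpCompliancePolicy -Identity $PolicyName -RemoveExchangeLocation $PilotGroup
Set-DlpCompliancePolicy -Identity $PolicyName `
    -Comment "Phase 3: enforcing for all users" `
    -AddExchangeLocation All

Disconnect-ExchangeOnline -Confirm:$false
```

Run each phase as a separate session rather than as one script: the value of the approach comes from the tuning time between phases, during which the pilot group's DLP alerts and policy-tip feedback are reviewed before the next `Set-DlpCompliancePolicy` call is made.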
How Do You Respond to Alerts?
The configurations and policy setup are only the beginning. Responding to the alerts that your policies generate involves several other considerations. Alerts can be viewed in the Purview portal, but that requires administrators and analysts to log in there as part of their daily routine and check manually for new alerts. If your organization already runs Microsoft Sentinel or Defender XDR, consider forwarding Purview alerts there; alternatively, Azure Logic Apps or Power Automate workflows can automate alerting and initial response activities. Automation or integration with existing SIEM or SOAR tools increases the likelihood that an alert will be actioned, but it does require an up-front investment.
Analysts should also be prepared to respond to these alerts according to defined, documented runbooks. In addition to the up-front time to develop these, the security organization should anticipate an increased resource requirement for analyst triage and response efforts. While the Copilot event summaries can be somewhat helpful, and the Purview AI Hub is coming soon, meaningful response actions still require human analysis to fully understand the context and potential impact. Remember, a computer cannot be held accountable, therefore it must never make an incident response decision. Whether this requires additional headcount will depend on the volume of alerts and current bandwidth constraints. Maintaining an effective Purview solution could become a full-time job.
Finally, being able to quantify the types, frequency, and severity of data security incidents your analysts are managing is necessary to articulate the value of your Purview deployment. Remember – your Purview deployment was done to protect specific business data, and metrics or KPIs can quantify its effectiveness. Success stories or narratives around preventing specific data exfiltration incidents through IRM and DLP policies also make it easier to justify additional analyst headcount for response and additional engineering headcount for deploying and configuring the other Purview modules and integrations.
Is a Purview Deployment Worth Pursuing?
Only if your organization is willing to invest in the resources to properly configure, test, tune, and deploy the appropriate functionality in alignment with relevant business use cases. An “off the shelf” Purview deployment, done in a vacuum without input from the business, and without considerations for monitoring and responding to alerts is simply not worth it.
Deploying the core data security modules in alignment with an existing data classification policy is a good starting point for organizations that have the Purview solution available as part of an existing E5 license model and a fairly mature SOC that can take on the additional workload of responding to a limited number of new alert use cases.
And the sky’s the limit – you can get more value out of Purview by integrating additional data sources, HR user context, connecting to other cloud providers or applications, automating response activities, and deploying additional modules for data governance, compliance, or eDiscovery. Just keep in mind that all of that comes with a significant amount of development work and collaboration with your business partners. So, for Microsoft Purview – you get out what you put in.
Bill Lyons
Bill is a cybersecurity consultant with experience leading framework-based assessments including NIST, CIS, HIPAA, HICP and other customized maturity frameworks. Additionally, Bill has experience performing cloud configuration assessments across Azure, AWS, and GCP with a focus on Microsoft 365 tenant hardening. In the last few years, Bill has developed SRA’s Purview service offerings to help clients get the most out of their Microsoft license model.