Krome Cast: Tech-IT-Out

TECH-IT-OUT: Microsoft Purview | Data Security and Compliance with M365

Krome Technologies Season 3 Episode 5

In this episode of Krome Cast Tech-IT-Out, we discuss security and compliance, focusing specifically on leveraging the tools available within M365, such as Microsoft Purview. 

Krome's CTO Rupert Mills and Commercial Director Sam Mager, explore how Microsoft 365 tools can enhance data governance, information protection, and compliance within an organisation's existing Microsoft ecosystem, emphasising how organisations can maximise the value of their existing E5 or E3 licenses to improve data security and regulatory adherence.

This podcast highlights the advantages of leveraging the built-in functionalities of M365, including data classification, access control, and audit trails, using Microsoft Purview, eliminating the need for multiple third-party tools and simplifying the compliance process.

► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

SPEAKERS

Rupert Mills, Sam Mager

 

Sam Mager  00:11

Welcome to Krome Cast, Tech-IT-Out. I'm Sam Mager, and I am back once again with Rupert Mills.

 

Rupert Mills  00:15

Hi Sam.

 

Sam Mager  00:15

So we're here to talk about security and compliance. Specifically, Microsoft Purview.

 

Rupert Mills  00:20

Yep, absolutely.

 

Sam Mager  00:21

So I will dish that over to you as usual, and if you could intro what we'll go through today. 

 

Rupert Mills  00:25

Yeah, sure, it's talking about getting a bit more out of your M365 estate. Embracing that a bit and taking some of the traditional things you would have done around sort of information protection, data governance, discovery, and actually bringing those forwards in a modern way using the M365 tooling.

 

Sam Mager  00:42

I guess, leveraging all the tools in 365, which is one thing, because historically, there's been lots of tools to do this, but from different vendors with potentially different purposes, different visions, and now Microsoft, I guess, doing what to do well, bringing that all into one kind of holistic approach.

 

Rupert Mills  01:02

Yeah, absolutely. I mean, if you, if you think about the traditional estate that we've talked about, in the past, you've had things like Exchange servers, file servers, various different locations for unstructured data to live in your estate, unstructured and structured to be fair, but traditionally, the problem lies in the unstructured data. And you're taking that unstructured data and saying, well, realistically, you've probably moved your email to O365, you're moving your file servers into SharePoint Online, your end users and their personal drives will be OneDrive online, you've got Teams as another source now, which has come up and you've got a lot of data in there. So it's taking the thought of, okay, historically, I've looked at DLP of locking down USB drives that sort of thing. Or actually, it could be software that prevents you uploading content to Box, or Dropbox or anything like that. 

 

Sam Mager  01:51

Yeah. 

 

Rupert Mills  01:51

And it's taking a more modern view on that and working out, okay, how do you how do you do that, with the tooling that's available, and there's loads of people out there selling different third-party tools. But actually, if you subscribe to, well, there's there's add-ons that do it. But essentially, if you have E5, then you'll get it anyway. If not, there's a bunch of add-ons that you can use to get there. But using those tools allows you to actually use the built in functionality within M365, and start to really drill into your data and apply all those policies or regulatory requirements or do all those searches, you need to do whatever it might be within the native suite.

 

Sam Mager  02:26

But it's also historically, predominantly, and the space we play in is Wintel. So all these houses are out there using Microsoft file systems and databases, and so on, and then you layer on a third party tool application, wherever it is to go and investigate it, to tell you who's using what, where, allowed, deny all that sort of stuff. And now this is actually the Microsoft file system databases, etc, with Microsoft telling you who's doing what and where is it, and am I allowed, and all that sort of stuff.

 

Rupert Mills  02:51

Yeah. And it's, and it's taking the ability to sort of take that on a file basis, for example. So traditionally, you'd have tried to stop a file leaving your organisation, now you can actually set permissions on the file embedded within the file itself. So that essentially, when you take that outside of your organisation, if you give it to someone else, and they don't have permissions to open it, when they try and open it, it's going to check in and see whether or not they have permission and come back and say, no no, that's been classified as sensitive data or, or you shouldn't have permission to open that because it's part of our HR data, or whatever it might be. So even if they actually managed to get their hands on the file, yeah, it's the fact that they can't then use that file and take a more modern approach to it.

 

Sam Mager  03:31

Essentially gibberish or useless. 

 

Rupert Mills  03:32

It's, yeah, it's basically they can't open it. 

 

Sam Mager  03:35

Without the right permission. 

 

Rupert Mills  03:36

Yeah. And you, as an administrator can track that , oh someone outside of organisation or organisation has that file. They're over there in this country, or whatever. And they've tried to open this file that they shouldn't have. So how did that get there?

 

Sam Mager  03:48

Yeah yeah, see the root cause of, was it malicious, or non-malicious 

 

Rupert Mills  03:52

Yeah all the attempts, basically. So you start to pull that data together. But there's a whole bunch of stuff inside M365 which allows you to start applying prebuilt policies. So for example, if you're talking about PCI data, or health data, or I don't know, it could be passport data or anything like that, that might reside in your file system. Traditionally, you've used a tool like Varonis, or something like that to go and scan, scan my file server, tell me where all that exists with the 365 suites, all built-in in the background anyway. So once you start to look at that data, you can build your own classifications and say, okay, I want to say I'm running project, project Redmond. So take that and you say, I'm running Project Redmond. And I want to pick out anywhere where I see Project Redmond and not let that data out and only allow it to be used by certain people within our organisations. 

 

Sam Mager  04:40

Okay.

 

Rupert Mills  04:40

It will automatically pick that out, whether that's

 

Sam Mager  04:42

That's user groups or specific individuals, etc, etc.

 

Rupert Mills  04:45

Yeah, you can define the audience. And you can define boundaries to allow that to not cross over between those boundaries. So you can say, I don't want, Project Redmond's in the Dev team at the moment, I don't want the marketing team to be able to know about it. 

 

Sam Mager  04:57

Yeah. 

 

Rupert Mills  04:58

And then actually,

 

Sam Mager  04:59

Or if you had someone in the project team, that was in was in marketing, and you can say, apart from maybe that person.

 

Rupert Mills  05:03

Yeah. Absolutely. So you can build all those classification rules and allow the data to be secured by automatically being picked up by the system. So you pop it into Outlook and Outlook will say, well, I can't email that, because it's contained to this, and it will warn you about it on screen. If you're a senior admin person, it will say, okay, you could or someone with the right privileges, you don't have to be an admin, but a Director, for example, where you can reclassify that data and send it, but please note, this will be logged and tracked, and we will know that you sent it out. 

 

Sam Mager  05:32

So that's where it kicks in from, I guess the compliance angle, it's the classification and the audit trail. 

 

Rupert Mills  05:37

Yeah. There's a

 

Sam Mager  05:37

Who's doing what when type of stuff, right.

 

Rupert Mills  05:39

And historically, they've taken this and spent a lot of time and money building it with a third-party solution around your on-premise infrastructure. But it's pretty much there, if you've got the if you've got the right licensing now. And it's this is where we talk about the different things that you can do with your licensing suite and start to start to be able to take advantage of things you may not even realise you had.

 

Sam Mager  06:00

I think there's a big thing, we had that conversation quite a bit and people with, it's the do I do I need an E5? You know, what more will I get? And actually, when you really dig, there is an awful lot of value to be had. If you actually stop and look at, going back, legacy bit there. You might have two or three different vendors and tools that you're using to achieve this. Actually, you may already have it or for a small up if you could have it. 

 

Rupert Mills  06:22

Yeah. 

 

Sam Mager  06:22

What does it save from here? And does it reduce the complexity of different vendors tools trying to talk to this, and we've seen before when you try to do the integration bit. Sometimes goes really well. 

 

Rupert Mills  06:32

Yeah. 

 

Sam Mager  06:32

Sometimes it doesn't. And I guess you'd get more support from Microsoft when you're trying to interrogate the Microsoft world, than you will potentially from, supplier X. Oh yeah, of course. 

 

Rupert Mills  06:41

Yeah. And then the fact of the matter is, that most large enterprises, not all, we know plenty that run G Suite, or things like that, but most large enterprises run Office 365 in some way, shape or another. So actually to, to have that as your data governance mechanism behind it or sharing compliance mechanism allows you to say, okay, this organisation also has this so we can share that data in this way and secure it. Things like subject access requests, that traditionally would have been very difficult, you can plug those in straightaway and get that data back. If it exists within that ecosystem. It compliance, archiving or compliance, expiry on data, doing that sort of stuff. Okay,  Historically, you've gathered all this data, you got 47 million emails that you haven't dealt with, or whatever it might be. Well, we can take the 

 

Sam Mager  07:30

Sounds like my inbox... 

 

Rupert Mills  07:31

Yeah Exactly. [Laughter] Well, that's where I was coming from.  You can take these certain subjects and say, right, we'll take this subject, and we'll and we'll look for all the emails in that. And we'll say, okay, as an example, internal communications. So, right, we tell the company about the Christmas party, this that and the other, if you had all of that in there, you can turn around say, well, anything from that email address after a year, expire it out everybody's mailbox, because they don't need it anymore. 

 

Sam Mager  07:51

Yeah.

 

Rupert Mills  07:51

Things like that are all built into the engines to do it.

 

Sam Mager  07:54

You look at the PCI stuff over three years purge it, show you've purged it, etc, etc.

 

Rupert Mills  07:59

And evidence it, the evidence chain's built in.

 

Sam Mager  08:01

That's what I mean, so we've done it before, you build your purge engines, whatever you want to call it? And someone has to sit down and make these things happen? 

 

Rupert Mills  08:06

Yep. 

 

Sam Mager  08:06

In various different systems. And it's just it's just the power of that being in that that singular, for want of a better way of putting it, ecosystem, but people are 95% Microsoft? 

 

Rupert Mills  08:16

Yeah. Yeah, in that world.

 

Sam Mager  08:18

A bit of a bold statement, but, sweeping. But in that in that Wintel space, it's Wintel for a reason. But yeah, most of the customers we will deal with are heavily invested in that Microsoft stack, you are right, there's some G Suite and whatever else, but that's the, they are the minority. So for the majority of people, this is, I won't say it's a game changer, because it's, we're already doing it, but with different tools. It's just a simplification,

 

Rupert Mills  08:40

Well a lot of times people have gone, you know what, I can't afford to invest in the tool.

 

Sam Mager  08:43

Yeah.  I was about to say, but so you already own it. So that is just a case of,

 

Rupert Mills  08:44

So right now, if they if they couldn't afford to go out and buy a third-party tool to do things, you may not even realise they now have the tools to take this functionality into the business relatively simply and say, you know what, actually, we can just turn that on. We own it already.  Or in some cases, even turned on already. 

 

Sam Mager  09:00

Yeah. But it's just the case, then of working with the right people to go, do the, I guess the predefined bits, do they fit for us? If not how do I customise that to work for our business, there's going to be the, consultation upfront to make sure that it's, set up correctly, right.

 

Rupert Mills  09:16

You've got to work with the organisation, we've been discussing it with a particular client recently, where actually the key point is to work with them, to work out what their business wants to classify, what their rule set should be. And then building that rule set using the tool that's there. So there is a bit of work around the, okay we want to this type of data secured in this way. We want this type of data purged in this way, that sort of stuff.

 

Sam Mager  09:38

But that work doesn't change if you're, I'm not picking on Varonis, it's very good, but you know, if you're buying Varonis you still got to do the, what do we need to classify, you need to tell us, that bit has to happen regardless. But you won't necessarily have the large capital outlay because you probably already have it. 

 

Rupert Mills  09:54

Yeah, that's it. So I just think there's there's, I mean, I think we're going to do a series of these, of looking at what more you can get from what you're already paying for. And as one example, this has been something that's been pertinent recently and it's certainly something that we can see coming up more and more within heavily regulated industries particularly.

 

Sam Mager  10:13

I was about to say, most businesses have some level of regulation, or compliance, they need to adhere to, so it's bearing it in mind, if you've got E5 out there, you've probably got you need already and it's just a conversation to see,

 

Rupert Mills  10:24

E3's, we can do, add-on modules

 

Sam Mager  10:25

Bolt-ons, etc. Thank you. Very interesting. 

 

Rupert Mills  10:29

Welcome. 

 

Sam Mager  10:30

And thank you for joining us on this episode of Krome Cast, Tech-IT-Out, remember to like, subscribe, comment and share. If there's anything you'd like us to cover in future episodes, leave it in the comment section below.  Tech-IT-Out.