024: Plan for the protection of Critical Assets

Overview

For each type of critical asset identified previously, determine the type of special data security or cryptographic needs based on the business use case, industry regulatory compliance requirements and any other applicable constraints. Plan accordingly considering the technology, process, and people aspects of the change. These can include the standard methods of protection such as DLP and sensitivity labels with usage restrictions, as well as physical access and hardware considerations, identity and device special considerations for the user accounts and devices used with the critical assets, and special cryptographic methods among others.

For documents where access must be controlled so tightly that even the risk of legitimate government requests for access, legal discovery requests, access by cloud operators or the risk of rogue admins cannot be accepted, encrypting the document with Double Key Encryption might be warranted. Keep in mind that, in addition to a high operational cost, content protected with DKE becomes entirely opaque to all cloud services, including compliance services such as DLP and eDiscovery, so the use of this functionality must be limited to the minimal set of documents that require it.

Reference

• Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint https://techcommunity.microsoft.com/t5/security-compliance-and-identity/preview-dynamic-watermarking-for-sensitivity-labels-in-word/ba-p/4185842
• Learn about Double Key Encryption (DKE) https://learn.microsoft.com/en-us/purview/double-key-encryption