The coronavirus pandemic introduced new ways of remote work -- and also introduced new challenges from a compliance perspective.
At the start of the pandemic, more companies gave employees the flexibility to work from home. This shift sent more corporate data across secured and unsecured networks, depending on the location of these workers. Data concerns have also grown due to additional communication methods, such as Microsoft Teams, that expand the ways users can share information. While most of Microsoft's collaboration tools excel at simplifying the exchange of information, very few have controls that restrict who may access this data. To address this security need, Microsoft introduced information barriers to secure sensitive data on certain Office 365 services.
Information barriers permissions and licensing requirements
In 2019, Microsoft debuted information barriers on Microsoft Teams to address the lack of data restrictions on the communication service, and it eventually added support for this feature to SharePoint Online and OneDrive. Information barriers let administrators customize communication and collaboration policies that stop users or groups from certain actions, including directory searches, messaging with certain users and data sharing with both internal and external users.
Administrators build custom information barrier policies with PowerShell scripts and apply them to any set of users within their tenant.
Scenarios that suit an information barrier policy include:
- Block attorneys from the same firm who work on opposing cases from communicating with each other to meet privacy and compliance requirements.
- Stop internal teams with access to trade secrets or highly sensitive information from communicating with other departments to avoid sensitive information leaks.
- Prevent financial firm employees who work in day trades from communicating with external users to avoid insider trading violations.
Using information barriers requires one of the following licensing requirements:
- Microsoft 365 A5 and E5;
- Office 365 A1, A3, A5 and E5;
- Office 365 Advanced Compliance add-on;
- Microsoft 365 A1, A3 and E3 with the Microsoft 365 A5/E5 Compliance add-on; or
- Microsoft 365 A1, A3 and E3 with the Microsoft 365 A5/E5 Insider Risk Management add-on.
To create or modify an information barrier policy, the administrator must be in one of the following roles: Microsoft 365 global administrator, Office 365 global administrator, compliance administrator or information barrier Compliance Management. To adjust the assignment settings, go to the URL "protection.office.com/permissions" to access the Security and Compliance center.
Gather information to develop the information barrier policy
Before starting the information barrier policy process, administrators must define the restrictions and requirements. This generally involves a meeting with the security team or compliance officer to outline the limits of the policy. Asking the following questions narrows the scope:
- Which users or groups need to be restricted?
- What blocks and allowances should a user or a group of users have?
- Which unauthorized communications should be blocked, including directory searches, data sharing, instant messaging, meeting attendance and screen sharing?
- What specific user attributes will segment users as part of the policy filter?
How to build an information barrier policy with PowerShell
After the documentation and approval process, the administrator can create the information barrier policy in Office 365; this portion of the article will focus on a policy for Microsoft Teams. Microsoft does not currently have information barrier configuration and setup through the admin portal, leaving PowerShell commands as the only method to build these policies.
One critical step is to enable the scoped directory search option in the Microsoft Teams admin portal, which uses Exchange Online Address Book Policies to separate groups of users.
To start, connect to the Azure Active Directory tenant by executing the Connect-AzureAD cmdlet.
Next, establish a segment, which is a set of users with a selected user account attribute, such as a department or job title. For the purposes of this tutorial, we will create a segment called Secret Engineers from the secret engineers department attribute in Azure Active Directory. The following PowerShell command creates the segment:
New-OrganizationSegment -Name "Secret-Engineers" -UserGroupFilter "Department -eq 'Secret Engineers'"
Next, the following command creates a new information barrier policy called Secret-Engineers-Block-From-Marketing that prevents communication between the Secret-Engineers segment and the Marketing segment. While the PowerShell command creates the policy, the -State Inactive setting stops it from taking effect until the administrator activates it.
New-InformationBarrierPolicy -Name "Secret-Engineers-Block-From-Marketing" -AssignedSegment "Secret-Engineers" -SegmentsBlocked "Marketing" -State Inactive
To activate the policy, the administrator first runs the Get-InformationBarrierPolicy cmdlet to list the globally unique identifiers (GUIDs) of the information barrier policies in the tenant, then runs the following command with the actual GUID in place of the placeholder:
Set-InformationBarrierPolicy -Identity GUID -State Active
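The steps above gathered into one script, as an added example that is not part of the original article and not Microsoft's own sample code. It creates both segments (the article's policy references a Marketing segment, so that segment is created too; the Department value 'Marketing' is a constructed sample), defines the block in both directions, activates the policies by GUID as the article describes, and then applies them to the tenant, since an active policy is not enforced until Start-InformationBarrierPoliciesApplication has run. Connect-IPPSSession (the Security and Compliance PowerShell session that serves the information barrier cmdlets, from the ExchangeOnlineManagement module), the .Guid property on the policy object and the two user addresses in the final check are assumptions.

```powershell
# Added example, not from the original article. Assumptions are marked inline.

# Connect-AzureAD is the cmdlet the article names. The *-InformationBarrier* and
# *-OrganizationSegment cmdlets are served by Security & Compliance PowerShell,
# so a Connect-IPPSSession session (ExchangeOnlineManagement module) is assumed.
Connect-AzureAD
Connect-IPPSSession

# 1. Segments: sets of users selected by a directory attribute.
#    Both segments must exist before a policy can reference them.
#    The Department value 'Marketing' is a constructed sample.
New-OrganizationSegment -Name "Secret-Engineers" -UserGroupFilter "Department -eq 'Secret Engineers'"
New-OrganizationSegment -Name "Marketing"        -UserGroupFilter "Department -eq 'Marketing'"

# Review what was created before building policies on top of it.
Get-OrganizationSegment | Format-Table Name, UserGroupFilter

# 2. Block policies, created inactive so nothing takes effect until reviewed.
#    The block is defined in both directions so that neither segment can
#    initiate contact with the other.
New-InformationBarrierPolicy -Name "Secret-Engineers-Block-From-Marketing" `
    -AssignedSegment "Secret-Engineers" -SegmentsBlocked "Marketing" -State Inactive
New-InformationBarrierPolicy -Name "Marketing-Block-From-Secret-Engineers" `
    -AssignedSegment "Marketing" -SegmentsBlocked "Secret-Engineers" -State Inactive

# 3. Activate each policy by its GUID, as the article does.
#    -Identity accepts the policy name for the lookup; the .Guid property name
#    on the returned object is an assumption.
$policyNames = "Secret-Engineers-Block-From-Marketing", "Marketing-Block-From-Secret-Engineers"
foreach ($name in $policyNames) {
    $policy = Get-InformationBarrierPolicy -Identity $name
    Set-InformationBarrierPolicy -Identity $policy.Guid -State Active
}

# 4. Activation alone does not enforce anything: the policies must be applied
#    to the tenant. Application runs in the background; poll its status.
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# 5. Once application completes, confirm the effect for a pair of users.
#    The addresses are constructed placeholders.
Get-InformationBarrierRecipientStatus -Identity "alice@contoso.example" -Identity2 "bob@contoso.example"
```

Keep the policies inactive until the segment listing in step 1 has been checked against the requirements gathered with the security team: a filter that matches too broadly blocks more users than intended, and a filter that matches nobody leaves the gap the policy was meant to close. Re-run Start-InformationBarrierPoliciesApplication after any later change to a segment or policy, since edits are not enforced until they are applied again.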
Communication control policies are critical to the security strategy of the enterprise as more users work from home and adopt multiple collaboration tools. IT leaders should investigate tools, such as information barrier policies, to implement additional restrictions to avoid data leaks and the mishandling of information.