RaMP checklist — Data protection
This Rapid Modernization Plan (RaMP) checklist helps you protect your on-premises and cloud data from both inadvertent and malicious access.
Inadvertent access occurs when a user gains access to data that, based on their roles and responsibilities, they should not have. The result can be unintended data leakage, data destruction, or violations of data security and privacy regulations.
Malicious access occurs when an external attacker or a malicious insider intentionally tries to access data. Malicious insiders can use your data for profit or to harm your organization. External attackers can delete, alter, exfiltrate, and encrypt your most sensitive data, leaving you open to a ransomware attack.
For both types of attacks, you must take the necessary steps to identify your data, protect it, prevent its destruction or exfiltration, and ensure that only users with a business purpose have access to it.
Protecting your data is part of the "assume breach" Zero Trust principle. Even with all the user account and device protections in place, you must assume that an attacker could find their way in and begin traversing your environment, searching for the most valuable data for your organization.
Therefore, you must:
Know your data
Understand your data landscape and identify important information across your cloud and on-premises environment.
Protect your data
Protect your sensitive data throughout its lifecycle by applying sensitivity labels linked to protection actions like encryption, access restrictions, visual markings, and more.
Prevent data loss
Apply a consistent set of data loss prevention policies across the cloud, on-premises environments, and endpoints to monitor, prevent, and remediate risky activities with sensitive data.
Use least privilege access
Apply minimal permissions consisting of who is allowed to access and what they are allowed to do with data to meet business and productivity requirements.
Program and project member accountabilities
This table describes the overall protection of your organization data in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
| Lead | Owner | Accountability |
|---|---|---|
| CISO, CIO, or Director of Data Security | Executive sponsorship | |
| Program lead from Data Security | Drive results and cross-team collaboration | |
| Security Architect | Advise on configuration and standards | |
| Microsoft 365 Admins | Implement changes to Microsoft 365 tenant for OneDrive and Protected Folders | |
| Data Security Engineer and/or Infrastructure Security Engineer | Enable infrastructure backup | |
| Application Owners | Identify critical business assets | |
| Data Security Admin | Implement configuration changes | |
| IT Admin | Update standards and policy documents | |
| Security Governance and/or IT Admin | Monitor to ensure compliance | |
| User Education Team | Ensure guidance for users reflects policy updates |
Deployment objectives
Meet these deployment objectives to protect your data for Zero Trust.
| Done | Deployment objective | Owner |
|---|---|---|
| 1. Know your data | Data Security Architect | |
| 2. Protect your data | Data Security Engineer | |
| 3. Prevent data loss | Data Security Engineer | |
| 4. Use least privilege access | Data Security Engineer |
1. Know your data
Perform these implementation steps to meet the Know your data deployment objective.
| Done | Implementation step | Owner | Documentation |
|---|---|---|---|
| 1. Determine data classification levels. | Data Security Architect | Learn about | |
| 2. Determine built-in and custom sensitive information types. | Data Security Architect | Learn about | |
| 3. Determine the use of pre-trained and custom trainable classifiers. | Data Security Architect | Learn about | |
| 4. Discover and classify sensitive data. | Data Security Architect and/or Data Security Engineer | Learn about |
2. Protect your data
Perform these implementation steps to meet the Protect your data deployment objective.
| Done | Implementation step | Owner | Documentation |
|---|---|---|---|
| 1. Determine the use and design of sensitivity labels. | Security Architect | Get started | |
| 2. Label and protect items for Microsoft 365 apps and services. | Data Security Engineer | Manage sensitivity labels | |
| 3. Enable and configure Microsoft Defender for Cloud Apps. | Data Security Engineer | Get started | |
| 4. Discover, label, and protect sensitive items that reside in data stores in the cloud. | Data Security Engineer | Best practices | |
| 5. Discover, label, and protect sensitive items that reside in on-premises data stores. | Data Security Engineer | Information protection scanner | |
| 6. Extend your sensitivity labels to Azure by using Microsoft Purview Data Map | Data Security Engineer | Labeling in the Microsoft Purview Data Map |
3. Prevent data loss
Perform these implementation steps to meet the Prevent data loss deployment objective.
| Done | Implementation step | Owner | Documentation |
|---|---|---|---|
| 1. Design and create data loss prevention (DLP) policies. | Security Architect | Learn about | |
| 2. Enable and configure endpoint data loss prevention. | Data Security Engineer | Learn about | |
| 3. Configure access policies for Microsoft Defender for Cloud Apps Conditional Access App Control. | Data Security Engineer | Overview |
4. Use least privilege access
Perform these implementation steps to ensure that your users and admins meet the Use least privilege access deployment objective.
| Done | Implementation step | Owner |
|---|---|---|
| 1. From the Know your data deployment objective, review the permissions for the locations of sensitive and critical information. | Data Security Engineer | |
| 2. Implement minimal permissions for the sensitive and critical information while meeting collaboration and business requirements and inform the users who are affected. | Data Security Engineer | |
| 3. Perform change management for your employees so that future locations for sensitive and critical information are created and maintained with minimal permissions. | User Education Team | |
| 4. Audit and monitor the locations for sensitive and critical information to ensure that broad permissions aren't being granted. | Data Security Engineer and/or Security Governance Admin |
Results
After completing these deployment objectives, you will have built out the Data section of the Zero Trust architecture.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for