Go back

Getting Sensitive Workflows Out of Email

As we’ve previously written about, adding Microsoft 365 and Google Workspace data into a security data lake can unlock many new use cases for security teams. This post continues our series on sharing examples on how to use this data to measure and improve your security posture.

Partners
August 29, 2023
8m read
8m read
8m listen
8m watch
8m watch
circles in a blue background
speakers
speakers
speakers
authors
Max Pollard
participants
No items found.
share

As we’ve previously written about, adding Microsoft 365 and Google Workspace data into a security data lake can unlock many new use cases for security teams. This post continues our series on sharing examples on how to use this data to measure and improve your security posture.

In this blog post, we’ll walk through how to use Material and Snowflake to detect sensitive workflows happening over email as well as steps to mitigate the risks that they pose.

What are sensitive workflows and why should you move them out of email?

A sensitive email workflow is the handling of emails containing sensitive information such as legal matters, employee data, financial details, patient records, passwords, trade secrets, and classified government information.

While email is the most commonly used business communication tool, the suitability of handling sensitive workflows solely through email depends on the specific requirements and risk factors involved. Email itself presents a number of risks as the incumbent collaboration platform. Here are just a few:

  • Lack of control: Once an email is sent, the sender or owner loses control over distribution. Recipients can share the information with others, intentionally or inadvertently, increasing the risk of unauthorized access to sensitive information.
  • Legal and compliance issues: Depending on the nature of the sensitive content, sending it via email may violate regional or industry-specific regulations.
  • Phishing and social engineering attacks: Email is a spoof-able channel that is open to the internet and by processing sensitive content over email, organizations are more susceptible to impersonation, social engineering and business email compromise.
  • Data loss: Email is one of the most targeted datasets by attackers; if a bad actor gains unauthorized access to one or more email accounts, they can exfiltrate years of archived content instantly.

While email offers convenience, there are alternative methods that may provide enhanced security for sensitive workflows. These include secure file transfer, secure collaboration platforms or messaging applications, and other dedicated secure systems. Ultimately, the choice of the most appropriate method depends on several factors; however, the optimal choice is rarely email. So let’s walk through how to move these workflows out of email.

Moving sensitive workflows out of email with Material and Snowflake

Solving this problem is multi-faceted. You need to start by getting a baseline of what types of sensitive content exist in your organization's email today. Next, you need to ensure that your policies make clear what types of sensitive content should not appear in email. The next step is to prioritize which types of sensitive content to target and in what order. Lastly, you need to operationalize the enforcement of these policies to ensure you maintain correct posture and continuously measure impact. If you are successful, you will see a downward trend for new sensitive content appearing in email.

1. Get a Snapshot & Understand Baseline

In order to solve this issue, it’s important to first get a baseline of where data sits. The pipeline here looks something like the following:

  1. Process all emails up to a certain historical date. This generally would require exporting via Graph or Gmail APIs, transforming the data, and loading that information into a tool like Snowflake.
  2. Develop tagging of sensitive content within this dataset. Techniques might include OCR, text matching, and other 3rd party tools like Google’s DLP API.
  3. Spot check your tagging for accuracy and precision across all relevant categories.
  4. Aggregate counts of sensitive content by category, and potentially other breakdowns such as by group, job function, etc.

This is quite a lot of work, but luckily Material makes it easy by executing steps 1-3 out of the box. The results might look something like the following:

dashboard content image

Material also makes it easy to get this data into Snowflake. I talk a bit about the integration in a previous blog, How to Monitor Shadow IT using Material Security and Snowflake. Once it’s there, you might have a similar visual like the following:

sensitive content image

Now that we have a good grip on our baseline, let’s move on to the next step.

2. Communicate Policy & Prioritize Types of Data

Once the baseline is established, it is time to introduce and communicate policies aimed at securing sensitive workflows. Announcing these policies to the organization is crucial for ensuring awareness and buy-in from all stakeholders. It is also important to prioritize the types of data you will target. Each organization will have differing tolerances for the types of risks the categories of sensitivity represent to them based on region and industry. For example, healthcare companies may want to prioritize healthcare records to honor their BAA (business associate agreement) commitments whereas European companies may want to address sensitive employee and customer information first to remain compliant with GDPR.

Once you’ve selected your categories, you can visualize them in Snowflake easily, as such:

categories content image

3. Operationalize Enforcement and Measure Impact

Implementing a robust measurement and reporting framework becomes vital. Tracking time-based metrics, such as week-over-week (WoW) and month-over-month (MoM) comparisons, enables organizations to evaluate the impact of the policies. This data-driven approach allows for continuous improvement and a better understanding of progress.

Gauging MoM metrics and aggregating data based on groups or departments provide insights into specific areas that require attention. By monitoring group-based progress, organizations can identify patterns and address compliance gaps promptly. Furthermore, setting up alerts for repeat offenders ensures that enforcement remains effective. One such example is a recurring job that queries for users with the largest increase in sensitive content handling MoM. An alert set up to identify these users could help identify a malicious actor, or at the very least lead to better monitoring of sensitive data usage. Here’s a visual representation in Snowflake:

graph content image

This operationalization of policies helps establish a culture of accountability and reinforces security practices throughout the organization.

Next Steps

The resources in this blog post are a great starting point for getting sensitive workflows out of email, but it is crucial to acknowledge that external factors, such as third parties sending you sensitive content, might limit complete elimination. While organizations strive for zero tolerance of sensitive content in email, realistic targets range from 0.5% to 2% of sensitive content for all email. This percentage translates to millions of sensitive messages for organizations. To protect these millions of messages effectively, organizations can turn to Material's Data Protection, which offers comprehensive security controls and advanced monitoring.

To learn more about our unique approach, request time with our team here.

Gist of Queries:

https://gist.github.com/maxpollard/fafdbd6460b125d7582b5f595ef97d59

Related posts

Our blog is your destination for expert insights, practical tips, and the latest news in technology. Stay informed with our regular updates and in-depth articles. Join the conversation and enhance your understanding of the tech landscape.

blog post

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

Patrick Duffy
4
m read
Read post
Podcast

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m listen
Listen to episode
Video

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m watch
Watch video
Downloads

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m listen
Watch video
Webinar

New in Material: Detections, Remediations, Reports & More

As the days grow shorter and the weather gets colder, Material’s ready with a steady stream of hot platform updates to keep you warm.

4
m listen
Listen episode
blog post

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

Josh Donelson
5
m read
Read post
Podcast

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m listen
Listen to episode
Video

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m watch
Watch video
Downloads

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m listen
Watch video
Webinar

Identifying Risk in Google Workspace with Material & SADA, An Insight Company

Partnering with SADA, An Insight company, companies big and small can get deep insights into the types of risk that live inside of Google Workspace, powered by a data-driven analysis of user behaviors, sensitive data in email and files, and posture settings by the Material Security platform.

5
m listen
Listen episode
blog post

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Material Team
10
m read
Read post
Podcast

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m listen
Listen to episode
Video

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m watch
Watch video
Downloads

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m listen
Watch video
Webinar

Risky Biz Podcast Interview with Rajan & Dan

Dan Ayala, Chief Security & Trust Officer from Dotmatics joins Rajan Kapoor, Field CISO from Material on Risky Business to discuss how to wrangle securing data that ends up in corporate cloud email and file stores.

Rajan Kapoor
10
m listen
Listen episode
blog post

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Material Team
35
m read
Read post
Podcast

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m listen
Listen to episode
Video

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m watch
Watch video
Downloads

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m listen
Watch video
Webinar

Material Product Demo: Securing Google Workspace & M365

Abhishek Agrawal gives an in-depth product demo walkthrough on Risky Business

Abhishek Agrawal
35
m listen
Listen episode
Privacy Preference Center

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.