NTT Communications Corporation has long focused on updating its cybersecurity risk posture against external attacks. Based on an analysis of the evolving threat landscape, the company decided to take a new approach in protecting its information assets. NTT Communications is using Microsoft Purview to provide communication transparency and data protection so that it can quickly identify internal risks in its remote work environment. Additionally, the company has created a work environment that fosters productivity and collaboration while still giving IT security staff peace of mind by enabling them to investigate anomalies before critical incidents occur rather than excessively relying on past log events after the fact.
“Our primary mission was to raise security awareness among employees. The introduction of Microsoft Purview Insider Risk Management and Microsoft Purview Information Protection triggered a big shift in employee awareness, which was a huge benefit.”
Masataka Takaguchi, Security Management Office Head, Information Security Department, NTT Communications Corporation
Lessons learned from “unauthorized access” that enabled measures against cyberattacks
Organizations around the world, including NTT Communications Corporation, have long developed information security and cybersecurity measures, but information leakage caused by cyberattacks and other incidents never ceases. As IT evolves, malicious attackers also change their techniques. In recent years, intentional and negligent information leakage by internal users has added further risk that might result in data security or compliance incidents.
Now, Tokyo-based NTT Communications has adopted security measures and updated its corporate policies based on incident trends in recent years. The company’s policies include compliance enhancements based on the Zero Trust security framework to address cyberattacks that use stolen sign-in credentials and abuse of access privileges across internal networks.
“In the past, we prepared for conventional security risks, including illegal access from outside and targeted email attacks,” explains Masataka Takaguchi, Head of the Security Management Office of the Information Security Department at NTT Communications Corporation. “We created a perimeter defense security environment and educated our users. However, recent security incidents, including departing employees taking confidential information from their former offices, changed our mindset.”
It turned out that the company’s conventional perimeter defense security model, which was initially designed to block outside attackers, wasn’t sufficient to quickly detect and analyze other cybersecurity risk factors. Such risks include which employee sign-in credentials might have been compromised and abused, which directories these credentials were used to access, and what data was copied or modified. NTT Communications determined that data security enhancements were essential to quickly identify and investigate compromised credentials and other access privilege threats within its networks. The company began looking for more effective solutions in 2020.
After an evaluation phase, the company implemented tools and established new security mechanisms. At the time, the company’s Digital Transformation Promotion Division had already planned to deploy Microsoft 365 E5. NTT Communications decided to use this solution for its data governance enhancement.
Safeguarding critical data with a single click
After deciding to adopt Microsoft 365 E5, a suite of products that includes Microsoft Purview, in August 2020, NTT Communications rolled out various data security solutions in stages. Its focus was on “transparency of insider risks” enabled by Microsoft Purview Information Protection and Microsoft Purview Insider Risk Management, both of which are part of Microsoft Purview.
NTT Communications has established an information management classification for its internal documents and has applied strict rules for their use and management. As Takaguchi notes, however, that management was manual and relied on users’ decisions and judgments. “Previously, we had five confidential classifications—from SA being most confidential to D being least confidential—indicating to users how documents can be used and managed,” he says. “But we weren’t fully confident that there were no security holes.”
To prevent human operations from causing a data security incident, the company implemented information protection to automate document protection. At the same time, it reviewed its confidentiality level rules and established four new levels: the highest level was set to 3, while level 0 allows employees to share documents with customers and other external parties. For confidentiality level 1, documents are controlled in an environment that can limit which users can view the documents, acknowledge viewing history, and prohibit viewing after distribution.
“We created an environment that makes it easier for employees to work,” says Takaguchi. “With our internal documents and those provided by customers, we can simply select a confidentiality level from an Office product toolbar and automatically encrypt a document based on its level. This is a big leap from our previous manual method.”
Enhancing internal investigations and security training
Insider Risk Management is a data security and compliance solution that helps correlate various signals to identify potential malicious or inadvertent insider risks like intellectual property theft, data leakage, and security violations. With Insider Risk Management, customers can create policies to manage security and compliance. The solution is built with privacy by design: users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Although NTT Communications mainly focuses on security against external threats and preventing the use of stolen sign-in credentials to impersonate employees, improving its internal understanding of security was necessary to operate the mechanisms to detect suspicious behaviors. “To raise security awareness within the organization, we started by carrying out educational sessions for each of the company’s groups in the summer of 2020,” recalls Hiroshi Hayakawa, Supervising Director of the Security Management Office, Information Security at NTT Communications Corporation. “In these sessions, we provided explanations of the causes and corresponding measures. We also helped employees understand Zero Trust security and provided visibility into past unsafe incidents and internal risks, including information leaks.” Along with the Microsoft Purview deployment, the team also created corresponding operations manuals and a help desk.
Security training and other related sessions are given on a regular basis. “We provide company-wide online security training once a year, in addition to security training sessions for new employees,” continues Hayakawa. “Through its regular meetings, NTT Communications promotes continual awareness-raising activities, including providing handbooks and manuals. At the end of the year, we have an event called Security Week.”
Striving ceaselessly for security and compliance to achieve business growth
While NTT Communications is using new systems and promoting security education to achieve Zero Trust security, Hideharu Inoue, Supervising Director for the Information Systems Department of the Digital Transformation Promotion Division, says its use of Microsoft 365 E5 has just begun. “We completed our information protection and Insider Risk Management deployments thanks to the high affinity of features within the comprehensive package of Microsoft 365 E5,” he says. “We were successful in achieving satisfactory results within six months after deployment.”
“There’s no perfect security—security and convenience are in a contradictory relationship,” adds Tsuyoshi Toyoshima, Supervising Director for the Information Systems Department of the Digital Reform Promotion Division at NTT Communications Corporation. “As technology evolves, the convenience of IT will never be simplified, especially as security measures constantly change. NTT Communications will continue to focus on security. With the accumulated expertise of Microsoft 365 E5 operations and highly secure endpoints, I hope to establish a unique new security solution capable of providing Zero Trust security for our customers and within NTT Communications and the NTT Group. To achieve such a security solution, we expect Microsoft to continue delivering advanced solutions with its unparalleled software development capabilities.”
Concludes Takaguchi, “As the world rapidly moves to the cloud, suppliers like Microsoft will continue providing various SaaS and PaaS services. Our primary task is to make the best use of these solutions to maintain advanced security systems. Security incidents are now a critical factor for business growth, and we believe that establishing Zero Trust security is critical to keeping risks away while running the business with confidence. To help us do that, we’re relying on Microsoft to provide not only new services, but also information on global, future-looking security trends and examples.”