Many organizations face a major challenge in protecting privacy-sensitive and confidential information. One reason is the vast amount of information created daily by employees, and the numerous locations used to store it. Moreover, information stored in the cloud is easily and almost always available. With cloud services like Microsoft 365, sharing has never been easier.
Here in the Netherlands, access to and sharing of (privacy-)sensitive information has led to several recent data breaches. Although none of these were related to Microsoft 365, the message is clear: we need to protect our information and not just the access to it.
For some time, Microsoft has had a solution available for this: Azure Information Protection. However, this solution will come to an end on April 1st 2021, so it is important to look at its successor: Microsoft Information Protection.
The concept of Microsoft Information Protection (in the form of sensitivity labels) can be summarized in one sentence: sensitive information is detected, classified and protected, so that its sensitivity is respected at all times and regardless of location.
Sensitivity labels enable the classification of documents and e-mail messages. These labels offer classification (as metadata for the document/e-mail), visual markings and protection. This protection is a combination of Rights Management and encryption.
Labels are attached to documents and e-mail messages (even automatically, with the appropriate license) and remain part of them. Data loss prevention adds a further layer of protection by using the labels to block unwanted sharing actions.
Because the labels are integrated as standard into the Office applications and Office Online, it is now very easy to offer them to our end users. And now that co-authoring and auto-saving of encrypted documents have been made possible, even that hurdle has been removed.
However, information is not just contained in documents and e-mail messages. Microsoft is working on a more holistic view of information protection. In this article I want to highlight some new and enhanced features, including those in Microsoft 365.
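The classification part of a label travels with the document as metadata, so it can be read back by any tool that opens the file. As an added illustration (not code from this article, from Microsoft or from any product), the following Python reads the `MSIP_Label_*` custom document properties that Office writes into `docProps/custom.xml` of an Office Open XML file, and builds a constructed minimal sample file to run against. The label GUID, the label name "Confidential" and the helper names `build_labeled_docx`, `build_unlabeled_docx` and `read_label_metadata` are constructed for the example. Because a document protected by the label's encryption is no longer a plain zip container, the reader returns `None` for such input rather than trying to parse it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Namespaces of the OOXML custom-properties part (docProps/custom.xml).
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# fmtid Office uses for user-defined custom properties.
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
# Prefix of the sensitivity-label properties: MSIP_Label_<guid>_<Suffix>.
LABEL_PREFIX = "MSIP_Label_"

# Constructed placeholder label GUID for the sample below (not a real label id).
SAMPLE_LABEL_GUID = "11111111-2222-3333-4444-555555555555"


def read_label_metadata(docx_bytes: bytes) -> Optional[Dict[str, Dict[str, str]]]:
    """Return {label_guid: {suffix: value}} for every MSIP_Label_* property.

    Returns {} for an unlabeled file and None when the bytes are not an OOXML
    zip container (for example because the label's protection encrypted it)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return None
    with zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    result: Dict[str, Dict[str, str]] = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        name = prop.get("name", "")
        if not name.startswith(LABEL_PREFIX):
            continue
        guid, _, suffix = name[len(LABEL_PREFIX):].partition("_")
        value = "".join(prop.itertext()).strip()  # text of the vt:* child
        result.setdefault(guid, {})[suffix] = value
    return result


def build_labeled_docx(label_guid: str, label_name: str, method: str = "Standard") -> bytes:
    """Constructed sample: a minimal zip holding only the custom.xml part with
    the label properties (enough for read_label_metadata; not a full document)."""
    props = {
        f"{LABEL_PREFIX}{label_guid}_Enabled": "true",
        f"{LABEL_PREFIX}{label_guid}_Name": label_name,
        f"{LABEL_PREFIX}{label_guid}_Method": method,
    }
    root = ET.Element(f"{{{NS_CUSTOM}}}Properties")
    for pid, (name, value) in enumerate(props.items(), start=2):
        prop = ET.SubElement(root, f"{{{NS_CUSTOM}}}property",
                             {"fmtid": FMTID_USER, "pid": str(pid), "name": name})
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/custom.xml",
                    ET.tostring(root, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


def build_unlabeled_docx() -> bytes:
    """Constructed sample without a custom.xml part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", "<cp:coreProperties xmlns:cp='urn:x'/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_labeled_docx(SAMPLE_LABEL_GUID, "Confidential")
    print(read_label_metadata(sample))
    print(read_label_metadata(build_unlabeled_docx()))
    print(read_label_metadata(b"not a zip container"))
```

The same properties are what DLP and third-party tools inspect to recognize a labeled file, which is why a label that is only "visual" is still useful for enforcement even without encryption.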
Let us begin by looking at the locations in Microsoft 365 where information is stored (or: at rest). One of the two biggest innovations for Microsoft 365 information protection is the ability to automatically label documents and e-mails where they are stored, for example in SharePoint Online. Documents and e-mails are scanned at these locations and, if the criteria are met, a label is applied automatically. Rest assured: a so-called simulation mode shows the expected result first. This prevents a very large number of documents from being labeled at once.
A second great innovation is the option to label entire Microsoft 365 Groups, Microsoft Teams and SharePoint Online sites. But do note that labeling these “containers” has no effect on the documents stored within them. In other words: there is no “default label” for documents. Instead, these labels serve another purpose (for now).
Placing a label on a container (a Teams environment, for example) should make employees aware of the type of environment they are working in. The label also controls several settings: guest access, sharing with external parties and access from unmanaged devices can be set directly from the label. When the label is selected, all these settings are applied, which makes for easy administration. Please note that you will need some additional measures (and licenses) when working with devices, for example Azure AD Conditional Access rules.
A nice (relatively new) addition to this functionality is the interaction between labeled documents and the labeled environment. When a highly classified document is added to an environment with a lower classification, the employee will receive a warning.
Classifying documents and e-mail messages has been possible for quite some time. But some time ago Microsoft introduced the term “unified classification”. This term denotes a model in which various Microsoft platforms, for example Microsoft 365, Microsoft Cloud App Security and the Information Protection scanner, use the same definitions of sensitive information. This model contains standard definitions for, among other things, the EU ID card number and the NL BSN. These can also be expanded with your own definitions.
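To make the two ideas above concrete, the unified definitions of sensitive information and the simulation mode of auto-labeling at rest, here is an added Python example (not code from this article or from Microsoft's classification engine). It models one sensitive information type in the shape such definitions take: a primary pattern, a checksum validator and supporting keywords that raise the confidence of a match. The NL BSN is used because its public check, the "11-proef", is simple: the first eight digits are weighted 9 down to 2, the last digit is weighted -1, and the weighted sum must be a multiple of 11. A small auto-labeling policy then runs in simulation over a set of constructed documents and reports which label each would receive, without applying anything. The names `NL_BSN`, `AutoLabelRule`, `simulate`, the label names "Confidential" and "Internal", and all sample documents and values are constructed for the example; the rejection of the all-zero number is an added edge case.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def bsn_checksum_ok(digits: str) -> bool:
    """Dutch BSN '11-proef': weights 9..2 on the first eight digits, -1 on the
    last; the weighted sum must be a positive multiple of 11 ('000000000' sums
    to zero and is rejected here as an added edge case)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    total = sum(w * int(d) for w, d in zip(weights, digits))
    return total > 0 and total % 11 == 0


@dataclass(frozen=True)
class SensitiveInfoType:
    """Simplified model of one classification definition: a primary pattern,
    an optional validator and supporting keywords within a proximity window."""
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]]
    keywords: Tuple[str, ...]
    window: int = 300  # characters before/after the match searched for keywords


# Constructed definition mirroring the shape of a built-in NL BSN type.
NL_BSN = SensitiveInfoType(
    name="NL BSN",
    pattern=re.compile(r"(?<!\d)\d{9}(?!\d)"),
    validator=bsn_checksum_ok,
    keywords=("bsn", "burgerservicenummer", "sofinummer", "citizen service number"),
)


def detect(text: str, sit: SensitiveInfoType) -> List[Tuple[str, str]]:
    """Return (matched_value, confidence) pairs. Candidates failing the
    validator are dropped; a valid candidate is 'medium', or 'high' when a
    supporting keyword occurs within the window around it."""
    findings: List[Tuple[str, str]] = []
    for m in sit.pattern.finditer(text):
        value = m.group(0)
        if sit.validator is not None and not sit.validator(value):
            continue
        start, end = max(0, m.start() - sit.window), min(len(text), m.end() + sit.window)
        context = text[start:end].lower()
        confidence = "high" if any(k in context for k in sit.keywords) else "medium"
        findings.append((value, confidence))
    return findings


@dataclass(frozen=True)
class AutoLabelRule:
    """Apply `label` when at least `min_count` findings of `sit` reach `min_confidence`."""
    sit: SensitiveInfoType
    min_count: int
    min_confidence: str
    label: str


def proposed_label(text: str, rules: List[AutoLabelRule]) -> Optional[str]:
    """First rule whose threshold is met wins; None means no label would be applied."""
    for rule in rules:
        hits = [f for f in detect(text, rule.sit)
                if CONFIDENCE_RANK[f[1]] >= CONFIDENCE_RANK[rule.min_confidence]]
        if len(hits) >= rule.min_count:
            return rule.label
    return None


def simulate(documents: Dict[str, str], rules: List[AutoLabelRule]) -> Dict[str, Optional[str]]:
    """Simulation mode: report the label each stored document WOULD get, changing nothing."""
    return {path: proposed_label(text, rules) for path, text in documents.items()}


# Constructed sample documents "at rest" (path -> extracted text).
SAMPLE_DOCUMENTS = {
    "hr/onboarding.docx": "Employee J. de Vries, BSN 111222333, starts on 1 March.",
    "finance/appendix.xlsx": "Batch reference 111222333 processed without errors.",
    "marketing/flyer.docx": "Call us on 123456789 for a quote.",
    "hr/export.csv": "id,bsn\n1,111222333\n2,123456789\n",
}

# Constructed policy: keyword-backed hits get the stricter label, bare hits a lighter one.
RULES = [
    AutoLabelRule(NL_BSN, min_count=1, min_confidence="high", label="Confidential"),
    AutoLabelRule(NL_BSN, min_count=1, min_confidence="medium", label="Internal"),
]

if __name__ == "__main__":
    for path, label in simulate(SAMPLE_DOCUMENTS, RULES).items():
        print(f"{path:24} -> {label or '(no label)'}")
```

Running the simulation shows why the mode matters: `finance/appendix.xlsx` contains a number that passes the checksum but has no supporting evidence, and reviewing such medium-confidence hits before enabling the policy is exactly what prevents a flood of unwanted labels.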
This uniform way of working now also applies to the labeling and protection of information, going beyond platforms, documents, and e-mail messages. Structured information and (for example) documents in non-Microsoft cloud solutions can now also be classified and protected.
While many organizations have policies on where to manage and store information, mostly restricted to a limited number of locations, the reality is different. Network locations, Office 365 and possibly other (non-Microsoft) cloud solutions are used to store information. Microsoft Information Protection allows you to detect and classify sensitive information in documents stored in these locations. By using Microsoft Cloud App Security, the organization can monitor environments such as Box and Dropbox Business, for example.
The Azure Information Protection scanner, on the other hand, is used to detect sensitive information in documents stored on local (“on-premises”) network locations or SharePoint environments. Documents can also be classified, if necessary. This can also be useful in the context of migration processes. An initial scan can indicate where the sensitive information is located prior to any migration.
Most of this article has centered around classifying and protecting unstructured information like documents and e-mail messages. But one great step towards a more holistic view of information is the focus on structured data, and Microsoft has taken that step with Microsoft Information Protection.
Power BI can be linked to Microsoft Information Protection. This allows you to classify data in Power BI (such as dashboards or reports). When an employee exports or saves the information in the form of a document (PowerPoint, Excel, PDF), this document is automatically classified. And when the label provides protection, the document is protected automatically.
A relatively new addition to the portfolio is the Microsoft Information Protection integration with the new (preview) platform Azure Purview. This platform is positioned to be a generic data governance environment, allowing organizations to govern many data platforms in a multi-cloud architecture.
Data platforms include Azure SQL and Cosmos DB, but also AWS S3 and Azure Blob storage. Using Microsoft Information Protection, we can now classify and protect columns and documents. Please do note that when you want to classify documents, you will need a label whose scope includes both “Documents and e-mail” and Purview assets.
Do note however, that Azure Purview has a more detailed classification scheme when compared to the unified labeling scheme used by Microsoft Information Protection. In other words: it will detect more.
Microsoft offers more and more technological options to ensure the sensitivity and confidentiality of information, regardless of where it resides. Still, implementing these capabilities is more than just flipping a switch. A correct classification scheme, the correct protective measures and, above all, proper attention to the awareness of, and support for, the end user are very important.
So, make use of the so-called Crawl | Walk | Run model, in which the introduction of these capabilities is spread out sensibly over time. After all, you must be able to walk before you start running.