As a business owner, you always want to know where your confidential data is stored, who has access to it and that anyone prohibited from seeing it cannot see it. Microsoft 365 (M365) does provide a raft of ways to help you keep your data safe. From security policies and data loss prevention tools to retention labels and unified labeling.
In 2020, Microsoft introduced Sensitivity, a tool that went further than previous M365 security capabilities
In 2020, Microsoft introduced a tool that went further than previous M365 security capabilities have. Sensitivity policies and Sensitivity labels (or simply ‘Sensitivity’) allow you to classify your files, documents and emails in a way that ensures their protection irrespective of the application, service or device they are accessed from. As with any technological solution though, successful application of Sensitivity is dependent on how well you leverage its power.
Here are some tips on deploying Sensitivity that your governance, security, risk and compliance teams can benefit from.
Know the Data
Protecting your company’s data begins with recognizing and understanding the nature of information across the multifaceted technology environment that spans your organization. You must establish the exact data that users work with in the collaboration tools they use. There are Microsoft project management tools that can help you map out the types of sensitive information in your organization.
Data identification helps you define data types just once, then from their unified location, use it in multiple backend tools such as Sensitivity Labels, data loss prevention and cloud app security. You can scale identification as well by tapping into trainable classifiers which could either be the pre-built ones from Microsoft or custom ones you define.
Just knowing the data is not all though. You have to keep track of the information you know. The M365 Purview interface provides a convenient means to monitor and gain insights over your organization’s data environment.
Define Classification Scheme
When you define a classification scheme, it does not have to be overly complicated. The simpler you can make it, the better. Sensitivity labeling after all depends on employee participation. You want a scheme that is relatively easy for a non-techie to understand and correctly apply.
The simpler you can make the classification scheme, the better
An example of a fairly straightforward scheme is to classify information with the default parameters of public, general, confidential and highly confidential.
Prepare End Users
Your users are crucial to ensuring that data is handled in compliance with applicable policy. They are your foremost allies in not just Sensitivity labeling but your overarching data security strategy. Therefore, you must not just prepare them for the rollout of Sensitivity Labels but create mechanisms to keep them updated and involved in any subsequent changes.
For instance, you could use SharePoint for all governance documentation including end user-specific documentation. That way, users can understand any new terms you use or that they see in the user interface. You could include a simple glossary of terms as well as guidance specific to the use of Sensitivity Labels.
Correctly Build Sensitivity Labels
When you create Sensitivity Labels, you must go out of your way to define descriptions that are well differentiated from one another. Seek to create labels that allow users to mostly make a decision in seconds over where a particular document, file or email lies.
That said, you have to complement this with extensive user training, so users have no ambiguity over what each label means.
Apply Sensitivity Labels
When you apply labels, they will be viewed across all M365 applications. At a high level, there are three major places where the Sensitivity Labels you define can be applied — files and emails, groups and sites, and Microsoft Purview assets.
- For files and emails, apply the labels to manage encryption, content markings, right management as well as auto apply for both client and service side. Client-side automatic detection and labeling occurs during document creation and editing. Service side auto detection and labeling takes place in data at rest. It may be applied at scale and serves as a backup process when users forget to define a label.
- For groups and sites, the labels control device access, guest access, privacy settings and external sharing.
- For Microsoft Purview, apply labels to files in database columns, lake data storage and blob storage.
Some confidential data will slip past the organization’s security perimeters especially as it moves across the cloud from one work location/device/user to another. Sensitivity Labels help prevent this from happening by restricting or blocking the inadvertent dissemination of sensitive information to unauthorized parties. This is crucial for automating compliance with data security laws and policies.
Sensitivity Labels help automate compliance with data security laws and policies
Sensitivity Labels are wholly customizable and help encrypt your information by labeling with visual protections such as watermarks. You can even keep track of activity on the sensitive data. Such depth of customization makes security labels a powerful tool to ensure compliance with company, industry and regulatory rules and regulations covering data protection.
If you are considering setting up Sensitive Labels but are not sure where to start, book a call.