Compliance is a team sport and it is everyone’s responsibility in an organization. We need to understand that it is more than a technical problem and must be tackled with more tools and processes than technical controls. So, it is time to go beyond the accountability of IT professionals and ensure end-users are also working in a compliant manner. It is pivotal to ensure that your digital workplace is equipped with governance, automation, training, in-the-moment help, and consistency, to adhere to long-term compliance policies.
Sensitivity labels are one great way to maintain protection and compliance in your Microsoft 365 environment and throughout the organization as well. Let us explore this further and understand how to put Sensitivity Labels to good use in Microsoft 365.
Microsoft Information Protection - The Greater Ecosystem
Microsoft Information Protection (MIP) is the construct through which data protection is rolled out across Microsoft 365, and central to it is a service called Data Classification Service. With data classification, you can build and identify your own sensitive information types. Sensitivity Labels are part of that, and part of your own organization’s data classification scheme.
Underneath all these layers there is a lot of groundwork that goes in before you can define your Sensitivity Labels. Conveniently, Sensitivity Labels can be applied across Microsoft 365 applications and services and numerous devices that use these apps.
Sensitivity Labels – The Problem Solver
There are some real security concerns that keep executives and business owners up at night, such as: is the data we are working with protected or not? Discerning sensitive data from non-sensitive data, ensuring data security at all times, and many others are all on the list. Sensitivity Labels, if implemented correctly, take care of these and thus provide a more restful sleep, by:
- Enforcing Privacy
- Enforcing Guest Access
- Controlling External Sharing
- Controlling Device Access
Microsoft 365 Compliance Through Sensitivity Labels
If you are looking to articulate a path to compliance and what you want from it, then you need to communicate this four-step path with your compliance and risk teams:
1. Know Your Data –> 2. Protect Your Data –> 3. Prevent Data Loss –> 4. Govern Your Data
In this blog, we will be going over the first two stages of the compliance path and discussing how they tie into Sensitivity Labels.
1. Know Your Data
It is important to understand your data landscape and identify important data across your hybrid environment. You need to know what data your users are working with in all of the collaboration tools that they are using. Out-of-the-box Microsoft tools can help identify sensitive information types in your environment.
The power of data identification is that you can define the data type once in a unified location and use it across a number of tools in the backend, such as Sensitivity Label conditions, Retention Label Policy conditions, Data Loss Prevention (DLP) conditions, and Microsoft Cloud App Security.
Additionally, you can scale your identification by using trainable classifiers. These come with the option to create custom ones or use pre-built ones provided by Microsoft.
Knowing your data is not enough; you must also be able to monitor what you know. The Data Classification in Microsoft 365 compliance interface is an effective way to gain insight into your environment.
For a guided experience to understanding your data and the role of Sensitivity Labels, watch our webinar session recording featuring Joanne C. Klein: https://www.orchestry.com/event/sensitivity-labels-microsoft-365-what-how-and-why-to-inform-and-engage/
2. Protect Your Data
Data protection keeps your data secure as it travels inside and outside your organization. Although there are many tools in the backend that would be considered compliance control options as part of the MIP solution, Sensitivity Labels play an integral role.
Let’s focus on the protection of your sensitive information wherever it lives and any exchange that takes place between these collaboration assets – Exchange, Microsoft Teams, SharePoint and OneDrive.
- Define your organizational classification scheme: The classification scheme does not have to be complicated. In fact, the simpler it is, the easier it is for end users to know it and use it correctly. Here is a basic example of what a classification scheme can look like:
Hot Tip: 5-6 parent Sensitivity Labels are enough, and you can add sub-labels if required. If you are going over that, then you need to regroup and define what the distinguishing controls are between all those labels.
- Prepare your end users. This is integral to ensuring that compliance policy is enforced and implemented. End users are your ally in any information protection strategy. The best way to keep them involved and updated is by utilizing a SharePoint Communication Site for all your governance documentation. This Site can include: End user documentation so that they understand new terms you may be using or what they will be seeing in the user interface, a high-level glossary of terms, user guidance around Sensitivity Labels, etc.
- Build Sensitivity Labels correctly. When creating Sensitivity Labels, it is super important to get the description right so that labels are clearly differentiated one from the other. At the same time, you need to keep in mind that you will have to structure proper end user training around it so that they understand what each aspect of it means.
- Apply Sensitivity Labels. There are 3 high-level places where you can apply Sensitivity Labels:
  - Files/Emails: Sensitivity Labels can be applied to manage content markings, encryption, rights management, client-side auto-apply, and service-side auto-apply.
    - Auto-labeling client-side: This is based on sensitive types detected at the moment, and can be applied while using or editing documents, or while composing emails. This kind of label can be automatically applied or recommended to the user.
    - Auto-labeling service-side: This is based on sensitive types detected in content at rest, such as in SharePoint or OneDrive. It helps if users forget to set a label, and can be applied at scale.
  - Groups/Sites: In this case, Sensitivity Labels control privacy settings, guest access, device access, and external sharing.
  - Data: Sensitivity Labels are used across Azure Purview, files in Azure Blob Storage, files in Azure Data Lake Storage, and several database columns.
Once labels are applied you can see them across your Microsoft 365 applications.
Note that when you apply a sensitivity label to an MS Teams team, it is not automatically copied over to each file shared in that team. To get granular, you need to apply Sensitivity Labels at the file level separately.
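As an added example (not from the original post or from Orchestry), the following Security & Compliance PowerShell creates one label scoped to both files/emails and groups/sites, which shows why the file-level marking and the container-level controls are configured as separate settings. The label name, policy name and admin account are constructed, and it assumes the ExchangeOnlineManagement module is installed and container labeling is already enabled in the tenant; check the parameters against your module version.

```powershell
# Added example. Label name, policy name and admin UPN are constructed values.
# Assumes: ExchangeOnlineManagement is installed and sensitivity labels for
# containers (groups/sites) are already enabled in the tenant.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$label = @{
    Name        = 'Confidential-Example'
    DisplayName = 'Confidential (example)'
    Tooltip     = 'Business data that would cause harm if shared outside the organization.'

    # One label, two scopes: items (files/emails) and containers (sites/groups/teams).
    ContentType = 'File, Email, Site, UnifiedGroup'

    # Item-level setting: travels with each labeled file or email.
    ApplyContentMarkingHeaderEnabled = $true
    ApplyContentMarkingHeaderText    = 'CONFIDENTIAL'

    # Container-level settings: apply to the team or site itself,
    # not to the files stored inside it.
    SiteAndGroupProtectionEnabled                 = $true
    SiteAndGroupProtectionPrivacy                 = 'Private'                          # privacy
    SiteAndGroupProtectionAllowAccessToGuestUsers = $false                             # guest access
    SiteExternalSharingControlType                = 'ExistingExternalUserSharingOnly'  # external sharing
    SiteAndGroupProtectionAllowLimitedAccess      = $true                              # unmanaged devices: web-only
}
New-Label @label

# Labels are only visible to users once they are published in a label policy.
New-LabelPolicy -Name 'Confidential-Example-Policy' `
    -Labels 'Confidential-Example' `
    -ExchangeLocation All

# Confirm the label exists and covers both item and container scopes.
Get-Label -Identity 'Confidential-Example' |
    Format-List Name, DisplayName, ContentType
```

A team created with this label gets the privacy, guest, sharing and device settings, while the header marking appears only on files and emails that are themselves labeled.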
To make this process simpler for you, we have this wildly helpful checklist to guide you through the creation and implementation of Sensitivity Labels:
Unmatched Compliance with Orchestry
At Orchestry, we understand the importance of compliance in an organization and with that in mind, we have included some powerful capabilities in our spring product release. Whether you make use of Sensitivity Labels or not, there is something for everyone in Orchestry. We are here to offer you enhanced control of your Microsoft 365 environment with improved compliance features and full support for Sensitivity Labels and Classification Labels.
Orchestry has so much to offer to ensure that you are operating in the most secure way possible. Stay tuned for our next blog: ‘Unparalleled Control with Compliance in Orchestry’, to take a deep dive into new Orchestry compliance capabilities, and understand the nuances of each feature and how they fit together.