2. SYNOPSIS
With Modern Team sites and Microsoft Teams being created at a record pace these days, are you concerned how content within them can be secured, protected, and retained? Join me in this session to learn how various Office 365 features work together to address these requirements so you can breathe a little easier.
Key Takeaways:
• Understand Microsoft's shared responsibility model and what this means for you
• Ways to prevent sensitive information in your Teamwork from leaving your organization
• How to apply retention across your Teamwork
• How to have oversight across your sensitive Teamwork
4. Agenda for today
• THE SHARED RESPONSIBILITY MODEL
• PROTECTING YOUR SENSITIVE INFORMATION
• RETAINING YOUR TEAMWORK
• COLLABORATING WITH EXTERNAL USERS
• WHERE TO START
Viewed through a governance perspective
5. DISCOVERING AND MANAGING DATA IS CHALLENGING
• >80% of corporate data is "dark" (not classified, protected nor governed)²
• 88% of organizations no longer have confidence to detect and prevent loss of sensitive data¹
• #1 concern: protecting and governing sensitive data to comply with regulations⁴
• 40% of CXOs indicate that Information Security is a primary risk from COVID-19³
1. Forrester. Security Concerns, Approaches and Technology Adoption, December 2018
2. IBM. Future of Cognitive Computing, November 2015
3. Gartner CXO survey
4. Microsoft GDPR research, 2017
6. NOT ALL TEAMS ARE CREATED EQUAL
• Company: authoritative curated content; 1:many broad conversations
• Department/Division: functional units; few:many specific conversations
• Where Teamwork happens: transient groups; cross-collaboration
Tools: Microsoft Teams, Yammer, SharePoint
7. A SHARED RESPONSIBILITY MODEL
Support for >90 global, national, regional, and industry-specific regulations
Get your own digital house in order!
• Leverage the shared responsibility model
• Coordinated effort of 3 groups
¹ Thomson Reuters, "Cost of Compliance 2018 Report: Your biggest challenges
9. In one corner, we have firewalls, encryption, anti-virus software, conditional access, MFA, DLP, sensitivity labels, external sharing strategies, auto-provisioning solutions,…
And in the other corner… we have "Steve"
10. BE "CYBER-SECURE"
Business information workers: help them make a "digital mind-shift"
• Shift from an "in-person" to an "online" mindset
• Know how to effectively use modern collaboration tools
• Know how to collaborate securely across all networks
11. COVID19 TRAINING KIT (FREE)
Help users be "cyber-secure"
• 3 end-user phish and privacy education courses
• 2 videos about how attackers are using the pandemic to target victims
• Blog posts, posters, newsletters, infographics
Download: https://security.microsoft.com/attackSimulatorTrainings
12. GET BUSINESS INFORMATION WORKERS TO SIGN OFF ON A "TEAMWORK AGREEMENT"
• What content is considered "sensitive" in our organization, do we have any in this Teamwork and, if so, what are the proper handling controls for it?
• Based on the team's classification, what are our collaboration guidelines?
• What are team owners' responsibilities for this team?
• How do we close down our team when the work is done?
Incorporate this into your provisioning process!
13. INFORMATION GOVERNANCE HAS 3 STAKEHOLDER GROUPS!
• Business information workers
• Legal, Risk, Compliance, Governance Teams
17. SCENARIO-BASED GOVERNANCE AND CONTROLS
John works in the IT department of Woodgrove Bank. They usually use restrictive settings.
Kate works in the IT department of Contoso. They always try to find the best balance between user freedom and IT control.
Chad works in the IT department of Tailspin Toys. They want to drive productivity by removing as many barriers as possible.
18. EXAMPLE SCENARIO: SELF-SERVE SITE CREATION
John: We control site provisioning with a strict approval process and automation to control external access, naming conventions, protection, and retention.
Kate: We leverage consistent site designs for our users and allow them to provision sites without approval. We follow up after the fact for additional guidance and controls.
Chad: We use out-of-the-box provisioning features in our tenant. End-users know what they want and we don't want to get in their way.
19. Container and Content Governance
Protecting your (sensitive) teamwork
Retaining your teamwork
20. Container and Content Governance
IDENTIFY VALUABLE CONTENT
• Require classification for containers
• Scan with Data Loss Prevention (DLP)
PROTECT ASSETS
• Retention/Deletion
• Use Conditional Access
• Use Rights Management
• Information Barriers
ENSURE ACCOUNTABILITY
• Manage group/site ownership
• Review external membership
EMPOWER EMPLOYEES
• Self-service site creation
• Life-cycle management
21. PROTECT YOUR SENSITIVE TEAMWORK WHEREVER IT LIVES!
GET READY: Define your classification scheme
KNOW YOUR DATA: Understand where your sensitive data lives, what users are doing with it and why it may be at risk
SENSITIVITY LABELS: Use sensitivity labels to identify and protect your data (teamwork)
DATA LOSS PREVENTION (DLP): Use DLP to govern your sensitive data (teamwork)
22. GET READY! DEFINE YOUR OWN CLASSIFICATION SCHEME
Example (Microsoft's own scheme):
• Highly confidential: This is the most critical data for Microsoft. Share it only with named recipients.
• Confidential: This content is key to achieving our goals. Limited distribution, on a need-to-know basis.
• General: Product used and shared throughout Microsoft, like personal settings and zip codes. Share it throughout Microsoft internally.
• Public: Non-restricted data meant for public consumption like publicly released source code and announced financials. Share it freely.
23. IT'S 3 O'CLOCK. DO YOU KNOW WHERE YOUR (SENSITIVE) DATA IS? IS IT BEING PROTECTED AND RETAINED?
24. KNOW YOUR DATA USING DATA CLASSIFICATION
Use Content Explorer to gain insight into your sensitive data:
• Where are sensitive information types located?
• Where are sensitivity labels being used?
• Where are retention labels being used?
Use Activity Explorer to show activities across your locations:
• When labels were applied
• Who modified sensitive data
• When a file was printed
• Etc.
* Assign members of your Governance teams to the role groups required for monitoring this!
29. SENSITIVITY LABELS
• Content markings
• Protection (encryption)
• Rights management
• Auto-apply/recommend based on sensitive information type (and Trainable Classifiers*) on the client
• On the service side, auto-apply to SP/OD content at rest and to EXO emails in transit*
30. END-USER EXPERIENCE WITH SENSITIVITY LABELS
(Screenshots: Office apps; Outlook on the web; iOS Outlook app; Office for the web)
31. 2 NEW SENSITIVITY LABEL FEATURES
AUTO-LABELING FILES AT REST IN SHAREPOINT
• Based on sensitive information types
• Helps if the user forgets to set a label
• Will be visible in the Sensitivity column in SharePoint lists and libraries
ENCRYPTED (PROTECTED) FILES
• Open and edit in Office Online
• Co-authoring allowed
• Searchable: allows for DLP and eDiscovery
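As an added example that is not part of the original deck, the Security & Compliance PowerShell below builds the pieces slides 29 and 31 describe: one label that carries a content marking, encryption with rights management, and container protection that keeps guests out of any Team/site labeled with it; a label policy that publishes it and forces a justification on downgrade; and a service-side auto-labeling policy for files at rest in SharePoint that starts in simulation. The label name, the rights recipients, the tenant admin URL and the policy names are assumed placeholders; the final Set-SPOTenant call is the tenant prerequisite for opening, co-authoring and searching encrypted files in SharePoint/OneDrive.

```powershell
# Added example (not the deck's own code). Assumed: label/policy names, recipients, tenant URL.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                                   # Security & Compliance PowerShell

$labelName = "Confidential"                           # assumed label name

# 1. The label: marking + encryption/rights management + Team/site protection.
$labelParams = @{
    Name        = $labelName
    DisplayName = $labelName
    Tooltip     = "Limited distribution, need-to-know basis"
    # Content marking
    ApplyWaterMarkingEnabled = $true
    ApplyWaterMarkingText    = "Confidential"
    # Encryption with rights management; recipients are assumed placeholders
    EncryptionEnabled           = $true
    EncryptionProtectionType    = "Template"
    EncryptionRightsDefinitions = "AuthenticatedUsers:VIEW,EDIT;records@contoso.com:OWNER"
    # Container protection: labeled Teams/Groups/sites are private and cannot add guests,
    # and unmanaged devices get web-only (limited) access
    SiteAndGroupProtectionEnabled                 = $true
    SiteAndGroupProtectionPrivacy                 = "Private"
    SiteAndGroupProtectionAllowAccessToGuestUsers = $false
    SiteAndGroupProtectionAllowLimitedAccess      = $true
}
New-Label @labelParams

# 2. Publish to all users; downgrading the label requires a justification.
New-LabelPolicy -Name "All users" -Labels $labelName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# 3. Service-side auto-labeling of files at rest in SharePoint (simulation first;
#    switch the policy to -Mode Enable after reviewing the matches it reports).
$autoPolicy = "Auto $labelName - SharePoint at rest"
New-AutoSensitivityLabelPolicy -Name $autoPolicy -ApplySensitivityLabel $labelName `
    -SharePointLocation All -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name "$autoPolicy - credit cards" -Policy $autoPolicy `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" })

# 4. Tenant prerequisite so encrypted files can be opened, co-authored and indexed in SPO/ODB.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant
Set-SPOTenant -EnableAIPIntegration $true
```

Splatting is used for the label so each capability can be commented; a backtick continuation line cannot carry a trailing comment. The auto-labeling policy is left in simulation on purpose: enable it only after Activity Explorer shows the matches you expect.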
37. DATA LOSS PREVENTION (DLP) TO GOVERN TEAMWORK
A DLP policy can:
• Prevent content from being shared
• Allow the end-user to override
• Use sensitive information types and retention labels as conditions
• Soon… use a sensitivity label as a condition (in preview now!)
DLP for Microsoft Teams blocks sensitive content when shared with Microsoft Teams users who have:
• guest access in teams and channels; or
• external access in meetings and chat sessions
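An added example (not from the original deck) of what the slide above describes, in Security & Compliance PowerShell: a DLP policy for Teams chat and channel messages that blocks credit-card content shared with people outside the organization (guests and external-access users) while letting the sender override with a justification, plus a second policy for SharePoint/OneDrive files that removes "Anyone with the link" access to matching documents. Both start in test mode with policy tips so the governance team can watch matches before enforcing. Policy names, the incident-report mailbox and the tip text are assumed placeholders.

```powershell
# Added example (not the deck's own code). Assumed: names, mailbox, tip text.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$creditCard = @(@{ Name = "Credit Card Number"; minCount = "1" })   # built-in sensitive information type

# Policy 1: Teams chat/channel messages.
$teamsPolicy = "Teamwork - payment card data in Teams"
New-DlpCompliancePolicy -Name $teamsPolicy -TeamsLocation All -Mode TestWithNotifications `
    -Comment "Block card data sent to guests and external-access users"

New-DlpComplianceRule -Name "$teamsPolicy - block external" -Policy $teamsPolicy `
    -ContentContainsSensitiveInformation $creditCard `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "This message contains payment card data and cannot be shared outside the organization." `
    -GenerateIncidentReport "dlp-alerts@contoso.com" `
    -ReportSeverityLevel High

# Policy 2: SharePoint/OneDrive files (this also covers files shared in Teams).
$filesPolicy = "Teamwork - payment card data in files"
New-DlpCompliancePolicy -Name $filesPolicy -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# PerAnonymousUser removes only "Anyone with the link" access and keeps the document
# usable by named internal and guest users.
New-DlpComplianceRule -Name "$filesPolicy - no anyone links" -Policy $filesPolicy `
    -ContentContainsSensitiveInformation $creditCard `
    -BlockAccess $true -BlockAccessScope PerAnonymousUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "Payment card data cannot be shared with 'Anyone with the link'."

# After a monitoring period (review matches in Activity Explorer / DLP reports), enforce:
Set-DlpCompliancePolicy -Identity $teamsPolicy -Mode Enable
Set-DlpCompliancePolicy -Identity $filesPolicy -Mode Enable
```

The two policies are kept separate because the anonymous-link scope only has meaning for SharePoint/OneDrive locations. The override with justification is the "allow end-user to override" bullet above; drop -NotifyAllowOverride for a hard block.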
41. SECURE DATA / ENABLE PRODUCTIVITY: STRIKING A PERFECT BALANCE
Enable productivity
• Manually apply sensitivity labels consistently across apps, applications, and endpoints
• Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP
• Visual markings to indicate sensitive documents across apps/services: watermark, lock icon, sensitivity column
• Co-author and collaborate with sensitive documents
• Enable searching and eDiscovery of encrypted files in SharePoint
Secure data
• Enforce conditional access to sensitive data
• DLP actions to block sharing
• Encrypt files and emails based on sensitivity label
• Prevent data leakage through DLP policies based on sensitivity label
• Mark files as sensitive by default
42. SCENARIO: PROTECTING YOUR SENSITIVE CONTENT
John: We automatically apply sensitivity labels to our content and will require users to provide a reason for override if necessary. We use DLP across all locations and block access to SharePoint sites from all unmanaged devices.
Kate: We allow our users to collaborate freely with external users, however, we are currently monitoring when sensitive information is being shared to build our DLP and auto-labeling policies. We allow web-only access to confidential SharePoint sites.
Chad: We apply a default sensitivity label to all content and rely on our users to adjust it if necessary. We allow external sharing on all sites. We allow full access to SharePoint sites even from unmanaged devices.
43. APPLYING RETENTION ACROSS YOUR TEAMWORK
Retaining content where you work ("built-in" compliance)
DELETE: "Delete all team collaboration content 8 years after its last modified date"
RETAIN: "Retain all Access Request forms for 5 years"
RETAIN and DELETE: "Retain all customer information for 10 years and then delete it after review"
44. APPLYING RETENTION ACROSS YOUR TEAMWORK
Collaboration workspace | Retention policy | Retention label (label policy)
Exchange mailbox | Yes | Yes
OneDrive for Business site | Yes | Yes
SharePoint site | Yes | Yes
Microsoft 365 Group | Yes | Yes
Chat and (standard) channel messages (minimum 1-day retention allowed) | Yes | No
Meeting recordings | No | No
45. APPLYING RETENTION ACROSS YOUR TEAMWORK
MANUAL: End-user applies a retention label on a specific document or email.
AUTOMATIC: Automatically apply retention based on condition(s).
MACHINE LEARNING**: Use machine learning to apply a retention label based on a trainable classifier.
47. WAYS TO AUTO-APPLY A RETENTION LABEL
#1 – Automatically apply at a document library level
#2 – Automatically apply at a folder or document set level
#3 – Auto-apply based on a sensitive information type
#4 – Auto-apply based on a keyword query
#5 – Auto-apply based on a content type
#6 – Auto-apply based on a metadata value
#7 – Automatically set using Microsoft Flow
#8 – Automatically set using custom code/PowerShell
#9 – Auto-apply based on a Trainable Classifier
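An added example, not from the original deck, that ties the location table on slide 44 to the auto-apply list above: a retention policy on Teams chats (the one location that supports policies but not labels), a retention label with disposition review published to the locations that do support labels, an auto-apply rule for that label on a sensitive information type (way #3), and PnP PowerShell setting the label as a library default and on a single item (ways #1 and #8). Names, the reviewer mailbox, the site URL and the item ID are assumed placeholders.

```powershell
# Added example (not the deck's own code). Assumed: names, reviewer mailbox, site URL, item ID.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# a) Teams chats: a retention POLICY (labels cannot target chat). Deletes chats after 30 days.
New-RetentionCompliancePolicy -Name "Teams chats - 30 days" -TeamsChatLocation All -Enabled $true
New-RetentionComplianceRule -Name "Teams chats - 30 days rule" -Policy "Teams chats - 30 days" `
    -RetentionDuration 30 -RetentionComplianceAction Delete

# b) A retention LABEL: keep 10 years after last modification, then route to a reviewer
#    before deletion (disposition review).
$label = "Customer information"
New-ComplianceTag -Name $label -Comment "Regulated customer records" `
    -RetentionAction KeepAndDelete -RetentionType ModificationAgeInDays -RetentionDuration 3650 `
    -ReviewerEmail "records@contoso.com"

# Publish it (manual application) to the locations that support labels.
New-RetentionCompliancePolicy -Name "Publish $label" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "Publish $label rule" -Policy "Publish $label" `
    -PublishComplianceTag $label

# c) Way #3: auto-apply the label when a document contains a sensitive information type.
New-RetentionCompliancePolicy -Name "Auto-apply $label" -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Auto-apply $label rule" -Policy "Auto-apply $label" `
    -ApplyComplianceTag $label `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" })

# d) Ways #1 and #8: library default label and a single item, via PnP PowerShell.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive   # assumed site
Set-PnPLabel -List "Documents" -Label $label -SyncToItems          # default for new and existing items
Set-PnPListItem -List "Documents" -Identity 42 -Label $label       # one document, assumed item ID
```

A label published by a policy becomes available to users only after the label policy has propagated, and auto-apply rules evaluate content on a schedule rather than instantly, so allow time before checking results in Content Explorer.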
51. SCENARIO: RETAINING YOUR TEAMWORK
John: We have retention labels published aligning to our File Plan to retain regulated content with disposition review. We have retention policies on Teams chats to delete them after 5 days. We have a mature training program for business users for retention education.
Kate: We have retention policies published across collaboration locations including Microsoft Teams. This is transparent to end-users, but still allows it to be discoverable. We delete Teams chats after 1 month.
Chad: We have a few retention labels defined for our most valuable content. We use auto-apply capabilities, so end-users don't have to remember to do it. We don't delete Teams chats.
53. EXTERNAL ACCESS VERSUS GUEST ACCESS
EXTERNAL ACCESS
• External access users have no access to specific Teams or Teams resources
• Allows external users in other domains to find, call, chat, and set up meetings with you
GUEST ACCESS
• External users with access to existing Teams and Channels in Microsoft Teams
• Anyone not part of your organization can be added as a guest in Teams
• Teams Admins/Owners control what guests can and cannot do
54. COLLABORATING WITH EXTERNAL USERS SECURELY
GUEST ACCESS
• Allowing it: turned off by default. Can be set at a Teams org-wide level or at a Team/Group level.
• Recommendations: audit what guest users are doing via regular security audits of the audit logs. Available now: disable guest access at a Team/Site level based on the sensitivity of the Team/Site.
EXTERNAL ACCESS
• Allowing it: allow all domains (default), some domains, or block some domains.
• Recommendations: use allow/deny lists for your external partner domains.
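The controls on the slide above, as an added example that is not part of the original deck: an external-access allow list of partner domains, the org-wide guest switch for Teams, a per-team block on adding guests (set on the team's Microsoft 365 group), and the recommended audit, pulling every guest account's activity from the unified audit log for the last week and summarizing it by user and operation. Partner domains, the team name and the time window are assumed; the group-level guest setting needs the AzureADPreview module.

```powershell
# Added example (not the deck's own code). Assumed: partner domains, team name, time window.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# External access: federate only with named partner domains (allow list).
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @("fabrikam.com", "tailspintoys.com")

# Guest access: org-wide switch for Teams.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true

# Per team: block guests on one confidential team via its Microsoft 365 group settings.
Import-Module AzureADPreview
Connect-AzureAD
$group = Get-AzureADGroup -Filter "displayName eq 'Finance - Confidential'"   # assumed team name
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
$setting = $template.CreateDirectorySetting()
$setting["AllowToAddGuests"] = $false
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId -DirectorySetting $setting

# Audit: what did guests actually do in the last 7 days?
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object -ExpandProperty UserPrincipalName

# One call returns at most 5000 records; use -SessionCommand ReturnLargeSet to page beyond that.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $guests -ResultSize 5000

$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |   # AuditData is a JSON string per record
    Group-Object UserId, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Reading the summary: a guest whose top operations are FileDownloaded or FileSyncDownloadedFull across sites they were not invited to is the case the "regular security audits" bullet exists for. Run it as a scheduled job and diff week over week rather than eyeballing it once.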
55. EXTERNAL SHARING RECOMMENDATIONS
01 COLLABORATION: Enable external sharing by default. Disable based on classification (coming soon via site classification).
02 DOMAINS: Limit domains as required.
03 EDUCATE: Educate your users on sharing with external parties.
04 ANYONE LINKS: New: use DLP to prevent "Anyone with the link" access from SharePoint/ODFB for sensitive documents.
05 AUDIT: Make security audits part of your governance process.
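An added example, not from the original deck, applying recommendations 01, 02 and 05 with SharePoint Online PowerShell: external sharing stays on tenant-wide but is restricted to an allow list of partner domains, "Anyone" links are not the default and expire if created, sharing is switched off on a list of confidential sites, and two review queries list the sites that still allow external sharing and the external users present in the tenant. The admin URL, the site URLs and the domains are assumed; the confidential-site list is constructed here and would in practice be derived from each site's classification or sensitivity label.

```powershell
# Added example (not the deck's own code). Assumed: admin URL, site URLs, partner domains.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 01/02: sharing on by default, limited to partner domains; internal links by default,
#        and any "Anyone" link that is created expires after 30 days.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "fabrikam.com tailspintoys.com" `
    -DefaultSharingLinkType Internal `
    -RequireAnonymousLinksExpireInDays 30

# 01: disable external sharing on confidential sites.
# Constructed list; derive it from site classification/sensitivity in a real tenant.
$confidentialSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Legal"
)
foreach ($url in $confidentialSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# 05: review. Which sites still allow external sharing, and who are the external users?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object Url

Get-SPOExternalUser -PageSize 50 |
    Select-Object Email, AcceptedAs, WhenCreated, InvitedBy
```

A site-level SharingCapability can only be as permissive as the tenant setting, so the tenant value is the ceiling and the per-site value the place to tighten. Get-SPOExternalUser pages 50 at a time; loop over -Position for tenants with more external users than that.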
56. SCENARIO: GUEST ACCESS AND EXTERNAL ACCESS
John: We need to be very selective on who we collaborate with. We use "allow lists" for external access to limit collaboration to specific domains. We do not allow guest users into our Confidential sites.
Kate: We allow our users to collaborate with external users, however, we currently prevent guest users while we establish our organizational collaboration culture in Teams and define our classification scheme.
Chad: We allow communication with any external parties. We do not want to impede our users' ability to do more. We train our end-users to periodically monitor the 'Shared with external users' list.
58. WHERE TO START: 4 PLACES…
01 DATA CLASSIFICATIONS: Document your organization's data classifications to build your classification scheme (keep it simple).
02 UNDERSTAND WHERE SENSITIVE DATA IS: Monitor where your sensitive data is located to start building your organization's protection strategy where it will have the biggest impact.
03 ENFORCE AND AUTOMATE POLICIES: Determine policies to enforce based on your classification scheme: sensitivity, retention, privacy, guest access, conditional access. Automate as much as you can during the provisioning process.
04 EDUCATE USERS: Educate information workers across your organization to know how to work with sensitive data. Consider a "Teamwork Agreement" and a "User Resource Center".
59. LICENSING
Feature discussed today | Office 365 E3 | Microsoft 365 E3 | Office 365 E5 / Microsoft 365 E5 Compliance / Office 365 Advanced Compliance | AIP Premium P1 | AIP Premium P2
Sensitivity labels | Yes | Yes | Yes | Yes | Yes
Sensitivity label auto-apply (automatic or recommended) | No | Yes | Yes | No | Yes
DLP protection for SPO, EXO, OneDrive (incl. Microsoft Teams files) | Yes | Yes | Yes | N/A | N/A
DLP for Microsoft Teams chat/channel messages | No | Yes | Yes | N/A | N/A
Retention Policies | Yes | Yes | Yes | N/A | N/A
Retention Labels (manual) | Yes | Yes | Yes | N/A | N/A
Retention Labels auto-apply | No | Yes | Yes | N/A | N/A
Trainable Classifiers | TBD | TBD | TBD | N/A | N/A
Data Classification | No | Yes | Yes (also Advanced Threat Intelligence add-on) | N/A | N/A
60. CAPABILITIES MENTIONED TODAY
Coming soon or here…
• Sensitivity labels for Office Apps: GA
• Sensitivity labels for Teams/Sites/Groups: GA
• Sensitivity labels with protection in SharePoint and OneDrive: GA
• Auto-classification with Sensitivity labels in M365: Public Preview
• Trainable Classifiers: Public Preview
• Data Classification: GA
Top of mind for rest of year…
• External sharing based on Sensitivity
• Separation of Sensitivity labels (Doc/Emails vs. Sites/Teams/Groups)
• Inherit the label (w/encryption) on the site to documents in that site
Survey for your feedback
64. rencore.com
Moving from AIP to Unified Sensitivity Labels
• AIP Classic client and Label Management in the Azure Portal will be deprecated on March 31, 2021
• Steps for migrating: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels
• Compare the labeling clients: AIP Classic client VERSUS Unified Labeling client VERSUS Office built-in labeling client: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labeling-clients-for-windows-computers