Understand where your sensitive data is located and intelligently protect it with Microsoft 365

November 4, 2019
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

Do you know where your organization’s sensitive and business critical data is located, how it is being accessed, and how it is being shared? As we speak with customers, we realize that most organizations can’t answer this question definitively. This represents a significant challenge as these very same organizations are also facing numerous worldwide compliance requirements that mandate not only understanding where this sensitive data lives, but also protecting it.  

Organizations today face a daunting task as they embark on their information protection journey. The amount of data they must find is enormous and is likely to be stored across varying devices and in multiple disparate locations from on-premises to the cloud.

We have spent several years working with our customers to better understand their challenges and develop Microsoft 365 solutions that leverage intelligence and machine learning to simplify an otherwise complex and manual process. Today we are excited to announce several capabilities rolling out in preview for Microsoft Information Protection to help organizations protect their information wherever it lives and wherever it travels.

Know your data

The first step in the journey for organizations to better protect their data is to get an understanding of their data landscape. The new Data Classification tab has an overview page that shows you the volume of sensitive data across your digital estate. Currently, data across Exchange Online, SharePoint Online and OneDrive for Business is categorized by sensitive information types or personally identifiable information (PII).


Activity Explorer shows document-level activities like label changes and label downgrades, such as from confidential to general, across various locations. Understanding these activities gives you the ability to identify the right policies for protection or data loss prevention (DLP) to ensure your most important data is secure.


Classify your unique data

Not all data is created equal, and every organization on the planet has data that is unique to them, whether these are contracts, invoices, or customer records. You can use artificial intelligence and machine learning to intelligently classify data that is unique to your organization. Built-in classifiers will be able to intelligently detect resumes and offensive language using a combination of words and context, while build-your-own trainable classifiers let you train your own classifiers to look for data that is unique to your organization, such as customer records, HR data, contracts, etc. Now in public preview, these trainable classifiers can be used in combination with retention labels to automatically label data and apply policies. We are just getting started! The ability to use these classifiers in combination with sensitivity labels will start rolling out into preview by the end of the year.


Protect your data

Once you understand your sensitive data landscape, you are in a stronger position to implement the protection policies to meet internal security goals and external compliance requirements. The following new capabilities are rolling out to help you intelligently protect your sensitive information:

  • Easily apply sensitivity labels in Office apps on Windows, Mac, iOS and Android
  • Automatically label using sensitive info types in Office on Windows, Office for the web, and Teams
  • Protect Power BI artifacts with sensitivity labels
  • Take advantage of support for protected PDF files in Microsoft Edge and Office 365 Message Encryption
  • Extend labeling and protection to third-party apps and services with new partner integrations

Let’s take a closer look at these enhancements.

Natively applying sensitivity labels in Office

Outlook mobile

Earlier this year we released additional support for sensitivity labeling built directly into Office apps – on Windows, Mac, iOS and Android. We’ve recently expanded support for the labeling experience, and now Outlook mobile (iOS and Android) and Outlook on the web also include sensitivity labeling capabilities. The experience is similar to labeling in other Office apps, making it familiar and consistent for end users, enabling them to stay productive while keeping sensitive data secure.


Office for the web

Sensitivity labels are now available in preview natively in Office for the web. The experience is similar to labeling in other Office apps, wherein users can view and manually apply the label. You can also apply a label that has encryption policies to a file in Office for the web, and you get much richer modern productivity experiences like co-authoring for encrypted files in Office for the web. You can also govern these encrypted files in SharePoint and OneDrive with Data Loss Prevention and eDiscovery, much like any other files.

Learn more at https://aka.ms/OfficeLabels


  Apply sensitivity labels to documents while working in Office for the web


Auto-classification now built into Office ProPlus

Office 365 ProPlus on Windows now has the labeling experience built in directly, without requiring any Azure Information Protection plug-ins. While someone is working in a document or an email, if sensitive information is detected – based on the policies defined by your organization – a sensitivity label is either automatically applied or recommended to the user. The preview of automatic labeling is rolling out for Word, PowerPoint, and Excel (Outlook preview coming soon) in Office 365 ProPlus on Windows, as well as Office for the web and Outlook on the web.

Learn more at: https://aka.ms/officemipdocs.


 Automatically classify and label documents while working in Office apps

Extending to Microsoft Teams and Office 365 groups and SharePoint sites 

Outside of the clients, we are extending support to Teams, Office 365 Groups and SharePoint sites. This allows users to create a Team, Group or Site and simply select the sensitivity label they want applied. The initial site and group policies that can be associated with labels are: privacy, user membership, and unmanaged device access policy. Learn more at https://aka.ms/SPOLabels.


 Control access to sites and groups using sensitivity labels

Beyond Microsoft 365

Other productivity tools such as Microsoft Power BI, a leader in self-service and enterprise business intelligence, now also support classification, labeling and protection policies. It’s easy to apply a sensitivity label to Power BI artifacts, including dashboards and reports that are created from one or multiple data sources. This helps ensure persistent protection of the data even if it is exported to a file format such as Excel, as the exported file inherits the sensitivity label and associated protection settings.

Furthermore, integration with Microsoft Cloud App Security enables an additional level of control – for example, the ability to block the export of sensitive data if the user is accessing from an unmanaged machine. You can learn more in the Power BI blog.


 Apply sensitivity labels to Power BI assets – labels and protection settings persist even when data is exported

While customers are often most concerned with protecting Office files, PDF files are also pervasive and often contain sensitive information, which is important to protect, such as when sending as an attachment in an email. When using Outlook along with Exchange Online, if you encrypt an email or apply a sensitivity label that results in protection settings, the attached PDF now automatically inherits the protection policy that’s been applied to the email. This helps ensure that both the email and the attachment are only accessible by authorized individuals.

Viewing those labeled and protected PDFs directly from a browser is also important, and Microsoft Edge is the only browser to support the ability to view a protected PDF.

On-premises and third parties

To help customers manage sensitive information that resides in on-premises file repositories, an updated version of the Azure Information Protection scanner now supports unified labeling and enhancements to make it easier to manage and scale out your scanner deployments. This includes performance improvements and the ability to group scanners in clusters to make it easier to scale up or down your scanner deployments. Learn more about these updates in our blog.  

Finally, our integration partners extend information protection capabilities within their apps and services, providing more comprehensive and consistent protection experiences across a broad range of apps and services. New partner integrations include the ability to label and protect CAD files and new options to enforce DLP policies based on sensitivity labels. Learn more about our partner integrations in our blog.


 Autodesk Inventor integration with Microsoft Information Protection via Secude’s HaloCAD solution

Getting started

We’re excited to deliver these new capabilities and hear your feedback. Regardless of where you are in your information protection journey, there’s plenty to evaluate and start implementing. For the capabilities that are in public preview, get started today by either signing up for a Microsoft 365 E5 trial or navigating to the Microsoft 365 Compliance Center in your tenant.

Thank you!

Microsoft Information Protection team

Discuss this article in the Microsoft Technical Community.