Understand the impact of local regulations, the process to be compliant with them, and discover which features Microsoft provides out of the box on your tenant to share data securely.
Used at aMS Aachen 15/11/2022
2. Thanks to our sponsors
Organizing sponsor
Sponsors
3. aMS Aachen 15/11/2022 @SP_twit
About me
• 15+ years experience in SharePoint, M365, Content Services, Compliance
• Speaker and event organizer for aMS Community and MWCP
• Founding member of the Open-Source Project Harden 365
• Microsoft MVP “Enterprise Mobility” + “M365 Apps & Services” since 2017
• Follow me on Twitter @SP_twit or LinkedIn
4. Today
• CDO, ISSO and DPO share the same risks about data and documents
• Security and compliance
5. Sensitive data breach cost
• Source: IBM and Ponemon Institute's annual "Cost of a Data Breach" report
• “Companies that had security automation technologies deployed experienced around half the cost of a breach”
• +20% / 5Y
6. Personal data regulations
2010 – PDPA Personal Data Protection Act
Applies to all Malaysian citizens / companies
Fine: 500K MYR / 3Y jail
2018 – GDPR General Data Protection Regulation
Applies to all European citizens' personal data
Fine: 20M€ / 4% consolidated worldwide revenue
2020 – CCPA California Consumer Privacy Act
Personal data of Californian residents
750$ / Californian resident impacted + 7.5K$ / violation
2021 – PIPL Personal Information Protection Law
Personal information
Fine: RMB 50M / 5% annual revenue + additional penalties
9. Personal data
“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.”
Source: EU Commission
Examples:
• a name and surname; a home address;
• an email address such as name.surname@company.com;
• an identification card number;
• location data (for example the location data function on a mobile phone)*;
• an Internet Protocol (IP) address;
• data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
10. See what already exists with “Purview Content Explorer”
• Are those data sensitive?
11. 3 ways to detect
• SIT: Sensitive Info Types
◦ 200+ OOTB SIT
◦ Includes named entities
◦ Includes credentials
◦ Can create your own based on keywords or patterns (RegEx)
• EDM: Exact Data Match
◦ Input .csv / .tsv files with:
◦ Up to 100 million rows
◦ Up to 32 columns (fields)
◦ Up to 5 searchable columns (fields)
• TC: Trainable classifiers
◦ ~45 pre-trained classifiers
◦ Can create custom ones (10,000 samples required)
◦ Supports 8 languages including German
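As an added example (not from the deck, and not Microsoft's code), the following Python models how a custom SIT of the kind described above is evaluated: a primary regex pattern, a checksum validator applied to each match, and supporting keywords inside a proximity window that raise the confidence level. The SIT definition, keyword list, confidence values and sample text are assumptions constructed here; the IBAN in the sample is the widely published test value, not a real account.

```python
import re
from dataclasses import dataclass

# Confidence levels in the spirit of Purview's medium/high tiers (assumed values).
MEDIUM, HIGH = 75, 85

def iban_mod97_ok(iban: str) -> bool:
    """Checksum validator: ISO 7064 mod 97-10 over the rearranged IBAN."""
    s = iban.replace(" ", "").upper()
    rearranged = s[4:] + s[:4]                      # country + check digits go last
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1

@dataclass
class CustomSIT:
    name: str
    primary: re.Pattern                  # primary element: the regex pattern
    validator: object                    # checksum function applied to each match
    keywords: tuple                      # supporting evidence
    proximity: int = 300                 # window (chars) around the match

def scan(text: str, sit: CustomSIT) -> list:
    """Return (sit name, normalized value, confidence) for each validated match."""
    hits = []
    for m in sit.primary.finditer(text):
        value = m.group(0)
        if not sit.validator(value):
            continue                     # pattern matched but checksum failed: no hit
        lo, hi = max(0, m.start() - sit.proximity), m.end() + sit.proximity
        window = text[lo:hi].lower()
        evidence = any(k.lower() in window for k in sit.keywords)
        hits.append((sit.name, value.replace(" ", ""), HIGH if evidence else MEDIUM))
    return hits

# Hypothetical custom SIT for German IBANs (Purview ships a built-in one; this is illustrative).
GERMAN_IBAN = CustomSIT(
    name="Custom German IBAN",
    primary=re.compile(r"\bDE\d{2}(?: ?\d{4}){4} ?\d{2}\b"),
    validator=iban_mod97_ok,
    keywords=("IBAN", "Bankverbindung", "Kontonummer"),
    proximity=60,
)

# Constructed sample document; the valid IBAN is the well-known published test value.
SAMPLE = (
    "Bitte überweisen Sie den Betrag auf IBAN DE89 3704 0044 0532 0130 00.\n"
    "Altes Formular: DE00 3704 0044 0532 0130 00 (Prüfziffer ungültig).\n"
    "Interne Referenz ohne Kontext: DE89370400440532013000\n"
)
```

Running `scan(SAMPLE, GERMAN_IBAN)` yields two hits: the first at high confidence because the keyword "IBAN" sits next to it, the third line at medium confidence because only the pattern and checksum match, and the second line is dropped by the checksum.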
14. Sensitivity Labels
• Can be applied manually or automatically
• Encrypt your data
◦ Cannot be accessed by unauthenticated users
• Restrict actions
◦ Block copy/paste, printing, screenshots, etc.
• Watermark
◦ On Word & Excel files
• [EMS] Block copy to USB key or use on non-O365 services
◦ Windows Information Protection & Intune required
17. How it works
• Brings “permissions” to the file level
• Can be organized with labels / sub-labels
• Public/private key system and on-the-fly encryption (RSA 2048-bit public keys, SHA-256 for signatures)
See https://docs.microsoft.com/fr-fr/information-protection/understand-explore/how-does-it-work
• For the most sensitive content:
◦ Use DKE (Double Key Encryption) to use your own HSM (Hardware Security Module)
◦ Use a third-party key management system so that even Microsoft is unable to decrypt file content
◦ Beware of service limitations (antimalware, eDiscovery, search, Office Web Apps)
20. Retention policies
• Define & deploy retention policies for your tenant
◦ By SharePoint sites
◦ By mailboxes
◦ By Office 365 user groups
• Adaptive scopes: the new feature that helps you maintain those policies
21. Retention Labels
• Configure retention labels at tenant level to manage retention rules on email and documents
◦ Personal data, finances, etc.
• Automatic classification; delete or archive at the end of the retention period
◦ (e.g. last modification + XX years)
• Applying a retention label can also prevent wrongful deletion by users
26. Disposition reviews
• Compliance administrators can review (with the proper permissions) all records pending disposition
• A 1- to 5-step workflow
• More info: https://docs.microsoft.com/en-us/microsoft-365/compliance/disposition?view=o365-worldwide#disposition-reviews
27. Document Retention
• If a user deletes or adds a version to a file labeled as a record:
◦ A version of the document is sent to the Preservation Hold Library
◦ The document is stored until the end of its retention label or policy
◦ This PHL is only accessible by admins and compliance admins
• More info: https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-sharepoint?view=o365-worldwide
28. Event-based retention
• Retention based on organisational events:
◦ Employee leaving the organisation
◦ Contract expiring
◦ Enforcing product lifecycle and documentation
• Graph API available
30. DLP applies to
• Exchange Online email
• SharePoint Online sites
• OneDrive accounts
• Teams chat and channel messages
• Microsoft Defender for Cloud Apps
• Windows 10, Windows 11, and macOS (three latest released versions) devices
• On-premises repositories
• Power BI sites (preview)
31. Based on
• Properties
◦ SIT
◦ Sensitivity labels
◦ Trainable classifiers
◦ Retention labels
• Can use logical operators (AND / OR) and exceptions
• Allow or disallow end users to override the policy
32. Actions
• Show a pop-up policy tip to the user warning that they may be trying to share a sensitive item inappropriately
• Block the sharing and, via a policy tip, allow the user to override the block and capture the user's justification
• Block the sharing without the override option
• For data at rest, sensitive items can be locked and moved to a secure quarantine location
• For Teams chat, the sensitive information is not displayed
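As an added example (not the deck's or Microsoft's code), this Python models the rule logic the "Based on" and "Actions" slides describe: condition groups combined with AND/OR, exceptions that exempt an item, and the outcomes policy tip, block with justified override, and hard block. The rule, item contents and domain names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    """A scanned item: SIT hits (name -> count), labels and where it is going."""
    sits: dict
    labels: set = field(default_factory=set)
    recipient_domains: set = field(default_factory=set)

@dataclass
class Rule:
    name: str
    any_of: list        # OR of groups; each group is an AND of predicates
    exceptions: list    # any matching predicate exempts the item
    action: str         # "tip" | "block_override" | "block"

# Predicates mirror the condition kinds on the slide (SIT, labels, context).
def sit_at_least(name, n):
    return lambda it: it.sits.get(name, 0) >= n
def has_label(label):
    return lambda it: label in it.labels
def shared_outside(org_domain):
    return lambda it: any(d != org_domain for d in it.recipient_domains)
def shared_with(domain):
    return lambda it: domain in it.recipient_domains

def evaluate(item: Item, rule: Rule, justification: str = "") -> str:
    """Return the DLP outcome for one item under one rule."""
    if any(p(item) for p in rule.exceptions):
        return "allow"                       # an exception wins over the conditions
    if not any(all(p(item) for p in grp) for grp in rule.any_of):
        return "allow"                       # no condition group matched
    if rule.action == "tip":
        return "allow+policy_tip"            # warn only, sharing proceeds
    if rule.action == "block_override" and justification.strip():
        return "allow+override_logged"       # user justification is captured
    return "block"

# Hypothetical rule: personal data leaving contoso.example, except to a partner.
RULE = Rule(
    name="Personal data external sharing",
    any_of=[[sit_at_least("German IBAN", 1), shared_outside("contoso.example")],
            [has_label("Confidential"), shared_outside("contoso.example")]],
    exceptions=[shared_with("partner.example")],
    action="block_override",
)
# Constructed items to run through the rule.
INTERNAL = Item({"German IBAN": 3}, recipient_domains={"contoso.example"})
EXTERNAL = Item({"German IBAN": 1}, recipient_domains={"gmail.example"})
PARTNER = Item({"German IBAN": 1}, recipient_domains={"partner.example"})
```

`evaluate(EXTERNAL, RULE)` blocks, while the same call with a non-empty justification lets the item through and records the override, matching the second bullet of the "Actions" slide.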