aMS Aachen -Personal and confidential data - how to manage them in M365 2022-11-15

1
aMS Aachen
15.11.2022
Personal and
confidential data
How to manage them in M365
(EN)
Sébastien PAULET

Thanks to our SPONSORs
Vielen Dank an unsere Partner!
2
Organizing sponsor
Organisatorischer
Partner
Sponsors

aMS Aachen 15/11/2022 @SP_twit 3
About me
• 15+ years experience in SharePoint, M365, Content Services,
Compliance
• Speaker and event organizer for aMS Community and MWCP
• Founding member of the Open-Source Project Harden 365
• Microsoft MVP “Enterprise Mobility” + “M365 Apps & Services” since
2017
• Follow me on Twitter @SP_twit or LinkedIn

aMS Aachen 15/11/2022 @SP_twit
Today
• CDO, ISSO, DPO share same risks about data and documents
Security Compliance

Sensitive data breach cost
• Source IBM and Ponemon
Institute's annual "Cost of a
Data Breach" report
• “Companies that had security
automation technologies
deployed experienced around
half the cost of a breach”
+20% / 5Y

Personnal data regulations
2010 – PDPA Personal Data Protection Act
Applies to all Malaysian citizen / companies
Fine: 500K MYR / 3Y jail
2018 – GDPR General Data Protection Regulation
Applies to all european citizen personal data
Fine: 20M€/4% consolidated worldwide revenue
2020 - CCPA California Consumer Privacy Act
Personnal data of californian residents
750$ / californian resident impacted + 7,5K$/violation
2021 – PIPL Personal Information Protection Law
Personal information
Fine : RMB 50M / 5% annual revenue + additional penalties

Discovery and data management is a challenge

Personnal data
« Personal data is any information that relates to an identified or identifiable living individual. Different pieces of
information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains
personal data and falls within the scope of the GDPR.”
EU Commission
Examples :
• a name and surname; a home address;
• an email address such as name.surname@company.com;
• an identification card number;
• location data (for example the location data function on a mobile phone)*;
• an Internet Protocol (IP) address;
• data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

See existing with “Purview Content Explorer”
• Are those data sensitiv

3 ways to detect
SIT
Sensitive Info Types
200+ OOTB SIT
Includes Named
Entities
Includes Credentials
Can create your own
based on key words or
patterns (RegEx)
EDM
Exact Data Match
Input .csv .tsv files with:
Up to 100 million rows
Up to 32 columns (fields)
Up to 5 searchable
columns (fields)
TC
Trainable classifiers
~45 pre-trained
classifiers
Can create custom
ones (10.000 samples
required)
Supports 8 languages
including German

Retention labels
Sensitivity Labels

Sensitivity Labels
• Can be applied manually of Automatically
• Encrypt your data
• Impossible to access for non-authenticated users
• Restrict actions
• Block Copy/Paste, Printing, Screenshots, etc...
• Watermark
• On Word & Excel files
• [EMS] Block copy to USB key or use on non O365 services
• Windows information protection & Intune required

Demo creating & using Sensitivity Labels

Apply sentivity label new UX

How it works
• Brings “permissions” at file level
• Can be organized with labels / sub labels
• Public/private key system and on-the-fly encryption
(public keys RSA 2048 bits, and SHA-256 for signatures)
See https://docs.microsoft.com/fr-fr/information-protection/
understand-explore/how-does-it-work
• For most sensitive contents:
• Use DKE (Double Key Encryption) to use your own HSM (Hardware Security Module)
• Use a third-party key management system so even Microsoft is unable to decrypt file content
• Beware of service limitations (antimalware, eDiscovery, search, Office Web Apps)

Retention policies
• Define & deploy
strategies for your
tenant
◦ By sharepoint sites
◦ By mailboxes
◦ By Office365 usergroups
• Adaptive scope the new features that will help you maintain those strategies

Retention Labels
• Configure retention labels at tenant level to manage
retention rules on email and documents
• Personal data, Finances etc..
• Automatic classification , suppress or archive a the end of the
retention period
• (ex : last modification + XX years)
• Applying a Retention Label can also be used to prevent wrongful user suppression

Retention Labels in Teams

Demo creating a retention label

Trigger Power Automate Workflow

Auto-applying rules & Policy

Disposition reviews
• Compliance administrator can review (with proper permissions) all
records pending disposition
• A 1 to 5 steps workflow
• More infos https://docs.microsoft.com/en-us/microsoft-
365/compliance/disposition?view=o365-worldwide#
disposition-reviews

Document Retention
• If user deletes or adds a version to a file
labeled as record :
• A version of the document is sent to the
Preservation Hold Library
• The document will be stored until the end of its retention label
or strategy
• This PHL is only accessible
by admin and compliance admin
• More infos https://docs.microsoft.com/en-us/microsoft-
365/compliance/retention-policies-sharepoint?view=o365-
worldwide

Event based retention
• Retention based on organisational events :
• Employee leaving the organisation
• Contract expiring
• Enforcing product lifecycle and documentation
• Existing Graph API

DLP Applies to
• Exchange Online email
• SharePoint Online sites
• OneDrive accounts
• Teams chat and channel messages
• Microsoft Defender for Cloud Apps
• Windows 10, Windows 11, and macOS (three latest released versions)
devices
• On-premises repositories
• PowerBI sites (preview)

Based on
• Properties
• SIT
• Sensitivity labels
• Trainable classifiers
• Retention labels
• Can use logical operators (AND/ OR) and exceptions
• Allow or not end users to override policy

Actions
• show a pop-up policy tip to the user that warns them that they
may be trying to share a sensitive item inappropriately
• block the sharing and, via a policy tip, allow the user to override
the block and capture the users' justification
• block the sharing without the override option
• for data at rest, sensitive items can be locked and moved to a
secure quarantine location
• for Teams chat, the sensitive information will not be displayed

Actions

DLP policies applied through Edge

Get Alerts / reports

Licensing (thanks Aaron Dinnage)

aMS Aachen -Personal and confidential data - how to manage them in M365 2022-11-15

Recommended

Recommended

More Related Content

Similar to aMS Aachen -Personal and confidential data - how to manage them in M365 2022-11-15

Similar to aMS Aachen -Personal and confidential data - how to manage them in M365 2022-11-15 (20)

More from Sébastien Paulet

More from Sébastien Paulet (20)

Recently uploaded

Recently uploaded (20)

aMS Aachen -Personal and confidential data - how to manage them in M365 2022-11-15