Session about how to use Microsoft sensitivity labels and retention labels to improve compliance and information protection for content stored in M365.
Session given during aMS Southeast Asia on 10/16/2021
2. #amssea21 – Guillaume Letarnec - @SP_twit
Security today
• Zero Trust model: new compliance and information protection features
• It is impossible to encrypt/control/keep everything
• You need to classify your assets in order to control them
Discovery and data management is a challenge
Questions to ask
• Is this data sensitive?
• Does it engage the company's liability?
• Is there a risk in case of a leak?
• Is there a retention duration to manage?
Four steps: Report, Protect, Act, Defend
See what already exists with “Content Explorer”
• Is this data sensitive?
• Does it engage the company's liability?
• Is there a risk in case of a leak?
• How should its retention be managed?
Principles of retention: precedence between labels and policies
• More info: https://docs.microsoft.com/fr-fr/microsoft-365/compliance/retention?view=o365-worldwide
Retention policies
• Define and deploy retention strategies for your tenant:
◦ By SharePoint site
◦ By mailbox
◦ By Microsoft 365 group
• Adaptive scopes: a new feature that helps you maintain those strategies (scope membership is defined by a query on user, group or site attributes instead of a static list of locations)
Retention Labels
• Configure retention labels at the tenant level to manage retention rules on emails and documents
• Personal data, finance, etc.
• Automatic classification; delete or archive at the end of the retention period
• (e.g. last modification + XX years)
• Applying a retention label can also be used to prevent deletion by users, whether accidental or deliberate
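As an added worked example (not part of the session slides), the "big bucket" retention policy and the retention label described above can be created from Security & Compliance PowerShell instead of the portal. It assumes the ExchangeOnlineManagement module, an account holding the Compliance Administrator role, and the policy/label names, durations and admin UPN shown, all of which are illustrative; check the cmdlet parameters against Get-Help in your own tenant.

```powershell
# Added example, not from the aMS session: "big bucket" retention policy plus a
# finance retention label, created with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, the account used has
# the Compliance Administrator role; names, durations and UPN are illustrative.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Big-bucket retention policy for the whole tenant: keep everything in
#    SharePoint, OneDrive and Exchange for 3 years after creation, then do
#    nothing (action Keep, so this policy never auto-deletes content).
New-RetentionCompliancePolicy -Name "Tenant baseline 3y" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All
New-RetentionComplianceRule -Name "Tenant baseline 3y rule" -Policy "Tenant baseline 3y" `
    -RetentionDuration 1095 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# 2. Retention label for finance content: keep 7 years after last modification,
#    then delete. IsRecordLabel marks labeled items as records, which blocks
#    users from deleting them before the period ends.
New-ComplianceTag -Name "Finance - 7 years" -Comment "Invoices, ledgers, audit packs" `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 `
    -RetentionType ModificationAgeInDays -IsRecordLabel $true

# 3. Publish the label so users can apply it in SharePoint and OneDrive.
#    A label policy is simply a retention policy whose rule publishes tags.
New-RetentionCompliancePolicy -Name "Publish finance labels" `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Publish finance labels rule" -Policy "Publish finance labels" `
    -PublishComplianceTag "Finance - 7 years"

# 4. Check the result. Publication takes 1 to 24 hours to reach clients, so the
#    distribution status may still read Pending right after creation.
Get-ComplianceTag -Identity "Finance - 7 years" |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
Get-RetentionCompliancePolicy -Identity "Publish finance labels" -DistributionDetail |
    Format-List Name, DistributionStatus, SharePointLocation
```

The baseline policy uses the Keep action on purpose: a tenant-wide rule that deletes is hard to undo, so global retention only retains and the targeted label is the one allowed to delete.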
Deploy labels to your tenant
• Allow 1 h to 24 h for labels to propagate through your tenant
Event-based retention
• Retention period that starts from an organisational event rather than from the creation or modification date:
• An employee leaving the organisation
• A contract expiring
• The end of a product's lifecycle, to enforce retention of its documentation
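The employee-departure case above, as an added example that is not part of the session slides: the event type, the label whose clock starts at that event, and the event itself as HR would raise it. It assumes an existing Connect-IPPSSession and that the label is published by a label policy like any other retention label; the event type, label, reviewer address and employee ID "EMP-00123" are illustrative, and the asset-ID query syntax should be checked against the Microsoft docs for your tenant.

```powershell
# Added example, not from the aMS session: event-based retention for employee
# departures. Assumes an existing Connect-IPPSSession and that the label is
# published by a label policy. Event type, label name, reviewer address and the
# employee ID EMP-00123 are illustrative.

# 1. Define the organisational event the label will wait for.
New-RetentionEventType -Name "Employee departure" -Comment "Raised by HR at offboarding"

# 2. Label whose period is counted from the event (EventAgeInDays), not from
#    creation or modification: keep 10 years after departure, then send the
#    items to a disposition review instead of deleting them silently.
New-ComplianceTag -Name "HR - 10 years after departure" `
    -RetentionAction KeepAndDelete -RetentionDuration 3650 `
    -RetentionType EventAgeInDays -EventType "Employee departure" `
    -ReviewerEmail "records-manager@contoso.com"

# 3. Labeled documents must carry an asset ID (the "Asset Id" column in
#    SharePoint, internal name ComplianceAssetId) such as EMP-00123, so that an
#    event can be matched to exactly the files of the person who left.

# 4. When the employee leaves, HR (or an automated HR workflow) raises the
#    event. Only items with a matching asset ID start their 10-year clock;
#    EventDateTime is the date the period is counted from.
New-ComplianceRetentionEvent -Name "Departure of EMP-00123" `
    -EventType "Employee departure" `
    -SharePointAssetIdQuery "ComplianceAssetId:EMP-00123" `
    -ExchangeAssetIdQuery "EMP-00123" `
    -EventDateTime (Get-Date "2021-10-16")

# 5. Confirm the event was recorded.
Get-ComplianceRetentionEvent | Format-Table Name, EventType, EventDateTime
```

Raising an event without an asset-ID query would start the clock on every item carrying the label, so the asset ID is what keeps one departure from affecting other employees' records.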
Disposition reviews
• A compliance administrator (or any user given the Disposition Management role) can review all items pending disposition before they are deleted
• A workflow of 1 to 5 review stages
• More info: https://docs.microsoft.com/en-us/microsoft-365/compliance/disposition?view=o365-worldwide#disposition-reviews
Protecting your data
• If a user deletes, or saves a new version of, a file that is retained by a retention policy or label (including a record label):
• A copy of the document is sent to the Preservation Hold Library (PHL)
• The document is kept there until the end of its retention label or policy
• The PHL is only accessible to administrators (site collection admins and compliance admins), not to regular users
• More info: https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-sharepoint?view=o365-worldwide
Sensitivity Labels
• Can be applied manually or automatically
• Encrypt your data
• Content cannot be opened by users who are not authorised by the label
• Restrict actions
• Block copy/paste, printing, screenshots, etc.
• Watermark
• On Word, Excel and PowerPoint files (headers/footers only for emails)
• [EMS] Block copying to USB keys or using the file with non-Office 365 services
• Windows Information Protection and Intune required
How it works
• Brings “permissions” (usage rights) down to the file level
• Can be organised as labels / sub-labels
• Public/private key system with on-the-fly encryption (the content itself is encrypted with AES; the content key is protected with RSA 2048-bit keys; SHA-256 is used for signatures)
See https://docs.microsoft.com/fr-fr/information-protection/understand-explore/how-does-it-work
• For the most sensitive content:
• Use DKE (Double Key Encryption)
• One key stays in Azure and the other in a key service you control (your own DKE service or a third-party key management system), so even Microsoft alone is unable to decrypt the file content
• Beware of service limitations: DKE-protected content gets no anti-malware scanning, eDiscovery, search indexing or Office Web Apps
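To make the "permissions at file level" and label/sub-label points concrete, here is an added example (not from the session slides) that defines a parent label, a sub-label with encryption, usage rights, an offline-access limit and a watermark, and publishes them to one group with Security & Compliance PowerShell. It assumes an existing Connect-IPPSSession; the label names, group addresses and marking text are illustrative, and the rights-definition string format is the one documented for New-Label.

```powershell
# Added example, not from the aMS session: a sensitivity sub-label with
# encryption, usage rights, offline-access limit and watermark, published to one
# group. Assumes an existing Connect-IPPSSession; label names, group addresses
# and marking text are illustrative.

# Parent label: a container only, used to group sub-labels in the Office UI.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Parent label for confidential content"

# Usage rights granted by the label, as "identity:RIGHT,RIGHT;identity:RIGHT".
# Finance can view and edit but gets no PRINT, EXTRACT (copy) or EXPORT right,
# which is what blocks printing, copy/paste and save-as-unprotected in Office;
# auditors are view-only. Anyone not listed cannot open the content at all.
$rights = "finance@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL,FORWARD;" +
          "auditors@contoso.com:VIEW,VIEWRIGHTSDATA"

New-Label -Name "Confidential-Finance" -DisplayName "Finance" -ParentId "Confidential" `
    -Tooltip "Financial data restricted to Finance and external auditors" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionOfflineAccessDays 7 `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Confidential - Finance" `
    -ApplyContentMarkingFooterEnabled $true `
    -ApplyContentMarkingFooterText "Classification: Confidential - Finance"

# Publish both labels to the Finance group only, and require a justification
# whenever a user lowers the classification (RequireDowngradeJustification).
New-LabelPolicy -Name "Finance sensitivity labels" `
    -Labels "Confidential", "Confidential-Finance" `
    -ExchangeLocation "finance@contoso.com" `
    -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# Read back what was configured.
Get-Label -Identity "Confidential-Finance" |
    Format-List DisplayName, ParentId, EncryptionEnabled, EncryptionRightsDefinitions, EncryptionOfflineAccessDays
```

EncryptionOfflineAccessDays 7 forces a client to re-acquire a use licence from the service at least weekly, so a user removed from the Finance group loses access to cached copies within that window rather than indefinitely.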
In a nutshell
• EXPLORE
• Use Content Explorer to discover where content containing sensitive information is stored
• COMPLIANCE
• Manage global (“big bucket”) retention with retention policies by mailbox/OneDrive/SharePoint
• Classify specific content types with retention labels to keep track of them and/or delete them automatically
• Use an auto-apply policy if there are criteria (properties, keywords, sensitive info types) (Office 365 E5 required), or try trainable classifiers (Microsoft 365 E5 Compliance) or SharePoint Syntex
• SECURITY
• Classify with sensitivity labels to avoid data leaks (Office 365 E3 required)
• Use an auto-apply policy if there are criteria (properties, keywords, sensitive info types) (Office 365 E5 required)
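The two auto-apply steps in the summary, as an added example that is not part of the session slides: a retention rule and a sensitivity auto-labeling policy that both use a built-in sensitive information type as the criterion. It assumes an existing Connect-IPPSSession, that a retention label named "Finance - 7 years" and a sensitivity label named "Confidential-Finance" already exist, and the E5 licensing noted above; names are illustrative and the cmdlet parameters should be checked against Get-Help in your tenant.

```powershell
# Added example, not from the aMS session: auto-apply a retention label and a
# sensitivity label using a sensitive information type as the criterion.
# Assumes an existing Connect-IPPSSession and that the labels "Finance - 7 years"
# (retention) and "Confidential-Finance" (sensitivity) already exist.

# 1. Retention: auto-apply the finance label to any SharePoint/OneDrive item
#    holding at least one credit card number (built-in sensitive info type).
New-RetentionCompliancePolicy -Name "Auto-apply finance retention" `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Credit card => Finance label" `
    -Policy "Auto-apply finance retention" `
    -ApplyComplianceTag "Finance - 7 years" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" })

# 2. Sensitivity: auto-label the same content, but start in simulation mode so
#    the matches can be reviewed before anything is encrypted. Encryption
#    applied by a wrong match locks legitimate users out, so never go straight
#    to Enable on a new rule.
New-AutoSensitivityLabelPolicy -Name "Auto-label finance" `
    -ApplySensitivityLabel "Confidential-Finance" `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Policy "Auto-label finance" -Name "Credit card numbers" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -Workload SharePoint, OneDriveForBusiness

# 3. After reviewing the simulation results in the compliance portal, turn
#    the policy on for real.
Set-AutoSensitivityLabelPolicy -Identity "Auto-label finance" -Mode Enable
```

Retention auto-apply has no simulation mode, but a wrongly applied retention label is recoverable (the content is merely kept), whereas wrongly applied encryption is not, which is why only the second policy is staged.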
Brought to you by:
Community for Azure, Microsoft 365 & SharePoint
Thank you
Do join us for other sessions in different tracks!