Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Webinar: Protect your teams work across office 365

337 views

Published on

With Microsoft Teams and modern SharePoint team sites being created at a record pace, how can you keep all of that content secured, protected, and retained? Microsoft MVP Joanne Klein (@JoanneCKlein) explains.

Published in: Technology
  • Be the first to comment

Webinar: Protect your teams work across office 365

  1. 1. Protect your Teamswork acrossOffice 365 with Joanne Klein Office Apps & Services MVP Webinar -November 21, 2019 @ 2:00 PM (ET)
  2. 2. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Agenda for today THEROOT CONCERN THESHARED RESPONSIBILITY MODEL PROTECTINGYOUR SENSITIVE INFORMATION RETAININGYOUR TEAM WORK COLLABORATING WITHEXTERNAL USERSSECURELY EDISCOVERYAND YOURTEAM WORK
  3. 3. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx “Employ smart governance to control sprawl while enablingafriction-free collaboration experience.” -KaruanaGatimu
  4. 4. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Discovering and managing data is challenging of corporate data is “dark” ‒ itʼs not classified, protected nor governed2 >80% Protecting and governing sensitive data is the biggest concern in complying with regulations3 #1 of organizations no longer have confidence to detect and prevent loss of sensitive data1 88% 1. Forrester. Security Concerns, Approaches and Technology Adoption, December 2018 2. IBM. Future of Cognitive Computing, November 2015 3. Microsoft GDPR research, 2017
  5. 5. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Not all Teams are created Equal Company Department/Division Workgroups Authoritative curated content 1:many broad conversations Functional units Few:many specific conversations Transient groups Microsoft Teams, Yammer, SharePoint Cross-collaboration
  6. 6. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx IT Business Employee IT AdminLegal/Compliance Security officer Roles and their needs
  7. 7. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx A Shared Responsibility Model 220+ updates per day from 1000 regulatory bodies¹ Get your electronic house in order! ¹ Thomson Reuters, "Cost of Compliance 2018 Report: Your biggest challenges • Leverage the shared responsibility model • Coordinated effort of 3 groups
  8. 8. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Business information workers IT Teams Legal, Risk, Compliance, Governance Teams Information Governance has 3 Stakeholder groups!
  9. 9. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Legal constraints and obligations (eDiscovery) Regulatory obligations (Government/Industry regulations) Contractual obligations (Payment card industry requirements) Legal, Risk, Compliance, Governance Teams…
  10. 10. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Types of Governance
  11. 11. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx John works in the IT department of Woodgrove bank. They usually use restrictive settings. Kate works in the IT department of Contoso. They always try to find the best balance between user freedom and IT control. Chad works in the IT department of Tailspin Toys. They want to drive productivity by removing as many barriers as possible. Scenario-based governance and controls
  12. 12. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx We control site provisioning with a strict approval process and automation to control external access, naming conventions, and protection. We leverage consistent site designs for our users and allow them to provision sites without approval. We follow-up after-the-fact for additional guidance and controls. We use out-of-the-box provisioning features in our tenant. End-users know what they want and we donʼt want to get in their way. John Kate Cha d Scenario: Self-serve site creation
  13. 13. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Container and Content Governance Protecting your (sensitive) team work Retaining your team work
  14. 14. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx IDENTIFY VALUABLE CONTENT Require classification for containers Scan with Data Loss Prevention (DLP) PROTECT ASSETS Retention/Deletion Use Conditional Access Use Information Rights Management (IRM) ENSURE ACCOUNTABILITY Manage group/site ownership Review external membership EMPOWER EMPLOYEES Self-service site creation Life-cycle management Container and Content Governance
  15. 15. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx DATA LOSS PREVENTION (DLP) Use DLP to govern your sensitive data (team work) SENSITIVITY LABELS Use sensitivity labels to identify and protect your data (team work) KNOW YOUR DATA Understand where your sensitive data lives, what users are doing with it and why it may be at risk GET READY Define your classification scheme wherever it lives!Protect your sensitive team work
  16. 16. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Highly confidential The most critical data for Microsoft. Share it only with named recipients. Confidential Crucial to achieving our goals. Limited distribution ‒ on a need-to-know basis. General Daily work product used and shared throughout Microsoft, like personal settings and zip codes. Share it throughout Microsoft internally. Public Public data is unrestricted data meant for public consumption like publicly released source code and announced financials. Share it freely. Define your classification scheme
  17. 17. End-user experience with Sensitivity labels Office apps: Outlook on the web: iOS Outlook app: Office for the web rolling out now!
  18. 18. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Public Preview announced at Microsoft Ignite! Rolling out by end of year
  19. 19. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx BASED ON SENSITIVE INFORMATION TYPES HELP IF USER FORGETS TO SET A LABEL WILL SEE IN SENSITIVITY COLUMN IN SHAREPOINT ENCRYPTED (PROTECTED) FILES OPEN AND EDIT IN OFFICE ONLINE CO-AUTHORING ALLOWED SEARCHABLE Allows for DLP and eDiscovery 2 new Sensitivity Label Features AUTO-LABELING FILES AT RES IN SHAREPOINT
  20. 20. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx • Detects when an action conflicts with a DLP policy • They can: • Prevent content from being shared • Allow end-user to override • Can now use sensitivity label as a condition • DLP for Microsoft Teams blocks sensitive content when shared with Microsoft Teams users who have: • guest access in teams and channels; or • external access in meetings and chat sessions Data Loss Prevention (DLP) to govern team work
  21. 21. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx DLP and Microsoft Teams
  22. 22. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx DLP Roadmap
  23. 23. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Enforce conditional access to sensitive data DLP actions to block sharing Encrypt files and emails based on sensitivity label Prevent data leakage through DLP policies based on sensitivity label Business data separation from personal data on devices Manually apply sensitivity label consistently across apps, applications, and endpoints Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP Visual markings to indicate sensitive documents across apps/services: watermark, lock icon, sensitivity column Co-author and collaborate with sensitive documents Enable searching and eDiscovery of encrypted files in SharePoint SECURE DATA ENABLE PRODUCTIVITY Striking a balance
  24. 24. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Scenario: Protecting your sensitive content We automatically apply sensitivity labels to our content and will require users to provide a reason for override if necessary. We use DLP across all locations. We allow our users to collaborate freely with external users, however, we are currently monitoring when sensitive information is being shared to build our DLP policies. We apply a default sensitivity label to all content and rely on our users to adjust it if necessary. We allow external sharing on all sites. John Kate Cha d
  25. 25. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx DELETE “Delete all team collaboration content 8 years after its last modified date” RETAIN “Retain all Access Request forms for 5 year” RETAIN and DELETE “Retain all customer information for 10 years and then delete it after review” Retaining content where you work (“Built-in” compliance) Applying retention across your team work
  26. 26. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Collaboration Workspace Retention Policy Retention Label (Label Policy) Exchange mailbox Yes Yes OneDrive for Business site Yes Yes SharePoint site Yes Yes Office 365 Group Yes Yes Chat and channel messages (1-day retention allowed) Yes No Meeting recordings No No Applying retention across your team work
  27. 27. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx End-user applies a retention label on a specific document or email. MANUALLY APPLIED Automatically apply retention based on location, sensitive information type, keyword, content type, or metadata. Automatically apply a retention label from a Microsoft Flow. AUTOMATICALLY APPLIED Using machine learning to apply a retention label based on a trainable classifier. MACHINE-LEARNING APPLIED ** MANUAL AUTOMATIC MACHINE LEARNING Applying retention across your team work
  28. 28. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Applying retention acrossyour team work … at scale AUTOMATIC MANUAL MACHINE LEARNING
  29. 29. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx #1 ‒ Automatically apply at a document library level #2 ‒ Automatically apply at a folder or document set level #3 ‒ Auto-apply based on a sensitive information type #4 ‒ Auto-apply based on a keyword query #5 ‒ Auto-apply based on a content type #6 ‒ Auto-apply based on a metadata value #7 ‒ Automatically set using Microsoft Flow #8 ‒ Auto-apply based on a Trainable Classifier (Available soon!) Ways to Auto-apply a Retention label
  30. 30. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx OFFENSIVE LANGUAGE SOURCE CODE RESUMESPROFANITY THREAT TARGETED HARASSMENT Powered by Machine Learning 6 built-in classifiers Build your own custom Classifiers! Trainable Classifiers (Public Review)
  31. 31. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Use when publishing a retention label…
  32. 32. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Rolling out into Preview by end of year Trainable Classifiers with Sensitivity Labels…
  33. 33. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx We have retention labels published aligning to our File Plan to retain regulated content with disposition review. We have retention policies on Teams chat and channel messages. We have retention policies published across collaboration locations including Microsoft Teams. This is transparent to our end-users but still allows it to be discoverable. We have a few retention labels defined for our most valuable content. We use auto-apply so end-users donʼt have to remember to do it. John Kate Cha d Scenario: Retaining your team work
  34. 34. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Itʼs10 oʼclock. Do you know where you datais?
  35. 35. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Security Governance Collaborating with external users securely
  36. 36. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Configured in the Teams admin center for org External access users have no access to Teams or Teams resources Allows external users in other domains to find, call, chat, and set up meetings with you Default: allow all external domains, can add allowed domains or blocked domains Gives access permission to an entire domain Enabled in the Teams admin center for org Grant external user access to existing Teams and Channels in Microsoft Teams Teams administrator can control which features guests can and canʼt use in Microsoft Teams Anyone not part of your organization can be added as a guest in Teams Gives access permission to an individual user EXTERNAL ACCESS GUEST ACCESS Collaborating with “externals”
  37. 37. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx ALLOWING IT Allow all domains (default), some domains, or block some domains. RECOMMENDATIONS Use allow/deny lists for your external partner domains. ALLOWING IT Can be set at a Teams org-wide level or a Teams/Group level. Can control who can allow guests to be added (guest inviter role). RECOMMENDATIONS Leverage the “Guest Inviter” role. Audit what Guest users are doing via Audit logs. GUEST ACCESS EXTERNAL ACCESS AVAILABLE SOON Disable guest access at a Teams/Site level based on sensitivity of Team/Site. AVAILABLE SOON Automatic expiration of external user access Collaborating with External users securely
  38. 38. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx • Have a strategy! • Teach users the importance of sharing • Set at tenant level • Further restrict at site level External Sharing
  39. 39. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx COLLABORATION Enable external sharing by default. Disable based on classification. DOMAINS Limit domains as required. EDUCATE Educate your users on how to share and what to share. ANYONE LINKS New: Use DLP to prevent “Anyone Links” from SharePoint/ODFB for sensitive documents. AUDIT Make security audits part of your governance process. 01 02 03 04 05 External Sharing recommendations
  40. 40. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Scenario: Guest access and external access We need to be very selective on who we collaborate with. We use “allow lists” for external access to limit collaboration to specific domains. We allow our users to collaborate with external users, however, we currently prevent guest users while we establish our organizational collaboration culture in Teams. We allow communication with any external parties. We do no want to impede our usersʼ ability to do more. John Kate Cha d
  41. 41. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Discovery Governance Discoverability of your team work
  42. 42. Information Governance Identification Preservation & Collection Processing Review Production Presentation Analysis eDiscovery process Volume Relevance 1Reference: https://www.edrm.net/resources/frameworks-and-standards/edrm-model/ The Electronic Discovery Reference Model1
  43. 43. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx • Redact sensitive content (Advanced eDiscovery) • Use electronic holds (retention policies) to retain content • Available now: • Reconstruct Teams conversations in Advanced eDiscovery • Discover a userʼs teams automatically (Teams and SharePoint sites) • Available by end of year: eDiscovery for Yammer! Discovery of your team work
  44. 44. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Teams message view to…
  45. 45. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx …conversation threading in eDiscovery
  46. 46. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Summary
  47. 47. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx CLASSIFICATIONS 01 Document your organization’s data classifications (keep it meaningful) ENFORCE POLICIES 03 Determine policies to enforce based on the classification: sensitivity, retention, privacy, guest access, conditional access EXTERNAL USER STRATEGY 02 Establish your external user strategy for collaboration including guest access, external access and external sharing. EDUCATE USERS 04 Educate/train information workers across your organization on “e-safety in the org” Takeaways from today
  48. 48. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx • Set public vs. private based on classification • External sharing limited based on classification • Guest membership disallowed with classification COMING SOON IN PRODUCT • Ownership accountability: (1 full-time, 2 people, re- attestation • Limit reach based on classification • Set and validate policies and divisional policies on groups and SharePoint • Membership management (org based; profile based) CUSTOMIZATIONS • Enable self-service site collection/group creation • Collect classification for all containers • User awareness: display classification • Enforce naming rules • Usage guideline visibility • Life cycle: 6-month expiry • Multi-geo; provision based on user’s region • Membership life cycle: enforce external renewals IN PRODUCT (OFFICE 365/AZURE AD) How Microsoft enforces policy on their team work
  49. 49. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Feature discussed today Office 365 E3 Microsoft 365 E3 Office 365 E5 Microsoft 365 E5 Compliance Office 365 Advanced Compliance AIP Premium P1 AIP Premium P2 Sensitivity labels Yes Yes Yes Yes Yes Sensitivity label auto-apply (automatic or recommended) No Yes Yes No Yes DLP protection for SPO, EXO, OneDrive (incl. Microsoft Teams files) Yes Yes Yes N/A N/A DLP for Microsoft Teams chat/channel messages No Yes Yes N/A N/A Retention Policies Yes Yes Yes N/A N/A Retention Labels (Manual) Yes Yes Yes N/A N/A Retention Labels auto-apply No Yes Yes N/A N/A Trainable Classifiers TBD TBD TBD N/A N/A Group Expiration Azure AD Premium P1 Azure AD Premium P1 Azure AD Premium P1 N/A N/A Core eDiscovery Yes Yes Yes N/A N/A Advanced eDiscovery No Yes Yes N/A N/A Licensing
  50. 50. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx • Trainable Classifiers: Public Preview, rolling out now • Sensitivity labels for Teams/Site/Groups: Public Preview, rolling out now (Starts Nov. 20, 2019) • Sensitivity labels with Protection for Files: Public Preview • Sensitivity labels in Office for the web: Preview, rolling out now • Threaded Teams conversations for eDiscovery: https://aka.ms/SPOLabels Microsoft Ignite Announcements relating to today
  51. 51. @JoanneCKlein joannecklein@nexnovus.com joannecklein.com SharePoint & Office 365 consultant | Data Protection | Data Retention | Data Governance | eDiscovery Letʼs connect!
  52. 52. Webinar-ProtectyourTeamsworkacrossOffice365 JoanneKleinx Thank you.

×