
Protecting your Teams Work across Microsoft 365


  1. rencore.com | CHAPTER II | Protecting your Teams work across Microsoft 365 | Joanne Klein
  2. SYNOPSIS
     • With Modern Team sites and Microsoft Teams being created at a record pace these days, are you concerned how content within them can be secured, protected, and retained?
     • Join me in this session to learn how various Office 365 features work together to address these requirements so you can breathe a little easier.
     Key Takeaways:
     • Understand Microsoft's shared responsibility model and what this means for you
     • Ways to prevent sensitive information in your Teamwork from leaving your organization
     • How to apply retention across your Teamwork
     • How to have oversight across your sensitive Teamwork
  3. Hi! I’m Joanne! @JoanneCKlein joannecklein@nexnovus.com joannecklein.com SharePoint & Office 365 consultant | Data Protection | Data Retention | Data Governance | eDiscovery
  4. Agenda for today (viewed thru a Governance Perspective): THE SHARED RESPONSIBILITY MODEL • PROTECTING YOUR SENSITIVE INFORMATION • RETAINING YOUR TEAMWORK • COLLABORATING WITH EXTERNAL USERS • WHERE TO START
  5. DISCOVERING AND MANAGING DATA IS CHALLENGING
     • >80% of corporate data is “dark” (not classified, protected nor governed)²
     • 88% of organizations no longer have confidence to detect and prevent loss of sensitive data¹
     • #1 concern: protecting and governing sensitive data to comply with regulations⁴
     • 40% of CXOs indicate that Information Security is a primary risk from COVID-19³
     Sources: 1. Forrester, Security Concerns, Approaches and Technology Adoption, December 2018; 2. IBM, Future of Cognitive Computing, November 2015; 3. Gartner CXO survey; 4. Microsoft GDPR research, 2017
  6. NOT ALL TEAMS ARE CREATED EQUAL
     • Company: authoritative curated content; 1:many broad conversations
     • Department/Division: functional units; few:many specific conversations
     • Where Teamwork happens (Microsoft Teams, Yammer, SharePoint): transient groups; cross-collaboration
  7. A SHARED RESPONSIBILITY MODEL
     • Support for >90 global, national, regional, and industry-specific regulations
     • Get your own digital house in order!¹
     • Leverage the shared responsibility model
     • Coordinated effort of 3 groups
     ¹ Thomson Reuters, “Cost of Compliance 2018 Report: Your biggest challenges”
  8. INFORMATION GOVERNANCE HAS 3 STAKEHOLDER GROUPS! Business information workers
  9. In one corner, we have firewalls, encryption, anti-virus software, conditional access, MFA, DLP, sensitivity labels, external sharing strategies, auto-provisioning solutions,… And in the other corner… we have “Steve”
  10. BUSINESS INFORMATION WORKERS: HELP THEM MAKE A “DIGITAL MIND-SHIFT”
     • BE “CYBER-SECURE”
     • SHIFT FROM AN “IN-PERSON” TO AN “ONLINE” MINDSET
     • KNOW HOW TO EFFECTIVELY USE MODERN COLLABORATION TOOLS
     • KNOW HOW TO COLLABORATE SECURELY ACROSS ALL NETWORKS
  11. HELP USERS BE “CYBER-SECURE”: COVID19 TRAINING KIT (FREE)
     • 3 end user phish and privacy education courses
     • 2 videos about how attackers are using the pandemic to target victims
     • Blog posts, posters, newsletters, infographics
     • Download: https://security.microsoft.com/attackSimulatorTrainings
  12. GET BUSINESS INFORMATION WORKERS TO SIGN OFF ON A “TEAMWORK AGREEMENT”
     • What content is considered “sensitive” in our organization, do we have any in this Teamwork and, if so, what are the proper handling controls for it?
     • How do we close down our team when the work is done?
     • What are team owners’ responsibilities for this team?
     • Based on the team’s classification, what are our collaboration guidelines?
     INCORPORATE THIS INTO YOUR PROVISIONING PROCESS!
  13. INFORMATION GOVERNANCE HAS 3 STAKEHOLDER GROUPS! Business information workers • Legal, Risk, Compliance, Governance Teams
  14. LEGAL, RISK, COMPLIANCE, GOVERNANCE TEAMS…
     • Legal constraints and obligations (eDiscovery)
     • Regulatory obligations (Government/Industry regulations)
     • Contractual obligations (Payment card industry requirements)
  15. INFORMATION GOVERNANCE HAS 3 STAKEHOLDER GROUPS! Business information workers • Legal, Risk, Compliance, Governance Teams • IT Teams
  16. IMPLEMENT CONTROLS THRU A GOVERNANCE LENS
  17. SCENARIO-BASED GOVERNANCE AND CONTROLS
     • John works in the IT department of Woodgrove Bank. They usually use restrictive settings.
     • Kate works in the IT department of Contoso. They always try to find the best balance between user freedom and IT control.
     • Chad works in the IT department of Tailspin Toys. They want to drive productivity by removing as many barriers as possible.
  18. EXAMPLE SCENARIO: SELF-SERVE SITE CREATION
     • John: We control site provisioning with a strict approval process and automation to control external access, naming conventions, protection, and retention.
     • Kate: We leverage consistent site designs for our users and allow them to provision sites without approval. We follow up after the fact for additional guidance and controls.
     • Chad: We use out-of-the-box provisioning features in our tenant. End-users know what they want and we don’t want to get in their way.
  19. Container and Content Governance: Protecting your (sensitive) teamwork • Retaining your teamwork
  20. Container and Content Governance
     • IDENTIFY VALUABLE CONTENT: Require classification for containers; Scan with Data Loss Prevention (DLP)
     • PROTECT ASSETS: Retention/Deletion; Use Conditional Access; Use Rights Management; Information Barriers
     • ENSURE ACCOUNTABILITY: Manage group/site ownership; Review external membership
     • EMPOWER EMPLOYEES: Self-service site creation; Life-cycle management
  21. Protect your sensitive teamwork wherever it lives!
     • GET READY: Define your classification scheme
     • KNOW YOUR DATA: Understand where your sensitive data lives, what users are doing with it and why it may be at risk
     • SENSITIVITY LABELS: Use sensitivity labels to identify and protect your data (teamwork)
     • DATA LOSS PREVENTION (DLP): Use DLP to govern your sensitive data (teamwork)
  22. GET READY! DEFINE YOUR OWN CLASSIFICATION SCHEME
     • Highly confidential: This is the most critical data for Microsoft. Share it only with named recipients.
     • Confidential: This content is key to achieving our goals. Limited distribution – on a need-to-know basis.
     • General: Product used and shared throughout Microsoft, like personal settings and zip codes. Share it throughout Microsoft internally.
     • Public: Non-restricted data meant for public consumption like publicly released source code and announced financials. Share it freely.
  23. IT’S 3 O’CLOCK. DO YOU KNOW WHERE YOUR (SENSITIVE) DATA IS? IS IT BEING PROTECTED AND RETAINED?
  24. KNOW YOUR DATA USING DATA CLASSIFICATION
     • Use Content Explorer to gain insight into your sensitive data: Where are sensitive information types located? Where are sensitivity labels being used? Where are retention labels being used?
     • Use Activity Explorer to show activities across your locations: When labels were applied; Who modified sensitive data; When was a file printed; Etc.
     * Assign members of your Governance teams to role groups required for monitoring this!
  25. Link: aka.ms/MIPDataClassification
  26. SENSITIVITY LABELS
     • Content markings
     • Protection (encryption)
     • Rights management
     • Auto-apply/Recommend based on sensitive information type (and Trainable Classifiers*) on the Client
     • On the Service side, auto-apply SP/OD content at rest, EXO emails in-transit*
  27. END-USER EXPERIENCE WITH SENSITIVITY LABELS (screenshots): Office apps • Outlook on the web • iOS Outlook app • Office for the web
  28. 2 new Sensitivity Label Features
     • AUTO-LABELING FILES AT REST IN SHAREPOINT: based on sensitive information types; helps if user forgets to set a label; will see in Sensitivity column in SharePoint lists and libraries
     • ENCRYPTED (PROTECTED) FILES: open and edit in Office Online; co-authoring allowed; searchable (allows for DLP and eDiscovery)
  29. SHAREPOINT LIBRARY SENSITIVITY COLUMN
  30. Now Generally Available
  31. END-USER EXPERIENCE
  32. INCOMPATIBLE SENSITIVITY LABEL
     • Possible security concern
     • Upload is not prevented
     • Sensitivity label events are audited, and notifications sent
  33. DATA LOSS PREVENTION (DLP) TO GOVERN TEAMWORK
     • A DLP Policy can: prevent content from being shared; allow end-user to override; use sensitive information types and retention labels as conditions; soon… use sensitivity label as a condition (Preview now!)
     • DLP for Microsoft Teams blocks sensitive content when shared with Microsoft Teams users who have: guest access in teams and channels; or external access in meetings and chat sessions
  34. DLP ACROSS YOUR TEAM WORK
  35. DLP AND MICROSOFT TEAMS
  36. Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
  37. Striking a perfect balance
     ENABLE PRODUCTIVITY:
     • Manually apply sensitivity label consistently across apps, applications, and endpoints
     • Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP
     • Visual markings to indicate sensitive documents across apps/services: watermark, lock icon, sensitivity column
     • Co-author and collaborate with sensitive documents
     • Enable searching and eDiscovery of encrypted files in SharePoint
     SECURE DATA:
     • Enforce conditional access to sensitive data
     • DLP actions to block sharing
     • Encrypt files and emails based on sensitivity label
     • Prevent data leakage through DLP policies based on sensitivity label
     • Mark files as sensitive by default
  38. SCENARIO: PROTECTING YOUR SENSITIVE CONTENT
     • John: We automatically apply sensitivity labels to our content and will require users to provide a reason for override if necessary. We use DLP across all locations and block access to SharePoint sites from all unmanaged devices.
     • Kate: We allow our users to collaborate freely with external users, however, we are currently monitoring when sensitive information is being shared to build our DLP and auto-labeling policies. We allow web-only access to confidential SharePoint sites.
     • Chad: We apply a default sensitivity label to all content and rely on our users to adjust it if necessary. We allow external sharing on all sites. We allow full access to SharePoint sites even from unmanaged devices.
  39. APPLYING RETENTION ACROSS YOUR TEAMWORK: Retaining content where you work (“Built-in” compliance)
     • DELETE: “Delete all team collaboration content 8 years after its last modified date”
     • RETAIN: “Retain all Access Request forms for 5 years”
     • RETAIN and DELETE: “Retain all customer information for 10 years and then delete it after review”
  40. APPLYING RETENTION ACROSS YOUR TEAMWORK (Collaboration Workspace: Retention Policy / Retention Label (Label Policy))
     • Exchange mailbox: Yes / Yes
     • OneDrive for Business site: Yes / Yes
     • SharePoint site: Yes / Yes
     • Microsoft 365 Group: Yes / Yes
     • Chat and (standard) channel messages (minimum 1-day retention allowed): Yes / No
     • Meeting recordings: No / No
  41. APPLYING RETENTION ACROSS YOUR TEAMWORK
     • MANUALLY APPLIED: End-user applies a retention label on a specific document or email.
     • AUTOMATICALLY APPLIED: Automatically apply retention based on condition(s).
     • MACHINE-LEARNING APPLIED**: Using machine learning to apply a retention label based on a trainable classifier.
  42. Applying retention across your teamwork … at scale: MANUAL • AUTOMATIC • MACHINE LEARNING
  43. WAYS TO AUTO-APPLY A RETENTION LABEL
     #1 – Automatically apply at a document library level
     #2 – Automatically apply at a folder or document set level
     #3 – Auto-apply based on a sensitive information type
     #4 – Auto-apply based on a keyword query
     #5 – Auto-apply based on a content type
     #6 – Auto-apply based on a metadata value
     #7 – Automatically set using Microsoft Flow
     #8 – Automatically set using custom code/PowerShell
     #9 – Auto-apply based on a Trainable Classifier
  44. TRAINABLE CLASSIFIERS (Preview): Powered by Machine Learning
     • 5 built-in classifiers: Source Code, Resumes, Profanity, Threat, Targeted Harassment
     • Build your own custom Classifiers! (e.g. Contracts, Financial Agreements, Employee Forms)
  45. USE WHEN PUBLISHING A RETENTION LABEL… * Preview
  46. TRAINABLE CLASSIFIERS WITH SENSITIVITY LABELS… In Public Preview mode now
  47. SCENARIO: RETAINING YOUR TEAMWORK
     • John: We have retention labels published aligning to our File Plan to retain regulated content with disposition review. We have retention policies on Teams chats to delete them after 5 days. We have a mature training program for business users for retention education.
     • Kate: We have retention policies published across collaboration locations including Microsoft Teams. This is transparent to end-users, but still allows it to be discoverable. We delete Teams chats after 1 month.
     • Chad: We have a few retention labels defined for our most valuable content. We use auto-apply capabilities, so end-users don’t have to remember to do it. We don’t delete Teams chats.
  48. Security Governance: Collaborating with external users (securely)
  49. EXTERNAL ACCESS VERSUS GUEST ACCESS
     EXTERNAL ACCESS
     • External access users have no access to specific Teams or Teams resources
     • Allows external users in other domains to find, call, chat, and set up meetings with you
     GUEST ACCESS
     • External users with access to existing Teams and Channels in Microsoft Teams
     • Anyone not part of your organization can be added as a guest in Teams
     • Teams Admins/Owners control what guests can and cannot do
  50. COLLABORATING WITH EXTERNAL USERS SECURELY
     GUEST ACCESS (AVAILABLE NOW)
     • ALLOWING IT: Turned off by default. Can be set at a Teams org-wide level or a Teams/Group level.
     • RECOMMENDATIONS: Audit what Guest users are doing through regular security audits of the audit logs. Disable guest access at a Teams/Site level based on sensitivity of Team/Site.
     EXTERNAL ACCESS
     • ALLOWING IT: Allow all domains (default), some domains, or block some domains.
     • RECOMMENDATIONS: Use allow/deny lists for your external partner domains.
  51. EXTERNAL SHARING RECOMMENDATIONS
     01 COLLABORATION: Enable external sharing by default. Disable based on classification. (coming soon via site classification)
     02 DOMAINS: Limit domains as required.
     03 EDUCATE: Educate your users on sharing with external parties.
     04 ANYONE LINKS: New: Use DLP to prevent “Anyone with the link” access from SharePoint/ODFB for sensitive documents.
     05 AUDIT: Make security audits part of your governance process.
  52. SCENARIO: GUEST ACCESS AND EXTERNAL ACCESS
     • John: We need to be very selective on who we collaborate with. We use “allow lists” for external access to limit collaboration to specific domains. We do not allow guest users into our Confidential sites.
     • Kate: We allow our users to collaborate with external users, however, we currently prevent guest users while we establish our organizational collaboration culture in Teams and define our classification scheme.
     • Chad: We allow communication with any external parties. We do not want to impede our users’ ability to do more. We train our end-users to periodically monitor the ‘Shared with external users’ list.
  53. Where to start?
  54. 4 PLACES…
     01 DATA CLASSIFICATIONS: Document your organization’s data classifications to build your classification scheme (keep it simple)
     02 UNDERSTAND WHERE SENSITIVE DATA IS: Monitor where your sensitive data is located to start building your organization’s protection strategy where it will have the biggest impact
     03 ENFORCE AND AUTOMATE POLICIES: Determine policies to enforce based on your classification scheme: sensitivity, retention, privacy, guest access, conditional access. Automate as much as you can during the provisioning process.
     04 EDUCATE USERS: Educate information workers across your organization to know how to work with sensitive data. Consider a “Teamwork Agreement” and a “User Resource Center”.
  55. LICENSING (Feature discussed today vs. Office 365 E3, Microsoft 365 E3, Office 365 E5, Microsoft 365 E5 Compliance, Office 365 Advanced Compliance, AIP Premium P1, AIP Premium P2)
     • Sensitivity labels: Yes Yes Yes Yes Yes
     • Sensitivity label auto-apply (automatic or recommended): No Yes Yes No Yes
     • DLP protection for SPO, EXO, OneDrive (incl. Microsoft Teams files): Yes Yes Yes N/A N/A
     • DLP for Microsoft Teams chat/channel messages: No Yes Yes N/A N/A
     • Retention Policies: Yes Yes Yes N/A N/A
     • Retention Labels (Manual): Yes Yes Yes N/A N/A
     • Retention Labels auto-apply: No Yes Yes N/A N/A
     • Trainable Classifiers: TBD TBD TBD N/A N/A
     • Data Classification: No Yes Yes (also Advanced Threat Intelligence add-on) N/A N/A
  56. CAPABILITIES MENTIONED TODAY
     Coming soon or here…
     • Sensitivity labels for Office Apps: GA
     • Sensitivity labels for Teams/Site/Groups: GA
     • Sensitivity labels with protection in SharePoint and OneDrive: GA
     • Auto-classification with Sensitivity labels in M365: Public Preview
     • Trainable Classifiers: Public Preview
     • Data Classification: GA
     Top of mind for rest of year…
     • External sharing based on Sensitivity
     • Separation of Sensitivity labels (Doc/Emails vs. Sites/Teams/Groups)
     • Inherit the label (w/encryption) on the site to documents in that site
     • Survey for your feedback
  57. @JoanneCKlein joannecklein@nexnovus.com joannecklein.com SharePoint & Office 365 consultant | Data Protection | Data Retention | Data Governance | eDiscovery Let’s connect!
  58. Thank you!
  59. Additional Materials
  60. rencore.com Moving from AIP to Unified Sensitivity Labels
     • AIP Classic client and Label Management in the Azure Portal will be deprecated on March 31, 2021
     • Steps for migrating: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels
     • Compare the labeling clients: AIP Classic client VERSUS Unified Labeling client VERSUS Office built-in labeling client: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labeling-clients-for-windows-computers
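As an added example (not part of the deck), the tenant-wide "mark new files as sensitive by default" setting from slide 36 checked and enforced with the SharePoint Online Management Shell, followed by the per-site external sharing lockdown recommended for confidential sites on slides 50 and 51. The admin URL, the confidential site URL and the `<tenant>` name are placeholders for your own environment.

```powershell
# Added example, not from the presentation. Requires the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and a SharePoint admin.
# <tenant> and the site path below are placeholders.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Tenant default (slide 36). With the weak value AllowExternalSharing a newly
#    uploaded file can be shared externally before the service-side sensitivity/DLP
#    scan has classified it; BlockExternalSharing holds external sharing until then.
$before = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
Write-Host "MarkNewFilesSensitiveByDefault before: $before"

if ($before -ne 'BlockExternalSharing') {
    Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
}

# Verify the change rather than assuming the cmdlet succeeded.
$after = (Get-SPOTenant).MarkNewFilesSensitiveByDefault
if ($after -ne 'BlockExternalSharing') {
    throw "Tenant setting was not applied (current value: $after)"
}

# 2. Per-site control for a Confidential site (slides 50/51): turn external
#    sharing off entirely so neither guests nor "Anyone" links are possible.
$confidentialSite = "https://<tenant>.sharepoint.com/sites/<confidential-site>"
Set-SPOSite -Identity $confidentialSite -SharingCapability Disabled

# 3. Audit input for the governance team: list sites that still permit
#    "Anyone with the link" sharing so they can be reviewed against classification.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

The final query is a review list, not an enforcement step; which of those sites should keep anonymous links is a decision for the classification scheme defined on slide 22.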
