The document discusses data classification, retention, and sensitivity labeling within Microsoft 365, emphasizing the importance of a comprehensive data governance strategy amidst increasing compliance costs and regulatory updates. It highlights tools and policies for effectively managing data protection and retention while addressing challenges faced by users and organizations in a fragmented data landscape. Key features include sensitivity labels, retention strategies, and automated processes to classify and manage data throughout its lifecycle.

1. M365 Chicago – 2021
Drew Madelung
Labelling in Microsoft 365:
Retention & Sensitivity

2. https://otsn.live/M365CHI-CFFDonation
Your donations make a difference!

4. Help Us Improve OurConference!
Help Our Speakers Improve!
https://otsn.live/M365CHI-Feedback

5. Drew Madelung
Email : drew.madelung@protiviti.com
Twitter : @dmadelung
Website: drewmadelung.com
Associate Director – Cloud Applications

6. Data Classification
Labelling in M365
Sensitivity Labels
Retention Labels
Labelling in Microsoft
365: Retention &
Sensitivity
M365 Chicago 2021
Demos on Demos

7. Where is everyone with
data classification &
labels?

9. The market is fragmented
and confusing
Breach
notification
Supervision
GDPR
Information
governance
Data loss
prevention
Archiving
Fraud
prevention
Information
protection
eDiscovery
Privacy
Records
management
Access
management
Hundreds of compliance controls
Hundreds of vendors

12. Structured
Systems
Unstructured Systems
Company
Information
Paper
Business
Records
Personal
Data

13. 163 zettabytes of data a year will
be created by 2025
Cost of compliance continues to
increase year over year
200+ updates per day from 750
regulatory bodies

14. Adopt a comprehensive data governance
strategy
Leverage the shared responsibility model
Use integrated tools that span end to
end scenarios
163 zettabytes of data a year will
be created by 2025
200+ updates per day from 750
regulatory bodies
Cost of compliance continues to
increase year over year

15. Unified approach to discover,
classify & label
Automatically apply policy-based actions
Proactive monitoring to identify risks
Broad coverage across locations and
applications
Data growing at exponential rate
Label
Discover Classify
Unified approach
Devices Apps Cloud services On-premises ISVs, 3rd-party
 Sensitive data discovery
 Data at risk
 Policy violations
Monitor
 Label Analytics
 Proactive alerts
 Supervision
Protection Governance
 Encryption
 Restrict access
 Watermark
 Header/Footer
 Archiving
 Retention & deletion
 Records management
 Event based
Apply policy
Comprehensive policies to protect and govern your most
important data – throughout its lifecycle

16. Powered by

17. Powered by
Sensitivity labels Retention labels
Description Labels to classify and protect emails,
documents, Sites, Groups
Labels to classify and preserve emails &
documents in M365 – Exchange, SPO, Groups
Label Settings
• Encryption
• Content Marking
• DLP
• Conditional Access Controls
• Retention
• Deletion
Label Persistence Yes No
Deployed to User Container

18. Get to know the admin center(s)
Centralized administration for controlling
your Microsoft 365 technologies
Split into
• security.microsoft.com
• compliance.microsoft.com
Protection.office.com is still used and you will still need it

20. Questions &
Discussion

21. Sensitivity Labels

22. Powered by
Microsoft Information Protection at three levels
Sensitivity Labels

23. Powered by
Sensitivity Labels

24. Powered by
Sensitivity Labels for files & email

27. Powered by
Sensitivity Labels for containers

29. Questions &
Discussion

30. Retention Labels

31. Do you have a
strategy for retaining
and managing
regulatory and
business critical
data?
Do you know what your regulatory
requirements are for your organization?
Do you know where the data resides
requiring retention?
Do you have established guidelines on
the information lifecycle of this data
from creation thru disposal?

32. Retain Retain and Delete Delete
Retention can…
Keep Access Requests for
at least 5 years
Keep customer information
for 10 years and then
delete
Keep Team collaboration
content no longer than 8
years

33. Classify and govern data and records intelligently
Manual
Location
SharePoint, OneDrive, Exchange, Teams,
Skype, Yammer, Groups
Metadata and property
E.g., Content type
Trainable classifiers
6 OOTB + built your own
E.g., resumes, contracts, those that are not
easily found by pattern recognition
Sensitive information types
100+ OOTB + custom
E.g., financial, healthcare, privacy
Keywords and queries
E.g., “Project Foo”, “change management”
Classify
Automated
Policy
Retention period
E.g., 7 years retain + delete;
7 days delete
Level of immutability
Retention, record, or
regulatory record labels
Actions
Only retain, delete automatically,
disposition review
Enforcement point
Event-based or when content
was created, last modified,
labeled
Document understanding
SharePoint Syntex
Machine teaching models part of business
processes
Does
it
look
like…
Does
it
contain…

34. Keeping data longer than needed or required…
• imposes significant costs and risks for your organization
Removing data sooner than you should…
• may cause undue hardship if it’s required for business reasons
• may make you non-compliant with policies and government regulations
tools to manage retention and policy-based deletion are needed to balance these
needs in a uniform way

35. Retention wins
over deletion​
1
Longest
retention period
wins​
2
Explicit inclusion
wins over
implicit inclusion​
3
Shortest
deletion period
wins
4
Tie-breaking flow

36. • Best for targeted retention scenarios
• Can be applied automatically or by end-
users
• Have more choices than a Retention
Policy for timing
• Can trigger a disposition review before
removal
• Can add metadata to label to enhance
administration

37. Site
Document
library
Folder
Document
• Retention Labels are published to a site making
it available to all lists and libraries on the site
• Document Libraries, Folders, and Document
Sets can have a DEFAULT retention label
• End user can manually apply a Retention Label
on a document or folder
• Labels can be auto-applied
• Labels can make a document a ‘Record’

38. Can be age-based or event-based
Age-based:
- From created date
- From last modified date
- From date it was labeled
Event-based:
- From an event date
- Examples:
- When a contract expires
- When an employee leaves

40. Questions &
Discussion

41. Powered by
Challenges
? ?

42. What are the things I can do today based on my licensing?

43. @AaronDinnage

44. Problems of security
 Users need to access data from any device, location
End user
Data admin/Compliance admin
 Challenge in training users on security policies
Bottomline: Protect data & have happy users
 Who should I share and what kind of data?
 Where can I save what kind of data?
 What are my company policies and how
do I remember those?
Bottomline: Just need to get the work done

45. Crawl-Walk-Run Strategy
Goals Ideas for each phase Time to get started
“A measured, gradual approach to adopting something new
allowing for incremental improvements along the way.”

46. What’s the advantage of Crawl-Walk-Run?
Allows you to start
without having it all
figured out
Allows for
incremental
improvements
Eases information
workers into the
world of protection
and retention
Some protection
and retention is
better than nothing

47. Questions?
Email: drew.madelung@protiviti.com
Twitter: @dmadelung
Website: drewmadelung.com
Slides: http://bit.ly/DrewSlides

48. Labelling in
Microsoft 365
– Retention &
Sensitivity
M365 Chicago 2021