With Microsoft Teams and modern SharePoint team sites being created at a record pace, how can you keep all of that content secured, protected, and retained? Microsoft MVP Joanne Klein (@JoanneCKlein) explains.
4. Webinar - Protect your Teams work across Office 365 (Joanne Klein)
Discovering and managing data is challenging

>80% of corporate data is "dark" ‒ it's not classified, protected nor governed [2]
#1: Protecting and governing sensitive data is the biggest concern in complying with regulations [3]
88% of organizations no longer have confidence to detect and prevent loss of sensitive data [1]

1. Forrester. Security Concerns, Approaches and Technology Adoption, December 2018
2. IBM. Future of Cognitive Computing, November 2015
3. Microsoft GDPR research, 2017
5. Not all Teams are created Equal

Company: authoritative curated content; 1:many broad conversations
Department/Division: functional units; few:many specific conversations
Workgroups: transient groups; cross-collaboration
(Microsoft Teams, Yammer, SharePoint)
11. Scenario-based governance and controls

John works in the IT department of Woodgrove Bank. They usually use restrictive settings.
Kate works in the IT department of Contoso. They always try to find the best balance between user freedom and IT control.
Chad works in the IT department of Tailspin Toys. They want to drive productivity by removing as many barriers as possible.
12. Scenario: Self-serve site creation

John: "We control site provisioning with a strict approval process and automation to control external access, naming conventions, and protection."
Kate: "We leverage consistent site designs for our users and allow them to provision sites without approval. We follow up after the fact for additional guidance and controls."
Chad: "We use out-of-the-box provisioning features in our tenant. End-users know what they want and we don't want to get in their way."
15. Protect your sensitive team work wherever it lives!

GET READY: Define your classification scheme
KNOW YOUR DATA: Understand where your sensitive data lives, what users are doing with it and why it may be at risk
SENSITIVITY LABELS: Use sensitivity labels to identify and protect your data (team work)
DATA LOSS PREVENTION (DLP): Use DLP to govern your sensitive data (team work)
16. Define your classification scheme

Highly confidential: The most critical data for Microsoft. Share it only with named recipients.
Confidential: Crucial to achieving our goals. Limited distribution ‒ on a need-to-know basis.
General: Daily work product used and shared throughout Microsoft, like personal settings and zip codes. Share it throughout Microsoft internally.
Public: Public data is unrestricted data meant for public consumption like publicly released source code and announced financials. Share it freely.
17. End-user experience with Sensitivity labels

Screenshots (not reproduced here): Office apps; Outlook on the web; iOS Outlook app. Office for the web: rolling out now!
20. 2 new Sensitivity Label Features

AUTO-LABELING FILES AT REST IN SHAREPOINT
• Based on sensitive information types
• Help if user forgets to set a label
• Will see in Sensitivity column in SharePoint

ENCRYPTED (PROTECTED) FILES
• Open and edit in Office Online
• Co-authoring allowed
• Searchable (allows for DLP and eDiscovery)
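The classification scheme defined a few slides back, created as sensitivity labels and published with a policy, in Security & Compliance PowerShell. This is an added example and not code from the webinar or from Microsoft: the four label names and their definitions come from the deck, while the policy name, the content-marking and encryption settings, and the choice of General as the default label are assumptions.

```powershell
# Added example (not from the webinar): create the four-tier classification
# scheme as sensitivity labels and publish them to all users.
# Assumes Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# Tooltips are the definitions from the "Define your classification scheme" slide.
# Create them lowest to highest: label order is the sensitivity order used when a
# downgrade is detected.
$scheme = @(
    @{ Name = "Public";              Tooltip = "Unrestricted data meant for public consumption. Share it freely." }
    @{ Name = "General";             Tooltip = "Daily work product. Share it throughout the company internally." }
    @{ Name = "Confidential";        Tooltip = "Limited distribution, on a need-to-know basis." }
    @{ Name = "Highly confidential"; Tooltip = "The most critical data. Share it only with named recipients." }
)
foreach ($label in $scheme) {
    New-Label -Name $label.Name -DisplayName $label.Name -Tooltip $label.Tooltip
}

# Visual marking for the two sensitive tiers, so the classification is visible
# inside the document and not only in the SharePoint sensitivity column.
foreach ($name in "Confidential", "Highly confidential") {
    Set-Label -Identity $name -ApplyContentMarkingFooterEnabled $true `
        -ApplyContentMarkingFooterText $name
}

# Protection (encryption) for the top tier: "named recipients" means the author
# chooses who may open it, so the label prompts the user for permissions in Office
# and applies Do Not Forward in Outlook (settings are an assumption).
Set-Label -Identity "Highly confidential" -EncryptionEnabled $true `
    -EncryptionProtectionType UserDefined `
    -EncryptionPromptUser $true -EncryptionDoNotForward $true

# Publish the whole scheme. General is the default label (the "apply a default
# label and let users adjust it" pattern) and lowering a label needs a reason.
$policyName = "Global classification scheme"   # hypothetical policy name
New-LabelPolicy -Name $policyName -ExchangeLocation All `
    -Labels ($scheme | ForEach-Object { $_.Name })
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{
    DefaultLabelId               = (Get-Label -Identity "General").Guid
    RequireDowngradeJustification = "True"
}
```

The labels are created before the policy because New-LabelPolicy takes label names; the advanced settings are set afterwards with Set-LabelPolicy so the policy can be adjusted later without recreating it.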
21. Data Loss Prevention (DLP) to govern team work

• Detects when an action conflicts with a DLP policy
• DLP policies can:
  • Prevent content from being shared
  • Allow end-user to override
• Can now use sensitivity label as a condition
• DLP for Microsoft Teams blocks sensitive content when shared with Microsoft Teams users who have:
  • guest access in teams and channels; or
  • external access in meetings and chat sessions
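The Teams DLP behaviour on this slide as an added PowerShell example (not code from the webinar or from Microsoft): one policy across Teams messages, SharePoint, OneDrive and Exchange, with a rule that uses the sensitivity label "Confidential" as a condition, blocks sharing with guest and external users, and lets the end-user override with a recorded justification. The label name, the policy and rule names, and the use of credit card numbers as the sensitive information type are assumptions; the grouped condition syntax is the documented form for New-DlpComplianceRule, which should be checked against the current cmdlet reference before use.

```powershell
# Added example (not from the webinar): DLP policy for team work that blocks
# Confidential content shared with guests / external access users.
# Assumes Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

$policyName = "Protect Confidential team work"   # hypothetical policy name

# Locations: Teams messages plus the files behind Teams (SharePoint, OneDrive)
# and mail. Start in test mode: matches are reported and users see policy
# tips, but nothing is blocked until you switch the mode to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Confidential content shared with guest or external users" `
    -TeamsLocation All -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# Condition: the item carries the Confidential label OR contains at least one
# credit card number. "labels" entries use type "Sensitivity".
$condition = @{
    operator = "Or"
    groups   = @(
        @{ operator = "Or"; name = "Labelled"; labels         = @(@{ name = "Confidential";       type = "Sensitivity" }) },
        @{ operator = "Or"; name = "Detected"; sensitivetypes = @(@{ name = "Credit Card Number"; minCount = "1" }) }
    )
}

$rule = @{
    Name                                = "Confidential shared outside the organization"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $condition
    AccessScope                         = "NotInOrganization"   # guests and external access users
    BlockAccess                         = $true                 # prevent the share / message
    NotifyUser                          = "LastModifier", "Owner"
    NotifyPolicyTipCustomText           = "Confidential content cannot be shared with guests or external users."
    NotifyAllowOverride                 = "WithJustification"   # end-user override, reason is audited
    ReportSeverityLevel                 = "High"
    GenerateIncidentReport              = "SiteAdmin"
}
New-DlpComplianceRule @rule

# After reviewing the incident reports from test mode, enforce the policy.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Kate's approach from the scenario slides ("monitoring when sensitive information is being shared to build our DLP policies") is the TestWithNotifications mode above left in place; John's approach is the final Set-DlpCompliancePolicy call.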
24. Striking a balance

SECURE DATA
• Enforce conditional access to sensitive data
• DLP actions to block sharing
• Encrypt files and emails based on sensitivity label
• Prevent data leakage through DLP policies based on sensitivity label
• Business data separation from personal data on devices

ENABLE PRODUCTIVITY
• Manually apply sensitivity label consistently across apps, applications, and endpoints
• Show recommendations and tooltips for sensitivity labels with auto-labeling and DLP
• Visual markings to indicate sensitive documents across apps/services: watermark, lock icon, sensitivity column
• Co-author and collaborate with sensitive documents
• Enable searching and eDiscovery of encrypted files in SharePoint
25. Scenario: Protecting your sensitive content

John: "We automatically apply sensitivity labels to our content and will require users to provide a reason for override if necessary. We use DLP across all locations."
Kate: "We allow our users to collaborate freely with external users; however, we are currently monitoring when sensitive information is being shared to build our DLP policies."
Chad: "We apply a default sensitivity label to all content and rely on our users to adjust it if necessary. We allow external sharing on all sites."
26. Applying retention across your team work

Retaining content where you work ("Built-in" compliance):
DELETE ‒ "Delete all team collaboration content 8 years after its last modified date"
RETAIN ‒ "Retain all Access Request forms for 5 years"
RETAIN and DELETE ‒ "Retain all customer information for 10 years and then delete it after review"
28. Applying retention across your team work

MANUALLY APPLIED: End-user applies a retention label on a specific document or email.
AUTOMATICALLY APPLIED: Automatically apply retention based on location, sensitive information type, keyword, content type, or metadata. Automatically apply a retention label from a Microsoft Flow.
MACHINE-LEARNING APPLIED **: Using machine learning to apply a retention label based on a trainable classifier.
30. Ways to Auto-apply a Retention label

#1 ‒ Automatically apply at a document library level
#2 ‒ Automatically apply at a folder or document set level
#3 ‒ Auto-apply based on a sensitive information type
#4 ‒ Auto-apply based on a keyword query
#5 ‒ Auto-apply based on a content type
#6 ‒ Auto-apply based on a metadata value
#7 ‒ Automatically set using Microsoft Flow
#8 ‒ Auto-apply based on a Trainable Classifier (Available soon!)
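The three retention patterns from slide 26, the manual/automatic split from slide 28 and three of the auto-apply ways above (#1 library default, #3 sensitive information type, #4 keyword query), as one added PowerShell example; it is not code from the webinar or from Microsoft. The label names follow the deck's quoted policies; the reviewer mailbox, the content type name, the site URL and the choice of credit card numbers as the sensitive information type are assumptions.

```powershell
# Added example (not from the webinar): retention labels for the deck's three
# patterns, auto-applied in several ways, plus a Teams message retention policy.
# Assumes Security & Compliance PowerShell and PnP PowerShell.
Connect-IPPSSession

# DELETE: "Delete all team collaboration content 8 years after its last modified date"
New-ComplianceTag -Name "Team collaboration content" -RetentionAction Delete `
    -RetentionDuration (8 * 365) -RetentionType ModificationAgeInDays

# RETAIN: "Retain all Access Request forms for 5 years"
New-ComplianceTag -Name "Access Request form" -RetentionAction Keep `
    -RetentionDuration (5 * 365) -RetentionType CreationAgeInDays

# RETAIN and DELETE: "Retain all customer information for 10 years and then
# delete it after review" - KeepAndDelete with a disposition reviewer (assumed mailbox).
New-ComplianceTag -Name "Customer information" -RetentionAction KeepAndDelete `
    -RetentionDuration (10 * 365) -RetentionType CreationAgeInDays `
    -ReviewerEmail "records-management@contoso.example"

# #3 Auto-apply "Customer information" wherever a credit card number is detected.
New-RetentionCompliancePolicy -Name "Auto-apply: customer information" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "Credit card numbers" -Policy "Auto-apply: customer information" `
    -ApplyComplianceTag "Customer information" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" }

# #4 Auto-apply "Access Request form" by keyword query (KQL) on items of an
# assumed content type named "Access Request".
New-RetentionCompliancePolicy -Name "Auto-apply: access request forms" `
    -SharePointLocation All -Enabled $true
New-RetentionComplianceRule -Name "Access request content type" -Policy "Auto-apply: access request forms" `
    -ApplyComplianceTag "Access Request form" `
    -ContentMatchQuery 'ContentType:"Access Request"'

# Teams chat and channel messages need their own retention policy: Teams
# locations cannot be mixed with SharePoint/Exchange locations in one policy.
New-RetentionCompliancePolicy -Name "Teams messages" `
    -TeamsChannelLocation All -TeamsChatLocation All -Enabled $true
New-RetentionComplianceRule -Name "Delete Teams messages after 8 years" -Policy "Teams messages" `
    -RetentionDuration (8 * 365) -RetentionComplianceAction Delete

# #1 Library-level default: every item in the Documents library of one team site
# gets "Team collaboration content" (PnP PowerShell; site URL is assumed).
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/projectx" -Interactive
Set-PnPLabel -List "Documents" -Label "Team collaboration content" -SyncToItems $true
```

Durations are given in days because that is what the cmdlets take; the calendar-year figures quoted on slide 26 are approximated as 365-day years here.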
34. Scenario: Retaining your team work

John: "We have retention labels published aligning to our File Plan to retain regulated content with disposition review. We have retention policies on Teams chat and channel messages."
Kate: "We have retention policies published across collaboration locations including Microsoft Teams. This is transparent to our end-users but still allows it to be discoverable."
Chad: "We have a few retention labels defined for our most valuable content. We use auto-apply so end-users don't have to remember to do it."
38. Collaborating with "externals"

EXTERNAL ACCESS
• Configured in the Teams admin center for the org
• External access users have no access to Teams or Teams resources
• Allows external users in other domains to find, call, chat, and set up meetings with you
• Default: allow all external domains; can add allowed domains or blocked domains
• Gives access permission to an entire domain

GUEST ACCESS
• Enabled in the Teams admin center for the org
• Grant external user access to existing Teams and Channels in Microsoft Teams
• Teams administrator can control which features guests can and can't use in Microsoft Teams
• Anyone not part of your organization can be added as a guest in Teams
• Gives access permission to an individual user
39. Collaborating with External users securely

EXTERNAL ACCESS
• Allowing it: Allow all domains (default), some domains, or block some domains.
• Recommendations: Use allow/deny lists for your external partner domains.
• Available soon: Automatic expiration of external user access.

GUEST ACCESS
• Allowing it: Can be set at a Teams org-wide level or a Teams/Group level. Can control who can allow guests to be added (guest inviter role).
• Recommendations: Leverage the "Guest Inviter" role. Audit what Guest users are doing via Audit logs.
• Available soon: Disable guest access at a Teams/Site level based on sensitivity of Team/Site.
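The external access and guest access recommendations on this slide carried out in PowerShell, as an added example that is not code from the webinar or from Microsoft: an allow list of partner domains for external access, guest access left on org-wide but with invitations limited to admins and the Guest Inviter role, and an audit-log query that summarises what guests did in the last week. The MicrosoftTeams, AzureADPreview and ExchangeOnlineManagement modules are assumed, as are the partner domains and the user principal name.

```powershell
# Added example (not from the webinar): external access allow list, Guest Inviter
# role assignment, and an audit of guest activity.

# --- EXTERNAL ACCESS: allow list instead of the "allow all domains" default ---
Connect-MicrosoftTeams
$patterns  = "fabrikam.example", "woodgrove.example" |
             ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }   # assumed partner domains
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains

# --- GUEST ACCESS: keep it on org-wide, but control who may add guests ---
Set-CsTeamsClientConfiguration -AllowGuestUser $true
Connect-AzureAD
# Only admins and holders of the Guest Inviter role may send invitations
# (other values: none, adminsGuestInvitersAndAllMembers, everyone).
Set-AzureADMSAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"

# Activate the Guest Inviter role if it has never been used, then assign it to
# one accountable person (assumed UPN) rather than letting every member invite.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq "Guest Inviter"
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq "Guest Inviter"
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$inviter = Get-AzureADUser -ObjectId "partner.manager@contoso.example"
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $inviter.ObjectId

# --- AUDIT: what have guests been doing in the last 7 days? ---
Connect-ExchangeOnline
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
          Select-Object -ExpandProperty UserPrincipalName
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
          -UserIds $guests -ResultSize 5000
# AuditData is a JSON payload per record; group by guest and operation
# (FileAccessed, FileDownloaded, SharingSet, ...) so one guest's spike stands out.
$events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object UserId, Operation | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a large guest population, page through it with -SessionId and -SessionCommand ReturnLargeSet, or narrow the date range.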
41. External Sharing recommendations

01 COLLABORATION: Enable external sharing by default. Disable based on classification.
02 DOMAINS: Limit domains as required.
03 EDUCATE: Educate your users on how to share and what to share.
04 ANYONE LINKS: New: Use DLP to prevent "Anyone Links" from SharePoint/ODFB for sensitive documents.
05 AUDIT: Make security audits part of your governance process.
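Recommendations 01, 02, 04 and 05 above applied to a SharePoint Online tenant, as an added example (not code from the webinar or from Microsoft): sharing on by default but limited to partner domains, anonymous links allowed only with expiry and view-only rights, sharing disabled on group-connected sites classified "Highly confidential", a DLP rule that blocks "Anyone" links on documents containing a sensitive information type, and two audit queries. The SharePoint Online Management Shell, Exchange Online and Security & Compliance PowerShell are assumed; the tenant name, domains, classification value and the sensitive information type are assumptions.

```powershell
# Added example (not from the webinar): external sharing settings matching the
# deck's recommendations, plus a DLP rule against Anyone links.

# 01 COLLABORATION + 02 DOMAINS: external sharing on tenant-wide, including
# Anyone links (so the DLP rule below has something to block), but Anyone links
# are view-only and expire, sharing is limited to an allow list of partner
# domains, and the default link type stays internal.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "fabrikam.example woodgrove.example" `
    -DefaultSharingLinkType Internal `
    -FileAnonymousLinkType View -FolderAnonymousLinkType View `
    -RequireAnonymousLinksExpireInDays 30 `
    -RequireAcceptingAccountMatchInvitedAccount $true

# 01 "Disable based on classification": group-connected sites carry the Azure AD
# group classification; turn sharing off wherever it is "Highly confidential".
Connect-ExchangeOnline
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.Classification -eq "Highly confidential" -and $_.SharePointSiteUrl } |
    ForEach-Object { Set-SPOSite -Identity $_.SharePointSiteUrl -SharingCapability Disabled }

# 04 ANYONE LINKS: DLP rule that blocks only anonymous ("Anyone") links on
# documents containing a sensitive information type; authenticated sharing with
# named guests is left as it is.
Connect-IPPSSession
$policyName = "No Anyone links for sensitive documents"   # hypothetical policy name
New-DlpCompliancePolicy -Name $policyName -SharePointLocation All -OneDriveLocation All -Mode Enable
New-DlpComplianceRule -Name "Block Anyone links" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -BlockAccess $true -BlockAccessScope PerAnonymousUser `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "Anyone links are not allowed on documents containing personal data."

# 05 AUDIT: how sharing is distributed across sites, and which external users
# exist in the tenant and how they were accepted.
Get-SPOSite -Limit All | Group-Object SharingCapability | Select-Object Name, Count
Get-SPOExternalUser -PageSize 50 | Select-Object Email, AcceptedAs, WhenCreated
```

BlockAccessScope PerAnonymousUser is the setting that makes this rule target Anyone links specifically; All would also remove access from named guests and PerUser blocks everyone except the owner and last modifier.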
42. Scenario: Guest access and external access

John: "We need to be very selective on who we collaborate with. We use 'allow lists' for external access to limit collaboration to specific domains."
Kate: "We allow our users to collaborate with external users; however, we currently prevent guest users while we establish our organizational collaboration culture in Teams."
Chad: "We allow communication with any external parties. We do not want to impede our users' ability to do more."
45. Discovery of your team work

• Redact sensitive content (Advanced eDiscovery)
• Use electronic holds (retention policies) to retain content
• Available now:
  • Reconstruct Teams conversations in Advanced eDiscovery
  • Discover a user's teams automatically (Teams and SharePoint sites)
• Available by end of year: eDiscovery for Yammer!
49. Takeaways from today

01 CLASSIFICATIONS: Document your organization's data classifications (keep it meaningful)
02 EXTERNAL USER STRATEGY: Establish your external user strategy for collaboration including guest access, external access and external sharing.
03 ENFORCE POLICIES: Determine policies to enforce based on the classification: sensitivity, retention, privacy, guest access, conditional access
04 EDUCATE USERS: Educate/train information workers across your organization on "e-safety in the org"
50. How Microsoft enforces policy on their team work

IN PRODUCT (OFFICE 365/AZURE AD)
• Set public vs. private based on classification
• External sharing limited based on classification
• Guest membership disallowed with classification

COMING SOON IN PRODUCT
• Ownership accountability (1 full-time, 2 people, re-attestation)
• Limit reach based on classification
• Set and validate policies and divisional policies on groups and SharePoint
• Membership management (org based; profile based)

CUSTOMIZATIONS
• Enable self-service site collection/group creation
• Collect classification for all containers
• User awareness: display classification
• Enforce naming rules
• Usage guideline visibility
• Life cycle: 6-month expiry
• Multi-geo; provision based on user's region
• Membership life cycle: enforce external renewals
51. Licensing

| Feature discussed today | Office 365 E3 | Microsoft 365 E3 | Office 365 E5 / Microsoft 365 E5 Compliance / Office 365 Advanced Compliance | AIP Premium P1 | AIP Premium P2 |
|---|---|---|---|---|---|
| Sensitivity labels | Yes | Yes | Yes | Yes | Yes |
| Sensitivity label auto-apply (automatic or recommended) | No | Yes | Yes | No | Yes |
| DLP protection for SPO, EXO, OneDrive (incl. Microsoft Teams files) | Yes | Yes | Yes | N/A | N/A |
| DLP for Microsoft Teams chat/channel messages | No | Yes | Yes | N/A | N/A |
| Retention Policies | Yes | Yes | Yes | N/A | N/A |
| Retention Labels (Manual) | Yes | Yes | Yes | N/A | N/A |
| Retention Labels auto-apply | No | Yes | Yes | N/A | N/A |
| Trainable Classifiers | TBD | TBD | TBD | N/A | N/A |
| Group Expiration | Azure AD Premium P1 | Azure AD Premium P1 | Azure AD Premium P1 | N/A | N/A |
| Core eDiscovery | Yes | Yes | Yes | N/A | N/A |
| Advanced eDiscovery | No | Yes | Yes | N/A | N/A |
52. Microsoft Ignite Announcements relating to today

• Trainable Classifiers: Public Preview, rolling out now
• Sensitivity labels for Teams/Site/Groups: Public Preview, rolling out now (starts Nov. 20, 2019)
• Sensitivity labels with Protection for Files: Public Preview
• Sensitivity labels in Office for the web: Preview, rolling out now
• Threaded Teams conversations for eDiscovery: https://aka.ms/SPOLabels