Protect your Teams work across Office 365

Hi everyone and thanks for joining the
ShareGate webinar today I’m thrilled for the great topic we will be covering
today before that I know there’s always a lot of questions around the webinar
such as will the webinar be recorded today absolutely yes the webinar will be
recorded today and we will make it available and send it to everyone that
registered as soon as it’s out likely early next week so stay tuned today
we’re very excited to be talking about protecting your Team’s work across
Office 365 with Joanne Klein an MVP of Microsoft and a Microsoft Ignite
speaker a couple of weeks ago I don’t know anyone better to talk about this
topic as it covers a number of areas that we want to look into if at any
point in time during this webinar you have a question myself as well as my
colleagues here at the ShareGate office in Montreal we’re ready simply click on the
Q&A box at the bottom and we will try to answer as fast as possible we’ll make
sure that we cover as much otherwise I’ll be available in the recording and
blog that will follow next week so without further ado I’d like to
introduce Joanne Klein again thanks for accepting to take this topic here at the
ShareGate webinar today we’re thrilled and now let you introduce yourself alright
thanks for the intro Ben hi everybody I’m Joanne Klein and it’s my pleasure to
be with you over the next 40 minutes or so talking about this very important
topic protecting your Team’s work across Office 365 I’m an independent consultant
and I work with customers focusing on really the data protection data
protection and data governance aspects of team work across Office 365
so I’m hoping to share a lot of my observations and findings and learnings
from that experience with you today so the agenda for today is going to be
pretty simple I’m going to start by talking about the root concerns some
common concerns people have the shared responsibility model however the bulk of
today’s presentation is going to be around these things I have highlighted
because those are the concentrating on the actual controls you can implement in
your environment to protect your teamwork now I want to start with a
quote from Karuana Gatimu now she is the customer advocacy group lead
in Microsoft Teams and I love this quote because I believe this is the balance
we’re all striving to reach and it’s a lot easier said than done to implement
those governance controls while still enabling a great collaboration
experience so this is a goal I think we should all have and likely all do so I’m
going to talk about some specific things we can do to get us a little bit closer
to this utopia some common concerns I hear I’m thinking they probably align
with what you’re hearing as well is site sprawl is a concern some
intellectual property is perhaps going to be lost some sensitive information
might be you know inadvertently shared outside of the company these are all
real and legitimate concerns so let’s dig into some of those this is a very
challenging problem and these are some numbers I heard at the recent Microsoft
Ignite conference and they really demonstrate how widespread this concern
is 88% of organizations no longer having confidence that they can detect and
prevent loss of the sensitive data they have and a lot of that corporate
data is what we call dark so it’s not you know monitored or classified or
tightly controlled and understood and that’s a good part of our corporate data
and the number one concern done by a Microsoft GDPR
research is definitely complying with regulation
so these are real problems and they can’t be dealt with using manual means or by
just hiring more people to address this problem we really need to leverage AI
and automation to address this problem at scale and we need to approach it
really in a proactive manner rather than a reactive manner and a lot of the
controls that are implemented in Office 365 are approaching it in that way which
I think is really setting us up for being able to get our organizations
towards that compliance picture however just like not all data is equal not all
Teams are created equal for instance whether you’re talking about you know a
corporate level maybe intranet level area of collaboration where it’s kind of
a one-to-many broad conversation you know down a little bit lower where you
have a few people communicating out to larger audiences and then down to what I
call those transient groups so this can be a combination of Microsoft Teams
Yammer or SharePoint teamwork can be contained within all of those
workloads lots of cross collaboration happens there so you can’t paint all of
these types of Teams and all of the type of data that’s contained in those Teams
with one broad brush it often takes a much more targeted focused and targeted
application of some of these controls at any one particular point in time so
instead of really looking at your data the same way across everything this is
where tapping into your classification system through sensitivity labels and
making that more contextual for where you’re at makes a lot of sense and how I
think organizations are going to be able to get ahead of this problem of all of
this dark data that is out there however there are some competing I guess demands
and requirements across most organizations the business
they want to of course accomplish their business goals as simply as possible
with the tools that you provide them and without little disruption employees just
want to get their job done quickly they don’t want you to kind of impede their
collaboration experience but they want their stuff protected when it’s
sensitive in nature IT admins this is the group that implements the technical
controls they really have in some cases a challenging job to keep up with the
changing services in Office 365 and the increasing threat that is in front of us
it’s only getting smarter and only getting more advanced so we really need
to keep ahead of that of course the legal compliance governance risk all of
those business teams that are focused on the governance aspect and the protection
aspect of the data they have their own set of concerns as well as security
officers are protecting against data breaches and that high-value information
so these are all in some cases competing priorities and competing requirements
they have against each other so one way of addressing this is what Microsoft
calls the shared responsibility model and this makes a lot of sense when you
think about it because there’s so many updates
happening all the time against whatever kind of regulatory body your particular
organization has to adhere to Microsoft you know is bringing in these new
regulations and they say a way of kind of keeping up with that is to leverage
the shared responsibility model by that they mean you as an organization are
responsible for protecting the data the identities and the devices within your
organization whereas Microsoft vigorously protects the Office 365
services so together you can protect your data that makes sense however
within your own organization there’s also a coordinated effort that has to go
on you have to get your own I call it your own electronic house in order with
the controls that you have and this takes a coordinated effort
of I believe three key groups first one is the biggest group and that would be
the people working on your team work creating the content some of them
sharing with external parties some of them working with sensitive information
this group really needs to understand how to work safely and securely inside a
modern workplace today it’s a new skill I believe it’s incumbent upon
us in IT to teach them these skills in addition to putting the controls on but
controls alone will not be able to do that then there’s the IT teams which are
the resources that implement the technical controls involved in some of
the training and configuration and last but certainly not least is the groups
that you need to help define your classification system across your
environment legal risk compliance governance internal audit all of those
types of regulatory teams now this group of business teams are in a unique
position because they really understand the organization’s duty to preserve some
of this information and protect it beyond its immediate business value
which is what the information workers are looking at so we need to lean into
those business groups to help us in IT define what it is we have to secure and
protect so you need to bring them in from the start today for the rest of the
presentation I’m going to approach this from a perspective of governance and I
firmly believe this is how this needs to be managed
and I’m particularly going to focus in on because there’s more than one type of
governance that’s a very broad term but container and content governance is key
when you’re talking about teamwork security governance of course and then a
little bit on discovery governance but to be clear all of these work together
to have a governed and compliant environment end to end I saw this
example in some Microsoft Teams sessions I went to at Ignite and I loved this
approach so to demonstrate some of the controls I’m about to talk about I’m
going to have three examples of three different types of organizations just
kind of one extreme to the other and hopefully you’ll be able to identify
with one of the three or a combination of the three so John is working in an IT
department at a bank and they use restrictive settings Kate works in IT
department at Contoso and they like to strike that perfect balance between user
freedom and IT control and then Chad at Tailspin Toys is in IT and they like to
drive productivity by removing as many barriers as possible odds are your
organization isn’t you know specifically in one of these three but it’s to
demonstrate the different controls and how different organizations can look at
those controls to suit their organizational culture regulatory
requirements and compliance needs so for instance provisioning a new Team let’s
say how would these three personas address this so John in the bank might
say we could completely control site provisioning with a strict approval
process and we automate the controls for external access we strictly have naming
conventions and apply the appropriate protection Kate they leverage standard site
designs for their users but they allow them to provision them without approval
and then they follow up after the fact for additional guidance and controls
Chad they just use the out-of-the-box provisioning features and users know
what they want and they don’t want to get in their way
so as you can see three quite different approaches to site provisioning none of
them are wrong none of them are perfectly right it just depends what is
right for your organization in your environment and that is up to you to
make that path for your own organization okay so let’s start with container and
content governance in here I want to focus on protecting your teamwork
particularly your sensitive teamwork and retaining your teamwork two specific
things that anybody in those business teams and those compliance areas will
definitely be focused on so I like to think of container and content
governance kind of in these four pillars and all of the things I mention in here
should likely be addressed in your own organization and I’m going to touch not
on all of them because we don’t have that much time today but I’m going to
focus on four or five of these P one is requiring classifications for your
containers that is the underpinning for absolutely everything else in managing
and protecting and securing your Office 365 teamwork data loss prevention is
another tool it’s been around for a while but they’re continuing to evolve
that tool with the new modern team collaboration options that are out there
protecting your assets that’s where retention options come into
play conditional access is what do you do when you have unmanaged devices
coming in to access your teamwork rights management do you need to encrypt any of
your content and then of course external membership which is something we are all
faced in our organizations today no longer you know are you contained within
your own firewall it’s completely commonplace to be collaborating with an
external partner or vendor or customer on something so we need to
have controls in place to make sure we can do that securely so protecting your
sensitive teamwork really we want to do this wherever it lives that’s the
strength I believe of these controls whether you’re talking about an Exchange
email or a Microsoft Teams conversation or a file that’s sitting in SharePoint
we want to protect it wherever that lives and on whatever device you may be
accessing it from the first thing you need to do and you will
probably involve your those business teams in your governance departments is
define your own organizational classification scheme that’s key to
everything then understand your data landscape where does your sensitive data
live what are users doing with it and why it may be at risk are they sharing
that routinely with external parties you really need to have a handle on the
activity and what’s being done in your own environment and then we can start to
apply sensitivity labels based on your classification system to help identify
and protect your data in this case your teamwork and we can also leverage data
loss prevention to govern your sensitive data as well so first thing kind of to
take away from this is there’s more than one control at play at any point in time
and in fact it’s a number of controls that work together to really increase
and improve your security and your protection posture so I’m sharing
this classification scheme with you because this is Microsoft’s
classification scheme and I find not that everybody needs to do the same as
them but I find it fascinating because Microsoft of course is a very large
organization and the fact that they were able to pare
down their classification scheme to four classifications is impressive and a
few takeaways from this I want to highlight and one is the words are very
clear to understand there’s no ambiguity between one term and the next which is
critical because your end-users your information workers sitting in front of
the keyboard sometimes having to make the call on whether something is
confidential or highly confidential they really need to understand what that
difference is it’s critical to do it in terms that everybody across
your whole organization is going to be able to understand as much as the
automated controls are coming into play there will always be a need for a manual
setting of some of these classification systems so that’s to me that’s the
takeaway from Microsoft’s classification scheme now once you have your
classification scheme yeah many many things follow on after that and one is
sensitivity labels these can do things like content markings and by that I mean
a watermark on your document maybe it’s a top-secret
document a header or a footer they can apply protection or encryption on a
document they can apply rights management so on that little image I
have shown there is as granular as you can get on some of these sensitivity
labels you can prevent someone from printing something if they want for
instance which is perhaps something you would want to do on a top-secret
document and you can automate this or recommend it based on this sensitive
information type this is license dependent of course and because I
typically get license questions for most of the things I talked about today
I did include a license slide at the end of the presentation for you to refer
back note though that that is a point in time licensing may change product
features may change so as of right now that’s what the licensing
options are an excellent point if you may the licensing is a big key to all of
these there was something interesting earlier you talked about securing or
container governance and I know it’s something that came up and I was
wondering if you could describe what you mean by container governance before we
continue on with these labels that we can add on to it for people that are
looking into this sure yeah good point when I am referring
in the scope of teamwork when I say container governance I am talking
about the SharePoint site let’s say or the Microsoft Team or the Exchange
mailbox I’m talking about what is it that you can manage and how the controls
that are in Office 365 at what level are they kind of published to so in
sensitivity labels it actually can be published at a couple of different
levels we can what I’m showing here is it can be published right down to the
targeted document or email if you want now there’s some new announcements at
Ignite I’m going to talk about in a little bit further where you can now
also apply it at a higher container level so you can apply a sensitivity
setting to an entire Microsoft Team or an entire SharePoint site if
you want to so the beauty of that is everything within that container
inherits that same sensitivity setting by default alright so the end user
experience with these sensitivity labels these are three little GIFs I put on
this page just to demonstrate what they are Office apps up in the top I’m in a
Word document there and you can see I’m setting such a sensitivity of a document
to confidential on the bottom left is Outlook on the web and on the right I
have an iPhone so this is iOS a couple things I want to point out here one is
there are the same sensitivity label options on all three this is
unified across all platforms this is derived from the data classification of
my organization so whatever your classifications that your governance
teams come up with it is going to show across all these environments which is
point again that these have to be very clearly understood because end-users are
going to be presented with these on you know many times and in the middle I’m
just pointing out rolling out right now I don’t have it yet but Office for the
web will have these same options as well so if you’re in Word Online you’ll be
able to set the sensitivity setting in there as well so I really like how
Microsoft is integrating these sensitivity settings right within the
products all right now you can also set this at a container level in this case a
site level and these are this exact same classification so I’m setting this board
of directors site to highly confidential now I’m going to go to the site and
where you will see this classification is up near the top right by the site
name and if you click that you can set this up so it goes to a URL in my case I
always recommend set up a page on your governance site because everybody here
should have one right on explaining what all your sensitivity classifications
mean that’s an end user assist for you we really need to make sure end-users
understand these settings 100% I often hear or see people talking about
governance directly jump to a 27 page PDF or word that Microsoft has a
template and a ultimately governance is trying to guide users to good use of the
platform and nothing better than to help them quickly get the information they
need and the SharePoint site can definitely do that hundred percent agree
love to see what you’ve done there for site sensitivity usage guidelines yeah
awesome I agree it needs to be quick snappy they just want to get in get out
make the decision on what the sensitivity is and continue on with
their work awesome this was announced at Ignite and I’m super excited about it
what I just showed you in the SharePoint admin Center for setting of sensitivity
at a SharePoint site you’ll now be able to hook more controls into that
sensitivity setting to affect the site container the first is determining the
privacy option for that sensitivity label private or public will you by
default allow external users so perhaps if a site is labeled confidential you
will not allow external user access that’s a decision you could make at the
sensitivity level unmanaged devices this is where conditional access comes into
play if you have a confidential site will you allow devices that are
unmanaged access into it or will it be limited such that they have to use the
online versions of the Office products and not the desktop clients so this is
the decision you can make right at the sensitivity label setting which is
another fantastic addition to sensitivity labels in Office 365 this is
announced at Ignite as a public preview and is rolling out by the end of the
year ok for those of you in the audience who have used a protected document using
information rights management you will likely have noticed this when you’re
trying to share a document with somebody and they try to open it this is what
they will get in the online versions of the Office products
Microsoft has now fixed this they are now treating encrypted
documents as first-class citizens which means you will be able to open and edit
it directly in Office Online which is fantastic here again increasing that or
improving that collaboration experience for the end users you’ll now be able to
co-author in there and they will be searchable which has follow-on effects
for data loss prevention can now leverage these and as well as eDiscovery
can find them this was announced at Ignite as well and something called Auto
labeling files at rest in SharePoint if you have some documents that are not
labeled which let’s face it is going to happen quite a bit soon there will be an
auto-labeling feature for those documents and they will be labeled
automatically which will be great and you will be able to see that in there’s
a sensitivity column in SharePoint and you will be able to see that value there
and as far as I know right now it’s going to be based on sensitive
information types but that likely will expand over time okay so that’s what
that was sensitivity labels want to go on to talk
about data loss prevention this is another way another kind of way of
preventing exposure of your sensitive information maybe you are trying to
share Health Services number with somebody external to your own
organization and you don’t want that to happen so this is a tool you can use for
that you can allow an end user to override it and it can detect certain
things so I talked about a Health Services number that would be considered
a sensitive information type in Office 365 there’s many built in sensitive
information types I want to say around 100 but I might have lost count you can
base this off of retention labels you could also do it through Azure
Information Protection labels or sensitivity labels before through
PowerShell but soon you’ll be able to do that through the UI as well which is
really really good because if you have both it’s double the protection and you
do need both here’s an example of what this looks like to an end user so on the
left there’s an email message and they’re trying to share this is a custom
sensitive information type that I’ve built into this
tenant customer BB – four four four four so it detects that and gives a policy
tip in line saying who you’re trying to send this to is external you aren’t
allowed to send this information well sorry
and on the right hand side is a share I’m trying to do with somebody external
again on a document that contains sensitive information so it’s built
into the end-user experience really trying to prevent them from accidentally
or in a yeah inadvertently trying to share information however here’s an
example of a tool that’s been around for a while and they’re now bringing in some
new workloads to it in this case Microsoft Teams so DLP is now
integrated with Microsoft Teams to block sensitive content when it’s being
shared so this includes both users that have guest access or external
access and I’m going to talk about the difference between those two in a few
slides from now but know that it will detect that so I’ve got another GIF
here and I’m in a channel conversation with an external user and I’m sharing a
social insurance number it’s detected that and it’s blocked it so I can click
the what can I do and in this case because the DLP policy has been
configured to allow this I can override it and give it a reason which that’s a
terrible reason by the way but it will allow that to be sent so on the bottom
left you can see what the recipient of that chat message would see if in fact
it was blocked and I didn’t override it so it would say there’s sensitive
content this can’t be shared this works in both the Teams desktop client and the
Teams web app by the way so great feature to enable in your environment
particularly if you’re using Microsoft Teams I just want to show this roadmap
was shared with me at Ignite and I want to key in on three particular things on
the right-hand side that I’m excited about that relates specifically to
protecting your teamwork and one is blocking anonymous access for sensitive
files so if you’ve identified them as sensitive we can make sure that there is
no way you can anonymously share those files I talked about enforcing those DLP
controls based on a sensitivity label and another one I love is treating
brand-new files as sensitive by default in SharePoint Online until they’re
scanned one thing I didn’t explain is how DLP works is it works on a scanning
mechanism so it’s not immediate so the risk with that is you could put upload a
sensitive document and between the moment that you do that and the moment
that it’s scanned by DLP there is a period of time in which you could share
that so this will kind of prevent that or that’s a stopgap and prevent that
from happening so I think that’s great so if it’s not clear by now I think it
should be and that is really our role as IT administrators and as business teams
working in the compliance area is we need to strike a really good balance
between data security and enabling productivity in our environment so I
won’t go through all of these but you can see in some cases they’re you know
competing priorities but data security we should try to enable all of these
things and then assist the productivity side as much as we can but still try to
integrate these controls so it doesn’t impede them any more than we absolutely
have to okay so if we go back to our personas we
can talk about how these three would protect their sensitive content so John
at the bank they may automatically apply sensitivity labels to their content and
require users to provide a reason for override and they definitely use DLP
across all of their locations Kate they allow their users to collaborate freely
with external users however they are currently monitoring when sensitive
information is being shared to build their DLP policies so another thing
I didn’t talk about on DLP is you can test out your policies ahead of time the
advantage of doing that is you can see how much and who is sharing sensitive
data and based on those analytics you can adjust and fine-tune your DLP
policies before you actually turn them on live across your environment and Chad
at Tailspin Toys they apply a default sensitivity label which is something you
can do that’s an easy place to start but they rely on their end users to adjust
it if necessary and they definitely allow external sharing on all of their
sites so in Chad’s case it would be incumbent upon him and his IT team to
make sure the end users really understood those sensitivity label
settings so they could change them when they needed to but three very different
perspectives on the exact same controls ok retention so now that you’re
protecting your teamwork the information management and record management teams
in your organization are going to be looking at this with an eye of retaining
the records out of those teams and at a high level they’ll want to do one of
three things one is retain and that retention policies and retention labels
can both do these three things so you may want to retain something for a
minimum of years let’s say they can both retain and
delete in one definition so an example there is retaining customer information
for 10 years and then deleting it after a review and then maybe not so obvious
but they might just want to outright delete some content so maybe you want to
delete team collaboration content eight years after its last modified although
I’ve not seen an organization do that one yet but that is definitely an
example the idea behind retention in Office 365 is it’s built in compliance
it’s retaining in place it’s not moving the content out to an external archive
to retain it in some cases it may move to a different site but it doesn’t move
it out of Office 365 which has an advantage of you know still making that
content discoverable within Office 365 information workers can still find it
there’s an audit trail of everything that’s gone on with the document there’s
many advantages to leaving it under the Office 365 umbrella so I put this little
grid together on the team workloads on the like small teamwork workloads on the
left-hand side and what a retention policy can retain and what a retention
label can retain they’re slightly different from each other and there’s
some things one can do that the other can’t do I would just want to point out
on Microsoft Teams chat and channel messages a retention policy can be
published to those workloads currently a retention label cannot and a
requirement I see in some organizations is one day retention is now allowed on
team chat messages it used to be I believe a minimum of 30 days so that
gives you yes go ahead yeah while we’re looking at these different workloads and
where it’s applied there was two questions I thought actually very
interesting which was if we want to classify protect our data on cross
Office 365 so we don’t need to install Azure
Information Protection on client users PCs right the answer to that is it
depends on there’s two clients that you can pick if you’re going to there’s the
traditional Azure Information Protection you can migrate them to
sensitivity labels I’m talking about the sensitivity labels today that you
configure from the Security and Compliance Center once you have them
there’s two different ways you can leverage or use them in your clients one
is an add in to your Office clients and the other is built into the Office
install so either one of them will work they do have different capabilities
depending on which one you’re using though sounds good and one last one
front it’s what is the difference between sensitivity labels or the
relationship between sensitivity labels and permissions management which can be
applied at various levels a sensitivity label is always applied at the
document level like a one document or an email level whereas what was the what
was the other one they asked about basically permissions management and
this sensitivity labels what why one or the other or both or what’s the
relationship between both of them well you can a set you can set certain
permission management that was that little screen I had up there where you
can control at a very granular level the permissions for a sensitivity label view
edit print etc so that’s optional you don’t you certainly don’t have to do
that but it’s an additional level of control and protection you can associate
with a sensitivity label if that is shared externally okay thank you okay I want to try to explain at a high
level kind of the three ways of applying retention to demonstrate a point that
speaks back to the all of the corporate dark data that organizations are
concerned with one is you can certainly manually apply a retention label
information workers it’s just like associating a piece of metadata to a
document and you can do that or an email you can automatically apply it
I just finished a 20 minute theater session at Ignite where I talked about
seven ways you can auto apply a retention label to a piece of content
but you can also announced at Ignite use machine learning and this I think is a
game-changer for retention across Office 365 and in fact it’s really the only way
in my opinion that you’re going to be able to manage this at scale and it’s
using a new technique machine learning to be able to go across everything that
you either haven’t manually or automatically applied a label to and
associate a retention to it so these are the seven ways I talked about at
Ignite but number eight and the one that’s using machine learning is
trainable classifiers not available yet it’s in public preview but it will be a
game changer and really really smart way of identifying content across your
organization and then applying retention to it what I’m showing you here is is
the six built-in classifiers that are going to come to every tenant and
you can certainly leverage those but you can also build your own classifiers so
it’s it’s a fairly involved process of course get a sample of data kind of
identify what your classifier looks like feed some positives and some negatives
into it so it learns what your classifier looks like and then kind of
send it out across all of your data in your organization
to identify it and then take action on it in the action you can take on it is
apply a retention label which is what I love about this so there’s going to be a
third option on this list right now there’s only the top two but soon we’re
going to be able to apply a retention label to any content that matches one of
these classifiers and what’s even better yet is you’ll be able to associate a
classifier with a sensitivity label so when you’re setting this up you’ll be
able to say anything with the classifier of if you use resumes make sure it’s
identified as sensitive and this was rolling out into preview by end of year
so I’m anxious to get my hands on that so if we go back to our scenario
retaining our teamwork what would those three personas do for this so John at
the bank they would have retention labels fairly closely aligned to their
file plan to retain regulated content and they would probably have disposition
review on a lot of their content by that I mean they need to approve the
deletions before they happen which is very common in regulated industries
they have retention policies on their team chat and channel messages as well
Kate they have retention policies published across their collaboration
locations including Microsoft Teams that is transparent to their end users but it
still allows it to be discoverable that is one key difference between retention
label and retention policy retention policy happens behind the scenes either
in the Recoverable Items partition in Exchange or in the Preservation Hold
Library in SharePoint an end-user really has no idea that it’s going on and Chad
at Tailspin Toys they have a few retention labels for their most valuable
content but they rely on their end users to manually apply them sorry has your
experience been that you require dedicated people for what’s in the
Security and Compliance Center or is this something that we can do one time
is set up would you recommend to John Kate and
Chad’s company to do I would say particularly in John’s and likely in
Kate’s they require dedicated resources now you might have depending on the size
of your organization you might have one role that’s doing a number of things in
there but each each of these things I’m talking about is a significant piece in
the Security and Compliance Center and requires you know a lot of care and
attention in order to not only configure it initially but to audit you know
what’s going on how it’s being used across your organization get some
insights into that and then adjust so yeah it it in some cases takes a team of
people to really keep the wheel spinning behind the scenes thank you I saw this
saying at Ignite and I absolutely loved it
so even if you have all of your controls in place and you know you left work
yesterday at 5:00 p.m. when you come in this morning do you really have a handle
on where your data is and that chances are unless you use some of these AI and
automation controls I would say you probably can’t answer that yes so it
demonstrates the point you really need to be monitoring constantly adjusting
leveraging these AI and automation to manage this at scale so label analytics
is one place within the Security and Compliance Center that you can see and
have visibility into the volume and location of the sensitive and business
critical information and what kind of activities are going on there it’s
really I believe can help refine those protection and governance policies you
have in place this is where the rubber hits the road and you can see what users
are actually doing so for example on the retention label side you can see what
retention labels they’re using and what workloads are using it against on the
sensitivity label side you can see what sensitivity labels are being used and
the types of locations that they’re being used on
so there again further to Ben’s point somebody needs to be looking at these
things and taking action on them when there’s something that needs to be
addressed or adjusted all right security governance this is collaborating with
external users securely so there’s two kinds of I call them externals
particularly in Microsoft Teams is what I’m going to focus on but to be clear at
the top there’s many levels that you can configure external access from Azure AD
level to the team level at the group level and at SharePoint Online and
OneDrive for Business this graphic is mostly looking at Microsoft Teams
external access is basically giving control to an entire domain or in to
have access into your environment or blocking an entire domain okay so it
would give users access to find call chat and set up meetings with you it
does not give them access to a team and to be a member of a team that is called
guest access they’re both administered in the Teams
admin center but they’re very different types of users and access so uh guest
access would be when you invite an external member into a team and you’re
chatting with them in a channel conversation and they can have you know
varying levels of controls and you can this is where those DLP that DLP example
I talked to you about before that would show up in this case as well if you have
a guest access user the thing I love about this if organizations are a little
leery or hesitant to bring in external guests or external access into their
environment is one key benefit of allowing them in is if your organization
is collaborating with them anyway at least if the data is kept in your tenant
you can protect it you can monitor it you
have control of it and that is a much better place to be than if you don’t
allow external users and your information workers find a way to
somehow collaborate with them outside of your sanctioned tools maybe send them a
copy of a document or or whatever so to me this is a critical piece to really
enabling secure and compliant collaboration within your environment
I’ve just got some things about allowing
it some recommendations and what features are coming soon on both sides
on the guest access side you’ll soon be able to administrate that disable
guest access at a team site level let’s say you have a confidential or a
top-secret team site you know I can see completely you will not allow guest
access on that on the external access side you can soon be able to
automatically expire external user access which is another good thing so my
recommendations for external sharing so up in the top right are the options you
have for external sharing and some recommendations for that I love the
approach of number one enable external sharing by default but disable based on
classification the example I just gave disable it if it’s confidential site for
instance limit domains as required really educate your end-users on the
importance of sharing how to share do not send a copy of a document share make
sure you have those controls in place so they are comfortable doing that
and they can share when they need to new will be the ability to use data loss
prevention to prevent Anyone links from SharePoint OneDrive for Business for
sensitive documents which is another good thing and again getting back to
Ben’s comment about how many people do you need in that Security and Compliance
Center you need to make security audits part of your governance process and that
means somebody in there monitoring those
things on a daily basis seeing what’s going on so our three personas John
would be very selective on who they collaborate with and they only allow
certain external domains in their environment Kate allows her users to
collaborate with external users however they prevent guest users because they’re
still figuring things out and Chad they allow communication with any external
parties because they don’t want to impede their users ability to do more
all right the last one is discovery governance and the discoverability of
your teamwork so this is talking about eDiscovery basically which is using this
eDiscovery model it’s just a description of how eDiscovery works it starts at
identification phase and goes all the way over to presentation phase so it’s
searching against all of your teamwork content okay it can search against all
of those workloads and find content relevant to the eDiscovery case reason
I want to point out this diagram is it demonstrates the precursor to
eDiscovery is all of the information governance controls we’ve talked about
up to this point in time so you need to do a good job on that information
governance piece before your legal teams come in and start their discovery
process it’s very quickly lots of neat things you can do in eDiscovery and a
few new announcements at Ignite particular one I want to point out is
the ability to reconstruct a Teams conversation in Advanced eDiscovery it
gives you the context of the conversation and discover a user’s teams
automatically which becomes really important if you’re let’s say
investigating an end user in your organization and you want to search
against all of their teams there’s now facility to do that automatically and
great news eDiscovery will be available for those that use Yammer for the
content that’s stored in there as well so just a quick visual of what that
Teams message discovery looks like so if we have this Teams conversation
going on it would look like this in eDiscovery so
you can see you can see the context of the conversation which is critical to a
legal team when they’re trying to understand the meaning of a particular conversation so that’s key
okay so
that’s the end but I’ve got a couple takeaways from today pretty simple
actually if you’re just starting out I think if you followed these four very
high-level points you you would be at a very good place to start so document
your organization’s data classification that’s number one make sure you involve
those business teams when you’re doing that have an external user strategy are
you going to allow external users if not how are you going to prevent it when are
you going to allow external users number three enforce those policies I
talked about several of them today there’s many others as well lots of
controls in the environment I talked about kind of the big hitters today but
you can implement all of those based on the sensitivity classifications that you
have set up and last but certainly not least is educating your end users which
is critical in today’s world and because I found this interesting this is how
Microsoft enforces policy on their own teamwork not to say you have to do it
like they do it but it’s very interesting to see the controls that
they themselves have implemented for their very large organization all right
I have a licensing slide I won’t stay on that another slide I talked about the
features I mentioned today where they’re at in rolling out many of them coming
very soon there is a preview program on the bottom a kms / SP labels for those
sensitivity labels with protection for files that you may want to sign up for
all right so please connect with me off off-hours and through any of those means
I blog a lot at joannecklein.com reach out to me via email or Twitter and I
just want to thank you all for joining me today thank you ShareGate I really
appreciate it and I don’t know we have time for any more questions we’ve got
maybe a few minutes left I just had one or two questions and okay I know you’ve
covered a lot of content and once again thank you so much we’re already getting
feedback that this was very helpful which comes with two additional
questions will it be will the recording be available and will the slides be
available and the answer is yes early next week we want to make sure that we
go through the video we take out some of the pieces that were said and we can
rewrite it as a piece of content you can consume however you prefer so stay tuned
early next week we should send out the link to everyone who registered and
it’ll be available on our blog there were two quick questions
one was can retention still just be applied to created and modified fields
or is it possible to add custom say I have a contract end date field and I
want to trigger it off of that a contract end date there’s a couple of
ways you could do that if you have the sufficient licensing you can use event
based retention and the event is when the contract is ended another way you
could do it is if you use an auto apply based on a contract end date and when
it’s in the past I demoed that actually in my Ignite seven ways to auto apply a
retention label options so that is just a keyword condition you put in the auto
apply another way you could do it is through Microsoft Flow because you can
set or Power Automate I should say now you can always set a retention label
through an action in Power Automate so that is another way you could do it so a
couple different ways and I think you have a blogs actually that’s the second
question it would be interesting to hear experiences of possibilities of using
flows or Power Automate to auto apply retention labels or is that advanced you
discover or do you usually get tools or so I
thank you I found actually my colleague found a very detailed post that you have
around using Flow to apply retention labels yes I’ve written a blog post on
it I forget the title right now so okay awesome yeah and that is something I
think is a great way to do it because if you don’t have the licensing to do the
auto apply you can use Power Automate to do it instead and you can basically add
a retention label based on any kind of custom condition that you might have
very cool and while I go at the very last question
so far somebody was wondering if you could bring back the licensing slide for
a second so they can look if what they’re looking for is actually their
license model again I’m passing through the many thanks that we’re getting for
your content and your time Joanne there is one question around Stream and
whether or not it’s well covered in a Security and Compliance Center and if
they’ll eventually be able to look at the transcripts and protect that as well
if you have any insights those aspects I know I don’t have a lot of insights I do
know right now they are not discoverable by eDiscovery and I’m not sure where
that is on the roadmap but to date they are not discoverable you would have to
go to the actual Stream video and
is you’re looking for so there needs to be some improvements in that one for
sure perfect well thank you very much Joanne
really appreciated this was really a great even for myself learned a couple
of things and from what I can tell it’s the same for everyone I want to respect
everyone’s time including you Joanne thank you very much and have a wonderful
rest of the thank you so much for having me goodbye everyone goodbye thank you

About the Author: Oren Garnes
