One of Microsoft's goals with Office 365 was to combine what had been two separate labeling services. Office 365 labels began life as "retention labels", which defined how long content would be kept in Office 365. Azure Information Protection labels belonged to a separate Azure service that applied access controls to content.
In the broader world of “Why do we label documents?” these stories can be summarized as “How long do I need to keep this?” and “Under what circumstances should this be accessible?”
These essentially boil down to retention and sensitivity. Retention is usually governed by regulation, such as “Financial records must be retained for at least seven years.” Sensitivity has more to do with security, i.e. “Where can content be accessed, and by whom?” These requirements are typically defined by different teams in a business setting, and a coherent labeling strategy requires input from both.
Take contracts, for instance. A contract of any kind might be required to be held for three years. However, not all contracts carry the same level of sensitivity. A contract to provide water jugs to the office might be pretty innocuous, whereas a contract to provide derivatives to certain customers (perhaps with their Tax ID numbers) could be far more sensitive.
Retention Labels in Office 365
Here's how Microsoft is handling labels in Office 365 now. Keep in mind that my example environment has E3 licenses assigned to all active users.
Malcolm Singer is an IT admin who needs to create some new retention and sensitivity labels, so he goes to the Security & Compliance admin center, navigates to Classifications, and subsequently decides to start with retention labels.
When Malcolm creates a new label, he’s going to:
- Give it a name that users will see
- Jot down any notes for future administrators
- Write a description for users who aren’t certain what the label means
While it’s possible to create a retention label with no settings, the whole point of retention labels is to define a retention period and then define what happens after that period ends.
In this instance, contracts must be kept for three years. After that, Cindy in finance is responsible for reviewing them. The clock starts as soon as the content is labeled.
Retention labels include the option to declare a document as a SharePoint Record, which means that it cannot be edited or deleted. However, the metadata about a Record can be edited. In this instance, Malcolm isn’t setting the label to declare content as a record.
Once the label is created, it still needs to be published in order to be available. Labels are published to a label policy, and individual labels may be published to multiple label policies.
When a retention label is published to a label policy, it can be made available to all supported Office 365 services (Groups, Exchange, SharePoint, and OneDrive), or limited to specific services. By selecting the latter option, a label policy can also be limited to specific users or groups of users. A pretty common use case might be: “Department X has very fine-tuned labeling requirements that don’t apply to anyone else.”
In this case, the label policy will be available to everyone in all services.
Why it Matters
So, why is all of this important?
The Finance department might have a sophisticated set of labels to use in identifying their retention policies. They might have labels for contracts, credit memos, payables, receivables, and so on.
Perhaps Malcolm has already created a dozen labels for Finance and applied them to a “Finance Retention Policy.”
The following month the Facilities team tells Malcolm that they want to ensure that they don’t throw away any contracts. After talking to them, Malcolm realizes that the definition of “Contract” used for Finance works well enough for Facilities, but they don’t need the others. In response, Malcolm creates a new “Facilities Retention Policy” that only has the one label, for Contracts. Both of these policies are limited in scope to Facilities and Finance, respectively.
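The same Contract label and the two department-scoped policies, built with Security & Compliance PowerShell instead of clicking through the admin center. This is an added example, not code from the original post: the tenant name, Cindy's address, the Finance and Facilities group names and site URLs are placeholders, and the mapping of -Notes to the admin description and -Comment to the user description is an assumption worth checking against Get-ComplianceTag in your own tenant.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module; the tenant, addresses, group names and site URLs below are assumptions.
Connect-IPPSSession -UserPrincipalName "malcolm.singer@contoso.onmicrosoft.com"

# 1. The "Contract" label: keep 3 years (PowerShell takes days) counted from the
#    date the label is applied (TaggedAgeInDays), then trigger a disposition review
#    by Cindy instead of deleting silently. Not a record, so the file stays editable.
#    Assumption: -Notes is the admin-only note, -Comment is the user-facing description.
New-ComplianceTag -Name "Contract" `
    -Notes "Shared by Finance and Facilities; talk to both before changing the period" `
    -Comment "Signed agreements with customers, vendors or landlords" `
    -RetentionType TaggedAgeInDays `
    -RetentionDuration 1095 `
    -RetentionAction KeepAndDelete `
    -ReviewerEmail "cindy@contoso.com" `
    -IsRecordLabel $false

# 2. Finance already has a dozen labels; publish Contract alongside them in a
#    policy scoped to the Finance group's mailboxes and the Finance site.
#    (For "everyone, all services" use -ExchangeLocation All -SharePointLocation All
#    -OneDriveLocation All -ModernGroupLocation All instead.)
New-RetentionCompliancePolicy -Name "Finance Retention Policy" `
    -ExchangeLocation "Finance" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance"
# The rule is what links a label to a policy; retention settings stay on the label.
New-RetentionComplianceRule -Name "Finance - Contract" `
    -Policy "Finance Retention Policy" -PublishComplianceTag "Contract"

# 3. Facilities gets a second policy that publishes only Contract. The label is
#    defined once and published twice, so both teams get identical retention.
New-RetentionCompliancePolicy -Name "Facilities Retention Policy" `
    -ExchangeLocation "Facilities" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Facilities"
New-RetentionComplianceRule -Name "Facilities - Contract" `
    -Policy "Facilities Retention Policy" -PublishComplianceTag "Contract"

# 4. Check what was actually created before users see it: retention lives on the
#    tag, scope on the policy, and the rule only ties them together.
Get-ComplianceTag -Identity "Contract" |
    Format-List Name, RetentionType, RetentionDuration, RetentionAction, ReviewerEmail, IsRecordLabel
Get-RetentionCompliancePolicy -Identity "Facilities Retention Policy" -DistributionDetail |
    Format-List Name, ExchangeLocation, SharePointLocation, DistributionStatus
```

The point to notice is that changing the retention period on the label later changes it for both departments at once, which is exactly why Malcolm confirmed that Facilities could live with the Finance definition before reusing it.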
Sensitivity Labels in 365
There’s a bit more complexity when working with sensitivity labels. We must take into account that certain functionality that was previously exclusive to Azure Information Protection (AIP) is getting rolled into 365 Enterprise licenses.
Note: This isn’t AIP being included with Office 365. This is adding functionality to Enterprise Office 365 licenses, functionality that was previously only part of AIP.
Sensitivity labels differ from retention labels in a few key ways. For one, sensitivity labels have tabs for loss prevention, configuring encryption, and content marking. Sensitivity labels are also about controlling how content is handled, whereas retention labels only indicate how long an organization should keep content.
The Encryption section can be a bit misleading since the settings that can be configured are quite granular and not specific to any one encryption method. If you’re familiar with the old Information Rights Management (IRM), though, you’ll feel right at home.
To start, you can decide whether to apply the rule solely to files or to both email and files. You can time-bomb access to data, so that it expires after a set date or number of days, or require that the user be online (and therefore still authorized) in order to open it. You can also cap how long a copy stays readable offline; no more stuffing the hard drive and walking off the job with perpetual access to those files.
Additionally, you can grant specific permissions to specific users or groups in your environment or by email address or domain name. You can either define them by role (co-author, co-owner, viewer, or reviewer), or by customizing from the list of settings below.
Above, I’ve applied the same scope and availability rules to both jkmccoy and julie.wins, but jkmccoy can only view content that is labeled TLM Secret, while julie.wins has a co-author role for content labeled TLM Secret.
Content marking is pretty straightforward. It’s, well, putting marks in-document, whether that be entering text in the header, footer, or including a full-page watermark. For now, all these marks are text-only—no defined images.
Lastly, sensitivity labels allow you to enable endpoint data loss prevention. By throwing this switch, you are effectively enabling Windows Information Protection to protect the document.
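The TLM Secret label described above, with jkmccoy as a viewer and julie.wins as a co-author, built and published with the same Security & Compliance PowerShell session. This is an added example, not code from the original post: the contoso.com addresses, the expiry and offline-access values, the policy name and the -ContentType value are assumptions, and the rights strings are my mapping of the portal's Viewer and Co-Author roles to the underlying IRM usage rights (compare them with what the portal writes into EncryptionRightsDefinitions). The endpoint DLP switch is not covered here.

```powershell
# Added example (not from the original post). Same module and session as the
# retention example; addresses, domain, policy name and numbers are assumptions.
Connect-IPPSSession -UserPrincipalName "malcolm.singer@contoso.onmicrosoft.com"

# The portal's role names are presets over IRM usage rights. Assumption: these
# two sets match the Viewer and Co-Author presets.
$viewer   = "VIEW,VIEWRIGHTSDATA,OBJMODEL"
$coAuthor = "VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

# Same scope for both users, different rights: jkmccoy can only view, julie.wins
# can edit. Identities can also be whole domains, e.g. "contoso.com:$viewer".
$rights = "jkmccoy@contoso.com:$viewer;julie.wins@contoto.com:$coAuthor".Replace("contoto", "contoso")

New-Label -Name "TLM Secret" -DisplayName "TLM Secret" `
    -Tooltip "Contract terms and customer Tax IDs: encrypted, 30-day expiry, 3 days offline" `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever 30 `
    -EncryptionOfflineAccessDays 3 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "TLM Secret" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "Contains customer tax identifiers" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "TLM SECRET"
# -EncryptionContentExpiredOnDateInDaysOrNever 30 is the time bomb (use "Never" to
#  disable it); -EncryptionOfflineAccessDays 0 would force the user online every
#  time the file is opened, which is the "must be online" option in the portal.

# Like retention labels, a sensitivity label is invisible until it is published.
New-LabelPolicy -Name "TLM Secret policy" -Labels "TLM Secret" -ExchangeLocation All

# Verify the permission split and the expiry settings before rolling it out.
Get-Label -Identity "TLM Secret" |
    Format-List DisplayName, ContentType, EncryptionRightsDefinitions,
        EncryptionContentExpiredOnDateInDaysOrNever, EncryptionOfflineAccessDays, ApplyWaterMarkingText
```

A practical check after publishing: open a labeled file as jkmccoy and confirm that Save and Copy are greyed out, then disconnect the machine from the network for longer than the offline window and confirm the file no longer opens. Settings that look right in the admin center do not always survive the client, so test the label from the user's side, not only from Get-Label.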
In my next post, I’ll go into more detail about automatic labels. Why rely on puny humans to add labels? Make labeling easier for your workforce by automating the process!