Information Protection and Data Loss Prevention are the best way to protect your data across Microsoft Teams, from Team to Team. Protect your data from chats to private channels to shared channels, from organization to organization, and from storage to storage.
Microsoft Teams is our and your hub for teamwork. We work together with employees of our own company and of other companies. To do so, we invite people into our Teams, into our private channels, or, new, into our shared channels, which will be available in 2022. Moreover, we have chats, group chats and meetings with internal and external people every day.
Working together is the key to success in a hybrid workplace, and our tool is Microsoft Teams. We can work without restrictions of time zone, device or location.
This freedom is a chance for everyone to structure the day for a better work-life balance and a more flexible way of working. But this freedom has a second side, the security and compliance view, which needs restrictions to protect the data and keep secrets.
With freedom comes responsibility for everyone to protect and secure the company's information and data in the hybrid workplace with Microsoft Teams.
Here, Microsoft Information Protection and Data Loss Prevention, in combination with Zero Trust principles and tools like Conditional Access and Endpoint Manager, give everyone the means to protect data in Microsoft Teams.
At Ignite 2021 H2, Microsoft Information Protection (MIP) brought new features for working together better in a secure way.
The first one is the ability to work together on encrypted files[1], and as a result on sensitive and highly sensitive information. After activation in the Microsoft 365 Admin Center, users can work together on files encrypted with the MIP default key, such as a Word file, in Microsoft 365 Apps for Enterprise and in Office Online. This is possible with the newer Office file formats such as .docx.[2]
This feature also works with Microsoft Teams: people can use MIP to classify and encrypt files in the SharePoint site of a Microsoft Teams Team to get more detailed access management. External people can then be part of the Team without having access to certain files in the channel, even when an employee accidentally copies a highly sensitive file into the Teams Files tab.
Moreover, the same label we use for labeling files can be a container label of a Microsoft Team without any trouble. As a requirement for this functionality, an AAD P1 license and an AIP P1 license are needed. The user can then label a Microsoft Team during the creation process and can change the container label during the lifecycle of the Team. The result isn't auto-labeling of the files in the Team, but access management with and without guests and detailed sharing management in the Microsoft Teams Team.
Here you see the creation process with a container label:
and the option to change the label during a Microsoft Teams lifecycle:
As the next component, it's possible to use auto-labeling in Microsoft Teams for the SharePoint site and all its files. This is possible with sensitive information types and trainable classifiers. Moreover, there are two new features for that:
- Set a default label for a library
- Out-of-the-box classification in the Microsoft 365 Compliance Center for nine new trainable classifiers
- Enhanced Automatic Classification Capabilities
- New Sensitive Information Types (SITs)
It was announced at Ignite that it's possible to set up a default label for a library. This only works for new files that are uploaded to the library. The requirements are a PowerShell script and an AIP P2 license for all users who work in the library, for example the library of a Microsoft Teams Team.
Moreover, the nine new pretrained trainable classifiers can categorize data across finance, information technology, tax, contracts, legal, healthcare, human resources, business procurement, and intellectual property. These can be used for your Microsoft Teams Teams.
| Classifier | Description | Sample content detected by classifier |
| --- | --- | --- |
| Business – Finance | Includes Corporate Finance, Accounting, Economy, Banking, Investment topics | Budget proposals, Business analyses, financial statements, proposals, and sales reports |
| Business – IT | IT and Cybersecurity topics (e.g. Network settings, Information Security, hardware, and software) | Cybersecurity assessments, Incident reports, IT admin documents, and Software specifications |
| Business – Tax | Tax-related content | Tax planning documents, tax forms, Tax filing, and regulation documents |
| Business – Contract | Contract-related content | Non-disclosure agreements, statements of work, loan and lease agreements, employment and non-compete agreements |
| Business – Healthcare | Medical and healthcare administration aspects (e.g. services, diagnoses, treatment, claims, and payment) | Medical records, Health benefit documents, Insurance forms, Prior authorizations, and referral forms |
| Business – Legal | Includes litigation, legal process, legal obligation, legal terminology, law and legislative issues | Court cases, Corporate bylaws, Legal advice, and documents with terms and conditions |
| Business – HR | Includes recruitment, interviewing, hiring, training, evaluating, warning, and termination | Job posts, hiring, onboarding and training documents, Payroll documents, and Employee discipline-related content |
| Business – Procurement | Includes bidding, quoting, purchasing and paying for suppliers and vendors | Quotations, purchase orders, sales orders, delivery orders, and invoices |
| Business – IP | Relates to confidential information that contains Intellectual Property and trade secrets | Patent applications, documents with non-disclosure content |
Furthermore, there are new enhanced classification templates, and the trial is out now. At Ignite, 10 new enhanced classification templates were introduced, which can be used across our Data Loss Prevention, auto-labeling, and Information Governance solutions. These enhanced templates combine entities with sensitive information types to make it simple to classify and protect data across categories such as financial, healthcare, and privacy.
The scope for service-side auto labeling to allow administrators to turn on policies for all SharePoint sites and OneDrive users within their tenants is also extended. This scope can be confidently tested within the ‘simulation mode’ before a policy is turned on for the entire tenant. With the recently released co-authoring of protected documents, administrators can even go ahead and confidently turn on encryption with auto labeling as this helps information workers continue to stay productive while the organization applies labels with encryption across their tenant.
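The simulation-mode workflow described above can be scripted with Security & Compliance PowerShell. This is an added example, not code from the original article; the policy name and the label name `Highly Confidential` are placeholders, and it assumes the ExchangeOnlineManagement module and a compliance administrator account in your own tenant.

```powershell
# Added example. Placeholder names; run against your own tenant only.
Connect-IPPSSession

$policyName = 'AutoLabel-CreditCard-AllSites'   # hypothetical policy name
$labelName  = 'Highly Confidential'             # assumed existing sensitivity label

# 1. Create the policy for all SharePoint sites and OneDrive accounts,
#    in simulation mode: matches are reported, no file is labeled yet.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications

# 2. Add one rule per workload that matches a built-in sensitive information type.
foreach ($workload in 'SharePoint', 'OneDriveForBusiness') {
    New-AutoSensitivityLabelRule -Name "$policyName-$workload" `
        -Policy $policyName `
        -Workload $workload `
        -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' }
}

# 3. Confirm the policy is still in simulation, then review the matched
#    items in the compliance portal before changing anything.
Get-AutoSensitivityLabelPolicy -Identity $policyName | Format-List Name, Mode

# 4. Only after the simulation results look right, turn the policy on:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Keeping step 4 commented out until the simulation results are reviewed avoids applying an encrypting label tenant-wide on the strength of an untested rule.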
The 52 new Sensitive Information Types (SITs) help administrators classify documents, emails, and chats by looking for named entities, which span person names, physical addresses, and medical terms. Examples of these new SITs include 38 country-specific addresses covering the US, EU, and other regions, and 10 healthcare-specific entities (e.g. surgical procedures, brand medication names). This will enable customers to better address several regulatory and compliance scenarios such as GDPR, HIPAA, FINRA, etc. across several countries and geographies.
It's a great option to combine these capabilities with Data Loss Prevention to prevent files from leaving your environment and your control.
Microsoft Teams and Microsoft Information Protection are both part of this DLP architecture. Rolling out both tools is highly recommended to deploy a highly secure environment and work with highly sensitive data.
In this context, Microsoft Teams is a business app and an allowed app. Nevertheless, it is possible to define apps to which information can neither be uploaded nor pasted as text clippings. As a result, Microsoft Teams, SharePoint Online, Outlook and the Edge browser are allowed, but apps like Notepad, Twitter or private third-party browser apps aren't. At Ignite, DLP protection was extended from Windows to macOS, which brings the same experience to the Apple OS when policies are defined; these can be created with the Sensitive Information Types.
It's highly recommended to work with protection actions like alerts and to customize access and override settings to restrict the options for this sensitive information. Here you see an example for Windows devices:
Last but not least, to protect against cyber attacks, it's possible to use the Microsoft Defender for Office 365 Safe Links and Teams integration to warn users, for example about phishing attacks.
If you want to learn more about Microsoft Information Protection, I can recommend the new Ninja training: https://aka.ms/MIPNinja.
If you want to see the latest news on DLP, watch the session Prevent Data Loss in Microsoft 365: https://myignite.microsoft.com/sessions/5dc963d4-dd4a-40be-94ab-b5fc8a22210e?source=sessions
Bio
Raphael Koellner combines law and information technology, in particular cloud computing and compliance, security and GDPR. He has worked for universities, Microsoft Germany (DX), law firms and Microsoft Partners. As an Executive Consultant for BDO Digital GmbH, a part of BDO AG, and with his own company digitallawyer.de, he has worked for huge international companies. Raphael Koellner is a Microsoft Regional Director. He is an 8-time MVP for Office Apps & Services, Insider MVP from the first hour, Teams ELITE 100 Program member, MCT and Microsoft Student Partner. As a Microsoft MVP, Raphael is a frequent speaker at international events and conferences. He is the lead of the Office 365 Usergroup Germany and the Azure Meetup Cologne, and founded the compliancefam.
[1] https://techcommunity.microsoft.com/t5/security-compliance-and-identity/co-authoring-on-microsoft-information-protection-encrypted/ba-p/2693718.
[2] See all prerequisites here: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide#prerequisites.
Posted at https://sl.advdat.com/2YxBn65