Brief Summary
This video provides a comprehensive guide to data protection in Microsoft 365, focusing on creating custom sensitive information types (SITs), data loss prevention (DLP) policies, and sensitivity labels. It uses a fictional law firm, Hawthorne Bell LLP, as a case study to illustrate how to protect specific types of data such as client case numbers, legal contract templates, and confidential client names. The video also explains how to use Copilot for regular expressions, test SITs, and implement DLP policies across various Microsoft 365 services.
- Creating custom sensitive information types (SITs)
- Configuring data loss prevention (DLP) policies
- Implementing sensitivity labels
Introduction
The video introduces the topic of data protection in Microsoft 365, prompted by a fictional law firm, Hawthorne Bell LLP, seeking to protect its confidential data. The video will cover creating custom sensitive information types, data loss prevention policies, and sensitivity labels to safeguard the firm's data.
Law Firm Requirements
Charles Bell from Hawthorne Bell LLP has specific data protection needs, including client case numbers, proprietary legal contract templates, client entity names in high-profile cases, and personal identifiers like national insurance numbers. The firm's client case numbers follow a specific format: HB, the year, and a random four-digit code. Legal contract templates also have a consistent format, with random digits at the end.
Sensitive Information Types
Microsoft 365 needs to be taught what data is sensitive for Hawthorne Bell by creating sensitive information types (SITs). SITs are the foundation for all data protection in Microsoft 365. Microsoft doesn't inherently understand the data, so the requirements must be programmed into the system.
Access Microsoft Purview
To create SITs, navigate to the Hawthorne Bell Microsoft 365 admin center and launch Microsoft Purview. From there, go to Solutions > Data Loss Prevention > Classifiers > Sensitive Information Types. Microsoft has built-in SIT templates, but the video focuses on creating custom ones.
Patterns for SIT
Creating a pattern involves teaching Microsoft what to look for in the data to identify sensitive information. This is done by defining a primary element, such as a regular expression, that matches the format of the sensitive data. The confidence level can be adjusted based on the accuracy of the pattern.
Use Copilot for Regex
Regular expressions (regex) are used to define the pattern for sensitive data. Copilot can be used to generate the regex for specific data formats. For example, Copilot can create a regex for client case numbers that start with "HB," followed by the year and four random digits.
Supporting Elements
Supporting elements, such as keyword lists, can be added to improve the accuracy of SITs. These elements help to reduce false positives by ensuring that the data also contains specific keywords related to the sensitive information. The balance between usability and security is important to avoid frustrating users with inaccurate detections.
Test the SIT
After creating a SIT, it's important to test it to ensure it works correctly. This can be done by uploading a sample document and checking whether the SIT detects the sensitive information. The test results show the confidence level and the matched elements.
Create 2nd SIT
The next step is to create a sensitive information type for legal contract templates, which have a different format. The process is similar to creating the SIT for client case numbers, but with a different regular expression and supporting keywords.
Create 3rd SIT
The video explains how to create a sensitive information type for confidential client names. This SIT uses a keyword list instead of a regular expression to identify the names of confidential clients.
Keyword List vs Dictionary
The difference between a keyword list and a keyword dictionary is that a keyword list is a simple list of words or phrases, while a keyword dictionary groups keywords into categories. A keyword dictionary is more advanced and is useful for detecting combinations of concepts.
Create SIT using Template
Microsoft provides templates for common sensitive information types, such as UK national insurance numbers. These templates can be used directly without creating a custom SIT.
Create DLP Policies
To start protecting data, data loss prevention (DLP) policies need to be created using the sensitive information types. DLP policies define the actions to take when sensitive information is detected.
DLP Policy Templates
Microsoft provides templates for DLP policies, but the video focuses on creating a custom policy from scratch. The custom policy allows for more granular control over the protection of sensitive information.
Admin Units
Admin units are used to manage DLP policies in large organizations with multiple IT departments. For smaller organizations, this feature is not necessary.
Choose Policy Targets
DLP policies can be applied to various locations, including Exchange email, SharePoint sites, OneDrive accounts, and Teams chats. The policies can be scoped to all users, groups, and sites, or targeted at specific ones.
Create Advanced DLP Rules
Advanced DLP rules define the conditions and actions for the policy. Conditions specify when the policy should be applied, such as when content is shared externally and contains sensitive information. Actions specify what should happen when the conditions are met, such as blocking access to the content.
Choose Policy Mode
DLP policies can be run in simulation mode to test their effectiveness before turning them on. This allows organizations to identify and correct any issues before enforcing the policy.
DLP Priority
DLP policies are assigned a priority number, with lower numbers indicating higher priority. The most restrictive and critical rules should be given the lowest priority numbers so that they are evaluated first.
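The following is an added example (not code from the video or from Microsoft Purview) that models, in Python, the three pieces described above: a regex primary element for the Hawthorne Bell case-number format, a supporting keyword list checked inside a proximity window that raises the confidence level, and a simplified DLP evaluation in which rules are processed in priority order (lowest number first) against an outbound message. The exact separators in the case-number format, the keyword list, the proximity window, the tenant domain and the rule names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed example modelled on the Hawthorne Bell case-number format:
# "HB", a four-digit year, then four random digits, e.g. HB-2024-0113.
# Optional hyphen/space separators are an assumption, not from the video.
CASE_NUMBER_RE = re.compile(r"\bHB[- ]?(?:19|20)\d{2}[- ]?\d{4}\b")
# Supporting keywords raise confidence only when they appear inside the
# proximity window around a match (Purview's default window is 300 chars).
CASE_KEYWORDS = ("case number", "case reference", "client matter")
PROXIMITY = 300

def detect_case_numbers(text):
    """Return (confidence, matched_values): 'high' when a supporting keyword
    is inside the proximity window, 'medium' when only the regex matched,
    and None when nothing matched."""
    lowered = text.lower()
    matches = list(CASE_NUMBER_RE.finditer(text))
    if not matches:
        return None, []
    values = [m.group() for m in matches]
    for m in matches:
        lo, hi = max(0, m.start() - PROXIMITY), m.end() + PROXIMITY
        if any(k in lowered[lo:hi] for k in CASE_KEYWORDS):
            return "high", values
    return "medium", values

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}
INTERNAL_DOMAIN = "hawthornebell.example"   # placeholder tenant domain

@dataclass
class DlpRule:
    name: str
    priority: int          # lower number = evaluated first
    min_confidence: str    # SIT confidence level the rule requires
    action: str            # "block", "block_with_override", "notify"

def evaluate_dlp(rules, text, recipients):
    """Simplified model of DLP evaluation for an outbound message: the
    condition is 'shared externally AND SIT detected at >= min confidence';
    rules are checked in priority order and the first one that holds wins."""
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)
    confidence, _ = detect_case_numbers(text)
    if not external or confidence is None:
        return None, "allow"
    for rule in sorted(rules, key=lambda r: r.priority):
        if CONFIDENCE_RANK[confidence] >= CONFIDENCE_RANK[rule.min_confidence]:
            return rule.name, rule.action
    return None, "allow"

# Constructed rule set: the strict rule gets the lowest priority number.
HAWTHORNE_RULES = [DlpRule("Case numbers - high confidence", 0, "high", "block"),
                   DlpRule("Case numbers - possible match", 1, "medium", "block_with_override")]
```

Running `evaluate_dlp(HAWTHORNE_RULES, "See case reference HB-2024-0113.", ["bob@gmail.example"])` returns the blocking rule, while the same text sent to an `@hawthornebell.example` address is allowed.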
User Experience
The video tests the DLP policies by simulating a user, Shawn Walton, trying to leak data. The DLP policies successfully block the data from being shared externally via email, Teams, and OneDrive.
DLP In Outlook
When Shawn tries to send an email containing a client case reference, a policy tip appears, warning him about the sensitive information. The email is blocked from being sent until the sensitive information is removed or an override is provided with a business justification.
DLP In Teams
Shawn attempts to share the client case reference via Teams, but the message is blocked, demonstrating the DLP policy's effectiveness across different Microsoft 365 services.
DLP In OneDrive
A policy tip appears in Shawn's OneDrive, indicating that the document conflicts with a policy in the organization. Unlike email and Teams, OneDrive scans files asynchronously, so enforcement may be delayed.
Sensitivity Labels
Sensitivity labels are used to classify and protect data as it's being created. They act as a virtual "handle with care" sticker, allowing organizations to encrypt data, control access, and ensure data is protected even when accessed offline.
Recommended Labels for Example
For Hawthorne Bell, recommended sensitivity labels include "Confidential Client Data" to protect client case numbers and "Legal Contract Template" to protect legal documents. It's important to limit the number of labels to avoid confusing users.
Create Sensitivity Label
To create a sensitivity label, navigate to Microsoft Purview > Solutions > Information Protection > Sensitivity Labels. Provide a name, display name, and description for the label. Choose a color to visually identify the label.
Access Control
Define the scope for the label, specifying where users can apply it. Assign permissions to specific users or groups, determining who can access the data. Configure offline access settings to control whether users can access the data without being connected to Microsoft 365.
Content Marking
Content marking involves adding watermarks, headers, and footers to the data to visually identify it as sensitive. Customize the text to provide additional information or warnings.
Auto-Labelling
Auto-labeling allows sensitivity labels to be automatically applied based on the content of the data. This integrates sensitivity labels with data loss prevention, creating a comprehensive data protection strategy. Configure the conditions that trigger the automatic application of the label, such as the presence of client case numbers.
Publish Label
After creating a sensitivity label, it needs to be published to make it available to users. Create a new label policy to publish the label, specifying the users and groups who should have access to it. Configure policy settings, such as requiring users to provide a justification for removing a label.
User Experience for Labels
In Shawn Walton's mailbox, the sensitivity label is available for manual application to emails. The label can also be automatically applied based on the content of the email. Sensitivity labels are also available in Microsoft Word, allowing users to classify and protect documents.