Microsoft SC-900 – Module 4: Describe the capabilities of Microsoft compliance solutions, part 2
- Data classification capabilities of compliance Center
Let’s talk about and understand the data classification capabilities of the Compliance Center. Organizations need to know their data in order to identify important information across their estate of services and data. To ensure that data is handled in line with compliance requirements, administrators can enable their organization to know its data through the data classification capabilities and tools inside the Microsoft 365 Compliance Center. There you will get to know about sensitive information types, trainable classifiers, Content Explorer and Activity Explorer. Now let’s go through each one of them and understand what they mean.
Sensitive information types: with the Microsoft 365 Compliance Center, administrators are able to identify and protect any kind of sensitive information. Sensitive information types have set patterns that can be used to identify them. For example, an identification number issued by a country or region follows a fixed format, so there is a pattern associated with it. Microsoft 365 includes several built-in sensitive information types based on patterns that are defined by a regular expression, or regex for short. Examples are credit card numbers, passport numbers, national identification numbers, bank account numbers, and health service information as well. Data classification in Microsoft 365 also supports the ability to create custom sensitive information types.
So if you have information that falls outside these built-in types, you can define a custom sensitive information type based on your regulation or requirement. An example would be an organization that needs to create a sensitive information type to represent employee IDs or project numbers. Trainable classifiers use artificial intelligence and machine learning to intelligently classify your data. They are most useful when you are classifying data unique to an organization, for example specific kinds of contracts, invoices and customer records. This method of classification is more about training a classifier to identify an item based on what the item is, and not based on the elements in the item or on pattern matching.
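The following is an added example, not code from the course or from Microsoft’s sensitive information type engine. It shows the idea behind pattern-based sensitive information types: a regular expression for the primary element, optional supporting keywords that raise confidence when they appear nearby, and an optional checksum validator (the Luhn check that real credit card numbers satisfy). The built-in-style credit card type is real in format; the Employee ID and Project Number formats, the keyword lists and the sample text are constructed for illustration, as are the confidence levels.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Added example: a minimal model of a sensitive information type (SIT).
# Each SIT is a regex pattern plus optional keywords and an optional validator.

@dataclass
class SensitiveInfoType:
    name: str
    pattern: str                                   # regex for the primary element
    keywords: Tuple[str, ...] = ()                 # supporting evidence near the match
    validator: Optional[Callable[[str], bool]] = None  # e.g. a checksum function

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which real credit card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

SIT_CATALOG = [
    # built-in-style type: 16 digits in four groups, Luhn-validated
    SensitiveInfoType("Credit Card Number", r"\b(?:\d{4}[ -]?){3}\d{4}\b",
                      ("card", "visa", "mastercard", "credit"),
                      lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    # custom types an organization might define (hypothetical formats)
    SensitiveInfoType("Employee ID", r"\bEMP-\d{6}\b", ("employee", "staff")),
    SensitiveInfoType("Project Number", r"\bPRJ-\d{4}-[A-Z]{2}\b", ("project",)),
]

def classify(text: str, window: int = 60):
    """Return (type name, matched value, confidence) for every match in text.
    A match whose validator fails is dropped; a keyword within `window`
    characters raises the confidence from medium to high."""
    results = []
    lower = text.lower()
    for sit in SIT_CATALOG:
        for m in re.finditer(sit.pattern, text):
            value = m.group(0)
            if sit.validator and not sit.validator(value):
                continue   # looks like the pattern but the checksum fails
            nearby = lower[max(0, m.start() - window): m.end() + window]
            confidence = "high" if any(k in nearby for k in sit.keywords) else "medium"
            results.append((sit.name, value, confidence))
    return results

# Constructed sample text; the second 16-digit number fails the Luhn check.
SAMPLE_TEXT = ("Visa card 4111 1111 1111 1111 was used by employee EMP-004512 "
               "for project PRJ-2024-AB. Tracking ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    for hit in classify(SAMPLE_TEXT):
        print(hit)
```

Running the block reports the Luhn-valid card number, the employee ID and the project number, each at high confidence because a supporting keyword sits next to it, and stays silent on the tracking reference even though it matches the card pattern. That checksum-plus-keyword combination is what keeps pattern-based detection from flagging every 16-digit string it sees.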
Now, within trainable classifiers, you have two different kinds: pre-trained classifiers and custom trainable classifiers. Look at the first one, pre-trained. The name itself says it: Microsoft has created a pre-trained set of classifiers that you can start using without training them. These classifiers appear with the status of ready to use, and Microsoft 365 comes with five pre-trained classifiers. These detect and classify things like resumes, source code, harassment, profanity and threat. The next kind is custom trainable classifiers. Microsoft supports the ability to create and train custom classifiers. So think about individual contracts, customer records, invoices.
These are most useful when classifying data unique to an organization. In order to get a custom trainable classifier to accurately identify an item as being in a particular category of content, it must first be presented with many samples of the types of content in that category, because it is built on what is called a prediction model. There is always a chance of false positives here, and that is why we need to train our classifiers: indirectly we are training the algorithm that in turn runs the artificial intelligence and machine learning programs. We also need to test that model to ensure that we are getting the right classification and that there is a correct match.
The result of each prediction should be manually verified, which then serves as input to improve the accuracy of the prediction model. Once you get the right accuracy score, it means that the model has stabilized, and the classifier can be published. The trainable classifiers can then sort through items located in SharePoint Online, Exchange and OneDrive as well. At this time, classifiers only work with items that are in English and that are not encrypted. So if your content is in a different language, or if it is encrypted, we will probably have to wait, because Microsoft might accommodate that in future releases.
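To make the seed, test, verify and publish loop concrete, here is an added example that is not the course’s or Microsoft’s implementation: a small multinomial naive Bayes model standing in for the prediction model. The categories (contract and invoice), the seed samples, the reviewed test items and the 0.9 accuracy bar are all constructed for illustration; Microsoft’s actual model, sample counts and thresholds are not described on this page.

```python
import math
from collections import Counter, defaultdict

# Added example: a naive Bayes "prediction model" showing the trainable
# classifier workflow: seed with samples, test, verify manually, publish.

def tokenize(text):
    return "".join(c.lower() if c.isalnum() else " " for c in text).split()

class TrainableClassifier:
    def __init__(self):
        self.word_counts = defaultdict(Counter)  # category -> word -> count
        self.doc_counts = Counter()              # category -> number of samples
        self.vocab = set()
        self.published = False

    def train(self, samples):
        """samples: (text, category) pairs, the seed content for each category."""
        for text, cat in samples:
            self.doc_counts[cat] += 1
            for w in tokenize(text):
                self.word_counts[cat][w] += 1
                self.vocab.add(w)

    def predict(self, text):
        total_docs = sum(self.doc_counts.values())
        best, best_score = None, -math.inf
        for cat in self.doc_counts:
            score = math.log(self.doc_counts[cat] / total_docs)
            cat_total = sum(self.word_counts[cat].values())
            for w in tokenize(text):
                # Laplace smoothing: an unseen word must not zero out a category
                score += math.log((self.word_counts[cat][w] + 1) / (cat_total + len(self.vocab)))
            if score > best_score:
                best, best_score = cat, score
        return best

    def verify(self, text, reviewed_category):
        """Manual verification of one prediction. A wrong prediction is fed back
        as a labelled sample so the next round of training improves."""
        correct = self.predict(text) == reviewed_category
        if not correct:
            self.train([(text, reviewed_category)])
        return correct

    def test(self, reviewed_items):
        """Accuracy on items whose true category a reviewer has confirmed."""
        return sum(self.predict(t) == c for t, c in reviewed_items) / len(reviewed_items)

    def publish(self, reviewed_items, threshold=0.9):
        """Publish only once the accuracy score meets the bar (constructed threshold)."""
        self.published = self.test(reviewed_items) >= threshold
        return self.published

# Constructed seed samples for two organization-specific categories.
SEED_SAMPLES = [
    ("This agreement is entered into between the parties and governed by the terms herein", "contract"),
    ("The contractor shall indemnify the client under the terms of this agreement", "contract"),
    ("Either party may terminate this agreement with thirty days written notice", "contract"),
    ("The parties agree to the confidentiality terms set out in this contract", "contract"),
    ("Invoice number 1042 amount due 500 payment due within 30 days", "invoice"),
    ("Please remit payment for invoice 2210 total amount 1200", "invoice"),
    ("Invoice for services rendered amount due 300 payable on receipt", "invoice"),
    ("Total amount 850 payment due date invoice 3301", "invoice"),
]
# Constructed held-out items with reviewer-confirmed categories.
REVIEWED_ITEMS = [
    ("This agreement binds both parties to the terms below", "contract"),
    ("Amount due on this invoice is 400 remit payment promptly", "invoice"),
    ("Payment terms are defined in section 4 of the agreement", "contract"),
    ("Invoice 5012 total 700 due within 14 days", "invoice"),
]

if __name__ == "__main__":
    clf = TrainableClassifier()
    clf.train(SEED_SAMPLES)
    print("accuracy:", clf.test(REVIEWED_ITEMS), "published:", clf.publish(REVIEWED_ITEMS))
```

The third reviewed item is the interesting one: it contains the word "payment", which only appears in invoice samples, yet the surrounding contract vocabulary still wins. That is the "what the item is, not which elements it contains" distinction the text draws between classifiers and pattern matching, and it is also why a reviewer has to confirm predictions before the model is trusted and published.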
- Content Explorer and Activity Explorer
Data classification is really a cumbersome activity, because it can involve a large volume of documents and emails. In order to help administrators easily derive insights and understanding, there is an overview section of the Data classification pane in the Compliance Center, and you get a lot of details there. For example, the number of items that are classified as sensitive and what classifications they carry, what is going on with them, details on the locations of data based on their sensitivity, and also what users are doing with that sensitive content across the organization.
So admins would definitely want to go to the summary section and also to the two important panes, called Content Explorer and Activity Explorer. Let’s learn about them. Content Explorer is available as a tab in the Data classification pane of the Compliance Center. It enables administrators to gain visibility into the content that has been summarized in the overview pane, so you can drill down further into it. That means you get further visibility and details of the content that is available under the overview pane. So when you go in there, you have the data. But keep in mind that access to Content Explorer is highly restricted, because it is possible to read the contents of the scanned files as well.
There are two roles that grant access to Content Explorer: Content Explorer List Viewer and Content Explorer Content Viewer. Anybody who wants to access Content Explorer must have an account in one or both of these role groups. With Content Explorer, administrators get a current snapshot of the individual items that have been classified across the organization. It enables administrators to drill down further into items by allowing them to access and review the scanned sources that are stored in different locations, such as Exchange, SharePoint or OneDrive.
Activity Explorer provides visibility into what content has been discovered and labeled and where that content is. It makes it possible to monitor what is being done with the labeled content across the organization. Administrators gain visibility into document-level activities, for example label changes and label downgrades, such as when someone changes a label from confidential to public; that is something you want to be notified about. Administrators use filters to see the details of a specific label, including file types, users, and activities as well. Activity Explorer helps you understand what is being done and what labels were changed over a period of time, and administrators use it to evaluate whether the controls already in place are effective.
There are different kinds of activities that can be analyzed: files copied to removable media, files copied to a network share, or somebody applying a label or changing a label. Administrators can use more than 30 kinds of filters for the data, including date range, activity type, location, user, sensitivity label and retention label. The value of understanding what actions are being taken with sensitive content is that admins can see whether the controls they have already put in place, such as data loss prevention policies, are effective or not. An example would be discovering that a large number of items labeled highly confidential have suddenly been downgraded to public. In response, admins can update their policies and act to restrict the undesired behavior.
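The kind of analysis Activity Explorer supports, filtering label activity and spotting downgrades, can be shown over a handful of records. The block below is an added example, not the course’s material or an Activity Explorer export: the JSON lines, user names, field names and the label ranking are constructed, and the "three or more downgrades" threshold is an illustrative choice rather than anything the product defines.

```python
import json
from collections import Counter

# Added example: Activity Explorer-style filtering over constructed label activity
# records, plus detection of the "many items downgraded to public" pattern.

# Constructed sample records (not a real export). Labels are stored in clear text.
SAMPLE_ACTIVITY_LOG = """
{"time": "2024-05-01T09:00:00Z", "activity": "LabelApplied", "user": "alice@contoso.example", "location": "SharePoint", "file": "roadmap.docx", "file_type": "docx", "new_label": "Confidential"}
{"time": "2024-05-01T09:05:00Z", "activity": "LabelChanged", "user": "bob@contoso.example", "location": "OneDrive", "file": "salaries.xlsx", "file_type": "xlsx", "old_label": "Highly Confidential", "new_label": "Public"}
{"time": "2024-05-01T09:07:00Z", "activity": "LabelChanged", "user": "bob@contoso.example", "location": "OneDrive", "file": "board.pptx", "file_type": "pptx", "old_label": "Highly Confidential", "new_label": "Public"}
{"time": "2024-05-01T09:10:00Z", "activity": "LabelChanged", "user": "carol@contoso.example", "location": "Exchange", "file": "memo.msg", "file_type": "msg", "old_label": "General", "new_label": "Confidential"}
{"time": "2024-05-01T09:12:00Z", "activity": "FileCopiedToRemovableMedia", "user": "bob@contoso.example", "location": "Endpoint", "file": "salaries.xlsx", "file_type": "xlsx", "new_label": "Public"}
{"time": "2024-05-01T09:15:00Z", "activity": "LabelChanged", "user": "bob@contoso.example", "location": "OneDrive", "file": "q2.xlsx", "file_type": "xlsx", "old_label": "Highly Confidential", "new_label": "Public"}
"""

# Constructed label taxonomy, least to most sensitive.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]

def label_rank(name):
    return LABEL_ORDER.index(name)

def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def filter_activities(records, since=None, **criteria):
    """Filter like the Activity Explorer filters: optional date lower bound,
    then every named field (user, location, activity, file_type, ...) must match."""
    out = []
    for r in records:
        if since and r["time"] < since:        # ISO-8601 UTC strings compare lexically
            continue
        if all(r.get(k) == v for k, v in criteria.items()):
            out.append(r)
    return out

def find_downgrades(records):
    """Label changes where the new label is less sensitive than the old one."""
    return [r for r in records if r["activity"] == "LabelChanged"
            and label_rank(r["new_label"]) < label_rank(r["old_label"])]

def bulk_downgrade_users(records, threshold=3):
    """Users with at least `threshold` downgrades: the signal an admin would act on
    (threshold is a constructed value for this example)."""
    counts = Counter(r["user"] for r in find_downgrades(records))
    return {user: n for user, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_ACTIVITY_LOG)
    for r in find_downgrades(recs):
        print(r["time"], r["user"], r["file"], r["old_label"], "->", r["new_label"])
    print("bulk downgraders:", bulk_downgrade_users(recs))
```

In the sample, one user downgrades three highly confidential files to public and then copies one of them to removable media, which is exactly the sequence the text says should prompt an admin to revisit the DLP policies in place.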
- Sensitivity labels
Organizations must protect their data in order to safeguard their customers as well as their business operations, and that in turn helps them meet their compliance standards. Administrators have numerous options in the Microsoft 365 Compliance Center that let them protect data through various capabilities, including sensitivity labels and policies. Let’s go ahead and understand what a sensitivity label is; it is part of information protection in the Microsoft 365 Compliance Center. With sensitivity labels, organizations can decide on labels to apply to content such as emails and documents.
Much like different stamps are applied to physical documents, labels are customizable, clear text and persistent. Customizable means that admins can create different categories specific to the organization, such as personal, public, confidential and highly confidential. Clear text means that each label is stored in clear text in the content’s metadata, so third-party applications and services can read it and then apply their own protective actions if required. Persistent means that after you apply a sensitivity label to content, the label is stored in the metadata of that email or document.
The label then moves with the content, including its protection settings, and this data becomes the basis for applying and enforcing policies. Each item that supports sensitivity labels can have only one label applied to it at any given time. Sensitivity labels can be used to encrypt documents or emails; they can also be used to mark the content and to apply the label automatically. You can also protect content in containers such as sites and groups, and you can extend sensitivity labels to third-party applications and services. You can also classify content without using any protection settings.
Now, if you look at the first one, encryption is quite a generic term, but with this you can choose to encrypt email only, or both email and documents. When a document or email is encrypted, access to the content is restricted. Why do we need to restrict it? So that it can be decrypted only by the users authorized by the label’s encryption settings. Also, it remains encrypted no matter where it resides, inside or outside the organization, even if the file is renamed. Emails and documents are encrypted both at rest, for example while they sit in OneDrive, and in transit, for example an email message as it traverses the internet. You can also mark the content, which applies when Office applications are used.
Marking the content includes adding watermarks, headers or footers. Headers and footers can be applied to emails or documents that have the label applied; watermarks can be applied to documents but not to email. You can apply the label automatically in Office applications, or recommend the label. Administrators choose the types of sensitive information to be labeled, and the label can be applied automatically or configured to prompt users to apply the recommended label. Now for the last three points. The first is protecting content in containers such as sites and groups. When this capability is enabled, the label configuration does not result in documents being automatically labeled.
Instead, the label settings protect content by controlling access to the container where the documents are stored. The next point is extending sensitivity labels to third-party applications and services: using the Microsoft Information Protection SDK, you can have third-party applications read sensitivity labels and apply protection settings. The last one is classifying content without using protection settings. A classification can be assigned to content just like a sticker: you assign it to a document, and it persists and roams with the content as it is used and shared. The classification can be used to generate usage reports and to view activity data for that sensitive content. So that was all about sensitivity labels. Let’s go ahead and talk about label policies.
- Label Policies
Now, once you have set up the sensitivity labels, they need to be published to make them available to people and services in the organization. Sensitivity labels are published to users or groups through label policies. Label policies let admins do several things, for example role-based access control. The first point is choosing the users and groups that can see labels: labels can be published to specific users, distribution groups and Microsoft 365 Groups in Azure Active Directory. Then you can also apply a default label to, let’s say, all new emails and documents that the specified users and groups create. Users can always change the default label if they believe the document or email has been mislabeled. Sometimes you require a justification for label changes.
So if a user wants to remove a label or replace it, admins can require the user to provide a valid justification to complete the action; the user will be prompted to explain why the label should be changed. Then you can require users to apply a label, which is mandatory labeling: it ensures that a label is applied before users can save their documents, send emails, or create new sites or groups. Finally, you can also link users to custom help pages, which helps users understand what the different labels mean and how they should be used. Once a sensitivity label is applied to an email or a document, any protection settings configured for that label are enforced on the content.
For example, let’s say you chose an encryption setting for a sensitivity label. Admins can then protect content so that only users within the organization can open that confidential document or email, only users in a specific department can edit or print it while other users can just read it, users cannot forward or copy information in the email, and users cannot open a document after a specified date. These are all the kinds of protection settings that can be applied to a label. Admins can also enable users to label and protect their files using Windows File Explorer by installing the Azure Information Protection unified labeling client on Windows devices. Let’s talk about the next important section, which is data loss prevention.
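The behaviour described in the sensitivity label and label policy sections (one label per item, stored as clear-text metadata that travels with the content, a default label, a justification required to lower or remove a label, mandatory labeling before save, and protection settings that follow the label) can be modelled in a few dozen lines. This is an added example and not Microsoft’s code or file format: the label names, the help page URL and the mapping from label to protection settings are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example: a model of sensitivity labels enforced by a label policy.

# Constructed label taxonomy, least to most sensitive.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]

# Constructed mapping from label to the protection settings that travel with it.
PROTECTION = {
    "Public": {"encrypt": False, "watermark": None, "no_forward": False},
    "General": {"encrypt": False, "watermark": None, "no_forward": False},
    "Confidential": {"encrypt": True, "watermark": "Confidential", "no_forward": False},
    "Highly Confidential": {"encrypt": True, "watermark": "Highly Confidential", "no_forward": True},
}

@dataclass
class LabelPolicy:
    default_label: str = "General"       # applied to new items
    mandatory: bool = True               # a label is required before save/send
    require_justification: bool = True   # when lowering or removing a label
    help_url: str = "https://intranet.example/labels"   # hypothetical custom help page

@dataclass
class Document:
    name: str
    metadata: dict = field(default_factory=dict)   # the label lives here, in clear text
    history: list = field(default_factory=list)    # (old, new, justification) records

class LabelError(Exception):
    pass

def create_document(name, policy):
    doc = Document(name)
    if policy.default_label:
        doc.metadata["sensitivity_label"] = policy.default_label
    return doc

def current_label(doc):
    return doc.metadata.get("sensitivity_label")

def set_label(doc, new_label, policy, justification=None):
    """Apply, replace or remove (new_label=None) the single label on an item."""
    if new_label is not None and new_label not in LABEL_ORDER:
        raise LabelError(f"unknown label {new_label!r}")
    old = current_label(doc)
    lowering = old is not None and (
        new_label is None or LABEL_ORDER.index(new_label) < LABEL_ORDER.index(old))
    if lowering and policy.require_justification and not justification:
        raise LabelError(f"justification required to lower or remove a label; see {policy.help_url}")
    if new_label is None:
        doc.metadata.pop("sensitivity_label", None)
    else:
        doc.metadata["sensitivity_label"] = new_label   # replaces the old one: one label at a time
    doc.history.append((old, new_label, justification))
    return doc

def can_save(doc, policy):
    """Mandatory labeling: saving or sending is blocked while no label is present."""
    return not policy.mandatory or current_label(doc) is not None

def protection_for(doc):
    """Protection settings are derived from the label, so they move with the content."""
    return PROTECTION.get(current_label(doc), {})

if __name__ == "__main__":
    policy = LabelPolicy()
    doc = create_document("plan.docx", policy)
    set_label(doc, "Highly Confidential", policy)
    print(current_label(doc), protection_for(doc))
    try:
        set_label(doc, "Public", policy)
    except LabelError as e:
        print("blocked:", e)
```

Note that the justification is recorded alongside the old and new label in the document history; that record is the raw material for the downgrade analysis an administrator later performs in Activity Explorer.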
- Data Loss Prevention
No organization wants to get into a situation where it has to deal with data loss. Data loss can harm an organization’s customers, business processes, and the organization itself. An organization needs to prevent data loss by detecting risky behavior and preventing sensitive information from being shared inappropriately. Admins can use the data loss prevention policies available in the Microsoft 365 Compliance Center. So what is DLP, or data loss prevention? It is a way to protect sensitive information and prevent its disclosure. With DLP in place, administrators can do a lot of things, including monitoring, identifying, and automatically protecting sensitive information across Microsoft 365, including OneDrive for Business, SharePoint Online and Microsoft Teams, as well as Exchange Online.
It also helps users learn how compliance works without interrupting their workflow. For example, if a user tries to share a document containing sensitive information, a DLP policy can send them an email notification and show them a policy tip. You can also view DLP reports showing content that matches the organization’s DLP policies. In order to assess how well the organization is following a DLP policy, admins can see how many matches each policy has over time. DLP policies protect content through the enforcement of rules that consist of conditions, actions, and locations. Conditions define what the content must match before the rule is enforced. Actions define what the admin wants to happen automatically when content matching the conditions has been found.
Finally, locations are where the policy is applied, such as Exchange, SharePoint, OneDrive, and several other options inside DLP. Let’s understand this with an example. Consider an admin who wants to configure a DLP policy to help detect information that is subject to a compliance regulation like HIPAA, the Health Insurance Portability and Accountability Act. The admin wants to do this for all SharePoint sites and OneDrive for Business. The admin can block the relevant documents from being shared inappropriately. DLP policies protect information by identifying and automatically protecting sensitive data. Think about the scenarios where DLP policies would be helpful to you.
Think about credit card numbers stored in OneDrive for Business accounts. Think about automatically blocking an email containing employees’ personal information from going outside the organization. So this is a DLP policy: a policy can contain multiple rules, and each rule consists of conditions and actions at a minimum.
- Data Loss Prevention on endpoints and teams
Data loss can occur from your Windows 10 devices and also from Microsoft Teams. The objective of this discussion is to understand endpoint data loss prevention as well as Microsoft Teams data loss prevention. Admins can choose to target Windows 10 devices when creating a DLP policy, and endpoint DLP enables admins to audit and manage the activities that users perform on sensitive content. These could be creating an item, renaming an item, copying items to removable media, copying items to a network share, printing documents, and accessing items using unallowed applications or blocked browsers.
In Activity Explorer, you can view information about what users are doing with that sensitive content, such as how many files were copied via network shares, removable drives, or unallowed applications. Now, talking about data loss prevention in Microsoft Teams, DLP capabilities have been extended to Microsoft Teams chat and channel messages as well. With DLP, administrators can now define policies that prevent users from sharing sensitive information in a Teams chat session or in a channel. Whether it is a message or a file, DLP has eyes on it.
So just like in Exchange, Outlook, SharePoint, and OneDrive for Business, administrators can use DLP policy tips, which are displayed to the user to show them why a policy has been triggered. For example, look at the screenshot here: it shows a policy tip on a chat message that was blocked because the user attempted to share a Social Security number. Users can then find out more about why their message was blocked by selecting the “What can I do?” link, and then take appropriate action. With DLP policies, Microsoft Teams helps users across organizations collaborate securely and in a way that is in line with compliance requirements.
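The DLP structure described in the data loss prevention section (a policy with locations, containing rules made of conditions and actions) and the Teams chat case from this section can be put together in one small rule engine. What follows is an added example and not Microsoft’s DLP implementation: the policy name, rule names, thresholds, action names and the two simplified detection patterns (plain regexes, no checksum) are constructed to illustrate how a Teams message with a Social Security number ends up blocked with a policy tip while an internal share or an out-of-scope location is left alone.

```python
import re
from dataclasses import dataclass

# Added example: a constructed DLP rule engine modelling policy -> locations,
# rule -> conditions + actions, as described in the text.

# Simplified sensitive-information patterns for the conditions (illustrative only).
PATTERNS = {
    "U.S. Social Security Number": r"\b\d{3}-\d{2}-\d{4}\b",
    "Credit Card Number": r"\b(?:\d{4}[ -]?){3}\d{4}\b",
}

@dataclass
class Item:
    location: str               # "Exchange", "SharePoint", "OneDrive", "Teams", "Endpoint"
    content: str
    shared_externally: bool = False

@dataclass
class Rule:
    name: str
    info_types: tuple           # condition: matches of any of these types are counted
    min_count: int = 1          # condition: at least this many matches
    external_only: bool = True  # condition: only when shared outside the organization
    actions: tuple = ("notify_user",)   # e.g. "policy_tip", "notify_user", "block", "notify_admin"
    locations: tuple = ()       # empty = every location the policy covers

@dataclass
class DlpPolicy:
    name: str
    locations: tuple
    rules: tuple

def count_matches(content, info_types):
    return sum(len(re.findall(PATTERNS[t], content)) for t in info_types)

def evaluate(policy, item):
    """Return [(rule name, actions)] for every rule whose conditions the item meets."""
    if item.location not in policy.locations:
        return []
    triggered = []
    for rule in policy.rules:
        if rule.locations and item.location not in rule.locations:
            continue
        if rule.external_only and not item.shared_externally:
            continue
        if count_matches(item.content, rule.info_types) >= rule.min_count:
            triggered.append((rule.name, rule.actions))
    return triggered

def decision(policy, item):
    """The most restrictive action among the triggered rules wins."""
    actions = {a for _, acts in evaluate(policy, item) for a in acts}
    if "block" in actions:
        return "block"
    if actions:
        return "allow_with_policy_tip"
    return "allow"

# Constructed policy: educate on low volumes, block on high volumes, and block
# Social Security numbers in Teams chat outright.
PII = ("U.S. Social Security Number", "Credit Card Number")
POLICY = DlpPolicy(
    name="Protect PII",
    locations=("Exchange", "SharePoint", "OneDrive", "Teams"),
    rules=(
        Rule("Low volume PII", PII, min_count=1, actions=("policy_tip", "notify_user")),
        Rule("High volume PII", PII, min_count=10, actions=("block", "notify_admin")),
        Rule("Block SSN in Teams chat", ("U.S. Social Security Number",),
             actions=("block", "policy_tip"), locations=("Teams",)),
    ),
)

if __name__ == "__main__":
    chat = Item("Teams", "here is my SSN 123-45-6789", shared_externally=True)
    print(evaluate(POLICY, chat), "->", decision(POLICY, chat))
```

Endpoint activities such as copying to removable media are not a location in this policy, so an endpoint item evaluates to nothing here; in the product they are covered by targeting devices when the policy is created, as the text explains, which in this model would mean adding "Endpoint" to the policy's locations and a rule for it.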