Collaboration is a crucial part of our daily work lives. Microsoft Teams made collaboration easier and the sky is the limit. In between all the applause and cheers, customers are starting to answer an important question: How can we secure and manage our data? Jasper Oosterveld, Microsoft MVP & Modern Workplace Consultant, is going to answer this question. You can expect real-world advice on sensitivity & retention labels, DLP and managing external access.
4. #ScottishSummit2022
Speaker
Bio
• Microsoft Teams
• Compliance
• Governance
• Adoption
“Try to be kind”
Microsoft MVP & Consultant
www.linkedin.com/in/jasperoosterveld
www.jasperoosterveld.com
@jasoosterveld
11. #ScottishSummit2022
Managing the risks
• Apply MFA for guests.
• Apply sensitivity labels & DLP to protect sensitive content.
• Apply Conditional Access for unmanaged devices.
12. #ScottishSummit2022
Managing external access
• Block or allow specific domains.
• Expiration policy.
• Reauthentication (verification code).
• Enable for specific teams.
• Type of sharing link (new and/or existing).
13. #ScottishSummit2022
Reviewing external access
• Azure Access Reviews (Azure AD P2)
• Custom solution (for example: blog.atwork.at | Groups Governance Toolkit Part 5-External Guests).
• 3rd party solution (for example: ShareGate & AvePoint).
15. #ScottishSummit2022
Trends
Data is exploding! 10x amount of data created and stored by 2025 (vs. 2016).
The regulatory landscape is complex and shifting.
COVID-19 caused an explosion in the usage of Microsoft Teams.
16. #ScottishSummit2022
Challenges
88% of organizations no longer have confidence to detect and prevent loss of sensitive data.
>80% of corporate data is “dark” – it’s not classified, protected or governed.
Protecting and governing sensitive data is the biggest concern in complying with regulations.
Sources
1. Forrester. Security Concerns, Approaches and Technology Adoption. December 2018
2. IBM. Future of Cognitive Computing. November 2015
3. Microsoft GDPR research, 2017
18. #ScottishSummit2022
Real world examples
• "OLVG receives fine of 440,000 euros for unlawful access to sensitive information".
• "Personal data of 65,000 civil servants on the street due to data leak at ministry".
• "Over 100,000 resumes illegally downloaded at Employee Insurance Agency".
19. #ScottishSummit2022
Three important questions
1. Do you know where your business-critical and sensitive data resides and what is being done with it?
2. Do you have control of this data as it travels inside and outside of your organization?
3. Are you using multiple solutions to classify, label, and protect this data?
23. #ScottishSummit2022
Information Classification Policy
• Personal: Non-business data, for personal use only.
• Public: Company data specifically prepared and approved for public use.
• Internal: Company data intended for general use within and outside the organization (business partners).
• Confidential: Sensitive company data that damages the company if it is shared with unauthorized people.
• Secret: Highly sensitive company data that causes damage to the company if it is shared with unauthorized people.
24. #ScottishSummit2022
Information protection policy
Personal
“Non-business data, for personal use only.”
No protection
Public
“Company data specifically prepared and approved for public use.”
No protection
Internal
“Company data intended for general use within and outside the organization (business partners).”
No protection
25. #ScottishSummit2022
Information protection policy
Confidential
“Sensitive company data that damages the company if it is shared with unauthorized people.”
• Accessible for all Contoso employees (internal) & for authorized persons (external).
• Example: HR & Finance
Secret
“Highly secret company data that causes damage to the company if it is shared with unauthorized people.”
• Accessible to authorized people per department.
• Example: Board of Directors
28. #ScottishSummit2022
Sensitivity labels: Why?
Sensitive information
• Protect sensitive information from unauthorized access by applying encryption.
• The encryption continues to work regardless of the location of the sensitive information.
29. #ScottishSummit2022
Sensitivity labels: Why?
Microsoft 365 Groups (Microsoft Teams)
• Enforcing governance agreements:
  • Default privacy setting.
  • Enable or disable guest access.
  • Type of external sharing links.
  • Type of access with unmanaged devices.
31. #ScottishSummit2022
Auto labels & sensitive info types
• Pattern-based classifiers for sensitive content.
• Out-of-the-box:
  • IBAN
  • Credit card
  • Social Security Number
• Create your own:
  • PlayStation 6
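Added example (not from the slides, and not Microsoft's own classifier definitions): a minimal pattern-based classifier showing why sensitive info types pair a regex with a checksum, plus a custom keyword type for the scenario's product. The regexes are simplified, and the type-to-label mapping is an assumption made for illustration.

```python
import re

# Candidate patterns; the checksums below reject random digit runs.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Custom type built from the scenario's product name and codename.
CUSTOM_RE = re.compile(r"\b(?:PlayStation\s*6|Project\s+Raven)\b", re.IGNORECASE)

def iban_ok(candidate: str) -> bool:
    """ISO 13616: move first four chars to the end, A-Z -> 10..35, mod 97 == 1."""
    s = candidate.replace(" ", "")
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return 15 <= len(s) <= 34 and int(digits) % 97 == 1

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    nums = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(nums)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> list[str]:
    """Return the sensitive info types found in text, sorted by name."""
    found = set()
    if any(iban_ok(m.group()) for m in IBAN_RE.finditer(text)):
        found.add("IBAN")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("Credit card")
    if CUSTOM_RE.search(text):
        found.add("Project Raven (custom)")
    return sorted(found)

# Assumed mapping; the slides do not say which label each type triggers.
LABEL_FOR = {"Project Raven (custom)": "Secret", "IBAN": "Confidential",
             "Credit card": "Confidential"}
RANK = ["Personal", "Public", "Internal", "Confidential", "Secret"]

def suggest_label(text: str):
    """Pick the most restrictive label among the detected types, or None."""
    labels = [LABEL_FOR[t] for t in detect(text)]
    return max(labels, key=RANK.index) if labels else None
```
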
35. #ScottishSummit2022
Scenario
• Alex works as PM on the development of the PlayStation 6 (codename: Project Raven).
• Alex wants a private & secure collaboration space with Microsoft Teams.
• External access is only allowed with approved accounts.
Alex Wilber
Project Manager
41. #ScottishSummit2022
DLP: How?
High level
• Create a policy based on existing regulations (GDPR) or customize your own.
• Select the location (M365, OnPrem, Devices, OS & non-MS cloud apps).
• Define your policy settings (conditions & actions).
• Test & deploy.
47. #ScottishSummit2022
Options
• Retain content for a specified period (days, months & years).
OR
• Retain & automatically delete content after a specified period (days, months & years).
OR
• Automatically delete content after a specified period (days, months & years).
OR
• Retain content forever.
53. #ScottishSummit2022
Tips & tricks
• Start by defining your policies instead of focusing on the technology!
• Start with a pilot.
• Don’t forget about governance & change management.
• Be aware of licensing! Auto = E5, DLP & Teams = E5.