Govern your data - Microsoft SC-400 Certification

The following capabilities help you to prevent accidental oversharing of sensitive information:

  • Data loss prevention: This is a feature intended to help prevent the unintentional sharing of sensitive information.
  • Endpoint data loss prevention: This extends the data loss prevention capabilities to items used and shared on Windows 10 computers.
  • The protection of sensitive information in Microsoft Teams chat and channel messages. This extends some data loss prevention capabilities to Teams chat and channel messages.

Together, these features help you safeguard information, regardless of where it is stored, from unauthorized access and accidental or malicious sharing, and strengthen your compliance status with regulatory requirements.

These features are listed on the following website:

https://docs.microsoft.com/en-us/microsoft-365/compliance/information-protection?view=o365-worldwide

We have covered the fundamentals of Information Protection: which features are available and how they help us safeguard our data throughout its life cycle. As an Information Protection Administrator, you are required to know these capabilities so that you understand where to use each feature and can explain why it should be implemented.

Information protection use cases

Microsoft Information Protection is commonly used to identify your data, supply protection for your data, and govern your data to minimize the risk of data leakage or oversharing. The features listed in the previous section provide you and your organization with the tools to achieve all of this.

The following diagram depicts the features of Information Protection that can be applied to sensitive data, and how they interact with each other:

Figure 2.1 – Safeguarding mechanisms that can be applied to protect sensitive information

We will present Example A. Let’s say that we have produced a document containing sensitive information regarding one of the employees in your organization. It could range from HR-related information to specific information that could cause harm to the individual if said information wound up in the wrong person’s mailbox.

This is a perfect example of where Information Protection would swoop in with both labeling and encryption to make sure of the following:

  1. The document containing the sensitive information is labeled automatically by leveraging sensitive information types.
  2. The information in the document cannot be read by anyone not in possession of the correct access to it.
  3. The document is labeled in such a way that, visually, it is easy to identify that it contains sensitive information.

Keeping Example A in mind, the information is of such a nature that it must not leave the organization under any circumstances.

This calls for data loss prevention (DLP), Example B. With DLP, we could apply policies stating that information labeled with a certain label must not be shared outside the organization using email, SharePoint, OneDrive, or Teams chat and channel messages. Here, a DLP policy would interact with the end user stating that the item they are about to share or are trying to share externally is labeled such that external sharing is forbidden.

The following diagram is a brief overview of what a DLP policy consists of. The rules are paired to their own conditions and actions:

Figure 2.2 – Example of what a DLP policy could look like

In Example A, we are using sensitive information types, sensitivity labels, and encryption to safeguard the information on a document level.

As specified in Figure 2.1, the capabilities to label and/or retain information can work with a data loss prevention policy to further govern access to your data and make sure that no oversharing of sensitive information occurs. The following diagram shows what a data loss prevention policy consists of:

Figure 2.3 – How sensitivity labels and DLP policies interact with each other to apply protection

In Example B, we are leveraging the capabilities of DLP accompanied by our sensitivity labels to make sure that no accidental sharing of this information occurs.
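The policy described in Example B, written out with the Security & Compliance PowerShell cmdlets as an added example that is not from the original text. The label name `Confidential-HR` and the policy and rule names are assumptions, and the label is assumed to be published already. The example is scoped to Exchange, SharePoint and OneDrive; add `-TeamsLocation` for Teams chat and channel messages where the condition you use is supported there.

```powershell
# Added example, not from the original text. All names are hypothetical.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession

$labelName = 'Confidential-HR'   # assumed sensitivity label from Example A

# The policy carries the locations. Start in test mode so that matches are
# reported and users see policy tips before anything is actually blocked.
$policy = @{
    Name               = 'HR data - no external sharing'
    Comment            = 'Blocks external sharing of items labeled Confidential-HR'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# Condition: the item carries the sensitivity label.
$condition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'Default'
            labels   = @(@{ name = $labelName; type = 'Sensitivity' })
        }
    )
}

# The rule pairs the condition with its actions: when a labeled item is shared
# with someone outside the organization, block access and tell the user why.
$rule = @{
    Name                                = 'Block external sharing of HR-labeled items'
    Policy                              = $policy.Name
    ContentContainsSensitiveInformation = $condition
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    NotifyUser                          = 'LastModifier'
    NotifyPolicyTipCustomText           = 'This item is labeled Confidential-HR and cannot be shared externally.'
}
New-DlpComplianceRule @rule

# Review what was created before switching the policy to enforcement with:
#   Set-DlpCompliancePolicy -Identity $policy.Name -Mode Enable
Get-DlpComplianceRule -Policy $policy.Name | Format-List Name, BlockAccess, AccessScope
```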

The examples use a few features of Microsoft Information Protection that can help you and your organization safeguard your information in a cost-effective and user-friendly manner.

Other use cases for Microsoft Information Protection can extend well beyond a single document.

Say that your organization needs insight into whether you are staying compliant with the General Data Protection Regulation (GDPR). This is a situation where Microsoft Information Protection could come into play as well. Leveraging the capabilities of sensitive information types, sensitivity labels, trainable classifiers, Azure Information Protection unified labeling scanners, Microsoft Defender for Cloud Apps, and the data classification dashboard, you would gain a lot of insight into which types of information are being stored where, such as whether it is on-premises or in a cloud instance.

The following diagram shows a brief overview of how Microsoft Defender for Cloud Apps operates in your cloud and on-premises environment. We will discuss Microsoft Defender for Cloud Apps in more depth later in the book:

Figure 2.4 – Overview of what Microsoft Defender for Cloud Apps is capable of

In summary, for you to gain knowledge and insight into what information is being processed in your on-premises or cloud environment, you need to search for it, label it, and protect it to stay compliant with regulatory standards and make sure that the intellectual property of your organization stays inside the organization.

Microsoft Information Protection helps with all of this, and when you have completed this book and the certification exam it is intended to help you prepare for, you will also have the toolset to implement these features in your organization.

We have covered some Information Protection use cases and will proceed with our next topic, which discusses the scope of Information Protection.
