
Sensitivity Labels in Microsoft 365: Your Path to Compliance

Written by Michal Pisarek | May 19, 2021 7:00:00 AM

Updated June 2023

Compliance is a team sport and it is everyone’s responsibility in an organization.

We need to understand that it is more than a technical problem and must be tackled with more tools and processes than technical controls. So, it is time to go beyond the accountability of IT professionals and ensure end-users are also working in a compliant manner. It is pivotal to ensure that your digital workplace is equipped with governance, automation, training, in-the-moment help, and consistency, to adhere to long-term compliance policies.

Sensitivity labels are one great way to maintain protection and compliance in your Microsoft 365 environment and throughout the organization as well. Let us explore this further and understand how to put Sensitivity Labels to good use in Microsoft 365.


Microsoft Information Protection - The Greater Ecosystem

Microsoft Information Protection (MIP) is the framework through which data protection is rolled out across Microsoft 365, and central to it is a service called Data Classification Service. With data classification, you can build and identify your own sensitive information types. Sensitivity Labels are part of that, and part of your own organization’s data classification scheme.

Underneath all these layers there is a lot of groundwork that goes in before you can define your Sensitivity Labels. Conveniently, Sensitivity Labels can be applied across Microsoft 365 applications and services and numerous devices that use these apps.

 

Sensitivity Labels – The Problem Solver

There are some real security concerns that keep executives and business owners up at night, such as: is the data we are working with protected? Discerning sensitive data from non-sensitive data, ensuring data security at all times, and many others are all on the list. Sensitivity Labels, if implemented correctly, take care of these and thus provide a more restful sleep, by:

Microsoft 365 Compliance Through Sensitivity Labels

If you are looking to articulate a path to compliance and what you want from it, then you need to communicate this four-step path with your compliance and risk teams:

1. Know Your Data –> 2. Protect Your Data –> 3. Prevent Data Loss –> 4. Govern Your Data

In this blog, we will be going over the first two stages of the compliance path and discussing how they tie into Sensitivity Labels.

1. Know Your Data

It is important to understand your data landscape and identify important data across your hybrid environment.

You need to know what data your users are working with in all of the collaboration tools that they are using. Out-of-the-box Microsoft tools can help identify sensitive information types in your environment.

The power of data identification is that you can define the data type once in a unified location and use it across a number of tools in the backend, such as Sensitivity Label conditions, Retention Label Policy conditions, Data Loss Prevention (DLP) conditions, and Microsoft Cloud App Security.

Additionally, you can scale your identification by using trainable classifiers. These come with the option to create custom ones or use pre-built ones provided by Microsoft.

Knowing your data is not enough; you also must be able to monitor what you know. The Data Classification in Microsoft 365 compliance interface is an effective way to gain insight into your environment.

Image: Use reports to know your data with data classification metrics.


2. Protect Your Data

Data protection keeps your data secure as it travels inside and outside your organization. Although there are many tools in the backend that would be considered compliance control options as part of the MIP solution, Sensitivity Labels play an integral role.

Let’s focus on the protection of your sensitive information wherever it lives and any exchange that takes place between these collaboration assets – Exchange, Microsoft Teams, SharePoint and OneDrive.

  • Define your organizational classification scheme: The classification scheme does not have to be complicated. In fact, the simpler it is, the easier it is for end users to know it and use it correctly. Here is a basic example of what a classification scheme can look like:
Image: An example of defining classification scheme for an organization.

Tip: 5-6 parent Sensitivity Labels are enough, and you can add sub-labels if required. If you are going over that, you need to regroup and define what the distinguishing controls are between all those labels.

  • Prepare your end users: This is integral to ensuring that compliance policy is enforced and implemented. End users are your ally in any information protection strategy. The best way to keep them involved and updated is by utilizing a SharePoint Communication Site for all your governance documentation. This site can include end user documentation so that they understand new terms you may be using or what they will be seeing in the user interface, a high-level glossary of terms, user guidance around Sensitivity Labels, etc.
  • Build Sensitivity Labels correctly: When creating Sensitivity Labels, it is super important to get the description right so that labels are clearly differentiated from one another. At the same time, you need to keep in mind that you will have to structure proper end user training around it so that they understand what each aspect of it means.

Image: Creating a new label in the Microsoft Compliance Center

  • Apply Sensitivity Labels: There are 3 high-level places where you can apply Sensitivity Labels:

Files/Emails: Sensitivity Labels can be applied to manage content markings, encryption, rights management, client-side auto-apply, and service-side auto-apply.

Auto-labeling client-side: This is based on sensitive information types detected in the moment, and can be applied while using or editing documents, or while composing emails. This kind of label can be automatically applied or recommended to the user.

Auto-labeling service-side: This is based on sensitive information types detected in content at rest, such as in SharePoint or OneDrive. It helps if users forget to set a label, and can be applied at scale.

Groups/Sites: In this case, Sensitivity Labels control privacy settings, guest access, device access, & external sharing.

Data: Sensitivity Labels are used across Azure Purview, files in Azure Blob Storage, files in Azure Data Lake Storage, and several database columns.

Once labels are applied you can see them across your Microsoft 365 applications.

Image: Defining the scope of sensitivity labels.

Note: When you apply a sensitivity label to an MS Teams team, it is not automatically copied over to each file shared in that team. To get granular, you need to apply Sensitivity Labels at the file level separately.

To make this process simpler for you, we have this wildly helpful checklist to guide you through the creation and implementation of Sensitivity Labels:

Image: A comprehensive checklist for configuring and applying sensitivity labels.
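The steps above (define a small scheme, write distinct descriptions, set each label's scope) can be scripted with Security & Compliance PowerShell. This is an added example, not code from the original post; the label names, tooltips and policy name are constructed placeholders.

```powershell
# Added example. Label names, tooltips and the policy name are constructed placeholders.
# Needs the ExchangeOnlineManagement module and a compliance administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Parent labels, least to most sensitive. Scope holds New-Label -ContentType values:
# File/Email = documents and mail, Site/UnifiedGroup = SharePoint sites, Teams, groups.
# Site/UnifiedGroup assumes container labeling is already enabled in the tenant.
# A label on a team is not copied to the files inside it, so container labels
# here also carry the File/Email scope for labeling the content itself.
$scheme = @(
    [pscustomobject]@{ Name = 'Public'; Scope = 'File, Email'; Sub = @()
        Tooltip = 'Approved for release outside the organization.' }
    [pscustomobject]@{ Name = 'General'; Scope = 'File, Email, Site, UnifiedGroup'; Sub = @()
        Tooltip = 'Everyday business data; not intended for public release.' }
    [pscustomobject]@{ Name = 'Confidential'; Scope = 'File, Email, Site, UnifiedGroup'
        Tooltip = 'Sensitive business data; sharing limited to people who need it.'
        Sub = @(
            [pscustomobject]@{ Name = 'Internal'; Tooltip = 'Confidential; employees only.' }
            [pscustomobject]@{ Name = 'Partners'; Tooltip = 'Confidential; named external partners allowed.' }
        ) }
)

# Guard 1: the tip above caps the scheme at 5-6 parent labels.
if ($scheme.Count -gt 6) { throw "Scheme has $($scheme.Count) parent labels; keep it to 6 or fewer." }

# Guard 2: every description must differ, or users cannot tell labels apart.
$all = foreach ($l in $scheme) { $l; $l.Sub }
$dupes = $all | Group-Object Tooltip | Where-Object Count -gt 1
if ($dupes) { throw "Labels share a description: $($dupes.Group.Name -join ', ')" }

# Create parents first, then sub-labels linked through -ParentId.
$created = foreach ($l in $scheme) {
    New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip -ContentType $l.Scope | Out-Null
    $l.Name
    foreach ($s in $l.Sub) {
        $subName = "$($l.Name)-$($s.Name)"
        New-Label -Name $subName -DisplayName $s.Name -Tooltip $s.Tooltip `
            -ParentId $l.Name -ContentType 'File, Email' | Out-Null
        $subName
    }
}

# Labels are not visible to users until they are published in a label policy.
New-LabelPolicy -Name 'Constructed-Baseline-Policy' -Labels $created

# Review what was created before starting end user training.
Get-Label | Format-Table Name, DisplayName, Tooltip
```

Run it against a test tenant first: the two guards stop the script before anything is created if the scheme has grown too large or two labels read the same to an end user.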
 
