In preview now: A simpler protection framework for Teams and other Group-connected SharePoint sites

Back to Blog
07Jan2020

In preview now: A simpler protection framework for Teams and other Group-connected SharePoint sites

Microsoft has previously published a framework for protecting Teams. There is another very much like it for SharePoint. The goal was to create some recommendations that “balance security with ease of collaboration.”

Image credit: Microsoft

It is a fine balance indeed. The most interesting feature of this framework is that Microsoft suggests using retention labels to classify Teams/Sites based on their sensitivity.

But wait a minute,” you might ask… “Isn’t that what Sensitivity labels are for?

Well, one might think that. But in practice it has proved difficult to use Sensitivity labels in this manner for several reasons. The main reason is that Sensitivity labels have the power to encrypt the contents of any file to which they are applied using a unique “tattoo.”

And on the one hand, that’s great–because it means the “tattoo” will travel with a protected document wherever it may roam, so that prying and unauthorized eyes can’t read the content whether its in Microsoft 365 or any other cloud, or on local media, or external media, or whatever–the content is always protected.

On the other hand, that level of protection means that SharePoint can’t read the content either. Therefore stuff breaks. Important stuff. Search. Data Loss Prevention. Delve. Co-Authoring. Autosave. Web apps. The list goes on.

By contrast, retention labels do not encrypt content, and so they can still be used in conjunction with other protections, such as DLP. In fact, Retention labels can be used to trigger DLP.

Therefore if your retention label can indicate the sensitivity of a SharePoint library, for instance, you can apply a DLP policy to warn or block users when they attempt to share content from a sensitive, labeled location.

So this is why retention labels are being used in Microsoft’s recommended framework as the basis for sensitivity–because they are visible to DLP, and they don’t destroy other collaboration features.

For the same reason, we are advised to apply Sensitivity labels (manually) only on the most sensitive, Highly Confidential content–and even then the protection is listed as optional. Why?

Because file-level encryption was (until recently) highly disruptive to the Microsoft 365 productivity experience.

This is all going to change…

We had two important previews drop very recently that I encourage you to go and test drive when you get a chance. The first is Sensitivity labels for SharePoint, OneDrive and Office Online.

Fine print is displayed as soon as you enable the preview

While they are quick to point out that some limitations / known issues still exist in this preview, a lot of functionality has opened up, and I think we can see the general direction this is all going–Sensitivity labels are going to become a much more integrated and seamless part of the native Microsoft 365 experience–and a more important cornerstone in our Data governance strategy. (We’re not all the way there yet, but its coming).

Lookie! Sensitivity shows up on the web!

Integration with DLP is partially included as well (DLP can find content in an encrypted file). And the natural next step of course–if DLP can already read the content within the file–then we should also be able to use the label itself to trigger some action like incident report or notify/block (like we can with retention labels). FYI: so far this feature has yet to light up, even with the preview enabled.

The second big announcement and preview is Sensitivity labels for Teams, Groups and Sites. This is my favorite part–because it means we can allow end users to quickly classify their own content and apply policies like Conditional Access that they would have had to rely on admins for in the past, AND they can do this at the Group/Team/Site level.

In this example, we create a label that allows for External Collaboration.

Now it is important to note that if a label contains both encryption settings and Group/Site based settings, applying the label on the Group level will not actually apply the label and its encryption settings to the files within. It’s just something to be aware of (you may still want to label individual files for further protection, even inside of a “Confidential” Team, for instance. Remember:

  • Encryption = File-level settings (does not affect Groups)
  • Site and group settings = Group-level settings (does not affect files)

After building and publishing your labels to include Site and group settings, they will be visible in applications like Outlook and Microsoft Teams. For instance, based on the settings in my Public label, we are restricted from creating a Private team.

So now the whole game changes, right? Retention labels can do what they do best: retain and dispose of information based on compliance requirements and corporate policies. Meanwhile, Sensitivity labels may someday soon live up to their namesake as well!

In the future…

The recent leaps forward with Sensitivity labels effectively democratize security (a theme we’re seeing more and more with Microsoft) and enable self-service data protection, like so:

We’re almost there. In a single label selection users can now define: their own privacy settings, external collaboration/guest access, device-based Conditional access–WOW–this is huge!

It would be nice to tie DLP in here as well, although again at this time I don’t see the option. Even though we cannot build DLP policies based on a Sensitivity label just yet, be patient–it’s sure to turn up eventually.

In the meantime, we could potentially design some Conditional Access App Control policies in Microsoft Cloud App Security that could, for instance, apply a label automatically on download, or block certain downloads from happening outright.

On the other hand, maybe DLP is becoming less relevant in a world where we can apply strong identity-based encryption and access controls to the files and groups themselves without giving up the rich collaboration experiences that we’ve come to love in Microsoft 365.

If a Sensitive file were downloaded to a non-corporate location (if that were even allowed via the label to begin with), just to open the data you would need to pass through Azure AD, MFA, Conditional Access, etc. And if the security boundary gets brought down to the level of the data itself, I think that’s really a unique thing to be able to offer your customers.

What do you think, reader?

Opinion, Productivity , , , , , 2 Comments
Share:

Comments (2)

  • Franck Reply

    Thanks for the great article.
    After searching for 2 hours on reliable content of the new functionalities in Sensitivity Labels on SPO,
    this article provided some good insight.
    However a few questions remain:
    – Is it correct that I can still not automatically apply a sensitivity label to files that are uploaded to a specific SharePoint library?
    – I cannot see the IRM settings on SPO. Could it be that these are removed when this Preview for Sensitivity Label is enabled?

    Thanks,
    Franck

    March 9, 2020 at 5:14 am
    • Alex Reply

      Had you previously enabled IRM settings? I did not check for this in my testing, but it wouldn’t surprise me if IRM goes away w/ Sensitivity in full effect?? I guess it is another blog for another day! As for auto labeling, in the current preview the only app that is working is Word, so when you edit a document in Word Online, then the online version of Word will apply the label based on the criteria specified. To my knowledge there is not anything yet that “crawls over” content in the repositories online and applies labels. You have to actually open/edit the file, and then the app (e.g. either Word desktop or Word on the web) will look at your available labels and determine if any autolabeling needs to happen based on the content in the document.

      March 9, 2020 at 12:05 pm

Leave a Reply

Back to Blog

Related Posts

16Nov

Three Azure solutions to SMB problems: The first rule of Azure is you don’t sell Azure

Different MSP's out there embrace the cloud to more or less extent. Most providers are doing Office 365 nowadays, but Azure (or IaaS solutions like it) is still nebulous or even a little scary: Some providers feel threatened by services like Azure, because deploying and... read more
10Aug

Vulnerability Assessments vs. Pen Testing: Walk before you run

Sales people are some of my favorite people in the world. They make me laugh out loud almost every day.  The company I work for offers a few different flavors of network & security assessments for small to mid-sized businesses, but we do not offer... read more
25Apr

Knowledge is Power: What does it mean?

Knowledge is Power. Everyone knows that. But not all forms of knowledge were created equally. The same is true of the corresponding power. There are many different shades of knowledge in life, and we do not always distinguish among them in common everyday discourse. However, in most... read more
15Apr

We need “MDATP Lite,” not full MDATP, in order to complete Defender’s value proposition in the SMB–and this is what it looks like

TL;DR: Just give me the device risk level with a description of "why" so I can follow up with potentially at-risk users. You can keep Advanced Hunting, etc. So many people I talk to in the SMB community think that they want MDATP. Well, it is... read more
26Jun

Password sync in the age of COVID-19

This is something I have been seeing and hearing a lot from customers. So I thought it would be a good time to address the age-old topic of Directory Synchronization. Azure AD Connect is usually the best way to get up and running quickly in... read more
05Sep

Replacing your traditional file server with Microsoft Teams and OneDrive, part 2: How to make it happen fast

As promised, today I am going to show you how easy it is to replace your legacy file server and network drive experience with Microsoft Teams and OneDrive. Seriously, anyone can set this up, and it takes just a few minutes. Pre-requisites are: Windows 10... read more
25Aug

Poser alert: Do you think this may be leveraged for Social engineering? Or what…?

Interesting thing appeared in my WordPress comments over the weekend: it appears that someone lifted content from my blog and re-posted it as their own. Why or how WordPress picked up on this and alerted me via my comments is unknown at this time (maybe... read more
Hybrid Azure AD Join or not?
08Jul

Should I use Hybrid Azure AD Join or not?

I consulted with an MSP recently about one of their larger customers, and whether or not to implement Hybrid Azure AD Join for existing Windows workstations (joined to traditional Active Directory). The classic consultant answer of course is, "It depends." In certain cases, perhaps. But... read more
05Apr

Meet Microsoft 365 Business: The new Small Business Server(less) Solution

I've been waiting for this moment for a long time. And I can't tell you how happy I am that it is finally here. Today we're going to talk about Microsoft 365 Business (not Office 365). Actually, I've been sitting on it for a while, because... read more
22Dec

Reader question: Do you recommend Defender in place of third-party antivirus or security tools?

It feels like it has been a while since I addressed a reader question on the blog. This is one I get frequently, all the more so in recent months since Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) became available as a standalone subscription... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me